sshmitm.plugins.sftp.check_file module

class sshmitm.plugins.sftp.check_file.ClamAVClient(socket_path='/tmp/clamd.sock')

Bases: object

Parameters:

socket_path (str, default: '/tmp/clamd.sock')

__init__(socket_path='/tmp/clamd.sock')
Parameters:

socket_path (str, default: '/tmp/clamd.sock')

instream(data, chunk_size=1024)
Parameters:
  • data (bytes)

  • chunk_size (int, default: 1024)

Return type:

str

class sshmitm.plugins.sftp.check_file.SFTPHandlerCheckFilePlugin(sftp, filename)

Bases: SFTPHandlerPlugin

Scans SFTP-transferred files with ClamAV before forwarding them.

All file data is buffered in memory during the transfer. On uploads, the complete content is scanned via the ClamAV INSTREAM protocol before being written to the remote server. On downloads, the remote file is fetched and scanned before being served to the client. Transfers that fail the scan are blocked with a permission-denied error.

Usage example

Requires a running ClamAV daemon with a Unix socket:

ssh-mitm server --sftp-handler check_file --clamav-socket /tmp/clamd.sock

Notes

  • ClamAV must be reachable via the configured socket; if the connection fails the transfer is blocked as a precaution.

  • The entire file is held in memory — avoid this plugin for very large files without sufficient RAM.

  • Both uploads and downloads are scanned.
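The INSTREAM exchange and the fail-closed verdict described above, as an added example; this is not ssh-mitm's own code. The names frame_instream, is_clean and scan_buffer are hypothetical, and the reply strings assume clamd's documented format ("stream: OK" or "stream: <name> FOUND").

```python
import socket
import struct


def frame_instream(data: bytes, chunk_size: int = 1024) -> bytes:
    """Encode data as one clamd INSTREAM request (null-terminated 'z' form)."""
    parts = [b"zINSTREAM\0"]
    for pos in range(0, len(data), chunk_size):
        chunk = data[pos:pos + chunk_size]
        # Each chunk: 4-byte big-endian length, then the bytes themselves.
        parts.append(struct.pack("!I", len(chunk)) + chunk)
    parts.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(parts)


def is_clean(reply: str) -> bool:
    """Allow only an explicit clean verdict.

    'stream: <name> FOUND', '... ERROR' (for example when clamd's
    StreamMaxLength is exceeded) and an empty reply all count as blocked.
    """
    return reply.rstrip("\0\r\n") == "stream: OK"


def scan_buffer(data: bytes, socket_path: str = "/tmp/clamd.sock",
                chunk_size: int = 1024, timeout: float = 10.0) -> bool:
    """Return True only if clamd answered and reported the buffer clean."""
    reply = b""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(socket_path)
            sock.sendall(frame_instream(data, chunk_size))
            while not reply.endswith(b"\0"):
                part = sock.recv(4096)
                if not part:
                    break
                reply += part
    except OSError:
        return False  # daemon unreachable or timed out: fail closed
    return is_clean(reply.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    sample = b"constructed sample payload\n" * 100  # constructed test input
    print("forward" if scan_buffer(sample) else "block")
```
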

Parameters:
  • sftp (SFTPBaseHandle)

  • filename (str)

class SFTPInterface(serverinterface)

Bases: SFTPProxyServerInterface

Parameters:

serverinterface (BaseServerInterface)

open(path, flags, attr)

Open a file on the server and create a handle for future operations on that file. On success, a new object subclassed from SFTPHandle should be returned. This handle will be used for future operations on the file (read, write, etc). On failure, an error code such as SFTP_PERMISSION_DENIED should be returned.

flags contains the requested mode for opening (read-only, write-append, etc) as a bitset of flags from the os module:

  • os.O_RDONLY

  • os.O_WRONLY

  • os.O_RDWR

  • os.O_APPEND

  • os.O_CREAT

  • os.O_TRUNC

  • os.O_EXCL

(One of os.O_RDONLY, os.O_WRONLY, or os.O_RDWR will always be set.)

The attr object contains requested attributes of the file if it has to be created. Some or all attribute fields may be missing if the client didn’t specify them.

Note

The SFTP protocol defines all files to be in “binary” mode. There is no equivalent to Python’s “text” mode.

Parameters:
  • path (str) – the requested path (relative or absolute) of the file to be opened.

  • flags (int) – flags or’d together from the os module indicating the requested mode for opening the file.

  • attr (SFTPAttributes) – requested attributes of the file if it is newly created.

Return type:

SFTPHandle | int

Returns:

a new SFTPHandle or error code.

__init__(sftp, filename)

Initializes the in-memory buffer and logs the start of the transfer.

Parameters:
  • sftp (SFTPBaseHandle) – the SFTP file handle for the intercepted transfer.

  • filename (str) – the original filename as requested by the client.

check_file()

Scan the buffered file with ClamAV via INSTREAM.

Return type:

bool

close()
Return type:

None

classmethod get_interface()
Return type:

type[BaseSFTPServerInterface] | None

handle_data(data, *, offset=None, length=None)
Parameters:
  • data (bytes)

  • offset (int | None, default: None)

  • length (int | None, default: None)

Return type:

bytes

classmethod parser_arguments()
Return type:

None