1

I'm on the same machine as OpenSSH server, that is, I don't need to authenticate. I, however, want to be able to communicate with OpenSSH server from my client application in Python or other language. Namely, when a new client is connecting, in my python script I want to get notified about that and retrieve their public keys, IP address, etc. And reject that client from logging in. Or maybe allow -- depending on some conditions.

Does OpenSSH server provide such API or callbacks?

Jodari
  • Are you asking about an API that might let you see connections as they're made? You can do that by monitoring the SSH logs ([Fail2ban](http://www.fail2ban.org) is a Python program that does this, for example), or if you want to be more invasive, you could change the users' shells to something that provides additional information that your python code can pick up. – Adam Katz Aug 09 '17 at 19:10
  • If you're otherwise asking about a OpenSSH client that you can use from python, just make system calls using passwordless ssh keys dedicated for this purpose so you don't need to bother the user with authentication. – Adam Katz Aug 09 '17 at 19:11
  • @AdamKatz, `just make system calls using passwordless ssh keys dedicated for this purpose` --> what do you mean? – Jodari Aug 13 '17 at 02:40
  • I'm pretty sure you're actually looking for a log monitor since the key fingerprint, IP, and user data are all logged by sshd, but I've elaborated on both sides in [my answer below](https://serverfault.com/a/868578/209449). If you reply with which one is more appropriate, I'll remove the other and provide a link to the older revision that still contains it. – Adam Katz Aug 14 '17 at 16:08

3 Answers

2

It does not offer an API.

Keep in mind, since you are talking about authentication, that OpenSSH can use PAM. So you could probably collect some information about authentication and make allow/reject decisions in a PAM module, but I don't think that can be done with python.

Zoredache
2

If your clients never use a password but always a key, you can use the AuthorizedKeysCommand parameter in sshd_config to execute your Python script in order to validate the SSH key. You can probably do some tricks to also find the IP, etc., by detecting your Python process's parent process and checking its file descriptors.

I hope this helps.

Florin Asăvoaie
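As an added example (not Florin's code and not part of OpenSSH), here is a Python script that can be wired in as the AuthorizedKeysCommand. It assumes an sshd_config containing `AuthorizedKeysCommand /usr/local/sbin/ssh-key-gate %u %t %k %f` and `AuthorizedKeysCommandUser nobody`; the script path, the allowlist file /etc/ssh/key-allowlist.txt and its format, and the time-of-day policy are all assumptions made for the example. sshd passes the user name, key type, base64 key blob and fingerprint; whatever the script prints is used as the authorized_keys content for that login attempt, so printing nothing rejects the key.

```python
#!/usr/bin/env python3
"""Hypothetical AuthorizedKeysCommand script (assumed path /usr/local/sbin/ssh-key-gate).

Assumed sshd_config lines:
    AuthorizedKeysCommand /usr/local/sbin/ssh-key-gate %u %t %k %f
    AuthorizedKeysCommandUser nobody

sshd passes user name (%u), key type (%t), base64 key (%k) and fingerprint (%f).
Whatever this script prints is treated as authorized_keys content for that key;
printing nothing rejects the key.  There is no token for the client address.
"""
import sys
from datetime import datetime, timezone

# Assumed location of the allowlist; format per line: user type base64-key [options]
ALLOWLIST_PATH = "/etc/ssh/key-allowlist.txt"

# Hours (UTC) during which allowlisted keys may log in: one example of the
# "depending on some conditions" policy the question asks for.
ALLOWED_HOURS = range(7, 20)

# Constructed sample keys: valid base64 blobs around all-zero / all-0x01 key
# material, not real keys.  Used by the inline sample allowlist below.
JODARI_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
DEPLOY_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB"

SAMPLE_ALLOWLIST = f"""\
# user    type         base64-key    options (authorized_keys syntax, no spaces)
jodari    ssh-ed25519  {JODARI_KEY}  from="127.0.0.1"
deploy    ssh-ed25519  {DEPLOY_KEY}  restrict,command="/usr/local/bin/deploy.sh"
"""


def parse_allowlist(text):
    """Return a list of (user, key_type, base64_key, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue                      # malformed line: ignore, never authorize
        user, key_type, key = parts[:3]
        options = parts[3].strip() if len(parts) == 4 else ""
        entries.append((user, key_type, key, options))
    return entries


def decide(user, key_type, key, entries, hour=None):
    """Return the authorized_keys line to hand back to sshd, or None to reject."""
    if hour is None:
        hour = datetime.now(timezone.utc).hour
    for e_user, e_type, e_key, e_opts in entries:
        # Exact match on user AND key blob: a key listed for another user is no use.
        if (e_user, e_type, e_key) != (user, key_type, key):
            continue
        if hour not in ALLOWED_HOURS:
            return None                   # known key, but outside the policy window
        prefix = e_opts + " " if e_opts else ""
        return f"{prefix}{e_type} {e_key} allowlist:{e_user}"
    return None


def main(argv):
    import syslog                         # Unix-only module; imported here on purpose
    if len(argv) != 5:
        print("usage: ssh-key-gate USER KEYTYPE BASE64KEY FINGERPRINT", file=sys.stderr)
        return 2
    user, key_type, key, fingerprint = argv[1:5]
    with open(ALLOWLIST_PATH, encoding="utf-8") as fh:
        entries = parse_allowlist(fh.read())
    line = decide(user, key_type, key, entries)
    # Log the decision with the fingerprint; it is easier to read than the blob.
    syslog.openlog("ssh-key-gate", syslog.LOG_PID, syslog.LOG_AUTH)
    verdict = "allow" if line else "reject"
    syslog.syslog(syslog.LOG_INFO if line else syslog.LOG_WARNING,
                  f"{verdict} user={user} {key_type} {fingerprint}")
    if line:
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

sshd refuses to run the command unless the file is owned by root and not writable by group or others, and it refuses to start if AuthorizedKeysCommand is set without AuthorizedKeysCommandUser. The script only ever sees the key and the user name; the client address is not among the tokens, which is why the answer talks about inspecting the parent process for it. Keep the allowlist file root-owned as well, since anyone who can edit it can authorize keys.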
0

I see two ways to interpret your question.

Log monitoring

Perhaps you're really looking for a log monitoring script like Fail2ban (which is a free software python project, so you can see how their code works).

SSH server logs vary in their location based on how they are installed. They most commonly live in /var/log/auth.log, /var/log/secure, /var/log/sshd.log, or a similar name in an alternate log area like /usr/local/var/log/ (see also How to check sshd log?). Here's a sample log:

Aug 14 12:34:56 jodari-desktop sshd[12345]: Accepted pubkey for jodari from 127.0.0.1 port 54321 ssh2: RSA SHA256:3xyQ+PG0Z3CIiShclJ2iNya5TOdKDgE/HrOXr11IdOo

If you "want to get notified about that and retrieve their public keys, IP address, etc." then you need only monitor that line. (It is possible you need to increase the LogLevel in /etc/ssh/sshd_config or wherever that file lives.)

If you're looking to retrieve the user's actual public keys (rather than just their fingerprints), your script would merely need to traverse their $HOME/.ssh/authorized_keys file (that's the default location; it can be changed with the AuthorizedKeysFile directive in your sshd_config). You'll need to match the fingerprint to the public key. It's free if there's only one valid line in the file, but you'd otherwise need to generate each public key's fingerprint and match it to the fingerprint you extracted from the logs. Just search for the fingerprint in the output of the following command:

ssh-keygen -lf "$HOME/.ssh/authorized_keys"

 

Running commands via SSH

If you're actually looking to run things as they'd be experienced in an SSH session, you can use passwordless ssh keys to run commands.

Generate ssh keys for internal use only and you'll have automated passwordless access via ssh on localhost. This will keep everything controlled by OpenSSH, so to monitor connections, just look for localhost as authenticated by the dedicated internal keys in the standard SSH logs.

I can't speak to the python way of doing this, but you can do all of these in python as system calls.

To create the key:

mkdir -p "$HOME/.ssh"
chmod 700 "$HOME/.ssh"
ssh-keygen -t rsa -b 4096 -P "" -C "python script PASSWORDLESS access" \
  -f "$HOME/.ssh/python-localhost.id_rsa"

To install it locally:

cat "$HOME/.ssh/python-localhost.id_rsa.pub" >> "$HOME/.ssh/authorized_keys"

To then use it:

ssh -i "$HOME/.ssh/python-localhost.id_rsa" localhost your_command_goes_here
Adam Katz
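As an added example that is not part of the answer above: a Python script for the log-monitoring interpretation. It picks the user, address, port and key fingerprint out of sshd lines like the sample, and matches a logged fingerprint to a line in an authorized_keys file by computing OpenSSH's SHA256 fingerprint itself (base64 of the SHA-256 of the decoded key blob, padding stripped) instead of shelling out to ssh-keygen -lf. The log lines and key blobs are constructed samples: the first log line is the one quoted above, and the key blobs are valid base64 around all-zero / all-0x01 material, not real keys.

```python
#!/usr/bin/env python3
"""Parse sshd 'Accepted'/'Failed' log lines and map a logged fingerprint back
to the matching authorized_keys line.  Standard library only."""
import base64
import hashlib
import re

# One regex for the lines sshd writes when an authentication attempt completes.
# The "ssh2: TYPE FINGERPRINT" trailer is only present for public-key attempts.
AUTH_LINE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fingerprint>\S+))?"
)

# Constructed log lines; the first is the one quoted in the answer above.
SAMPLE_LOG = [
    "Aug 14 12:34:56 jodari-desktop sshd[12345]: Accepted pubkey for jodari from 127.0.0.1 port 54321 ssh2: RSA SHA256:3xyQ+PG0Z3CIiShclJ2iNya5TOdKDgE/HrOXr11IdOo",
    "Aug 14 12:35:01 jodari-desktop sshd[12350]: Failed publickey for jodari from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "Aug 14 12:35:07 jodari-desktop sshd[12351]: Accepted password for jodari from 192.0.2.10 port 50002 ssh2",
    "Aug 14 12:35:09 jodari-desktop sshd[12351]: pam_unix(sshd:session): session opened for user jodari by (uid=0)",
]

# Constructed authorized_keys content: valid base64 blobs, not real keys.
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed authorized_keys file",
    'from="127.0.0.1" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA jodari@localhost',
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB deploy@localhost",
]

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_sshd_line(line):
    """Return a dict describing the authentication event, or None for other lines."""
    m = AUTH_LINE.search(line)
    if not m:
        return None
    event = m.groupdict()               # unmatched optional groups come back as None
    event["port"] = int(event["port"])
    event["accepted"] = event["outcome"] == "Accepted"
    return event


def scan_log(lines):
    """Keep only the lines that describe an authentication attempt."""
    return [e for e in (parse_sshd_line(ln) for ln in lines) if e]


def fingerprint_of_blob(blob):
    """OpenSSH SHA256 fingerprint: base64(sha256(blob)) with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_key(line):
    """Split an authorized_keys line into (type, base64, comment).

    Leading options (from=, command=, restrict, ...) are skipped by locating the
    key-type token by prefix rather than by position, so a quoted option that
    contains whitespace does not throw the parser off."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def fingerprint_of_authorized_key(line):
    """Fingerprint of one authorized_keys line, or None if it is not a key line."""
    parsed = parse_authorized_key(line)
    if parsed is None:
        return None
    try:
        blob = base64.b64decode(parsed[1], validate=True)
    except ValueError:                  # binascii.Error is a ValueError subclass
        return None
    return fingerprint_of_blob(blob)


def find_key_for_fingerprint(authorized_keys_lines, fingerprint):
    """Return the authorized_keys line whose key has this fingerprint, else None."""
    for line in authorized_keys_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if fingerprint_of_authorized_key(line) == fingerprint:
            return line
    return None


if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(ev["outcome"], ev["method"], ev["user"], ev["ip"], ev["port"], ev["fingerprint"])
        if ev["fingerprint"]:
            print("  authorized_keys match:", find_key_for_fingerprint(SAMPLE_AUTHORIZED_KEYS, ev["fingerprint"]))
```

The fingerprint string produced here is the same one ssh-keygen -lf prints, so the two can be compared directly; with the sample data nothing matches the quoted log line, because its key is not in the constructed authorized_keys content. To use this against a live system, feed it the tail of whichever log file sshd writes to and the authorized_keys file of the user named in each event.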