When using telnetlib I noticed some interesting variables:
AUTHENTICATION = chr(37) # Authenticate
XAUTH = chr(41) # XAUTH
PRAGMA_LOGON = chr(138) # TELOPT PRAGMA LOGON
SSPI_LOGON = chr(139) # TELOPT SSPI LOGON
Also, this page lists some RFCs which describe AUTHENTICATION option in detail.
If I understand correctly, if a telnet server supports authentication I should be receiving IAC DO AUTHENTICATION when connecting to it. However, when trying to connect to telnetd on a Linux machine I do not receive this option and so I can't send IAC WILL AUTHENTICATION.
Is my understandng correct? Is there a way I can ask the server to perform authentication? Is it even possible to authenticate telnet session automatically? (without listening to "Login:", "Username:", "Password:" and similar prompts)
Yes, you are understanding RFC 1416 correctly. The server should send DO first, if it supports authentication. You can try sending WILL anyway but that'll be against the spec and probably won't work anyway.
By Linux telnetd, you probably mean the netkit telnetd. And as far as I can see on its manpage:
-a authmode This option may be used for specifying what mode should be used for
authentication. Note that this option is only useful if telnetd has
been compiled with support for authentication, which is not available
in the current version. [...]
So I'd simply say it can't do that. I'm using the OpenBSD telnetd (telnet-bsd package in Gentoo); it seems to have some auth bits but I wasn't able to get it to work at all. I suspect it only supports Kerberos-based auth.
Looking at the authentication types list in RFC 2941, it seems that most authentication types were never even specified. Looking at those which are, DSS/DSA is mostly interesting (it is used in SSH as well) but I guess it will be really hard to find a compliant server and client. Sadly, it seems that there were no proposals for simple (plaintext) authentications there.
So, to sum up: yes, it would be possible if someone implemented it. But since telnet is practically dead, I doubt you'll find server implementations for that. And even if you did, you'd have to write the client-side yourself which won't be that easy with the supported schemes. So I doubt it's worth the effort.
Related
Gooday to All, Im writing down a very sensitive web application that functions like a file browser, Instead of using sftp/ftp or ssh. It uses purely http/https. Im using request.remote_addr to determine the client's IP address. and reject if the ip isn't on the list.
good_ips = ['127.0.0.1','192.168.1.10','192.168.1.1']
if request.remote_addr in good_ips:
pass
else:
sys.exit()
It works fine, but I just would like to ask how reliable and safe this is :).
This would be the result if the ip is not on the list. other wise the site would run fine :D.
Thank you and good day!
No, that's not sufficient to build a "sensitive" service as you are using it.
See https://en.wikipedia.org/wiki/IP_address_spoofing for just a start on what could go wrong.
You should use authentication, such as with a public key (which SSH supports), or a password. Kerberos is also a possibility.
Whether source IP filtering is an adequate measure for you depends on your exact scenario, your threat model. #JohnZwinck is right in that it usually is not enough by itself, but for some applications, it can be.
While it is easy to fake source IP in individual IP packets, http goes over tcp, and a modern implementation of tcp is protected against address spoofing. Older implementations of TCP (in older operating systems) are vulnerable though. So if your server has a recent OS, it is not at all straightforward to spoof a source IP. It's probably easier to compromise a client with an address in the allowed list.
Another thing that can go wrong is related to network address translation (nat). Suppose you restrict access in your application to internal IP addresses (192.168.0.0/24). All works well, but your security department decides there need to be reverse proxies for all web applications. A proxy is deployed and all works fine. However, now your application receives all requests from the proxy wuth an internal address, so the restriction in the application doesn't make much sense anymore. Something simlar can also happen with clients, in some scenarios, clients may be behind nat, meaning they will all have the same apparent client IP address - which can be good or bad.
The best practice is of course to have proper authentication (via passwords, client certificates, or multi-factor, etc., however secure you want it to be), with IP restriction being an additional layer to provide more security.
How can I check if a FTP server allows for TLS when I connect using ftplib? I Found easy documentation on how to use TLS, but no solution on how to check for it. My script is supposed to connect either way, but use TLS if possible.
So do I just connect using TLS and if it fails I do it without? I am sure there must be a better way.
Thank you for your help.
Note that trying an encryption only, is as bad as not using any encryption at all. And maybe even worse, as it gives an impression of security, while there's none.
When you are under an MITM attack, an attacker will divert a TCP traffic to him/her and simulate encryption rejection, making you send your credentials plain-text straight to the attacker.
Anyway:
Call FTP_TLS.auth, check if it throws or not.
Call FTP_TLS.login with secure=False.
If the server supports TLS, the FTP_TLS.auth will enable encryption and the FTP_TLS.login (even with secure=False) will continue using it. If the server does not support encryption, the FTP_TLS.login (with secure=False) continues unencrypted.
Note that FTP_TLS.login (with its secure parameter) is an undocumented method - If you do not want to use it, you can fallback to creating a plain FTP, when FTP_TLS.auth throws.
To check explicitly, you can also use FTP.voidcmd('FEAT') and look for AUTH TLS (or AUTH SSL) in the response.
But there's nothing wrong about trying AUTH TLS/AUTH SSL (what the FTP_TLS.auth does) straight away.
I'm looking to create a Twisted Conch Server/Client SSH application similar to the below:
Client <---Key1---> Server/Client <---Key2---> Server
I guess it's like an SSH MITM or command proxier.
I have read the answers to similar Twisted related questions, such as:
Twisted server-client data sharing
and I understand the theory behind passing client/server data.
The part I am unsure of is the user authentication. I want to pass the login details from the first client, through my twisted conch application to the endpoint server.
Is there a way to do this?
Also, would it be possible to do separate SSH key negotiations but then pass all data, including credentials and any commands typed, between server and client?
Unfortunately, this is a little more complicated than it seems. SSH goes through some pains to try and avoid this kind of MITM. If you don't use the same key negotiation, the publickey authentication won't succeed because string you're signing is different on both sides of the connection (see the RFC section 7 for more).
Password authentication should still work okay, though. The easiest way to do that would be to create a twisted.conch.ssh.session.SSHSession subclass which listens for packets on the packetReceived method and forwards them to the corresponding transport.sendPacket.
I'm using webpy to make a small site. When I want to use OAuth, i find that the firewall will stop the http request to any site, I even can't use IE to browse the Internet.
So i asked the aministrator to open some ports for me, but i don't know which ports will be used by python or IE to send http request.
Thanks!
I assume you're talking about the remote ports. In that case, just tell the admin to open the standard web ports. Really, if your admin doesn't know how to make IE work through the firewall, he's hopeless. I suggest walking up to random people on the street and say "80 and 443" until someone looks up, then fire your admin and hire that guy; he can't be any worse.
If your admin does know what he's doing, and wants you to use an HTTP proxy instead of connecting directly, ask him to set up the proxy for you in IE, look at the settings he uses, then come back here and search for how to use HTTP proxies in Python (there are lots of answers on that), and ask for help if you get stuck.
If you're talking about the local ports, because you're got an insane firewall, they'll be picked at random from some large range. If you want to cover every common OS, you need all of 1024-65535 to be opened up, although if you only need to deal with a single platform, most use a smaller range than that, and if the machine won't be doing much but running your program, most have a way to restrict it to an even smaller range (e.g., as small as 255 ports on Windows). Google "ephemeral port" for details.
If you need to restrict your local port, the key is to call bind on your socket before calling connect. If you think you're talking about the local ports, you're probably wrong. Go ask your admin (or the new one you just hired) and make sure. But if you are…
If you're using urllib/urllib2, it does not have any way to do what you want, so you can't do that anymore. You can drop down to httplib, which lets you pass a source_address, a (host, port) tuple that it will use to bind the socket before connecting. It's not as simple as what you're using, but it's a lot easier than implementing HTTP from scratch.
You might also want to look at requests, which I know has its own native OAuth support, and probably has a way to specify a source address. (I haven't looked, but I usually find that whenever I want to know if requests can do X, it can, and in the most obvious way I think of…) The API for requests is generally similar to urllib2 when urllib2 is sane, simpler and cleaner when urllib2 is messy, so it's usually pretty easy to port things.
At any rate, however you do this, you will have to consider the fact that only one socket can be bound to the same local port at a time. So, what happens if two programs are running at once, and they both need to make an outbound connections, and your admin has only given you one port? One of them will fail. Is that acceptable?
If not, what you really need to do is open a range of ports, and write code that does a random.shuffle on the range, then tries to bind them until one succeeds. Which means you'll need an HTTP library that lets you feed in a socket factory or a pre-opened socket instead of just specifying a port, which most of them do not, which probably means you'll be hacking up a copy of the httplib source.
If all else fails, you can always set up a local proxy that binds to whatever source port (or port range) you want when proxying outward. Then you can just use your favorite high-level library, as-is, and connect to the local proxy, and there's no way the firewall can tell what's going on behind the proxy.
As you can see, this is not easy. That's mainly because you very actually rarely this.
Generally when a program wants to use a port but doesn't care which number it has, it uses an "ephemeral port." This is typical for client applications, where the remote port is fixed (by the server), but the local port doesn't make any difference.
Often a firewall will allow outgoing connections from any port, simply blocking incoming connections to unknown ports, on the theory that internal machines making outgoing requests should be allowed to decide what is proper, and that bad actors are all on the "public" side.
You may find that your administrator requires you to use an "HTTP proxy." If so, here are the instructions for Ruby which I imagine you can port to Python: Ruby and Rails - oauth and http proxy
I'm writing a simple control panel. It's going to be hosted on a single server, which communicates with other servers to do whatever it needs to. I need suggestions on how to do this securely, both from an authentication and an encryption standpoint. The only thing I've come up with so far is to use RSA keys to encrypt data on the master server and decrypt it on the slave, which would accomplish what I need but something seems flawed about it.
Use SSH.
See also: What is the simplest way to SSH using Python?
Stunnel is pretty handy. I like it since the code doesn't need to deal with encryption at all.
You could use SSL with client/server certificate validation.
Validate SSL certificates with Python
We are developing Versile Python, if you need object-level interaction with python objects over a secure channel you may want to have a look. You can use TLS or VTS to negotiate secure connections using RSA keys, or you can connect over SSH.
Other python object interaction frameworks you may want to consider are Pyro and RPyC.