Implementing SCP server with Python Paramiko SSH server

Question

I want to fake an SCP server with Paramiko. I have write the following code:

import base64
 
import time
from binascii import hexlify
import os
import socket
import sys
import threading
import traceback
import interactive
# from warnings import cls
import logging
logging.basicConfig(level='DEBUG')

import paramiko
from paramiko import SFTPClient
from paramiko.py3compat import b, u, decodebytes
 
dir_local='/tmp'
# setup logging
paramiko.util.log_to_file("demo_server.log")
 
host_key = paramiko.RSAKey(filename="test_rsa.key")
# host_key = paramiko.DSSKey(filename='test_dss.key')
 
print("Read key: " + u(hexlify(host_key.get_fingerprint())))
 
 
class Server(paramiko.ServerInterface):
    # 'data' is the output of base64.b64encode(key)
    # (using the "user_rsa_key" files)
    data = (
        b"AAAAB3NzaC1yc2EAAAABIwAAAIEAyO4it3fHlmGZWJaGrfeHOVY7RWO3P9M7hp"
        b"fAu7jJ2d7eothvfeuoRFtJwhUmZDluRdFyhFY/hFAh76PJKGAusIqIQKlkJxMC"
        b"KDqIexkgHAfID/6mqvmnSJf0b5W8v5h2pI/stOSwTQ+pxVhwJ9ctYDhRSlF0iT"
        b"UWT10hcuO4Ks8="
    )
    good_pub_key = paramiko.RSAKey(data=decodebytes(data))
 
    def __init__(self):
        logging.info('__init__')
        self.event = threading.Event()
 
    def check_channel_request(self, kind, chanid):
        logging.info('check_channel_request')
        if kind == "session":
            return paramiko.OPEN_SUCCEEDED
        return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
 
    def check_auth_password(self, username, password):
        logging.info('check_auth_password')
        # Here you can add couple user/password
        if (username == "root") and (password == "password"):
            return paramiko.AUTH_SUCCESSFUL
        return paramiko.AUTH_FAILED
 
    def check_auth_publickey(self, username, key):
        logging.info('check_auth_publickey')
        print("Auth attempt with key: " + u(hexlify(key.get_fingerprint())))
        if (username == "micki") and (key == self.good_pub_key):
            return paramiko.AUTH_SUCCESSFUL
        return paramiko.AUTH_FAILED
 
    def check_auth_gssapi_with_mic(
        self, username, gss_authenticated=paramiko.AUTH_FAILED, cc_file=None
    ):
        logging.info('check_auth_gssapi_with_mic')
        """
        .. note::
            We are just checking in `AuthHandler` that the given user is a
            valid krb5 principal! We don't check if the krb5 principal is
            allowed to log in on the server, because there is no way to do that
            in python. So if you develop your own SSH server with paramiko for
            a certain platform like Linux, you should call ``krb5_kuserok()`` in
            your local kerberos library to make sure that the krb5_principal
            has an account on the server and is allowed to log in as a user.
        .. seealso::
            `krb5_kuserok() man page
            <http://www.unix.com/man-page/all/3/krb5_kuserok/>`_
        """
        if gss_authenticated == paramiko.AUTH_SUCCESSFUL:
            return paramiko.AUTH_SUCCESSFUL
        return paramiko.AUTH_FAILED
 
    def check_auth_gssapi_keyex(
        self, username, gss_authenticated=paramiko.AUTH_FAILED, cc_file=None
    ):
        logging.info('check_auth_gssapi_keyex')
        if gss_authenticated == paramiko.AUTH_SUCCESSFUL:
            return paramiko.AUTH_SUCCESSFUL
        return paramiko.AUTH_FAILED
 
    def enable_auth_gssapi(self):
        logging.info('enable_auth_gssapi')
        return True
 
    def get_allowed_auths(self, username):
        logging.info('get_allowed_auths')
        return "gssapi-keyex,gssapi-with-mic,password,publickey"
 
    def check_channel_shell_request(self, channel):
        logging.info('check_channel_shell_request')
        self.event.set()
        return True
 
    def check_channel_pty_request(
        self, channel, term, width, height, pixelwidth, pixelheight, modes
    ):
        logging.info('check_channel_pty_request')
        return True
 
 
DoGSSAPIKeyExchange = True
 
# now connect
try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("192.168.34.10", 22))
except Exception as e:
    print("*** Bind failed: " + str(e))
    traceback.print_exc()
    sys.exit(1)
 
try:
    sock.listen(100)
    print("Listening for connection ...")
    client, addr = sock.accept()
except Exception as e:
    print("*** Listen/accept failed: " + str(e))
    traceback.print_exc()
    sys.exit(1)
 
print("Got a connection!")
 
try:
    t = paramiko.Transport(client, gss_kex=DoGSSAPIKeyExchange)
    t.set_gss_host(socket.getfqdn(""))
    try:
        t.load_server_moduli()
    except:
        print("(Failed to load moduli -- gex will be unsupported.)")
        raise
    t.add_server_key(host_key)
    server = Server()
    try:
        t.start_server(server=server)
    except paramiko.SSHException:
        print("*** SSH negotiation failed.")
        sys.exit(1)
 
    # wait for auth
    chan = t.accept(20)
    if chan is None:
        print("*** No channel.")
        sys.exit(1)
    print("Authenticated!")
 
  
    transport = paramiko.Transport(sock=("192.168.34.10", 22))
    transport.connect(username="root", password="password")
 
    interactive.interactive_shell(chan)

    server.event.wait(450)
    if not server.event.is_set():
        print("*** Client never asked for a shell.")
        sys.exit(1)
 
    chan.send("Success Connect\r\n\r\n")
 
    f = chan.makefile("rU")
 
    while True:
        cmd = f.readline().strip("\r\n")
        myCmd = os.popen(cmd).read()
        print(myCmd)
        # chan.send("\r\nGot The Command, " + myCmd + ".\r\n")

    chan.close()
 
 
except Exception as e:
    print("*** Caught exception: " + str(e.__class__) + ": " + str(e))
    traceback.print_exc()
    try:
        t.close()
    except:
        pass
    sys.exit(1)

On my client, I have the following lines when I launch scp -v file_to_transfer root@192.168.34.10:/home/user/

root@192.168.34.10's password: 
debug1: Authentication succeeded (password).
Authenticated to 192.168.34.10 ([192.168.34.10]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env XMODIFIERS = @im=none
debug1: Sending env LANG = fr_FR.UTF-8
debug1: Sending command: scp -v -t /home/user/
exec request failed on channel 0
lost connection

The ssh connection works well. But when the client send the command scp -v -t /home/user/ the exec request failed.

I've tried a lot and lot modification but I have no idea what to do to solve my issue...

Do you have an idea to solve my problem.

Thanks.

Answer 1

The scp uses "exec" channel, not "shell" channel.

So you need to implement the ServerInterface.check_channel_exec_request.

---

Though note that if you want to create a custom "SCP server", you do not need to code the SSH server. Use a standard SSH server (like OpenSSH) and just implement the custom "SCP server" for it (in Python or whatever language you like). The scp works as a server as well. So all you need to do is to put your fake scp binary (the server) on your SSH server in place of the standard OpenSSH scp binary.

---

In any case, study the OpenSSH scp code to understand how it works.

See also:

• How is SCP (secure copy protocol) file transfer working?
• Explanation for SCP protocol implementation in JSch library