How to serve a Python CLI application over SSH

Posted 2024-11-30 03:26:41 | 661 words | 0 views | 0 comments

I'm in the process of writing an application with an Urwid front-end and a MongoDB back-end in Python. The ultimate goal is to be able to serve the application over SSH. The application has its own authentication/identity system. I'm not concerned about the overhead of launching a new process for each user; the expected number of concurrent users is low. Since the client does not recall any state information and instead it is all stored in the DB, I'm not concerned about sessions as such except for authentication purposes.

I was wondering if there are any methods of serving the application as is without having to roll my own socket-server code or re-code the app using Twisted. I honestly don't know how Urwid and Twisted play together. I see that Urwid has a TwistedEventLoop method which purports to use the Twisted reactor but I cannot find any example code running an Urwid application over a Twisted connection. Examples would be appreciated, even simple ones. I've also looked at ZeroMQ but that seems even more inscrutable than Twisted. In short I explored a number of different libraries which purport to serve applications over TCP, most of them by telnet. And nearly all of them focusing on HTTP.

Worst case scenario I expect that I may create an extremely locked down user as a global login and use chrooted SSH sessions. That way each user gets their own chroot/process/client. Yes, I know that's probably a "Very Bad Idea(tm)". But I had to throw it out there as a possibility.

I appreciate any constructive feedback. Insults, chides, and arrogance will be scowled at, printed out and spat upon.

-CH


Comments (3)

疑心病 2024-12-07 03:26:41

Twisted has a layer for writing this kind of thing: twisted.conch.insults. I want to be careful not to oversell it; it still needs more documentation and some features are lacking. As the docstring says, it is 'very basic at the moment'.

Insults came about for a reason though. My understanding is that Urwid, even in its Twisted mode, is talking directly to a file descriptor, though, and therefore can't have its output encrypted and transported by the same thread; someone needs to be reading the other end of that file descriptor. I believe the Twisted mode is more about having a console application using Urwid which uses Twisted networking for other stuff; as you might want to have in a client application, or in a server with a console view.

If you don't mind one process per connection, you may be able to write an SSH server using Conch that spawns your Urwid program as a subprocess using a PTY, with information about its authentication and environment supplied, for example, via environment variables. Check out the spawnProcess API and Jean-Paul Calderone's excellent series on using Conch.
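Added example, not part of the answer above and not Twisted or Conch code: a standard-library illustration of the per-connection spawn it describes, running the program on a fresh PTY with an allow-listed environment that carries the already-authenticated identity. The variable name `APP_AUTH_USER`, the username policy and collecting the output instead of relaying it to an SSH channel are assumptions.

```python
import os
import pty
import re
import select
import subprocess

USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumed naming policy
TERM_RE = re.compile(r"[A-Za-z0-9._+-]{1,32}")


def build_child_env(username, term="xterm"):
    """Allow-listed environment: nothing is inherited from the server process."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected username")
    if not TERM_RE.fullmatch(term):
        term = "dumb"  # TERM comes from the client, so treat it as untrusted
    return {"PATH": "/usr/bin:/bin", "LANG": "C.UTF-8", "TERM": term,
            "APP_AUTH_USER": username}  # hypothetical variable name


def run_on_pty(argv, env, timeout=10.0):
    """Run argv (a list, never a shell string) on a new PTY; return its output."""
    master, slave = pty.openpty()
    try:
        proc = subprocess.Popen(argv, stdin=slave, stdout=slave, stderr=slave,
                                env=env, close_fds=True, start_new_session=True)
    except OSError:
        os.close(master)
        raise
    finally:
        os.close(slave)  # the parent keeps only the master end
    chunks = []
    try:
        while True:
            ready, _, _ = select.select([master], [], [], timeout)
            if not ready:  # idle too long: stop the child
                proc.kill()
                break
            try:
                data = os.read(master, 4096)
            except OSError:  # Linux raises EIO once the child side is closed
                break
            if not data:
                break
            chunks.append(data)
    finally:
        os.close(master)
        proc.wait()
    return b"".join(chunks)
```

Because the child only sees the allow-listed variables, anything the server process holds in its own environment stays out of the per-user process unless it is added to `build_child_env` deliberately.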

ζ澈沫 2024-12-07 03:26:41

Since the application does its own auth, you can just dump it through xinetd and let that handle the I/O. Then the users can just telnet to the appropriate port and have it work.

吐个泡泡 2024-12-07 03:26:41

A cheap and possibly very dangerous hack is to put your app as the default shell for a particular user. You need to be very careful though (suggestion: chroot it to hell and back), as it might be possible to break out of the app and into the server.
