Compare commits
22 Commits
Author | SHA1 | Date |
---|---|---|
Bandie | d0db0a7d94 | |
Bandie | 384c7368b2 | |
Bandie | 63e52b8c3e | |
Bandie | 4622833ff5 | |
Bandie | 57fb2f7b99 | |
Bandie | 3e7f23ccd1 | |
Bandie | abf6a0f563 | |
Bandie | 6687604446 | |
Bandie | 1a3e532b29 | |
Bandie | 36dd610965 | |
Bandie | 2141418097 | |
Bandie | 6d24484430 | |
Bandie | 9b03d6f928 | |
Bandie | dc027362f0 | |
Bandie | 406accc716 | |
Bandie | 72c68cabde | |
Bandie | a7d27c5ee9 | |
Bandie | 600524809c | |
Bandie | ae3043b1de | |
Bandie | b17e6c9353 | |
Bandie | aef87bed4a | |
Bandie | 4a09411676 |
|
@ -1,28 +1,28 @@
|
|||
#!/bin/bash
|
||||
|
||||
## Server private key
|
||||
echo -n "Where to save your server's key file? ($PWD/ding_server.key): "
|
||||
echo -n "Where to save your server's key file? ($PWD/dingd.key): "
|
||||
read temp
|
||||
|
||||
if [ -n "$temp" ]
|
||||
then
|
||||
save=$temp
|
||||
else
|
||||
save="$PWD/ding_server.key"
|
||||
save="$PWD/dingd.key"
|
||||
fi
|
||||
key=$save
|
||||
openssl genrsa -out $save 4096
|
||||
|
||||
|
||||
## CSR
|
||||
echo -n "Where to save your Certificate Signing Request (CSR)? ($PWD/ding_server.csr): "
|
||||
echo -n "Where to save your Certificate Signing Request (CSR)? ($PWD/dingd.csr): "
|
||||
read temp
|
||||
|
||||
if [ -n "$temp" ]
|
||||
then
|
||||
save=$temp
|
||||
else
|
||||
save="$PWD/ding_server.csr"
|
||||
save="$PWD/dingd.csr"
|
||||
fi
|
||||
csr=$save
|
||||
echo -e "\033[01;33mPlease enter some information. THEY MUST BE DIFFERENT FROM THE CA's INFORMATION.\033[00m"
|
||||
|
@ -50,14 +50,14 @@ else
|
|||
loadCAkey="$PWD/CA.key"
|
||||
fi
|
||||
|
||||
echo -n "Where to save your signed server certificate? ($PWD/ding_server.crt): "
|
||||
echo -n "Where to save your signed server certificate? ($PWD/dingd.crt): "
|
||||
read temp
|
||||
|
||||
if [ -n "$temp" ]
|
||||
then
|
||||
save=$temp
|
||||
else
|
||||
save="$PWD/ding_server.crt"
|
||||
save="$PWD/dingd.crt"
|
||||
fi
|
||||
|
||||
echo -n "How many days should the certificate be valid? (365): "
|
||||
|
|
|
@ -1,28 +1,28 @@
|
|||
#!/bin/bash
|
||||
|
||||
## Server private key
|
||||
echo -n "Where to save your client's key file? ($PWD/ding_client.key): "
|
||||
echo -n "Where to save your client's key file? ($PWD/ding.key): "
|
||||
read temp
|
||||
|
||||
if [ -n "$temp" ]
|
||||
then
|
||||
save=$temp
|
||||
else
|
||||
save="$PWD/ding_client.key"
|
||||
save="$PWD/ding.key"
|
||||
fi
|
||||
key=$save
|
||||
openssl genrsa -out $save 4096
|
||||
|
||||
|
||||
## CSR
|
||||
echo -n "Where to save your Certificate Signing Request (CSR)? ($PWD/ding_client.csr): "
|
||||
echo -n "Where to save your Certificate Signing Request (CSR)? ($PWD/ding.csr): "
|
||||
read temp
|
||||
|
||||
if [ -n "$temp" ]
|
||||
then
|
||||
save=$temp
|
||||
else
|
||||
save="$PWD/ding_client.csr"
|
||||
save="$PWD/ding.csr"
|
||||
fi
|
||||
csr=$save
|
||||
echo -e "\033[01;33mPlease enter some information. THEY MUST BE DIFFERENT FROM THE CA's AND SERVER's INFORMATION.\033[00m"
|
||||
|
@ -50,14 +50,14 @@ else
|
|||
loadCAkey="$PWD/CA.key"
|
||||
fi
|
||||
|
||||
echo -n "Where to save your signed client certificate? ($PWD/ding_client.crt): "
|
||||
echo -n "Where to save your signed client certificate? ($PWD/ding.crt): "
|
||||
read temp
|
||||
|
||||
if [ -n "$temp" ]
|
||||
then
|
||||
save=$temp
|
||||
else
|
||||
save="$PWD/ding_client.crt"
|
||||
save="$PWD/ding.crt"
|
||||
fi
|
||||
|
||||
echo -n "How many days should the certificate be valid? (365): "
|
||||
|
|
2
LICENSE
2
LICENSE
|
@ -1,6 +1,6 @@
|
|||
BSD 2-Clause License
|
||||
|
||||
Copyright (c) 2017, Bandie Canis
|
||||
Copyright (c) 2017, Bandie <bandie@chaospott.de>
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
|
|
38
README.md
38
README.md
|
@ -1,20 +1,24 @@
|
|||
# ding
|
||||
## What is ding?
|
||||
ding is a client-server thing written in python3. Its aim is to execute a set of commands remotely, which commands can be set in the server's config file.
|
||||
ding is a client-server thing written in python3. Its aim is to execute a set of commands remotely. The commands can be set in the server's config file.
|
||||
|
||||
|
||||
## How does it work?
|
||||
The server will wait for a command to be sent by a client. If the command is present within the servers config file it will then execute the command, else nothing will happen.
|
||||
The server will wait for a command to be sent by a client. If the command is present within the server's config file it will then execute the command, else nothing will happen.
|
||||
|
||||
|
||||
## What about ding's security?
|
||||
The authentication is done via a SSL Client Certificate signed by an (self generated) Certificate Authority. The scripts for generating a CA and signing the Server/Client Certificates are also included to make it (relatively) easy. [ This involves typing in a few certificate details and entering a previously defined CA password. ]
|
||||
|
||||
|
||||
## Pic or didn't happen
|
||||
![Screenshot of ding](/img/dingScreenshot.png)
|
||||
[Can't read a thing?](https://raw.githubusercontent.com/Bandie/ding/master/img/dingScreenshot.png)
|
||||
![Screenshot of ding](https://git.chaospott.de/Bandie/ding/raw/branch/master/img/dingScreenshot.png)
|
||||
|
||||
|
||||
## Requirements
|
||||
* Install python3 on your target computers.
|
||||
|
||||
|
||||
## Installation
|
||||
At every step please read carefully what the generate certificates scripts want from you. The information on the certificates doesn't need to be true and can be totally random. They only need to be different from one another.
|
||||
|
||||
|
@ -23,22 +27,28 @@ Step 1 to 3 can only be run on UNIX or GNU/Linux.
|
|||
1. Run `./1_generateCA.sh` to generate a CA.
|
||||
2. Run `./2_generateServCert.sh` to generate a signed Server Certificate.
|
||||
3. Run `./3_generateClientCert.sh` to generate a signed Client Certificate.
|
||||
4. Move `ding_client`, `ding_client.cfg`, `ding_client.crt`, `ding_client.key` and `CA.crt` to the computer which should be able to send commands to the server.
|
||||
* UNIX or GNU/Linux: Also move `ding_client.cfg` to that computer.
|
||||
* Windows: Also move `ding_client.win.cfg` to that computer.
|
||||
5. Do some configuration on the server and client (ding\_server.cfg, ding\_client.cfg or ding\_server.win.cfg, ding\_client.win.cfg on Windows).
|
||||
6. Start the server using `./ding_server` or `python .\ding_server` on Windows. (You may want to put this in a tmux session. [Ctrl+B, D] ;) ).
|
||||
7. Try out the client using `./ding_client <command>` òr `python .\ding_client <command>` on Windows.
|
||||
4. Move `ding`, `ding.cfg`, `ding.crt`, `ding.key` and `CA.crt` to the computer which should be able to send commands to the server.
|
||||
* UNIX or GNU/Linux: Also move `ding.cfg` to that computer.
|
||||
* Windows: Also move `ding.win.cfg` to that computer.
|
||||
5. Do some configuration on the server and client (`dingd.cfg`, `ding.cfg` or `dingd.win.cfg`, `ding.win.cfg` on Windows).
|
||||
6. Start the server using `./dingd` or `python .\dingd` on Windows. (You may want to put this in a tmux session. [Ctrl+B, D] ;) ).
|
||||
7. Try out the client using `./ding <command>` òr `python .\ding <command>` on Windows.
|
||||
|
||||
### A word about the commands
|
||||
It works much better to use (bash) scripts instead of executing the commands directly.
|
||||
|
||||
## Optional: Cleartext password with timeout
|
||||
If you want to be sure that this power won't be abused by bad people using your computer, you may want to add a password (saved in cleartext).
|
||||
The password will be sent inside the TLS connection.
|
||||
The password will be sent inside the TLS connection.
|
||||
|
||||
To do so:
|
||||
### Warning! Beware of the shell history!
|
||||
You might want to do something like `$ history -c` after sending the password via the client or play around with bash's HISTCONTROL variable.
|
||||
|
||||
1. Open your `ding_server.cfg` or `ding_server.win.cfg`.
|
||||
### How to enable the password
|
||||
|
||||
1. Open your `dingd.cfg` or `dingd.win.cfg`.
|
||||
2. Set `pw_on=true`.
|
||||
3. Set a password, like `password=abc def`.
|
||||
4. Set a password timeout: `pwtimeout=10` for 10 seconds.
|
||||
|
||||
If you have a password with special characters as in spaces and the like, you may want to use quotation marks around your password. `./ding_client "abc def"` or `python .\ding_client "abc def"` on Windows.
|
||||
If you have a password with special characters as in spaces and the like, you may want to use quotation marks around your password. `./ding "abc def"` or `python .\ding "abc def"` on Windows.
|
||||
|
|
|
@ -3,26 +3,32 @@
|
|||
# Author: Bandie Canis
|
||||
# License: 2-Clause BSD License
|
||||
|
||||
import sys, ssl, socket, os
|
||||
import sys, ssl, socket, os, getopt
|
||||
import configparser
|
||||
|
||||
|
||||
global exitcode
|
||||
host = None
|
||||
port = 0
|
||||
cafile = None
|
||||
certfile = None
|
||||
keyfile = None
|
||||
exitcode = 1
|
||||
|
||||
def readConfig():
|
||||
def init(conf):
|
||||
|
||||
if(os.name == 'nt'):
|
||||
CONFIG = "ding_client.win.cfg"
|
||||
if(conf == None):
|
||||
if(os.name == 'nt'):
|
||||
CONFIG = "ding.win.cfg"
|
||||
else:
|
||||
CONFIG = "ding.cfg"
|
||||
else:
|
||||
CONFIG = "ding_client.cfg"
|
||||
CONFIG = conf
|
||||
|
||||
cfg = configparser.SafeConfigParser()
|
||||
cfg = configparser.ConfigParser()
|
||||
try:
|
||||
cfg.read(CONFIG)
|
||||
|
||||
global host, port, cafile, certfile, keyfile
|
||||
|
||||
host = cfg.get("Client", "host")
|
||||
port = int(cfg.get("Client", "port"))
|
||||
|
||||
|
@ -30,7 +36,7 @@ def readConfig():
|
|||
certfile = cfg.get("Client", "certfile")
|
||||
keyfile = cfg.get("Client", "keyfile")
|
||||
except configparser.NoSectionError:
|
||||
print("No suitable config found. Expecting some config in", CONFIG)
|
||||
print("No suitable config found. Expecting some config in", CONFIG, file=sys.stderr)
|
||||
quit(3)
|
||||
|
||||
|
||||
|
@ -38,7 +44,7 @@ def send(conn, cmd):
|
|||
|
||||
conn.connect((host, port))
|
||||
buf = conn.recv(1024)
|
||||
if(buf == b"OK 1337\n"):
|
||||
if(buf == b"OK 1337\n"):
|
||||
conn.sendall(cmd)
|
||||
buf = conn.recv(1024)
|
||||
if(buf == b"OK CMD"):
|
||||
|
@ -47,10 +53,10 @@ def send(conn, cmd):
|
|||
print("Error. Server said: The command isn't set on the server.", file=sys.stderr)
|
||||
exitcode = 1
|
||||
elif(buf == b"ERR CMD_ERR"):
|
||||
print("Error. Server said: The command doesn't work because the file doesn't exist on the server.")
|
||||
print("Error. Server said: The command doesn't work because the file doesn't exist on the server.", file=sys.stderr)
|
||||
exitcode = 2
|
||||
elif(buf == b"ERR PW"):
|
||||
print("Error. Password required. The password was wrong.")
|
||||
print("Error. Password required. The password was wrong.", file=sys.stderr)
|
||||
exitcode = 4
|
||||
elif(b"OK PW" in buf):
|
||||
bufr=str(buf.decode('utf-8'))
|
||||
|
@ -61,10 +67,10 @@ def send(conn, cmd):
|
|||
print("The server seems to be crazy. Nothing sent.", file=sys.stderr)
|
||||
|
||||
conn.close()
|
||||
quit(exitcode)
|
||||
|
||||
|
||||
|
||||
def main():
|
||||
def main(arg):
|
||||
try:
|
||||
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
|
||||
context.verify_mode = ssl.CERT_REQUIRED
|
||||
|
@ -82,7 +88,7 @@ def main():
|
|||
|
||||
|
||||
try:
|
||||
send(conn, bytes(sys.argv[1], sys.stdin.encoding))
|
||||
send(conn, bytes(arg[0], sys.stdin.encoding))
|
||||
except IndexError:
|
||||
print(sys.argv[0], ": Missing argument.\nSyntax: ", sys.argv[0], " <COMMAND>", file=sys.stderr)
|
||||
except ConnectionRefusedError:
|
||||
|
@ -95,7 +101,16 @@ def main():
|
|||
|
||||
|
||||
if(__name__ == "__main__"):
|
||||
readConfig()
|
||||
main()
|
||||
quit(exitcode)
|
||||
try:
|
||||
conf = None
|
||||
opts, args = getopt.getopt(sys.argv[1:], "c:")
|
||||
for o, a in opts:
|
||||
if o == "-c":
|
||||
conf = a
|
||||
init(conf)
|
||||
main(args)
|
||||
except getopt.GetoptError as e:
|
||||
print("Error using options. Allowed options:\n-c [FILE] - Config file\n")
|
||||
quit(2)
|
||||
|
||||
quit(exitcode)
|
|
@ -5,6 +5,6 @@ port=13573
|
|||
|
||||
cafile=CA.crt
|
||||
#Client Certificate/key signed by the CA above
|
||||
certfile=ding_client.crt
|
||||
keyfile=ding_client.key
|
||||
certfile=ding.crt
|
||||
keyfile=ding.key
|
||||
|
|
@ -5,6 +5,6 @@ port=13573
|
|||
|
||||
cafile=CA.crt
|
||||
#Client Certificate/key signed by the CA above
|
||||
certfile=ding_client.crt
|
||||
keyfile=ding_client.key
|
||||
certfile=ding.crt
|
||||
keyfile=ding.key
|
||||
|
|
@ -3,24 +3,37 @@
|
|||
# Author: Bandie Canis
|
||||
# License: 2-Clause BSD license
|
||||
|
||||
import ssl, socket, subprocess, time, os
|
||||
import ssl, socket, subprocess, time, os, sys, getopt
|
||||
import configparser
|
||||
|
||||
CONFIG = None
|
||||
host = None
|
||||
port = 0
|
||||
cafile = None
|
||||
certfile = None
|
||||
keyfile = None
|
||||
pw_on = None
|
||||
password = None
|
||||
pwtimeout = 30
|
||||
tmppw_on = None
|
||||
context = None
|
||||
bindsocket = None
|
||||
|
||||
|
||||
|
||||
def getTimestamp():
|
||||
t = "[" + time.strftime("%Y-%m-%d %H:%M:%S") + "]"
|
||||
return t
|
||||
|
||||
def execFromConfig(option, pw=False):
|
||||
cfg = configparser.SafeConfigParser()
|
||||
cfg.read(CONFIG)
|
||||
cfg = configparser.ConfigParser()
|
||||
cfg.read(CONFIG)
|
||||
|
||||
if(pw):
|
||||
if(option == password):
|
||||
return 4
|
||||
else:
|
||||
return 5
|
||||
|
||||
|
||||
else:
|
||||
|
||||
|
@ -39,16 +52,14 @@ def execFromConfig(option, pw=False):
|
|||
print(getTimestamp(), "No execution set:", option)
|
||||
return 1
|
||||
|
||||
|
||||
|
||||
def main():
|
||||
while True:
|
||||
newsocket, fromaddr = bindsocket.accept()
|
||||
try:
|
||||
connstream = context.wrap_socket(newsocket, server_side=True)
|
||||
connstream = context.wrap_socket(newsocket, server_side=True)
|
||||
print(getTimestamp(), "Incoming connection:", fromaddr[0])
|
||||
connstream.send(b"OK 1337\n")
|
||||
|
||||
|
||||
con_loop = True
|
||||
while con_loop:
|
||||
global tmppw_on, pw_on, pwtimeout
|
||||
|
@ -56,7 +67,7 @@ def main():
|
|||
del timeout
|
||||
tmppw_on=pw_on
|
||||
print(getTimestamp(), "Locked.")
|
||||
|
||||
|
||||
try:
|
||||
buf = connstream.recv(1024)
|
||||
if not buf: break
|
||||
|
@ -67,9 +78,7 @@ def main():
|
|||
except ConnectionResetError:
|
||||
print(getTimestamp(), "Connection reset.")
|
||||
serve()
|
||||
|
||||
|
||||
|
||||
if(tmppw_on):
|
||||
retval = execFromConfig(buf, True)
|
||||
if(retval == 5):
|
||||
|
@ -81,7 +90,7 @@ def main():
|
|||
connstream.send(bytes(pwokstr, "utf-8"))
|
||||
timeout=time.time() + pwtimeout
|
||||
tmppw_on = False
|
||||
|
||||
|
||||
else:
|
||||
print(getTimestamp(), " ", fromaddr[0], ": ", buf, sep="")
|
||||
retval = execFromConfig(buf)
|
||||
|
@ -91,7 +100,6 @@ def main():
|
|||
connstream.send(b"ERR NO_CMD")
|
||||
elif(retval == 2):
|
||||
connstream.send(b"ERR CMD_ERR")
|
||||
|
||||
|
||||
except ssl.SSLError as e:
|
||||
print(getTimestamp(), e)
|
||||
|
@ -99,16 +107,19 @@ def main():
|
|||
except EOFError:
|
||||
print(getTimestamp(), "EOF")
|
||||
|
||||
def init():
|
||||
def init(cfg=None):
|
||||
|
||||
global CONFIG, host, port, cafile, certfile, keyfile, pw_on, password, pwtimeout, tmppw_on, context, bindsocket
|
||||
|
||||
if(os.name == 'nt'):
|
||||
CONFIG = "ding_server.win.cfg"
|
||||
else:
|
||||
CONFIG = "ding_server.cfg"
|
||||
|
||||
cfg = configparser.SafeConfigParser()
|
||||
if(cfg==None):
|
||||
if(os.name == 'nt'):
|
||||
CONFIG = "dingd.win.cfg"
|
||||
else:
|
||||
CONFIG = "dingd.cfg"
|
||||
else:
|
||||
CONFIG = cfg
|
||||
|
||||
cfg = configparser.ConfigParser()
|
||||
cfg.read(CONFIG)
|
||||
|
||||
try:
|
||||
|
@ -125,11 +136,10 @@ def init():
|
|||
else:
|
||||
pw_on = False
|
||||
tmppw_on=pw_on
|
||||
except configparser.NoOptionError as e:
|
||||
print("Error in configuration file:", e)
|
||||
except configparser.NoSectionError as e:
|
||||
print("Error in configuration file:", e, file=sys.stderr)
|
||||
quit(1)
|
||||
|
||||
|
||||
try:
|
||||
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
|
||||
context.load_cert_chain(certfile=certfile, keyfile=keyfile)
|
||||
|
@ -155,11 +165,11 @@ def init():
|
|||
except PermissionError:
|
||||
print("Error: Can't bind for port number ", port, ". Permission denied.", sep="")
|
||||
quit(1)
|
||||
|
||||
print("Running ding server on ", host, ":", port,
|
||||
|
||||
print("Running dingd on ", host, ":", port,
|
||||
"\nConfig: ", CONFIG,
|
||||
"\nCAFile: ", cafile,
|
||||
"\nCertfile: ", certfile,
|
||||
"\nCAFile: ", cafile,
|
||||
"\nCertfile: ", certfile,
|
||||
"\nKeyfile: ", keyfile,
|
||||
"\nPassword lock: ", pw_on,
|
||||
"\nPassword timeout: ", pwtimeout,
|
||||
|
@ -169,10 +179,17 @@ def init():
|
|||
|
||||
|
||||
if(__name__ == "__main__"):
|
||||
|
||||
try:
|
||||
init()
|
||||
conf = None
|
||||
opts, args = getopt.getopt(sys.argv[1:], "c:")
|
||||
for o, a in opts:
|
||||
if o == "-c":
|
||||
conf = a
|
||||
init(conf)
|
||||
main()
|
||||
except getopt.GetoptError as e:
|
||||
print("Error using options. Allowed options:\n-c [FILE] - Config file\n")
|
||||
quit(2)
|
||||
except KeyboardInterrupt:
|
||||
print("\r\rServer stopped.")
|
||||
|
|
@ -7,10 +7,10 @@ port=13573
|
|||
cafile=CA.crt
|
||||
|
||||
# Server's certificate [signed by the CA above]
|
||||
certfile=ding_server.crt
|
||||
certfile=dingd.crt
|
||||
|
||||
# Server's private key
|
||||
keyfile=ding_server.key
|
||||
keyfile=dingd.key
|
||||
|
||||
## Optional cleartext password
|
||||
# To unlock the commands you need to send the password before sending the command.
|
|
@ -7,10 +7,10 @@ port=13573
|
|||
cafile=CA.crt
|
||||
|
||||
# Server's certificate [signed by the CA above]
|
||||
certfile=ding_server.crt
|
||||
certfile=dingd.crt
|
||||
|
||||
# Server's private key
|
||||
keyfile=ding_server.key
|
||||
keyfile=dingd.key
|
||||
|
||||
## Optional cleartext password
|
||||
# To unlock the commands you need to send the password before sending the command.
|
|
@ -0,0 +1,10 @@
|
|||
[Unit]
|
||||
Description=dingd Service
|
||||
|
||||
[Service]
|
||||
ExecStart=/root/ding/dingd -c /path/to/config/file/dingd.cfg
|
||||
Restart=on-failure
|
||||
RestartSec=5s
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
Loading…
Reference in New Issue