SSHTunnel Class
The SSHTunnel class can be used to tunnel data through an SSH server to a remote location.
Syntax
class ipworksssh.SSHTunnel
Remarks
The SSHTunnel class implements a daemon that accepts connections and tunnels the data from those connections over a Secure Shell (SSH) connection to a remote location.
First, set ssh_host to the server you wish to use to tunnel the data. ssh_user, ssh_password and the ssh_cert* properties can be used to authenticate the tunneling connection.
Second, set ssh_forward_host to the hostname or IP address of the destination machine, and ssh_forward_port to the port to which you wish to send data. Finally, set listening to true. The class will listen for connections on the interface identified by local_host and local_port.
When a client attempts to connect to the class, the class fires an on_connection_request event that can be used to accept or reject the connection. If the connection is accepted, the class attempts to log on to the ssh_host and asks the server to open a forwarded channel to the remote machine. Once this process is complete, the tunnel is established and data can be transmitted securely from end to end. Because the SSH server's identity is what makes the tunnel trustworthy, verify its host key in on_ssh_server_authentication (or pin it with ssh_accept_server_host_key_encoded or SSHAcceptServerHostKeyFingerPrint) rather than setting SSHAcceptAnyServerHostKey.
Example: Connecting Between Networks
A client in Network A wishes to connect to a resource in Network B. Both networks are secured by a firewall, making it difficult to freely connect to resources within the other network. However, Network B contains an SSH server which supports tunneling. An SSHTunnel class set up within Network A can be used to access any resource in Network B that the SSH server can reach.
The ssh_host and ssh_port properties must be set to the hostname and port exposed by Network B's firewall. ssh_forward_host and ssh_forward_port are then set to the address and port of the resource within Network B to which the client in Network A wishes to connect. Any client in Network A that can reach the SSHTunnel instance's local_host and local_port can then connect to it, so bind local_host to the loopback interface or another restricted interface, or limit callers with AllowedClients or by rejecting them in on_connection_request, unless the tunnel is intended to be shared.
As clients within Network A connect to the SSHTunnel, the class forwards the connections, secured by SSH, through the network firewalls to the SSH server in Network B. The SSH server then connects to the resource within Network B and forwards all data received from the SSHTunnel instance to that resource. All data received from the resource is forwarded back to the original client in Network A. Only the leg between the SSHTunnel instance and the SSH server is protected by SSH; the legs from the client to local_port and from the SSH server to ssh_forward_host carry the application data as the application sends it.
Note: Server components are designed to process events as they occur. To ensure events are processed in a timely manner do_events should be called in a loop after the server is started.
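The following is an added example covering the setup steps above and the two-network scenario; it is not /n software's code. The property, method and event names (ssh_host, ssh_forward_host, listening, do_events, on_connection_request, on_ssh_server_authentication, shutdown) are taken from this page, while the attribute names on the event argument object (e.address, e.fingerprint, e.accept), the exact fingerprint format the class reports, and the sample key material are assumptions. The pure helpers run without the library installed: they derive a pin from an ssh-keyscan or authorized_keys style host-key line, compare a reported fingerprint against the pin in constant time, and decide whether a connecting client falls inside an allow-list. run_tunnel wires those checks into an SSHTunnel and pumps do_events as the note above requires.

```python
# Added example: host-key pinning and client allow-listing around SSHTunnel.
# Not /n software's code. Property/method/event names come from the page;
# event-argument attributes (e.address, e.fingerprint, e.accept) are assumed.
import base64
import hashlib
import hmac
import ipaddress
import struct

_KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_openssh_key_line(line):
    """Return (key_type, raw_blob) from an authorized_keys or ssh-keyscan line."""
    parts = line.split()
    # ssh-keyscan output is "<host> <type> <base64>"; drop the leading host field.
    if len(parts) >= 3 and parts[1].startswith(_KEY_PREFIXES):
        parts = parts[1:]
    if len(parts) < 2 or not parts[0].startswith(_KEY_PREFIXES):
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    (n,) = struct.unpack(">I", blob[:4])  # first length-prefixed field names the algorithm
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("algorithm inside blob does not match key type")
    return key_type, blob


def fingerprint_sha256(blob):
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy colon-separated hex MD5 fingerprint."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def _canonical(fp):
    """Strip label, colons and base64 padding so both sides compare alike."""
    fp = fp.strip()
    for label in ("SHA256:", "MD5:"):
        if fp.upper().startswith(label):
            fp = fp[len(label):]
    fp = fp.replace(":", "").rstrip("=")
    is_hex = all(c in "0123456789abcdefABCDEF" for c in fp)
    return fp.lower() if is_hex else fp  # base64 is case-sensitive, hex is not


def fingerprint_matches(reported, pinned):
    """Constant-time comparison of a reported fingerprint against a pinned one."""
    return hmac.compare_digest(_canonical(reported), _canonical(pinned))


def client_allowed(address, allowed_networks):
    """True if the connecting address lies inside one of the allowed CIDRs."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n) for n in allowed_networks)


# Constructed sample: an ssh-ed25519 blob carrying a dummy 32-byte key, not a real host.
_DUMMY_PK = bytes(range(32))
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + _DUMMY_PK
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode()
SAMPLE_KEYSCAN_LINE = "bastion.example.net " + SAMPLE_KEY_LINE


def run_tunnel(pinned_fingerprints, allowed_networks, ssh_host, ssh_user, ssh_password,
               forward_host, forward_port, local_port, local_host="127.0.0.1"):
    """Configure an ipworksssh.SSHTunnel with the checks above and pump its events."""
    import ipworksssh  # imported here so the helpers above run without the library
    tunnel = ipworksssh.SSHTunnel()

    def on_server_auth(e):
        # Accept only a host key whose fingerprint was pinned out of band.
        e.accept = any(fingerprint_matches(e.fingerprint, p) for p in pinned_fingerprints)

    def on_connection_request(e):
        # Reject local clients outside the allow-list before any SSH logon is attempted.
        e.accept = client_allowed(e.address, allowed_networks)

    tunnel.on_ssh_server_authentication = on_server_auth
    tunnel.on_connection_request = on_connection_request
    tunnel.ssh_host, tunnel.ssh_port = ssh_host, 22
    tunnel.ssh_user, tunnel.ssh_password = ssh_user, ssh_password
    tunnel.ssh_forward_host, tunnel.ssh_forward_port = forward_host, forward_port
    tunnel.local_host, tunnel.local_port = local_host, local_port
    tunnel.listening = True
    try:
        while tunnel.listening:
            tunnel.do_events()  # server components need a loop to process events
    finally:
        tunnel.shutdown()


if __name__ == "__main__":
    key_type, blob = parse_openssh_key_line(SAMPLE_KEYSCAN_LINE)
    print(key_type, fingerprint_sha256(blob), fingerprint_md5(blob))
```

In practice the pin is taken from `ssh-keyscan` run from a trusted location, or from the server's /etc/ssh/*.pub, and passed to run_tunnel; which of the SHA256 or MD5 forms to compare against depends on the SSHFingerprintHashAlgorithm setting of the class, which is why fingerprint_matches normalises labels, colons and padding before comparing.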
Property List
The following is the full list of the properties of the class with short descriptions. Click on the links for further details.
connected | Triggers a connection or disconnection. |
connection_backlog | The maximum number of pending connections maintained by the TCP/IP subsystem. |
client_count | The number of records in the Client arrays. |
client_accept_data | Setting this property to False, temporarily disables data reception (and the DataIn event) on the connection. |
client_bytes_sent | This property shows how many bytes were sent after the last assignment to DataToSend. |
client_connected | This property is used to disconnect individual connections and/or show their status. |
client_connection_id | This property contains an identifier generated by the class to identify each connection. |
client_data_to_send | This property contains a string of data to be sent to the remote host. |
client_eol | The EOL property is used to define boundaries in the input stream using the value of the property. |
client_idle_timeout | The idle timeout for this connection. |
client_local_address | This property shows the IP address of the interface through which the connection is passing. |
client_ready_to_send | Indicates whether the class is ready to send data. |
client_record_length | If set to a positive value, this setting defines the length of data records to be received. |
client_remote_host | This property shows the IP address of the remote host through which the connection is coming. |
client_remote_port | This property shows the TCP port on the remote host through which the connection is coming. |
client_single_line_mode | This property shows the special mode for line-oriented protocols. |
client_timeout | This property specifies a timeout for the class. |
client_user_data | The UserData property holds connection specific user specified data. |
default_eol | A default EOL value to be used by incoming connections. |
default_single_line_mode | Tells the class whether or not to treat new connections as line-oriented. |
default_timeout | An initial timeout value to be used by incoming connections. |
firewall_auto_detect | This property tells the class whether or not to automatically detect and use firewall system settings, if available. |
firewall_type | This property determines the type of firewall to connect through. |
firewall_host | This property contains the name or IP address of firewall (optional). |
firewall_password | This property contains a password if authentication is to be used when connecting through the firewall. |
firewall_port | This property contains the TCP port for the firewall Host. |
firewall_user | This property contains a user name if authentication is to be used connecting through a firewall. |
keep_alive | When True, KEEPALIVE packets are enabled (for long connections). |
linger | When set to True, connections are terminated gracefully. |
listening | If True, the class accepts incoming connections on LocalPort. |
local_host | The name of the local host or user-assigned IP interface through which connections are initiated or accepted. |
local_port | The TCP port in the local host where the class binds. |
ssh_accept_server_host_key_encoded | The server host key to accept (PEM/base64 encoded). |
ssh_auth_mode | The authentication method to be used by the class when calling SSHLogon. |
ssh_cert_encoded | The certificate (PEM/base64 encoded). |
ssh_cert_store | The name of the certificate store for the client certificate. |
ssh_cert_store_password | If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store. |
ssh_cert_store_type | The type of certificate store for this certificate. |
ssh_cert_subject | The subject of the certificate used for client authentication. |
ssh_compression_algorithms | A comma-separated list containing all allowable compression algorithms. |
ssh_encryption_algorithms | A comma-separated list containing all allowable encryption algorithms. |
ssh_forward_host | The address of the remote host. Domain names are resolved to IP addresses. |
ssh_forward_port | The TCP port in the remote host. |
ssh_host | The address of the SSH host. |
ssh_password | The password for SSH password-based authentication. |
ssh_port | The port on the SSH server where the SSH service is running; by default, 22. |
ssh_user | The username for SSH authentication. |
Method List
The following is the full list of the methods of the class with short descriptions. Click on the links for further details.
config | Sets or retrieves a configuration setting. |
decode_packet | Decodes a hex-encoded SSH packet. |
disconnect | Disconnect the specified client. |
do_events | Processes events from the internal message queue. |
encode_packet | Hex encodes an SSH packet. |
get_ssh_param | Used to read a field from an SSH packet's payload. |
get_ssh_param_bytes | Used to read a field from an SSH packet's payload. |
reset | Reset the class. |
set_ssh_param | Used to write a field to the end of a payload. |
shutdown | Shuts down the server. |
Event List
The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.
on_connected | Fired immediately after a connection completes (or fails). |
on_connection_request | Fired when a request for connection comes from a remote host. |
on_data_in | Fired when data comes in. |
on_disconnected | Fired when a connection is closed. |
on_error | Information about errors during data delivery. |
on_log | Fires once for each log message. |
on_ssh_custom_auth | Fired when the class is doing custom authentication. |
on_ssh_keyboard_interactive | Fired when the class receives a request for user input from the server. |
on_ssh_server_authentication | Fired after the server presents its public key to the client. |
on_ssh_status | Shows the progress of the secure connection. |
Configuration Settings
The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.
ShutdownChannelOnEOF | Whether the client will shutdown the channel after receiving an EOF packet from the remote host. |
ClientSSHVersionString | The SSH version string used by the class. |
EnablePageantAuth | Whether to use a key stored in Pageant to perform client authentication. |
KerberosDelegation | If true, asks for credentials with delegation enabled during authentication. |
KerberosRealm | The fully qualified domain name of the Kerberos Realm to use for GSSAPI authentication. |
KerberosSPN | The Kerberos Service Principal Name of the SSH host. |
KeyRenegotiationThreshold | Sets the threshold for the SSH Key Renegotiation. |
LogLevel | Specifies the level of detail that is logged. |
MaxPacketSize | The maximum packet size of the channel, in bytes. |
MaxWindowSize | The maximum window size allowed for the channel, in bytes. |
PasswordPrompt | The text of the password prompt used in keyboard-interactive authentication. |
PreferredDHGroupBits | The size (in bits) of the preferred modulus (p) to request from the server. |
RecordLength | The length of received data records. |
ServerSSHVersionString | The remote host's SSH version string. |
SignedSSHCert | The CA signed client public key used when authenticating. |
SSHAcceptAnyServerHostKey | If set the class will accept any key presented by the server. |
SSHAcceptServerCAKey | The CA public key that signed the server's host key. |
SSHAcceptServerHostKeyFingerPrint | The fingerprint of the server key to accept. |
SSHFingerprintHashAlgorithm | The algorithm used to calculate the fingerprint. |
SSHFingerprintMD5 | The server hostkey's MD5 fingerprint. |
SSHFingerprintSHA1 | The server hostkey's SHA1 fingerprint. |
SSHFingerprintSHA256 | The server hostkey's SHA256 fingerprint. |
SSHKeepAliveCountMax | The maximum number of keep alive packets to send without a response. |
SSHKeepAliveInterval | The interval between keep alive packets. |
SSHKeyExchangeAlgorithms | Specifies the supported key exchange algorithms. |
SSHKeyRenegotiate | Causes the class to renegotiate the SSH keys. |
SSHMacAlgorithms | Specifies the supported Mac algorithms. |
SSHPubKeyAuthSigAlgorithms | Specifies the enabled signature algorithms that may be used when attempting public key authentication. |
SSHPublicKeyAlgorithms | Specifies the supported public key algorithms. |
SSHVersionPattern | The pattern used to match the remote host's version string. |
TryAllAvailableAuthMethods | If set to true, the class will try all available authentication methods. |
WaitForChannelClose | Whether to wait for channels to be closed before disconnecting. |
WaitForServerDisconnect | Whether to wait for the server to close the connection. |
ConnectionTimeout | Sets a separate timeout value for establishing a connection. |
FirewallAutoDetect | Tells the class whether or not to automatically detect and use firewall system settings, if available. |
FirewallHost | Name or IP address of firewall (optional). |
FirewallPassword | Password to be used if authentication is to be used when connecting through the firewall. |
FirewallPort | The TCP port for the FirewallHost. |
FirewallType | Determines the type of firewall to connect through. |
FirewallUser | A user name if authentication is to be used connecting through a firewall. |
KeepAliveInterval | The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received. |
KeepAliveTime | The inactivity time in milliseconds before a TCP keep-alive packet is sent. |
Linger | When set to True, connections are terminated gracefully. |
LingerTime | Time in seconds to have the connection linger. |
LocalHost | The name of the local host through which connections are initiated or accepted. |
LocalPort | The port in the local host where the class binds. |
MaxLineLength | The maximum amount of data to accumulate when no EOL is found. |
MaxTransferRate | The transfer rate limit in bytes per second. |
ProxyExceptionsList | A semicolon separated list of hosts and IPs to bypass when using a proxy. |
TCPKeepAlive | Determines whether or not the keep alive socket option is enabled. |
TcpNoDelay | Whether or not to delay when sending packets. |
UseIPv6 | Whether to use IPv6. |
AbsoluteTimeout | Determines whether timeouts are inactivity timeouts or absolute timeouts. |
FirewallData | Used to send extra data to the firewall. |
InBufferSize | The size in bytes of the incoming queue of the socket. |
OutBufferSize | The size in bytes of the outgoing queue of the socket. |
AllowedClients | A comma-separated list of host names or IP addresses that can access the class. |
BindExclusively | Whether or not the class considers a local port reserved for exclusive use. |
ConnectionUID | The unique connectionId for a connection. |
DefaultConnectionTimeout | The inactivity timeout applied to the SSL handshake. |
KeepAliveRetryCount | The number of keep-alive packets to be sent before the remote host is considered disconnected. |
MaxConnections | The maximum number of connections available. |
UseIOCP | Whether to use the completion port I/O model. |
UseWindowsMessages | Whether to use the WSAAsyncSelect I/O model. |
BuildInfo | Information about the product's build. |
CodePage | The system code page used for Unicode to Multibyte translations. |
LicenseInfo | Information about the current license. |
ProcessIdleEvents | Whether the class uses its internal event loop to process events when the main thread is idle. |
SelectWaitMillis | The length of time in milliseconds the class will wait when DoEvents is called if there are no events to process. |
UseInternalSecurityAPI | Tells the class whether or not to use the system security libraries or an internal implementation. |