aker-gateway / aker

SSH bastion/jump host/jumpserver

License: Other

Python 100.00%
python linux jumpserver bastion-host freeipa jumpbox elk-stack

aker's Issues

AttributeError: 'NoneType' object has no attribute 'write'

# su test
WARNING:root:There was an error loading ipalib, falling back to JSON

Traceback (most recent call last):
  File "/bin/aker/aker.py", line 149, in <module>
    Aker().build_tui()
  File "/bin/aker/aker.py", line 121, in build_tui
    self.tui.start()
  File "/usr/bin/aker/tui.py", line 144, in start
    self.loop.run()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 271, in run
    self.screen.run_wrapper(self._run)
  File "/usr/lib64/python2.7/site-packages/urwid/raw_display.py", line 241, in run_wrapper
    return fn()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 336, in _run
    self.event_loop.run()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 707, in run
    self._loop()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 786, in _loop
    self._watch_files[fd]()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 387, in _update
    self.process_input(keys)
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 487, in process_input
    k = self._topmost_widget.keypress(self.screen_size, k)
  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1102, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1102, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib64/python2.7/site-packages/urwid/listbox.py", line 986, in keypress
    key = focus_widget.keypress((maxcol,),key)
  File "/usr/bin/aker/tui.py", line 27, in keypress
    urwid.emit_signal(self, 'connect')
  File "/usr/lib64/python2.7/site-packages/urwid/signals.py", line 120, in emit
    result |= bool(callback(*args_copy))
  File "/usr/bin/aker/tui.py", line 59, in host_chosen
    self.aker.init_connection(choice)
  File "/bin/aker/aker.py", line 139, in init_connection
    session.stop_sniffer()
  File "/usr/bin/aker/session.py", line 36, in stop_sniffer
    self._client.stop_sniffer()
  File "/usr/bin/aker/SSHClient.py", line 36, in stop_sniffer
    sniffer.stop()
  File "/usr/bin/aker/snoop.py", line 159, in stop
    self.log_file.write('Session End %s' % session_end)
AttributeError: 'NoneType' object has no attribute 'write'

This happens when selecting a host and pressing enter.
Same issue occurs when I log in as the user. Any idea?

uname -r
3.10.0-327.4.4.el7.centos.plus.x86_64
python -V
Python 2.7.5

possible vulnerability

I haven't tested this with Aker yet, as I haven't installed it, but I noticed in the setup process you add it to /etc/shells and then set it as the default shell with "chsh -s /bin/aker/aker.py username" for users who you want to pipe through aker. This reminded me of an old trick (not necessarily a true vuln) that I used to do when I was forced to use a certain shell to log in: I could just manually pass the shell I wanted by doing

ssh [email protected] /bin/bash

Would someone who uses Aker please try this and see if it works? This behavior can be fixed by editing /etc/ssh/sshd_config to include:

Match User username
    ForceCommand /bin/aker/aker.py 

or by editing .profile or .bashrc / whatever your shell's profile dotfile is, to include and begin with /bin/aker/aker.py

In any event, Aker looks pretty useful and I'll be trying it when I get a chance. Thanks
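A configuration check for the ForceCommand mitigation suggested above, as an added example (not part of the original post and not Aker's own code): it lists every account whose login shell is aker.py but for which sshd_config does not force that command. The passwd and sshd_config samples are constructed, and only global settings, `Match All` and `Match User` blocks are evaluated; blocks with other criteria are treated as not applying.

```python
import fnmatch

AKER_SHELL = "/bin/aker/aker.py"  # shell path from the post's chsh command


def aker_users(passwd_text, shell=AKER_SHELL):
    """Return the accounts in passwd-format text whose login shell is aker."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[6] == shell:
            users.append(fields[0])
    return users


def parse_sshd_config(text):
    """Return (global ForceCommand, [Match blocks]) from sshd_config text."""
    global_force = None
    blocks = []
    current = None  # None while we are still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {"criteria": value.split(), "force": None}
            blocks.append(current)
        elif keyword == "forcecommand":
            # sshd keeps the first value it sees for a keyword in each context
            if current is None:
                if global_force is None:
                    global_force = value
            elif current["force"] is None:
                current["force"] = value
    return global_force, blocks


def user_matches(user, pattern_list):
    """Match a user against a comma-separated sshd pattern list (*, ?, !neg)."""
    matched = False
    for pattern in pattern_list.split(","):
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(user, pattern[1:]):
                return False  # a negated match always loses
        elif fnmatch.fnmatchcase(user, pattern):
            matched = True
    return matched


def effective_force_command(user, global_force, blocks):
    """ForceCommand that applies to `user`; Match blocks override the global."""
    for block in blocks:
        crit = block["criteria"]
        is_all = len(crit) == 1 and crit[0].lower() == "all"
        is_user = (len(crit) == 2 and crit[0].lower() == "user"
                   and user_matches(user, crit[1]))
        if (is_all or is_user) and block["force"] is not None:
            return block["force"]
    return global_force


def audit(passwd_text, sshd_text, shell=AKER_SHELL):
    """Map each aker-shell user to a finding if aker is not forced for them."""
    global_force, blocks = parse_sshd_config(sshd_text)
    findings = {}
    for user in aker_users(passwd_text, shell):
        forced = effective_force_command(user, global_force, blocks)
        if forced is None or forced.lower() == "none":
            findings[user] = "no ForceCommand"
        elif forced.split()[0] != shell:
            findings[user] = "ForceCommand is %s" % forced
    return findings


# Constructed sample data, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/aker/aker.py
bob:x:1002:1002::/home/bob:/bin/aker/aker.py
carol:x:1003:1003::/home/carol:/bin/bash
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
PasswordAuthentication no
Match User alice
    ForceCommand /bin/aker/aker.py
"""

if __name__ == "__main__":
    for user, finding in sorted(audit(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG).items()):
        print("%s: %s" % (user, finding))
```
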

Missing dependency : queue

Hello,

I was about to try and test your code on a fresh Alpine Linux.

When logging in to an aker-enabled user, I end up with the following stack trace:

Traceback (most recent call last):
  File "/bin/aker/aker.py", line 33, in <module>
    import tui
  File "/bin/aker/tui.py", line 13, in <module>
    import aker
  File "/bin/aker/aker.py", line 35, in <module>
    from snoop import Sniffer
  File "/bin/aker/snoop.py", line 12, in <module>
    from queue import Queue
ImportError: No module named queue

I tried to search for something on pip, but didn't find the right one.

Is it possible to specify in the installation procedure exactly which module is missing?
I will be glad to test/specify steps if you'd like so.

regards

AttributeError: 'NoneType' object has no attribute 'write'

Hi Ahmed,

I am running the Aker SSH bastion/jump host application on CentOS release 6.9 (Final) with Python version 2.6.6. I am encountering the below issue when I select a specific hostname from the Aker TUI console. I have attached the screenshot for your reference.

ssh 172.16.0.23
/usr/bin/aker/aker.py:52: DeprecationWarning: You passed a bytestring as filenames. This will not work on Python 3. Use cp.read_file() or switch to using Unicode strings across the board.
  self.configparser.read(filename)
/usr/bin/aker/hosts.py:70: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
  logging.error("Hosts: all subsequent calls will fallback to backened idp, cache error: {0}".format(e.message))
/usr/bin/aker/pyte/streams.py:353: DeprecationWarning: As of version 0.6.0 pyte.streams.ByteStream is an alias for pyte.streams.Stream. The former will be removed in pyte 0.6.1.
  "removed in pyte 0.6.1.", DeprecationWarning)
/usr/bin/aker/snoop.py:159: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
  logging.error("Sniffer: close session files error {0} ".format(e.message))
Traceback (most recent call last):
  File "/usr/bin/aker/aker.py", line 152, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 124, in build_tui
    self.tui.start()
  File "/usr/bin/aker/tui.py", line 168, in start
    self.loop.run()
  File "/usr/lib/python2.6/site-packages/urwid/main_loop.py", line 278, in run
    self._run()
  File "/usr/lib/python2.6/site-packages/urwid/main_loop.py", line 376, in _run
    self.event_loop.run()
  File "/usr/lib/python2.6/site-packages/urwid/main_loop.py", line 682, in run
    self._loop()
  File "/usr/lib/python2.6/site-packages/urwid/main_loop.py", line 719, in _loop
    self._watch_files[fd]()
  File "/usr/lib/python2.6/site-packages/urwid/raw_display.py", line 393, in <lambda>
    event_loop, callback, self.get_available_raw_input())
  File "/usr/lib/python2.6/site-packages/urwid/raw_display.py", line 493, in parse_input
    callback(processed, processed_codes)
  File "/usr/lib/python2.6/site-packages/urwid/main_loop.py", line 403, in _update
    self.process_input(keys)
  File "/usr/lib/python2.6/site-packages/urwid/main_loop.py", line 503, in process_input
    k = self._topmost_widget.keypress(self.screen_size, k)
  File "/usr/lib/python2.6/site-packages/urwid/wimp.py", line 643, in keypress
    return self._current_widget.keypress(size, key)
  File "/usr/lib/python2.6/site-packages/urwid/container.py", line 1128, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib/python2.6/site-packages/urwid/container.py", line 1128, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib/python2.6/site-packages/urwid/listbox.py", line 987, in keypress
    key = focus_widget.keypress((maxcol,),key)
  File "/usr/bin/aker/tui.py", line 27, in keypress
    urwid.emit_signal(self, 'connect')
  File "/usr/lib/python2.6/site-packages/urwid/signals.py", line 264, in emit
    result |= self._call_callback(callback, user_arg, user_args, args)
  File "/usr/lib/python2.6/site-packages/urwid/signals.py", line 294, in _call_callback
    return bool(callback(*args_to_pass))
  File "/usr/bin/aker/tui.py", line 60, in host_chosen
    self.aker.init_connection(choice)
  File "/usr/bin/aker/aker.py", line 142, in init_connection
    session.stop_sniffer()
  File "/usr/bin/aker/session.py", line 36, in stop_sniffer
    self._client.stop_sniffer()
  File "/usr/bin/aker/SSHClient.py", line 36, in stop_sniffer
    sniffer.stop()
  File "/usr/bin/aker/snoop.py", line 161, in stop
    self.log_file.write('Session End %s' % session_end)
AttributeError: 'NoneType' object has no attribute 'write'
Connection to 172.16.0.23 closed.

EOFError

Hi.

Sometimes, an EOFError is raised on embedded devices or devices for which the SSH implementation cannot be fixed by the end user. Right now, I have a local patch that fixes this by catching the exception and closing the transport and socket but not bubbling the error up. It looks like this:

try:
    self._start_session(transport)
except EOFError as e:
    logging.error('Received EOFError.  Assuming bad SSH implementation.')
    logging.error('Stack trace: {}'.format(e))
    self._session.close_session()
    if transport:
        transport.close()
    self._socket.close()
except Exception as e:
    logging.error(e)
    self._session.close_session()
    if transport:
        transport.close()
    self._socket.close()
    raise e

Would you accept a pull request for this? It should probably ultimately be refactored to be less ugly and repeated less.

Thanks!

Support Passwords

Hi!

First, this project is pretty awesome. Thank you for this!

I have a need for password-based authentication. The use case is network devices which authenticate on the backend to RADIUS or TACACS+. This grants centralized account management, but it doesn't allow for SSH keys.

I have a local patch that gives me this feature, but I would prefer not having to maintain my own fork for the sake of interactive passwords.

Would you be open to a pull request that implements the feature? Basically, the code checks to see if a particular user has the password key set to yes, and if so, it prompts for a password. I'm not sure what implications this may have elsewhere, but it serves my particular use case pretty well.

Thanks!

/var/log/aker/aker.log permissions prevent users from logging in

After a fresh install (idp=Json):

--

root@bastion:~# ls -l /var/log/aker/

total 0

root@bastion:~# ls -ld /var/log/aker/

drwxrwxrwx 2 root root 4096 Dec 20 16:15 /var/log/aker/

--

root@workstation:~# ssh user1@bastion

( Here Aker works as expected, but after a logout....)

Logout

--

root@bastion:~# ls -l /var/log/aker/

total 8

drwxrwxrwx 2 user1 user1 4096 Dec 20 16:18 20171220

-rw-r--r-- 1 user1 user1 856 Dec 20 16:18 aker.log

root@bastion:~# ls -ld /var/log/aker/

drwxrwxrwx 3 root root 4096 Dec 20 16:18 /var/log/aker/

--

root@workstation:~# ssh user2@bastion

user2@bastion's password:

Traceback (most recent call last):
  File "/usr/bin/aker/aker.py", line 168, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 117, in __init__
    level=config.log_level)
  File "/usr/lib/python2.7/logging/__init__.py", line 1547, in basicConfig
    hdlr = FileHandler(filename, mode)
  File "/usr/lib/python2.7/logging/__init__.py", line 913, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib/python2.7/logging/__init__.py", line 943, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/var/log/aker/aker.log'

Connection to bastion closed.

root@workstation:~#

--

The only workaround is to chmod 777 the aker log file.

PyPi package

Hi, I'd like to create a PyPI package. I am creating this issue beforehand as the contribution guide requires it.
I will send a PR when I'm done.

Assume the User's Name for the Username

Currently, I must specify a username for a host in aker.ini. This is a convenient feature in some scenarios, but it would be nice if Aker would default to the user's username for the connection and optionally allow the user to specify a different username if he or she wanted.

As an example, consider the following:

[supertylerc]
hosts = 10.0.0.1,22
    192.168.0.1,22,admin

Given this configuration, Aker should connect to 10.0.0.1 as the user supertylerc because a more specific user isn't defined on that line. For 192.168.0.1, though, the more specific user admin is specified, so Aker should connect to 192.168.0.1 as that user.

Style Guide?

Hi!

I was wondering if there is a specific style guide that should be followed. While making changes to a local copy to support #11 and #12, my linting plugins raised a large number of issues (tabs, line length). If I should disable them, I can do that. If you're interested in bringing the codebase in line with Python's various style guides (pep8, pep257, etc), I could submit a pull request for that.

Thank you!

Configuration via arguments

Hi, I'd like to have the ability to provide the path to the configuration file, log file, etc. via command-line arguments (argparse).
What do you think?

Which phase in roadmap?

The README states this project's roadmap has different phases. Which phase is the project in now? Also, how about creating issues for the tasks and creating milestones for the phases?

no attribute ssession_end_callback

Trace:
Traceback (most recent call last):
  File "/bin/aker/aker.py", line 137, in <module>
    Aker().build_tui()
  File "/bin/aker/aker.py", line 99, in __init__
    self.build_tui()
  File "/bin/aker/aker.py", line 107, in build_tui
    self.tui.start()
  File "/bin/aker/tui.py", line 147, in start
    self.loop.run()
  File "/usr/lib/python2.7/site-packages/urwid/main_loop.py", line 278, in run
    self._run()
  File "/usr/lib/python2.7/site-packages/urwid/main_loop.py", line 376, in _run
    self.event_loop.run()
  File "/usr/lib/python2.7/site-packages/urwid/main_loop.py", line 682, in run
    self._loop()
  File "/usr/lib/python2.7/site-packages/urwid/main_loop.py", line 719, in _loop
    self._watch_files[fd]()
  File "/usr/lib/python2.7/site-packages/urwid/raw_display.py", line 393, in <lambda>
    event_loop, callback, self.get_available_raw_input())
  File "/usr/lib/python2.7/site-packages/urwid/raw_display.py", line 493, in parse_input
    callback(processed, processed_codes)
  File "/usr/lib/python2.7/site-packages/urwid/main_loop.py", line 403, in _update
    self.process_input(keys)
  File "/usr/lib/python2.7/site-packages/urwid/main_loop.py", line 503, in process_input
    k = self._topmost_widget.keypress(self.screen_size, k)
  File "/usr/lib/python2.7/site-packages/urwid/container.py", line 1128, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib/python2.7/site-packages/urwid/container.py", line 1128, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib/python2.7/site-packages/urwid/listbox.py", line 987, in keypress
    key = focus_widget.keypress((maxcol,),key)
  File "/bin/aker/tui.py", line 27, in keypress
    urwid.emit_signal(self, 'connect')
  File "/usr/lib/python2.7/site-packages/urwid/signals.py", line 264, in emit
    result |= self._call_callback(callback, user_arg, user_args, args)
  File "/usr/lib/python2.7/site-packages/urwid/signals.py", line 294, in _call_callback
    return bool(callback(*args_to_pass))
  File "/bin/aker/tui.py", line 61, in host_chosen
    self.aker.init_connection(choice)
  File "/bin/aker/aker.py", line 124, in init_connection
    session.start_session()
  File "/bin/aker/session.py", line 60, in start_session
    self._client.start_session(self.host_user,priv_key)
  File "/bin/aker/SSHClient.py", line 56, in start_session
    self._session.close_session()
  File "/bin/aker/session.py", line 38, in close_session
    self.aker.ssession_end_callback(self)
AttributeError: 'Aker' object has no attribute 'ssession_end_callback'

Happens upon disconnecting from private instance.
Maybe a typo (ss instead of s) ?

Hosts inside host group sorting order

When entering a host group, the order is 'messed up'; it pretty much looks random.
Are you/we able to sort it alphabetically, or as it was before in the previous version, sorted as it appeared in hosts.json?

Let me know, thank you!

handling non-unicode chrs

Reproducer: on a logged session, try to produce non-unicode chars, for example use head -8 /dev/urandom, and you will get an error:

  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1127, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib64/python2.7/site-packages/urwid/listbox.py", line 986, in keypress
    key = focus_widget.keypress((maxcol,),key)
  File "/usr/bin/aker/tui.py", line 27, in keypress
    urwid.emit_signal(self, 'connect')
  File "/usr/lib64/python2.7/site-packages/urwid/signals.py", line 263, in emit
    result |= self._call_callback(callback, user_arg, user_args, args)
  File "/usr/lib64/python2.7/site-packages/urwid/signals.py", line 293, in _call_callback
    return bool(callback(*args_to_pass))
  File "/usr/bin/aker/tui.py", line 61, in host_chosen
    self.aker.init_connection(choice)
  File "/bin/aker/aker.py", line 125, in init_connection
    session.start_session()
  File "/usr/bin/aker/session.py", line 60, in start_session
    self._client.start_session(self.host_user,priv_key)
  File "/usr/bin/aker/SSHClient.py", line 60, in start_session
    raise e
UnicodeDecodeError: 'utf8' codec can't decode byte 0xcf in position 1: invalid continuation byte

Support "Global" Hosts

It looks like hosts right now are defined per-user. This results in duplicating entries quite a bit. If I have five people on my team and we are managing a total of 500 nodes, I have to have 2,500 hosts in aker.ini -- the same 500 for each user.

I would like the ability to label hosts at a more "global" level. In this particular feature, we would just have a list of 500 hosts. Ideally, there would be a lookup hierarchy so that an individual user could potentially have the same host as described at the "global" level but with "more specific" information.
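The lookup this issue asks for, combined with the username default proposed in "Assume the User's Name for the Username" above, as an added example (not Aker's code and not from either issue): shared hosts are read first, then the user's own section overrides the login name for any host it repeats. The section name `global` and the sample INI are assumptions constructed for illustration; the `host,port[,user]` entry format is the one shown in the earlier issue.

```python
import configparser

GLOBAL_SECTION = "global"  # hypothetical section name; the issues do not define one


def parse_host_entry(entry, default_user):
    """Parse 'host,port[,user]' and fall back to default_user when absent."""
    fields = [f.strip() for f in entry.split(",")]
    if len(fields) not in (2, 3) or not all(fields):
        raise ValueError("malformed host entry: %r" % entry)
    host = fields[0]
    port = int(fields[1])  # raises ValueError on a non-numeric port
    if not 0 < port < 65536:
        raise ValueError("port out of range in entry: %r" % entry)
    user = fields[2] if len(fields) == 3 else default_user
    return host, port, user


def section_hosts(parser, section, default_user):
    """Return {(host, port): user} for one section's multi-line 'hosts' value."""
    if not parser.has_section(section):
        return {}
    raw = parser.get(section, "hosts", fallback="")
    hosts = {}
    for line in raw.splitlines():
        if line.strip():
            host, port, user = parse_host_entry(line, default_user)
            hosts[(host, port)] = user
    return hosts


def resolve_hosts(ini_text, login_user):
    """Merge shared hosts with the user's own; the user's entries win."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    merged = section_hosts(parser, GLOBAL_SECTION, login_user)
    merged.update(section_hosts(parser, login_user, login_user))
    return merged


# Constructed sample configuration, not a real aker.ini.
SAMPLE_INI = """\
[global]
hosts = 10.0.0.1,22
    10.0.0.2,22
    192.168.0.1,22,netops

[supertylerc]
hosts = 192.168.0.1,22,admin
"""

if __name__ == "__main__":
    for (host, port), user in sorted(resolve_hosts(SAMPLE_INI, "supertylerc").items()):
        print("%s@%s:%d" % (user, host, port))
```
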

Switch to local shell?

Hello anazmy.

We use our jump-server for accessing our switches and such as well.
But this requires a local shell to do so. And it's also used for testing purposes like IP's, traceroutes and such.
Is it possible to login to shell for some users that require so?
Or can I do this by allowing a local SSH key and adding another host to login to the local shell, or should I create a separate user which can access shell?

EDIT:
Works for a normal user, but not via your script?
May 11 11:38:15 noc su: pam_unix(su:session): session opened for user X by root(uid=0)
May 11 11:38:18 noc sshd[4003]: Connection closed by 127.0.0.1 [preauth]

SSH Keys vs Kerberos Ticket

Hi,

After a successful login on Aker server via SSH Keys, no Kerberos ticket is generated. This is a normal behaviour as in this case, Auth is delegated to the authkey mechanism of SSH.

Scenario :

  • FreeIPA (ipa.example.com, CentOS7) used as Kerberos server
  • Aker (aker.example.com, CentOS7), client of the FreeIPA
  • srv1 (srv1.example.com, CentOS7), client of the FreeIPA too
  • Aker is configured with IPA, not JSON

I make a connection to aker with an SSH key. Access is granted, but aker.py crashes:

Traceback (most recent call last):
  File "/usr/bin/aker/aker.py", line 152, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 117, in __init__
    self.user = User(self.posix_user)
  File "/usr/bin/aker/aker.py", line 75, in __init__
    self.hosts = Hosts(config,self.name,gateway_hostgroup,idp)
  File "/usr/bin/aker/hosts.py", line 59, in __init__
    self.idp = IdPFactory.getIdP(idp)(config,username,gateway_hostgroup)
  File "/usr/bin/aker/idp/IPA.py", line 34, in __init__
    api.Backend.rpcclient.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection
    raise errors.KerberosError(message=unicode(krberr))
ipalib.errors.KerberosError: did not receive Kerberos credentials
Connection to bastion-aker closed.

There's no standard way that I know of generating a kerberos ticket after a successful SSH.

Two ideas :

  • catch this error and ask the user for its Kerberos password
  • on first login, get a keytab from the IPA server and use it to kinit the user

Any thoughts on this?

[RFE] cache FreeIPA results locally

In a production environment it won't be ideal to query FreeIPA (retrieve hosts) on each and every user login. Ideally, Aker should maintain a local cache of the hosts once fetched from FreeIPA, with the ability for a manual refresh based on user input, F5 for example.

Connect to user provided host

I like the idea of filtering hosts by user rights defined in FreeIPA. But I would like to add a feature for cases when you don't have FreeIPA or you cannot even list all your hosts in a JSON file.

I'd call it simple mode - Aker would try to connect to host provided by user without checking any groups or doing any filtering.

This would be good for cases when your hostnames are often changing or when you have no rights management or when you simply don't know about hosts user might want to connect to.

I know that this will need some greater design changes because host list is loaded once in the beginning and then filtering is done but it is not impossible.

I consider this as the simplest use case that should be provided by Aker.

What do you think?

[RFE] Direct access to destination host in the ssh initial command

Using the same format as cryptoauditor connections or an alternative, it would be great to connect directly to the final server instead of using a list if you know the hostname or the IP address.

For example:

ssh user@destinationhost@bastionhost -> This will connect to the destinationhost
ssh user@bastionhost -> This will connect to the bastion host and show the connection list

GSSException issue.

I think the paramiko version should be 2.1.2. The latest may have a bug.

  File "/opt/aker/aker.py", line 28, in <module>
    import paramiko
  File "/usr/lib/python2.7/site-packages/paramiko/__init__.py", line 31, in <module>
    from paramiko.transport import SecurityOptions, Transport
  File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 38, in <module>
    from paramiko.auth_handler import AuthHandler
  File "/usr/lib/python2.7/site-packages/paramiko/auth_handler.py", line 48, in <module>
    from paramiko.ssh_gss import GSSAuth, GSS_EXCEPTIONS
  File "/usr/lib/python2.7/site-packages/paramiko/ssh_gss.py", line 54, in <module>
    GSS_EXCEPTIONS = (gssapi.GSSException,)
AttributeError: 'module' object has no attribute 'GSSException'

Aker log WinSCP transfer

Hi :)
I am currently testing Aker for my enterprise and I am facing two problems:

  • SCP transfer with a jump host: currently, Aker doesn't catch SCP transfers, which is cool, but it does not log the file that is transferred (for example, file /etc/uselessfile is transferred by xxx)
  • SCP transfer with a second jump host... Currently, we have a jump host to access the WAN, but we have a lot of WANs. And if we put Aker between the user and the first jump host, we have a problem accessing the last host

Do you have any idea how to solve these problems? (I can help you)

Thanks :)

[RFE] Ability to connect to custom SSH port

Add the ability to handle environments where SSH is configured on a custom port other than port 22.
The environment can be mixed, where every group of servers is on a different port.

[RFE] Integration with Identity provider (FreeIPA)

Relying on a local config file to populate users, their privileges, etc. won't work for large-scale environments.

Aker needs to integrate with a central identity provider (for starters, FreeIPA) to:

  • Authenticate users' access to Aker servers.
  • Pull the list of hosts allowed to the user (HBAC).
  • Govern the allowed SUDO commands.

[RFE] Base connections off of host object

Currently when list_allowed() is called on line 70 of aker.py, a list of strings that contain the host names are returned.

I suggest that a list of host objects are returned instead. This will allow for host based configuration when listed.

pseudo representation of some of the proposed host class properties


class Host(object):
    def __init__(self, hostname, name, private_key_type,
                 private_key_value, private_key_password=None):
        # Hostname used when connecting
        self.hostname = hostname

        # Canonical name for the list
        self.name = name

        # Type of private key: encrypted_direct, direct, encrypted_path, path.
        #        Where direct has the value of the private key in memory
        self.private_key_type = private_key_type

        # Depending on key type should either be a path to local file or the value of the private key
        self.private_key_value = private_key_value

        # If the key is encrypted the phrase used to decrypt the key
        self.private_key_password = private_key_password

In the list of available hosts in tui, I suggest changing the display to:

<canonical name> (<hostname>)

so if I had a host with "name = NAS" and "hostname = nas.internal.example.com", it would be displayed as so:

nas (nas.internal.example.com)

This would require some refactoring to handle the hosts as objects and not strings, but would allow for more complex per-host configuration if defined as additional properties via LDAP or another authority.

This might help when dealing with #29 as it suggests a format of what properties of a host would need to be stored

Reload Config File

It would be really cool if Aker could reload the configuration from disk. Right now, if I need to modify the list of hosts, I would need to stop and start the aker.py process (in other words, log out and log back in).

It would be nice if I could just press F5 while at the main Aker menu and have it reload the config from disk.

Error log on closing connection through Aker jumpserver

Hi there, I have got Aker configured and functioning correctly for login to a server (so far tested with localhost, thus connecting to the jumpserver itself). However, on exiting Aker (with 'exit' as root), I get this error report... Does this mean there is something wrong with the configuration, or is it just that I am trying to access the jumpserver itself via Aker? (To be clear, I logged in as root and ran 'python /usr/bin/aker/aker.py'.)

Error report:

  File "/usr/bin/aker/aker.py", line 168, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 130, in build_tui
    self.tui.start()
  File "/usr/bin/aker/tui.py", line 344, in start
    self.loop.run()
  File "/usr/lib/python2.7/dist-packages/urwid/main_loop.py", line 278, in run
    self._run()
  File "/usr/lib/python2.7/dist-packages/urwid/main_loop.py", line 376, in _run
    self.event_loop.run()
  File "/usr/lib/python2.7/dist-packages/urwid/main_loop.py", line 682, in run
    self._loop()
  File "/usr/lib/python2.7/dist-packages/urwid/main_loop.py", line 719, in _loop
    self._watch_files[fd]()
  File "/usr/lib/python2.7/dist-packages/urwid/raw_display.py", line 393, in <lambda>
    event_loop, callback, self.get_available_raw_input())
  File "/usr/lib/python2.7/dist-packages/urwid/raw_display.py", line 493, in parse_input
    callback(processed, processed_codes)
  File "/usr/lib/python2.7/dist-packages/urwid/main_loop.py", line 403, in _update
    self.process_input(keys)
  File "/usr/lib/python2.7/dist-packages/urwid/main_loop.py", line 503, in process_input
    k = self._topmost_widget.keypress(self.screen_size, k)
  File "/usr/lib/python2.7/dist-packages/urwid/wimp.py", line 643, in keypress
    return self._current_widget.keypress(size, key)
  File "/usr/lib/python2.7/dist-packages/urwid/container.py", line 1128, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib/python2.7/dist-packages/urwid/container.py", line 1128, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/bin/aker/tui.py", line 76, in keypress
    self.focus.original_widget.get_caption())
AttributeError: 'NoneType' object has no attribute 'original_widget'

Also...

If I login as another user (etc. admin), I get Aker UI (obviously) and login to jumpserver, I get Aker UI again (still quite obviously because logging to jumpserver even through jumpserver shouldn't make server not to run aker.py automatically), however after exiting I get a little bit different error log:

Traceback (most recent call last):
  File "/usr/bin/aker/aker.py", line 168, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 130, in build_tui
    self.tui.start()
  File "/usr/bin/aker/tui.py", line 344, in start
    self.loop.run()
  File "/usr/lib/python2.7/dist-packages/urwid/main_loop.py", line 278, in run
    self._run()
  File "/usr/lib/python2.7/dist-packages/urwid/main_loop.py", line 376, in _run
    self.event_loop.run()
  File "/usr/lib/python2.7/dist-packages/urwid/main_loop.py", line 682, in run
    self._loop()
  File "/usr/lib/python2.7/dist-packages/urwid/main_loop.py", line 706, in _loop
    ready, w, err = select.select(fds, [], fds)
KeyboardInterrupt
Connection to bastion.seculin.com closed.

I believe this is just because of my interruption and my attempt to login multiple times to same server, right?

Hosts.json not using "name" tag?

Hi @anazmy. I figured a way to implement it to our needs and it works fine.
I have just one small issue. My hosts.json file:

{
    "name":"test.hostname.com",
    "username":"root",
    "hostname":"123.123.123.123",
    "port":"22",
    "key":"~/.ssh/id_rsa",
    "groups":[
        "Test"
    ]
},

But for some reason the "name" isn't working and it only shows the hostname.
Does it use the "hostname" in the /etc/hosts/ file or the DNS record for hostname?
As not all of our servers have a DNS record this might be an issue.

EDIT: code formatting wasn't working with GIT, so pasting it as plain text.

doesn't run out of the box on deb7

I followed your installation instructions

python aker.py 
Traceback (most recent call last):
  File "aker.py", line 137, in <module>
    Aker().build_tui()
  File "aker.py", line 99, in __init__
    self.build_tui()
  File "aker.py", line 105, in build_tui
    self.tui = tui.Window(self)
  File "/home/mex/data/svn/Aker/tui.py", line 43, in __init__
    self.draw()
  File "/home/mex/data/svn/Aker/tui.py", line 96, in draw
    self.hosts_listbox = self.refresh_hosts(self.aker.user.ssh_hosts)
  File "/home/mex/data/svn/Aker/tui.py", line 53, in refresh_hosts
    return urwid.ListBox(urwid.SimpleFocusListWalker(body))
AttributeError: 'module' object has no attribute 'SimpleFocusListWalker'

Still some small errors in readme.md

Hi @anazmy.
Just deployed a new Aker server.

In the readme it says to install redis via yum. But you do this via the pip command? So scrap that I think?
Also, it didn't want to install Paramiko, I was still missing python-devel, libevent-devel, error: command 'gcc' failed with exit status 1.
After installing that it installed Paramiko.

Also, pip doesn't come by default with CentOS 7 minimal, I used curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py" and then python get-pip.py!

[RFE] Add categories or tree-like view in TUI

Hi anazmy,

I've been using this project in our organization now, in 40+ hosts, including routers and switches.
However it's very unclear. Could you implement some kind of category system or sub-folder which we can use in Aker overview?
Thanks!

Configurable Config File

Currently, aker.py expects to find its config file at /etc/aker.ini. I'd like to propose a location that can be specified at runtime, using one or both of the following methods:

  • an environment variable, ANKER_CONFIG_FILE (or similar name) with the path to the config file
  • a command line option, --config-file/-c, the value of which is the path to the config file

My current use case is Docker. Right now, I'm deploying Aker using Docker, and if I need or want to modify the list of hosts, I must either bind mount all of /etc (ew) or rebuild the container (also ew). If I have a configurable location for the Aker config file, I can bind mount a separate config directory and modify the config on my disk and then restart the container.

Custom delta in session replay

Sometimes there are huge gaps when nothing is happening during session replay.
Let's add a new flag --delta or --delay so the user can specify the delay in seconds between steps during akerctl --replay.

Python 3

Would you be against using Python3 for this? Python2 is about to be history.

No module named 'pyhbac'

Hi,
when I tried to run aker.py I got

ModuleNotFoundError: No module named 'pyhbac'

I believe it is some FreeIPA dependency. I would prefer to be independent of FreeIPA since I do not want to use it anyway. It should be only an optional dependency.

[RFE] Implement configuration of authorities

Currently in "aker.py" on line 69:
self.hosts = Hosts(username,gateway_hostgroup)

This will return an object for the FreeIPA integration (Which I will refer to as an authority), which implements a method that will return a list of hostnames.

I suggest a change that would allow multiple authorities to be implemented, and chosen via configuration.

Hosts.py

  • Create a base Authority class that will implement required methods (list_allowed(), etc)
  • Make a new FreeIPA authority that will extend the authority parent class
  • Make a new JSON authority that will act as a flat file configuration of hosts (format to be determined)
  • Create an authority factory that will return an authority class based on string input or configuration

Aker.py

  • On line 69 replace the Hosts object with a factory that will return the correct authority class to be instantiated as a new object
    self.hosts = AuthorityFactory.getAuthority("IPA")(username,gateway_hostgroup)
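
Added example (not part of the issue and not Aker's code): a Python 3 sketch of the proposed base class, a JSON authority and the factory. The file layout with a hypothetical "users" mapping, the hosts_file path and the register() method are assumptions; the FreeIPA authority is left out because it needs ipalib, so "IPA" is not registered here.

```python
import json

class Authority:
    """Base class: every authority answers which hosts a user may reach."""

    def __init__(self, username, gateway_hostgroup):
        self.username = username
        self.gateway_hostgroup = gateway_hostgroup

    def list_allowed(self):
        raise NotImplementedError("authorities must implement list_allowed()")

class JSONAuthority(Authority):
    """Flat-file authority; the file layout is an assumption of this example."""

    hosts_file = "/etc/aker/hosts.json"  # hypothetical location

    def list_allowed(self):
        with open(self.hosts_file) as fh:
            doc = json.load(fh)
        groups = set(doc.get("users", {}).get(self.username, []))
        # Deny by default: unknown users and hosts outside their groups yield nothing.
        return sorted(host["hostname"] for host in doc.get("hosts", [])
                      if groups & set(host.get("groups", [])))

class AuthorityFactory:
    _registry = {"JSON": JSONAuthority}

    @classmethod
    def register(cls, name, authority_cls):
        if not issubclass(authority_cls, Authority):
            raise TypeError("authority classes must extend Authority")
        cls._registry[name.upper()] = authority_cls

    @classmethod
    def getAuthority(cls, name):
        # A misspelled or unregistered name is an error, never a silent fallback.
        try:
            return cls._registry[name.upper()]
        except KeyError:
            raise ValueError("unknown authority: %r" % (name,))

# Constructed sample; host entries reuse the hosts.json fields quoted on this page.
SAMPLE = {
    "users": {"alice": ["Test"]},
    "hosts": [
        {"name": "test.hostname.com", "hostname": "123.123.123.123", "groups": ["Test"]},
        {"name": "db01", "hostname": "10.0.0.5", "groups": ["DBA"]},
    ]}
```

Raising on an unknown authority name keeps a typo in the configuration from silently selecting a different access-control source.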

[RFE] support running commands on multiple servers

The user should be able to mark a group of servers and run the same command on them in a simple way.

Output of the commands should be captured on the user interface with some stats like how long the command took to execute, failing servers, etc.

Packaging Aker

Hi,
Your project seems like a good idea; I can propose to package it for Debian / CentOS.

Best regards.

get Name or service not known

The TUI shows the hosts correctly, but after pressing the "enter" key I get the error below.

  File "/opt/aker/SSHClient.py", line 68, in connect
    self._socket.connect((ip, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.gaierror: [Errno -2] Name or service not known

Is this a DNS issue?

problem

I installed aker but when I ssh in I get this:
[email protected]'s password:
Traceback (most recent call last):
  File "/usr/bin/aker/aker.py", line 168, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 105, in __init__
    config = Configuration(config_file)
  File "/usr/bin/aker/aker.py", line 54, in __init__
    self.log_level = self.configparser.get('General', 'log_level')
  File "/usr/lib/python2.7/dist-packages/backports/configparser/__init__.py", line 792, in get
    d = self._unify_values(section, vars)
  File "/usr/lib/python2.7/dist-packages/backports/configparser/__init__.py", line 1162, in _unify_values
    raise NoSectionError(section)
backports.configparser.NoSectionError: No section: 'General'
Connection to 192.168.1.111 closed.
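
Added example (not part of these issues and not Aker's code): a Python 3 sketch covering the "Configurable Config File" proposal and the traceback above. configparser's read() skips files it cannot open, so a missing or unreadable config only surfaces later as NoSectionError; the loader below reports it at load time. The function names are hypothetical; the option, variable name and default path are the ones given in the issues.

```python
import argparse
import configparser
import os
import tempfile

DEFAULT_CONFIG = "/etc/aker.ini"   # default path named in the issue
ENV_VAR = "ANKER_CONFIG_FILE"      # variable name as proposed in the issue

def resolve_config_path(argv, environ):
    """Precedence: --config-file/-c, then the environment variable, then the default."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("-c", "--config-file")
    args, _ = parser.parse_known_args(argv)
    return args.config_file or environ.get(ENV_VAR) or DEFAULT_CONFIG

def load_config(path, required_sections=("General",)):
    """Load the ini file and fail with a precise message instead of NoSectionError."""
    parser = configparser.ConfigParser()
    # read() returns the list of files it parsed and silently skips unreadable ones.
    if not parser.read(path):
        raise RuntimeError("config file %s is missing or unreadable" % path)
    for section in required_sections:
        if not parser.has_section(section):
            raise RuntimeError("config file %s has no [%s] section" % (path, section))
    return parser

def demo():
    """Constructed sample: a valid file, an absent file, a file without [General]."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "aker.ini")
        with open(good, "w") as fh:
            fh.write("[General]\nlog_level = INFO\n")
        bad = os.path.join(tmp, "nosection.ini")
        with open(bad, "w") as fh:
            fh.write("[supertylerc]\nhosts = 10.0.0.1,22,admin\n")
        results["good"] = load_config(good).get("General", "log_level")
        for name, path in (("missing", os.path.join(tmp, "absent.ini")), ("nosection", bad)):
            try:
                load_config(path)
            except RuntimeError as exc:
                results[name] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

Where aker.py is started automatically for every SSH login, honour the environment variable only if sshd does not pass client-supplied variables into the session (AcceptEnv, PermitUserEnvironment), so the gateway always reads an administrator-controlled config.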

Assume Port 22 for SSH

In the interest of simplifying the aker.ini configuration, I'd like for Aker to assume that the SSH port to use is 22. Example of how the config file could look:

[supertylerc]
hosts = 10.0.0.1,,admin
    192.168.0.1,2222,admin

Above, we would use port 22 to connect to 10.0.0.1 and port 2222 to connect to 192.168.0.1.

I think that this has a few implications, too. First, the default port should be configurable at the General level. Example:

[General]
ssh_port = 2222

[supertylerc]
hosts = 10.0.0.1,,admin
    192.168.0.1,22,admin

Given the above, any host which does not have a more specific SSH port specified should use port 2222. If ssh_port is not set, then Aker should use port 22. Specifically, Aker would use port 2222 to connect to 10.0.0.1 and port 22 to connect to 192.168.0.1.

As can be seen in the examples above, "blank" spots are used to skip a value. This mechanism should preserve the current code splitting on ,.
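
Added example (not part of the issue and not Aker's code): a Python 3 parser for the host,port,user entries shown above that applies the proposed fallback order (per-host port, then ssh_port in [General], then 22) and rejects malformed entries or out-of-range ports. The function names are hypothetical; the two sample configurations are the ones from the issue.

```python
import configparser
import re

FALLBACK_SSH_PORT = 22  # used when [General] sets no ssh_port

def parse_port(raw):
    """Accept only a decimal port in 1..65535."""
    if not re.fullmatch(r"[0-9]{1,5}", raw) or not 1 <= int(raw) <= 65535:
        raise ValueError("invalid SSH port: %r" % (raw,))
    return int(raw)

def user_hosts(ini_text, user):
    """Return [(host, port, login), ...] for one user section."""
    config = configparser.ConfigParser()
    config.read_string(ini_text)
    general = config.get("General", "ssh_port", fallback="").strip()
    default = parse_port(general) if general else FALLBACK_SSH_PORT
    entries = []
    for line in config.get(user, "hosts").splitlines():
        if not line.strip():
            continue
        fields = [field.strip() for field in line.split(",")]
        # Still three comma-separated fields; only the port may be blank.
        if len(fields) != 3 or not fields[0] or not fields[2]:
            raise ValueError("malformed host entry: %r" % (line,))
        host, port, login = fields
        entries.append((host, parse_port(port) if port else default, login))
    return entries

# The two configurations from the issue, reproduced as sample input.
WITHOUT_GENERAL = """\
[supertylerc]
hosts = 10.0.0.1,,admin
    192.168.0.1,2222,admin
"""

WITH_GENERAL = """\
[General]
ssh_port = 2222

[supertylerc]
hosts = 10.0.0.1,,admin
    192.168.0.1,22,admin
"""

if __name__ == "__main__":
    print(user_hosts(WITHOUT_GENERAL, "supertylerc"))
    print(user_hosts(WITH_GENERAL, "supertylerc"))
```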

License?

Hi, any reason why is this licensed under AGPL-3.0 and not just MIT?
