The netconf.server Module

class netconf.server.NetconfMethods

Bases: object

This is an abstract class that is used to document the server methods functionality.

The base server code will return not-implemented if the method is not found in the methods object, so feel free to use duck-typing here (i.e., no need to inherit). Create a class that implements the rpc_* methods you handle and pass that to NetconfSSHServer init.

nc_append_capabilities(capabilities)

This method should append any capabilities it supports to capabilities

Parameters:capabilities (lxml.Element) – The element to append capability elements to.
Returns:None
rpc_close_session(session, rpc, *unused_params)
rpc_copy_config(unused_session, rpc, *unused_params)

XXX API subject to change – unfinished

rpc_delete_config(unused_session, rpc, *unused_params)

XXX API subject to change – unfinished

rpc_edit_config(unused_session, rpc, *unused_params)

XXX API subject to change – unfinished

rpc_get(session, rpc, filter_or_none)

Passed the filter element or None if not present

Parameters:
  • session (NetconfServerSession) – The server session with the client.
  • rpc (lxml.Element) – The topmost element in the received message.
  • filter_or_none (lxml.Element or None) – The filter element if present.
Returns:

lxml.Element of “nc:data” type containing the requested state.
Raises:

error.RPCServerError which will be used to construct an XML error response.
rpc_get_config(session, rpc, source_elm, filter_or_none)

The client has requested the config state (config: true). The function is passed the source element and the filter element or None if not present

Parameters:
  • session (NetconfServerSession) – The server session with the client.
  • rpc (lxml.Element) – The topmost element in the received message.
  • source_elm (lxml.Element) – The source element indicating where the config should be drawn from.
  • filter_or_none (lxml.Element or None) – The filter element if present.
Returns:

lxml.Element of “nc:data” type containing the requested state.
Raises:

error.RPCServerError which will be used to construct an XML error response.
rpc_kill_session(session, rpc, *unused_params)
rpc_lock(session, rpc, target)

Lock the given target datastore.

The server tracks the lock automatically which can be checked using the server is_locked method. This function is called after the lock is granted.

This server code can only verify if a lock has been granted or not, it cannot actually verify all the lock available conditions set forth in RFC6241. If any of the following can be true the user must also check this by implementing this function:

RFC6241:

A lock MUST NOT be granted if any of the following conditions is true:

  • A lock is already held by any NETCONF session or another entity. ** The server checks for other sessions but cannot check if another entity (e.g., CLI) has been granted the lock.
  • The target configuration is <candidate>, it has already been modified, and these changes have not been committed or rolled back. ** The server code cannot check this.
  • The target configuration is <running>, and another NETCONF session has an ongoing confirmed commit (Section 8.4). ** The server code cannot check this.

Implement this method and if the lock should not be granted raise the following error (or anything else appropriate).

raise netconf.error.LockDeniedProtoError(rpc, <session-id-holding-lock>)
Parameters:
  • session (NetconfServerSession) – The server session with the client.
  • rpc (lxml.Element) – The topmost element in the received message.
  • target – The tag name of the target child element indicating which config datastore should be locked.
Returns:

None
Raises:

error.RPCServerError which will be used to construct an XML error response. The lock will be released if an error is raised.
rpc_unlock(session, rpc, target)

Unlock the given target datastore.

If this method raises an error the server code will not release the lock.

Parameters:
  • session (NetconfServerSession) – The server session with the client.
  • rpc (lxml.Element or None) – The topmost element in the received message or None if the session is being closed and this is notification of lock release. In this latter case any exception raised will be ignored.
  • target – The tag name of the target child element indicating which config datastore should be locked.
Returns:

None
Raises:

error.RPCServerError which will be used to construct an XML error response. The lock will be not be released if an error is raised.
class netconf.server.NetconfSSHServer(server_ctl=None, server_methods=None, port=830, host_key=None, debug=False)

Bases: sshutil.server.SSHServer

A netconf server.

Parameters:
  • server_ctl (ssh.ServerInterface) – The object used for authenticating connections to the server.
  • server_methods – An object which implements servers the rpc_* methods.
  • port – The port to bind the server to.
  • host_key – The file containing the host key.
  • debug – True to enable debug logging.
is_target_locked(target)

Returns the sesions ID who owns the lock or 0 if not locked.

lock_target(session, target)

Try to obtain target lock. Return 0 on success or the session ID of the lock holder.

unlock_target(session, target)

Unlock the given target.

unlock_target_any(session)

Unlock any targets locked by this session.

Returns list of targets that this session had locked.

class netconf.server.NetconfServerSession(channel, server, unused_extra_args, debug)

Bases: netconf.base.NetconfSession

Netconf Server-side session with a client.

This object will be passed to a the server RPC methods.

close()

Close the servers side of the session.

handled_rpc_methods = {'close-session', 'kill-session', 'lock', 'unlock'}
netconf.server.SSHAuthController

alias of netconf.server.SSHAuthorizedKeysController

class netconf.server.SSHAuthorizedKeysController(users=None)

Bases: paramiko.server.ServerInterface

An implementation of paramiko ServerInterface that utilizes users authorized keys file for authentication.

Parameters:users – A list of usernames whose authorized keys will allow access.
check_auth_none(unused_username)

Determine if a client may open channels with no (further) authentication.

Return AUTH_FAILED if the client must authenticate, or AUTH_SUCCESSFUL if it’s okay for the client to not authenticate.

The default implementation always returns AUTH_FAILED.

Parameters:username (str) – the username of the client.
Returns:AUTH_FAILED if the authentication fails; AUTH_SUCCESSFUL if it succeeds.
Return type:int
check_auth_password(username, password)

Determine if a given username and password supplied by the client is acceptable for use in authentication.

Return AUTH_FAILED if the password is not accepted, AUTH_SUCCESSFUL if the password is accepted and completes the authentication, or AUTH_PARTIALLY_SUCCESSFUL if your authentication is stateful, and this key is accepted for authentication, but more authentication is required. (In this latter case, get_allowed_auths will be called to report to the client what options it has for continuing the authentication.)

The default implementation always returns AUTH_FAILED.

Parameters:
  • username (str) – the username of the authenticating client.
  • password (str) – the password given by the client.
Returns:

AUTH_FAILED if the authentication fails; AUTH_SUCCESSFUL if it succeeds; AUTH_PARTIALLY_SUCCESSFUL if the password auth is successful, but authentication must continue.
Return type:

int
check_auth_publickey(username, key)

Determine if a given key supplied by the client is acceptable for use in authentication. You should override this method in server mode to check the username and key and decide if you would accept a signature made using this key.

Return AUTH_FAILED if the key is not accepted, AUTH_SUCCESSFUL if the key is accepted and completes the authentication, or AUTH_PARTIALLY_SUCCESSFUL if your authentication is stateful, and this password is accepted for authentication, but more authentication is required. (In this latter case, get_allowed_auths will be called to report to the client what options it has for continuing the authentication.)

Note that you don’t have to actually verify any key signtature here. If you’re willing to accept the key, Paramiko will do the work of verifying the client’s signature.

The default implementation always returns AUTH_FAILED.

Parameters:
  • username (str) – the username of the authenticating client
  • key (PKey) – the key object provided by the client
Returns:

AUTH_FAILED if the client can’t authenticate with this key; AUTH_SUCCESSFUL if it can; AUTH_PARTIALLY_SUCCESSFUL if it can authenticate with this key but must continue with authentication
Return type:

int
check_channel_request(kind, chanid)

Determine if a channel request of a given type will be granted, and return OPEN_SUCCEEDED or an error code. This method is called in server mode when the client requests a channel, after authentication is complete.

If you allow channel requests (and an ssh server that didn’t would be useless), you should also override some of the channel request methods below, which are used to determine which services will be allowed on a given channel:

  • check_channel_pty_request
  • check_channel_shell_request
  • check_channel_subsystem_request
  • check_channel_window_change_request
  • check_channel_x11_request
  • check_channel_forward_agent_request

The chanid parameter is a small number that uniquely identifies the channel within a .Transport. A .Channel object is not created unless this method returns OPEN_SUCCEEDED – once a .Channel object is created, you can call .Channel.get_id to retrieve the channel ID.

The return value should either be OPEN_SUCCEEDED (or 0) to allow the channel request, or one of the following error codes to reject it:

  • OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
  • OPEN_FAILED_CONNECT_FAILED
  • OPEN_FAILED_UNKNOWN_CHANNEL_TYPE
  • OPEN_FAILED_RESOURCE_SHORTAGE

The default implementation always returns OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED.

Parameters:
  • kind (str) – the kind of channel the client would like to open (usually "session").
  • chanid (int) – ID of the channel
Returns:

an int success or failure code (listed above)
check_channel_subsystem_request(channel, name)

Determine if a requested subsystem will be provided to the client on the given channel. If this method returns True, all future I/O through this channel will be assumed to be connected to the requested subsystem. An example of a subsystem is sftp.

The default implementation checks for a subsystem handler assigned via .Transport.set_subsystem_handler. If one has been set, the handler is invoked and this method returns True. Otherwise it returns False.

Note

Because the default implementation uses the .Transport to identify valid subsystems, you probably won’t need to override this method.

Parameters:
  • channel (Channel) – the .Channel the pty request arrived on.
  • name (str) – name of the requested subsystem.
Returns:

True if this channel is now hooked up to the requested subsystem; False if that subsystem can’t or won’t be provided.
get_allowed_auths(username)

Return a list of authentication methods supported by the server. This list is sent to clients attempting to authenticate, to inform them of authentication methods that might be successful.

The “list” is actually a string of comma-separated names of types of authentication. Possible values are "password", "publickey", and "none".

The default implementation always returns "password".

Parameters:username (str) – the username requesting authentication.
Returns:a comma-separated str of authentication types
get_user_auth_keys(username)

Parse the users’s authorized_keys file if any to look for authorized keys

class netconf.server.SSHUserPassController(username=None, password=None)

Bases: paramiko.server.ServerInterface

An implementation of paramiko ServerInterface that authorizes a single user and password.

Parameters:
  • username – The username to allow.
  • password – The password to allow.
check_auth_none(username)

Determine if a client may open channels with no (further) authentication.

Return AUTH_FAILED if the client must authenticate, or AUTH_SUCCESSFUL if it’s okay for the client to not authenticate.

The default implementation always returns AUTH_FAILED.

Parameters:username (str) – the username of the client.
Returns:AUTH_FAILED if the authentication fails; AUTH_SUCCESSFUL if it succeeds.
Return type:int
check_auth_password(username, password)

Determine if a given username and password supplied by the client is acceptable for use in authentication.

Return AUTH_FAILED if the password is not accepted, AUTH_SUCCESSFUL if the password is accepted and completes the authentication, or AUTH_PARTIALLY_SUCCESSFUL if your authentication is stateful, and this key is accepted for authentication, but more authentication is required. (In this latter case, get_allowed_auths will be called to report to the client what options it has for continuing the authentication.)

The default implementation always returns AUTH_FAILED.

Parameters:
  • username (str) – the username of the authenticating client.
  • password (str) – the password given by the client.
Returns:

AUTH_FAILED if the authentication fails; AUTH_SUCCESSFUL if it succeeds; AUTH_PARTIALLY_SUCCESSFUL if the password auth is successful, but authentication must continue.
Return type:

int
check_channel_request(kind, chanid)

Determine if a channel request of a given type will be granted, and return OPEN_SUCCEEDED or an error code. This method is called in server mode when the client requests a channel, after authentication is complete.

If you allow channel requests (and an ssh server that didn’t would be useless), you should also override some of the channel request methods below, which are used to determine which services will be allowed on a given channel:

  • check_channel_pty_request
  • check_channel_shell_request
  • check_channel_subsystem_request
  • check_channel_window_change_request
  • check_channel_x11_request
  • check_channel_forward_agent_request

The chanid parameter is a small number that uniquely identifies the channel within a .Transport. A .Channel object is not created unless this method returns OPEN_SUCCEEDED – once a .Channel object is created, you can call .Channel.get_id to retrieve the channel ID.

The return value should either be OPEN_SUCCEEDED (or 0) to allow the channel request, or one of the following error codes to reject it:

  • OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
  • OPEN_FAILED_CONNECT_FAILED
  • OPEN_FAILED_UNKNOWN_CHANNEL_TYPE
  • OPEN_FAILED_RESOURCE_SHORTAGE

The default implementation always returns OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED.

Parameters:
  • kind (str) – the kind of channel the client would like to open (usually "session").
  • chanid (int) – ID of the channel
Returns:

an int success or failure code (listed above)
check_channel_subsystem_request(channel, name)

Determine if a requested subsystem will be provided to the client on the given channel. If this method returns True, all future I/O through this channel will be assumed to be connected to the requested subsystem. An example of a subsystem is sftp.

The default implementation checks for a subsystem handler assigned via .Transport.set_subsystem_handler. If one has been set, the handler is invoked and this method returns True. Otherwise it returns False.

Note

Because the default implementation uses the .Transport to identify valid subsystems, you probably won’t need to override this method.

Parameters:
  • channel (Channel) – the .Channel the pty request arrived on.
  • name (str) – name of the requested subsystem.
Returns:

True if this channel is now hooked up to the requested subsystem; False if that subsystem can’t or won’t be provided.
get_allowed_auths(username)

Return a list of authentication methods supported by the server. This list is sent to clients attempting to authenticate, to inform them of authentication methods that might be successful.

The “list” is actually a string of comma-separated names of types of authentication. Possible values are "password", "publickey", and "none".

The default implementation always returns "password".

Parameters:username (str) – the username requesting authentication.
Returns:a comma-separated str of authentication types