using Python for a lot of stuff, and I was pretty, you know, narrowly focused when I was writing this talk. I assumed everybody would know some of the stuff that I'm speaking about, or would know the concepts behind some of the stuff I'm speaking about. I'm not quite sure if that is true anymore, but I'm sorry if I'm making assumptions; I guess I should have thought about it earlier. Anyways, let me start.

So we're talking about Paramiko; this talk is about Paramiko. Paramiko is a Python module that lets you do SSH stuff. SSH is Secure Shell. Everyone knows what SSH is? Yeah, pretty much everyone, so this should be pretty straightforward. So it lets you do SSH stuff in Python. It's an implementation... okay, there is something wrong with this, I'm sorry, I'll just resize it. Oops, no. Sorry, I hate this. Yeah, okay, so I'm just going to resize this. That's good.

Yeah, so it's a Python implementation of the SSH v2 protocol, and it provides the capabilities to create both clients and servers using Python. The good thing about Paramiko is it is completely Python, although for the encryption, for the crypto stuff, it uses PyCrypto, which is a C library, I mean it is a C extension, but Paramiko itself is pure Python. The website, the source code and the docs are there; we'll probably upload the slides sometime.

So let's get started. What can you do with Paramiko? You can create SSH clients, and this is a pretty simple thing. Like most well-designed Python modules, and this one in my opinion is very well designed, the API, the interaction, is very simple; the author tried to keep it very simple. And it is quite a mature module, so it's not something that has just been around for a few months; this has been around for a while, and the interface is pretty nice.

So how do you create an SSH client? You import Paramiko and you create an SSHClient object. One of the things that you'll have to do is set a missing host key policy.

What is this? If you've ever used SSH from a terminal to log in to a box, the first thing that you see if you log in to an unknown box is a message asking whether you would like to connect: are you sure you want to connect to that box, because that box is not trusted; your box does not know the identity of that box, so it warns you. The same thing happens with Paramiko, but the default policy is to reject any connection, any box that you're connecting to, if its host key is unknown. So the default policy is to reject; it will just throw an exception. Instead you probably want to have an auto-add policy, which will automatically add the key to your known hosts, or you have a warning policy.

You can connect using username and password, you can connect using a key file, you can look for keys in your home directory, wherever you store them, or you can connect using your SSH agent. Does anyone know what SSH agent is? Anybody? Yeah, so okay, it's not important. SSH agent is an agent that keeps running in the background; you can submit your keys to the agent, and it would handle the authentication on behalf of you, so that you don't have to keep typing out your passwords every single time you connect to a remote box over SSH. So it's as simple as: you create, you connect, and you execute a command. When you execute a command, your standard output and standard error are all available. And that's how you create an SSH client.

So what else can you do with Paramiko? You can create SFTP clients. SFTP is a protocol pretty much like FTP, for file transfer; the only difference is it runs on top of SSH, so it's secure. Same thing here: you create an SSH client, you set the policy, you connect, and here you open an FTP connection and you can run regular SFTP commands.

So what else can you do with Paramiko? You can create an SSH channel, a transport and a server, and optionally a subsystem.
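The policy choice above is what decides whether a man-in-the-middle can hand your client its own host key on first contact: an auto-add policy accepts whatever key the server presents, so a practitioner normally pairs load_host_keys() or load_system_host_keys() with the default reject policy, or pins the expected key. The following is an added example, not code from the talk or from the Paramiko project: it reimplements the known_hosts lookup in plain Python (including OpenSSH's hashed-host entries) so it runs without Paramiko installed, and wraps it in a policy object with the missing_host_key(client, hostname, key) method that SSHClient.set_missing_host_key_policy() calls. The known_hosts content and key blobs are constructed placeholders, PresentedKey is a stand-in for the PKey object Paramiko passes in, and the host and user in the main block are hypothetical.

```python
import base64
import fnmatch
import hashlib
import hmac


class HostKeyRejected(Exception):
    """Host key unknown, or different from the pinned one (possible MITM or rekeyed host)."""


class PresentedKey:
    """Constructed stand-in for the paramiko.PKey Paramiko hands to the policy;
    only get_name() (e.g. "ssh-ed25519") and get_base64() are used here."""

    def __init__(self, name, b64):
        self._name, self._b64 = name, b64

    def get_name(self):
        return self._name

    def get_base64(self):
        return self._b64


def hashed_host_entry(hostname, salt):
    """OpenSSH hashed-host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode("ascii"),
                             base64.b64encode(mac).decode("ascii"))


def host_pattern_matches(pattern, hostname):
    """Match one comma-separated host pattern from a known_hosts line against a hostname."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        actual = hmac.new(base64.b64decode(salt_b64), hostname.encode("utf-8"),
                          hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(mac_b64), actual)
    if "*" in pattern or "?" in pattern:
        return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())
    return pattern.lower() == hostname.lower()      # exact form, including "[host]:port"


def lookup_host_keys(known_hosts_text, hostname):
    """{key_type: base64_blob} for every line whose host field matches hostname.
    Marker lines (@cert-authority, @revoked) and negated patterns are not handled here."""
    found = {}
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, key_type, key_b64 = fields[0], fields[1], fields[2]
        if any(host_pattern_matches(p, hostname) for p in hosts.split(",")):
            found[key_type] = key_b64
    return found


def verify_host_key(known_hosts_text, hostname, key_type, key_b64):
    """'match' if exactly this key is pinned for the host, 'mismatch' if a different key of
    the same type is pinned (investigate before connecting), 'unknown' otherwise."""
    known = lookup_host_keys(known_hosts_text, hostname)
    if key_type not in known:
        return "unknown"
    if hmac.compare_digest(known[key_type].encode("ascii"), key_b64.encode("ascii")):
        return "match"
    return "mismatch"


class PinnedHostKeyPolicy:
    """Object for paramiko.SSHClient.set_missing_host_key_policy(). Paramiko calls
    missing_host_key(client, hostname, key) with the hostname as given, or "[host]:port"
    for a non-22 port; returning normally accepts the key, raising aborts the connection.
    Only the method is required, so this runs without Paramiko (subclassing
    paramiko.MissingHostKeyPolicy is the documented equivalent)."""

    def __init__(self, known_hosts_text):
        self.known_hosts_text = known_hosts_text

    def missing_host_key(self, client, hostname, key):
        verdict = verify_host_key(self.known_hosts_text, hostname,
                                  key.get_name(), key.get_base64())
        if verdict != "match":
            raise HostKeyRejected("{} host key for {} ({})".format(verdict, hostname, key.get_name()))


def policy_accepts(policy, hostname, key):
    """True if the policy lets the connection proceed, False if it rejects it."""
    try:
        policy.missing_host_key(None, hostname, key)
        return True
    except HostKeyRejected:
        return False


# Constructed known_hosts content; the key blobs are placeholders, not real key material.
FAKE_ED25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBASTIONKEYNOTREAL00000000000000000"
FAKE_ED25519_DB = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEDBKEYNOTREAL0000000000000000000000"
FAKE_ED25519_MITM = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEATTACKERKEYNOTREAL0000000000000000"
FAKE_RSA = "AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEBUILDKEYNOTREAL"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "bastion.example.net,10.0.0.5 ssh-ed25519 " + FAKE_ED25519,
    "[build.example.net]:8022 ssh-rsa " + FAKE_RSA,
    hashed_host_entry("db.example.net", b"constructed-salt-123") + " ssh-ed25519 " + FAKE_ED25519_DB,
])

if __name__ == "__main__":
    import paramiko  # only the live client needs it; the checks above run without it
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(PinnedHostKeyPolicy(SAMPLE_KNOWN_HOSTS))
    client.connect("bastion.example.net", username="deploy")   # hypothetical host and user
    print(client.exec_command("uname -a")[1].read().decode())
    client.close()
```

The three verdicts matter for operations: "unknown" is the first-contact case that an auto-add policy would silently accept, and "mismatch" is the one that should page someone, since it is what an interception or an unannounced host rekey looks like from the client.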
Now what are all of these? All of these are standard SSH names for components that are involved in SSH communication; this is not Paramiko-specific. All of these constitute a server. A channel is a tunnel. SSH is unique, I mean not unique, but SSH is a nice protocol where the security, the encryption, is separated out from the actual communication that is happening between the two systems. What that means is with SSH you can set up a secure communication layer, and then over that you can talk anything: you could talk HTTP, you could talk FTP, you could talk any sort of protocol. So SSH creates tunnels for you over which you can speak any protocol. Now each of these, in SSH terminology, is referred to as a channel, so it's a secure tunnel across an SSH transport. A channel is meant to behave like a socket, and the API of a channel is indistinguishable from a regular Unix socket.

A transport is the meat of the entire protocol, the entire implementation. This usually creates... the transport attaches to a stream, negotiates an encrypted session, authenticates and creates stream tunnels, so this is where most of the magic is happening. And the server: this implements the server-side interface of SSH; we'll take a look at what that means. Usually this is doing the actual authentication, doing or setting up policies for whether channels can be created or not. And lastly there is the subsystem, and a subsystem is just about anything, as long as your client and server agree that this is what I'm going to call a certain, let's say, command. Let's say you've got some command that, for instance, fires up backups, or starts some sort of service. As long as your client and server agree that this is what we are going to call it, you can use the encryption provided by SSH and just tell SSH that this is the subsystem I would like to use, and I'd like to use this command as a subsystem.

So a subsystem is anything that you define within your configuration or within your implementation. Most SSH servers come with a built-in subsystem called SFTP, which lets you do file transfers.

Okay, so how do you create a server? You start with a channel. I mentioned that of all the things that go into creating a server, the first of them was the channel. A channel, like I said, is a socket, it's a regular Unix socket, so just use a socket. There is nothing strange, nothing Paramiko-specific about this entire code; if you've done network programming, this is all standard. Then you just pass the channel, or the socket, to a transport, add your key (this is your host key) to it, and your transport is ready. It's as easy as that. And now you can tie in your service: you create a server and run the start_server method. You say transport.start_server and pass the server as an argument, and that starts up the server that you want to run.

Now I said this is all simple. You saw the code of what it takes to create a channel; it is just a regular socket. Let's look at how we create a server... oh, I'm sorry, so besides the server you can also create a subsystem. It's the same thing: to your transport you say that for this name, add this class to handle any connections, so transport.set_subsystem_handler with my whatever, and you start the server. So I don't know if I'm going too quick, if a lot of people really get what I'm saying, but my assumption was people knew SSH by itself. But anyways.

So this is what a server class looks like. A server class, all that it has to do is implement the server interface, and most of the functions within the server class return booleans. So for example check_auth_password: you pass it a username and password and you do whatever you want to over here; if it is successful, if you have validated, you just say AUTH_SUCCESSFUL or AUTH_FAILED, and most of the implementation within the Paramiko server interface is like this. So again, if a user passes a pubkey, you do what: successful, okay. And if a channel request comes in, depending on the type of the channel that is requested, you can either allow it or disallow it. So if you look through the documentation or the code of paramiko.ServerInterface, it is pretty much up to you how you define the implementation; these are the things that will eventually get called while creating the interface.

No, so this is any user, any password. So this is an actual server, as in this is not running over OpenSSH; OpenSSH is a different implementation of the same protocol. Paramiko by itself is a standalone SSH implementation. So what you can do is, if let's say you want to, in your server, not use generic username/passwords, or you want to enforce some extra rule, you want to check whether the username contains a certain thing, or you want to check against your LDAP database or some other database, you can do that here. You can write the code for it here, and if you think that's a valid user, return AUTH_SUCCESSFUL. The SSH client on the other end, irrespective of which SSH client the user is using, is talking the same protocol and gets the correct answer. You don't have to construct... right, exactly, yeah, as it stands right now you'd be allowed. I'll be showing you, in fact that's exactly what I intend on showing, I'll be showing you an example of this.

So here I'm just building up the server, the subsystem class. It's pretty much similar, in the sense, I'm sorry, it's not similar, but it has a well-defined interface as well, paramiko.SFTPServerInterface, and these are the two methods that you will have to implement: start_subsystem and finish_subsystem. The rest is all up to you; what you do once a subsystem has been created is really up to you. Your channel is ready, you don't have to do any
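The check_auth_password and check_channel_request methods just described are where a Paramiko server decides who gets in and what they may open, and the demo's "any user, any password" version is exactly what must not be left in a deployed server. The following is an added example, not code from the talk or the Paramiko project: the socket, Transport, add_server_key, set_subsystem_handler and start_server wiring described above, around a ServerInterface that checks salted PBKDF2 password hashes with a constant-time compare, counts failures per connection, and allows only "session" channels (so no port forwarding). The AUTH_* and OPEN_* names are Paramiko's; the values in the except branch are an assumption that lets the decision logic run where Paramiko is not installed, and the credential store, demo user and host-key path are constructed placeholders.

```python
import hashlib
import hmac
import os
import socket
import sys
import threading

try:
    import paramiko
    from paramiko import (AUTH_FAILED, AUTH_SUCCESSFUL, OPEN_SUCCEEDED,
                          OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED, ServerInterface)
except ImportError:
    # Assumption: these are the values paramiko.common defines; they let the
    # decision logic below run (and be tested) where Paramiko is not installed.
    paramiko = None
    ServerInterface = object
    AUTH_SUCCESSFUL, AUTH_FAILED = 0, 2
    OPEN_SUCCEEDED, OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED = 0, 1

PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 3      # per connection; after this every further attempt fails


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Credentials:
    """Constructed credential store, username -> (salt, digest). The LDAP or database
    lookup the talk mentions would sit behind the same verify() call."""

    def __init__(self, users):
        self._users = {user: hash_password(pw) for user, pw in users.items()}
        # Dummy record so an unknown user costs the same PBKDF2 work as a real one
        # (no username enumeration through response time).
        self._dummy = hash_password(os.urandom(8).hex())

    def verify(self, username, password):
        salt, expected = self._users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        return username in self._users and hmac.compare_digest(expected, actual)


class AuditedServer(ServerInterface):
    """paramiko.ServerInterface: the Transport calls these from its own thread and
    acts on the AUTH_* / OPEN_* constants they return."""

    def __init__(self, credentials, peer):
        self.credentials, self.peer = credentials, peer
        self.failures, self.username = 0, None

    def get_allowed_auths(self, username):
        return "password"                      # advertise only what is actually checked

    def check_auth_password(self, username, password):
        if self.failures >= MAX_FAILURES:
            return AUTH_FAILED                 # locked for the rest of this connection
        if self.credentials.verify(username, password):
            self.username = username           # subsystem handlers can read this later
            return AUTH_SUCCESSFUL
        self.failures += 1
        print("auth failure {} for {!r} from {}".format(self.failures, username, self.peer),
              file=sys.stderr)
        return AUTH_FAILED

    def check_auth_publickey(self, username, key):
        return AUTH_FAILED                     # explicit: no key auth on this server

    def check_channel_request(self, kind, chanid):
        # Plain sessions only; direct-tcpip / forwarded-tcpip (port forwarding) are refused.
        return OPEN_SUCCEEDED if kind == "session" else OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED


def handle_connection(client_sock, peer, host_key, credentials, subsystems):
    """Wiring from the talk: socket -> Transport -> host key -> subsystem handlers -> start_server."""
    transport = paramiko.Transport(client_sock)
    transport.add_server_key(host_key)
    for name, handler_cls, extra in subsystems:   # e.g. ("sftp", paramiko.SFTPServer, (MyInterface,))
        transport.set_subsystem_handler(name, handler_cls, *extra)
    transport.start_server(server=AuditedServer(credentials, peer))
    if transport.accept(20) is None:      # no session channel within 20 s: drop the client
        transport.close()
    transport.join()                      # Transport is a Thread; returns when the session ends


def serve(bind, port, host_key_path, credentials, subsystems=()):
    """Listening loop; each connection gets its own Transport thread."""
    host_key = paramiko.RSAKey.from_private_key_file(host_key_path)  # persistent key, so clients can pin it
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind, port))
    listener.listen(16)
    while True:
        client_sock, peer = listener.accept()
        threading.Thread(target=handle_connection, daemon=True,
                         args=(client_sock, peer, host_key, credentials, list(subsystems))).start()


if __name__ == "__main__":
    # python server.py /path/to/host_key   (placeholder path; generate with ssh-keygen -t rsa -f host_key)
    serve("127.0.0.1", 8022, sys.argv[1], Credentials({"demo": "constructed-demo-password"}))
```

Two things in the server are easy to get wrong and worth checking in any Paramiko ServerInterface: every check_* method not overridden keeps Paramiko's default (which for check_channel_request and the auth checks is a refusal, so overriding only what you need is safe), and the decision is per Transport, so the failure counter here resets with each new TCP connection; a network-level rate limit belongs in front of it.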
encryption, you don't have to worry about implementing the algorithms, you don't have to worry about what happens if the connection loses or whatever; all that is handled by Paramiko. This is the only thing that you have to worry about.

So before I go to the code I'll give you an example of why you might need this, why I found this interesting. I work for a company called Accellion. They provide file sharing services for enterprises. The easiest way to say it, although my superiors would hate me saying this, is it is Dropbox for enterprises. We provide a lot of enterprisey features, but a service like Dropbox for enterprises. So you can upload your files and share them across the organization, you can put rules about who can see them, who can download them, and stuff like that. It gives you a nice activity list of what happened to your file: who saw it, how many times was it downloaded, who downloaded it; all that activity log is maintained. You can tie it up with your existing enterprise authentication system, so if you've got an internal LDAP server or Active Directory server you can tie it up with that. So all of this is pretty much more than what Dropbox provides.

One of the things that we did also was we allow this file system that we store to be accessed using an SFTP console, because some of our customers wanted the ability to script uploading and downloading files. And the thing is, in the back end we are not actually storing files just as they are, because there is a lot of metadata, so the representation is not an actual file system; it's not the same as the user would see in their workspace. Just like Dropbox: when you upload a file to Dropbox it's not stored in exactly the same manner that you see it; the folders are not there, because it comes with a lot of extra metadata. So what we did was we created an SFTP server and tied that up to our back end. The earlier version of the product did the same thing, but those poor guys had to implement the entire SFTP protocol. With Paramiko we churned this out in a matter of a week or so, and the basic implementation was all done, clean and ready for testing, within a very short while. So that was my motivation for exploring Paramiko.

Okay, I'm sorry, did anyone have a question? I work for a company called Accellion, yeah, A, double C, E, double L, I, O, N. They are not consumer facing; they just sell to enterprises. So like I said, that was our motivation. For this talk I wanted to give you a feel of what that is like and show you how easy that is, so I've implemented the same thing, or at least one command, for Dropbox, so you can SFTP into your Dropbox. I'll give you an example. Oops. So okay, is that good? Okay, so let me split up this terminal into two. Okay, so first I'll show you the code, then we can try it out.

Here it is. So this is my entire server, that's it, this is my entire server. I define what host, what port; I define a key file for my server; I create a socket. Of course, I've retained what I put in the slides, so obviously there's no error checking; this is a single-threaded server, so it's very simplistic, but the essential idea is here: you create a socket, this is your channel; you add the host key; you create the transport; you set the subsystem handler; you set the stub server; and you start it. As connections come in you accept and start your session. The transport will ensure that when your connection has started up, your start server would be called.

Let's look at the stub server. A whole bunch of imports; this is where I import Dropbox, the Dropbox API client, the Python API client for Dropbox. And like I've done here, I've allowed all access, so anyone can log in: give any username, any password, you will always be successful in logging in, and every time you request for a channel to be opened you'll always be allowed. This is the actual service, so here I just initialize the SFTPServerInterface; I just let paramiko.SFTPServer do whatever initializations it has to do, and for my Dropbox account, the token used to access my Dropbox account, I initialize that, and that's it. This is the list folder. I'll give you an example now.

So let's start up the server. It started up. I should have put some logging messages, but yeah. So I'll connect to the server; I'm running the server on port 8022, and as you see here, as soon as I connect it tries to authenticate; authentication is rejected because I did not pass any password. This is all handled by Paramiko, okay. And I give any password, it authenticates me and gives me my SFTP prompt. I do ls and it... oh sorry, there's the failure, because I'm not connected to the net, so I can't access my Dropbox folders, so obviously I can't connect to it. So yeah, can we... this one, okay, we are connected, so let's try this again. And for some reason it's taking too long, but that's my Dropbox folder. So over SFTP I have connected to Dropbox and I've listed my own folders. I can do the same thing with any service that provides a file-system-like interface: Google Drive, S3; you just have to tie up your backends and you can SFTP into all of these services.

Now why would you do that? Because first of all, probably your clients want them, probably they are tools, it's scripted, and it's SSH: I mean it's a trusted encryption, it's a trusted transport, it's well known, and you don't have to download a specific kind of client; your customers can use whatever is on their box. Most SSH installations, I mean not most, all SSH installations, come with an SFTP client, so that's what you can do, and it's pretty simple. I know it might seem a bit complicated, but it's not.

Here are some references. This is a very good starting point for creating or using SFTP, not SFTP itself, for using Paramiko: the demos inside the Paramiko source tree are very good. Unfortunately, online all that you find is how to use Paramiko as a client to connect to SSH servers;
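The SFTP server interface in the demo above maps client paths onto a backend API (the talk's Dropbox account); the check a practitioner wants in that mapping is that a ".." in a client-supplied path can never reach outside the authenticated user's workspace, which is the classic failure mode of custom SFTP servers over a virtual file system. The following is an added example, not the talk's or Paramiko's code: a paramiko.SFTPServerInterface over a constructed in-memory tree standing in for the backend, with canonicalize, list_folder and stat confining every path to the owner's root, and open refusing writes and reads since, like the demo, it exposes listing only. It assumes the session's ServerInterface object carries the authenticated username in a `username` attribute (Paramiko passes that object as the first constructor argument); SessionStub is a constructed stand-in for it, and the constants and SFTPAttributes stand-in in the except branch are an assumption that lets the path logic run without Paramiko.

```python
import posixpath
import stat
import time

try:
    from paramiko import (SFTP_NO_SUCH_FILE, SFTP_PERMISSION_DENIED, SFTPAttributes,
                          SFTPServerInterface)
except ImportError:
    # Assumption: the values below are the ones paramiko.sftp defines; with the
    # minimal SFTPAttributes stand-in they let the path logic run without Paramiko.
    SFTPServerInterface = object
    SFTP_NO_SUCH_FILE, SFTP_PERMISSION_DENIED = 2, 3

    class SFTPAttributes:
        def __init__(self):
            self.filename = self.st_size = self.st_mode = self.st_atime = self.st_mtime = None

# Constructed stand-in for a backend API such as the talk's Dropbox client: one virtual
# tree per workspace owner, where dicts are folders and bytes are file contents.
WORKSPACES = {
    "alice": {"reports": {"q1.pdf": b"%PDF-1.4 constructed", "notes.txt": b"hello"},
              "readme.md": b"# alice's workspace"},
    "bob": {"secret.txt": b"bob only"},
}


class SessionStub:
    """Constructed stand-in for the ServerInterface object Paramiko passes to the
    SFTP interface; only the username attribute is read."""

    def __init__(self, username):
        self.username = username


def confine(client_path):
    """Absolute POSIX path inside the workspace. Anchoring at '/' before normpath collapses
    '.', '..' and repeated slashes, and '..' can never climb above the root."""
    return posixpath.normpath("/" + client_path.lstrip("/"))


def resolve(owner, client_path):
    """Walk the owner's tree; returns a dict (folder), bytes (file) or None (missing)."""
    node = WORKSPACES.get(owner)
    for part in confine(client_path).strip("/").split("/"):
        if part == "":
            continue
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def attrs_for(name, node):
    """SFTPAttributes for a tree node; st_mode is how the client tells folder from file."""
    attrs = SFTPAttributes()
    attrs.filename = name
    if isinstance(node, dict):
        attrs.st_mode, attrs.st_size = stat.S_IFDIR | 0o755, 0
    else:
        attrs.st_mode, attrs.st_size = stat.S_IFREG | 0o644, len(node)
    attrs.st_atime = attrs.st_mtime = int(time.time())
    return attrs


class WorkspaceSFTPServer(SFTPServerInterface):
    """paramiko.SFTPServerInterface over the virtual tree. Paramiko constructs it as
    SFTPServerInterface(server, ...) with the session's ServerInterface, which is where
    the authenticated owner comes from (the base __init__ stores nothing itself)."""

    def __init__(self, server, *largs, **kwargs):
        self.owner = getattr(server, "username", None)

    def canonicalize(self, path):
        return confine(path)

    def list_folder(self, path):
        node = resolve(self.owner, path)
        if not isinstance(node, dict):
            return SFTP_NO_SUCH_FILE           # missing, or a file: nothing to list
        return [attrs_for(name, child) for name, child in sorted(node.items())]

    def stat(self, path):
        node = resolve(self.owner, path)
        if node is None:
            return SFTP_NO_SUCH_FILE
        return attrs_for(posixpath.basename(confine(path)) or "/", node)

    lstat = stat

    def open(self, path, flags, attr):
        return SFTP_PERMISSION_DENIED          # listing only in this example, as in the demo
```

It is wired in the same way as the demo's stub server: transport.set_subsystem_handler("sftp", paramiko.SFTPServer, WorkspaceSFTPServer) before transport.start_server(). Every method returns either an SFTPAttributes (or a list of them) or one of Paramiko's SFTP_* error codes, and because canonicalize is routed through the same confine() as the lookups, a client that sends "/../../bob" is told its path is "/bob" inside its own workspace rather than given a peek at someone else's.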
there are very, very few, in fact I think I can count only two or three instances where they talk about creating a server, and that too they don't go into too much detail. But the demos and the test folder in the Paramiko source tree have got quite a bit. And yeah, the other thing that I should mention is the API docs and the source code are very readable. Paramiko, if you know basic Python, you can go through the implementation, you can understand it, as long as you understand the concept of a transport, a channel; it's pretty much readable code. So well, that's all, hope that made sense. Yeah, thanks. Thank you.

Okay, I just have to say this: I hate doing slides, and I found this really neat tool called pie down which let me create these slides. It is a way to write markdown files and turn them into presentations, so anyone who wants to create presentations... okay, yes, sure, sure, sure, I'll do that. I should have... any questions?

So the thing is, yeah, no, so yes, the crypto algorithms are all implemented with PyCrypto, and PyCrypto is up to date with a lot of security. So Paramiko has got a neat division between the crypto implementations, or the crypto handling of stuff, and the protocol stuff. So if you go through the source code it's quite nice; it's a well-designed module. And yeah, PyCrypto: you're basically trusting PyCrypto to be secure, so as far as security is concerned, that's your bottleneck. Any other questions?

So like I said, we like accessing the Dropbox API. Okay, how many of you know about Fabric? Fabric uses Paramiko in the back end. So if you see a Python implementation that allows you access over SSH, in all likelihood it is using Paramiko. So it's not like a lot of people... a lot of tools, in fact, there are various; there is something called bold cuisine; all of these are pretty much doing the same thing and all of them are based off Paramiko. I'm sorry, Ansible? Okay, I didn't know, I didn't know. Yeah, no, I know about Ansible; they don't use Paramiko? Oh okay, that's weird, because this is pretty mature. They don't want to assume anything on the remote boxes; the assumption is that they can speak SSH, but you don't want to bundle any extra part. What it seems, Paramiko is not even core, right? Right, exactly, yeah, interesting. Do they make the module available? I don't know, I don't think... I think Ansible alone is just one thing.

One thing good about Paramiko is that it's real, as in the interfaces are pretty clean, so if you want to you could integrate it completely with your application, but you can also just swap it out with an OpenSSH implementation. In fact I'll let you in on a little secret: our SFTP implementation does not use the Paramiko server. The thing that is listening on port 22 is not Paramiko; we use only the SFTP subsystem server. So Paramiko allows you to do that: it allows you to create only the subsystem, and we use OpenSSH to handle the connections, because we found that Paramiko is kind of resource hungry as compared to OpenSSH. So sorry, I like... oh okay, now actually, so what Ansible does is if it finds OpenSSH it will use it, then it will fall back on Paramiko if there is nothing else. Okay, yeah, yeah, so it actually has a fallback.

I'm pretty sure the reason for using OpenSSH is more to do with the resources, with efficiency, rather than anything else; it's probably just efficiency. We found OpenSSH to be a bit more efficient in terms of just handling more connections, more load, than Paramiko. Paramiko takes up memory and CPU over a certain number of connections. No, no, so I'm sorry, I didn't get your question. So no, every SSH connection, every SFTP connection, is a Paramiko thread. The thing is, because Paramiko is not handling the server side, that means the incoming connections, it's only implementing the subsystem, so a Paramiko process would be just alive as long as your SFTP session is alive. So yeah, I mean it's not much of a difference, I would say; it was more to do with the amount of memory consumption, the amount of clients. So the thing is, in our tests we found OpenSSH to be more responsive, and that's why we shifted. And also, a lot of people would want to know what is your server; a lot of our clients do not know what Paramiko is, you see. Yeah, the SSH server is OpenSSH, because that is what is providing the entire tunnel. So Paramiko is not involved in creating the tunnel or creating the transport, that is your authentication, setting up of your encryption and connecting the two ends; that's the heavy lifting that is done by OpenSSH in our case, rather than Paramiko. But after that, after the entire tunnel has been set up, we use Paramiko, because it lets us nicely join up a backend API, like we did with the Dropbox API, to the interface. So yeah, to answer your question, no, the number of connections is probably the same, but here OpenSSH is doing the heavy lifting.

So where do you use Paramiko in this scenario, is it on the server side? On the server side. So it's the server side; does it stay on the box? Yes, it's an enterprise environment, usually customers... So the thing is, the way we... another difference between companies like Dropbox and Accellion is that Accellion lets you install the product on your own premises. So it's a hosted solution, I mean it's, yeah, it's an appliance kind of thing, so it's a self-hosted thing. So unlike Dropbox, you're not trusting Dropbox servers. And our appliances are based on Linux, and in the enterprise we've noticed that most of these kinds of services are Linux-based, they're not Windows-based; so a lot of, like, file system sharing, mail, what else, directory services, web servers, all by and large are Linux boxes. But anyway, that's PyCrypto. Yes, so the thing is, unfortunately the maintainer writes Paramiko and tests it only for Linux and macOS. It has been reported that Paramiko works just as well on Windows, but it is not an officially supported platform by the maintainer. So yeah, it should work. Exactly. To be honest, I do not know the answer to that question. No, it is a third-party module, so I think it might be, I'm not quite sure, I do not know, but as far as I know it's just plain C, so you should be able to compile it on Windows. Yeah, but okay.