[Twisted-Python] twistd and passphrase
Lorenzo Allegrucci
l.allegrucci at gmail.com
Thu Sep 7 14:39:05 MDT 2006
On Tue, 2006-09-05 at 13:18 -0400, Mike Pelletier wrote:
> On Tuesday 05 September 2006 12:21, Lorenzo Allegrucci wrote:
> > Hi,
> >
> > I'm using twistd to run my server as a daemon but I couldn't find a way
> > to prompt the user for a passphrase (such passphrase is used by the
> > server to read its SSL key). I tried getpass() but it doesn't work
> > because /dev/stdin is already redirected to /dev/null. How can I ask
> > for a passphrase using twistd?
> > Thank you
>
> Hi, Lorenzo. I'm going to assume you are completely new to Twisted.
Yes, I'm new to Twisted and I'm using it for a project of my degree
thesis :)
Your explanations have been very helpful and gave me some ideas; in the
meantime I post my actual code (unimportant parts taken away).
---myserver.py---
from OpenSSL import SSL
from twisted.application import internet, service
from twisted.internet import ssl
from twisted.web import server

# XMLRPCServer and config are not shown in this post.


class SCF(ssl.ContextFactory):
    """Server context factory."""

    def __init__(self, passphraseCB, cacert, cert, key):
        self.passphraseCB = passphraseCB
        self.cacert = cacert
        self.cert = cert
        self.key = key

    def verify(self, conn, cert, errnum, depth, ok):
        """Check the certificate of an incoming connection."""
        # snip...
        return ok

    def getContext(self):
        """Return an SSL context."""
        context = SSL.Context(SSL.TLSv1_METHOD)
        # OpenSSL calls this back when it needs the key's passphrase.
        context.set_passwd_cb(self.passphraseCB)
        # snip...
        return context


class MyService(internet.SSLServer):

    def __init__(self):
        root = XMLRPCServer()
        key = config.getOption("SSL", "key")
        cert = config.getOption("SSL", "cert")
        cacert = config.getOption("SSL", "cacert")
        port = config.getOption("daemon", "port")
        host = config.getOption("daemon", "host")
        context = SCF(self.getPassphraseCB, cacert, cert, key)
        internet.SSLServer.__init__(self, port, server.Site(root),
                                    context,
                                    interface=host)

    def getPassphraseCB(self, repeat=False, *data):
        # Passphrase hardwired in the source (the problem described below).
        return "secret"


application = service.Application("MyApp")
myService = MyService()
myService.setServiceParent(application)
---myserver.py---
To start my daemon I use 'twistd -y myserver.py' and everything works
fine except for the fact that I have to "hardwire" the passphrase in
'getPassphraseCB'.
Of course this is not what I want and I would like to rewrite
getPassphraseCB as:
    def getPassphraseCB(self, repeat=False, *data):
        return self.passphrase
where self.passphrase should be set (somehow) _before_ twistd makes my
application a daemon, but I couldn't find a way to do it yet.
> You are never going to be able to read a password from stdin if twisted is
> starting up in daemon mode. As you noticed, in daemon mode stdin has been
> closed before you have a chance to do anything with it. You would instead
> have to start it in "foreground" mode, then read the password with your
> Protocol, and once the password has been validated ask twistd to switch to
> daemon mode.
Exactly.
> (If indeed there even exists an interface for daemonizing after
> the fact; I've never looked.)
Looking at the twistd.py source I would say no..
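
Added example, not part of the original post and not Twisted code: a sketch of the ordering the message asks for, where the passphrase is read while the terminal is still attached and only the in-memory copy is served once stdin points at /dev/null. PassphraseHolder and detach_and_report are hypothetical names; the fork stands in for twistd's daemonization, and the pipe exists only so the demo can report what the child saw.

```python
import getpass
import os


class PassphraseHolder:
    """Keeps a passphrase in memory and serves it to an OpenSSL-style callback."""

    def __init__(self, prompt=getpass.getpass):
        self._prompt = prompt        # injectable, so the flow can be exercised without a tty
        self._passphrase = None

    def load(self):
        # Must run while the process still has its terminal, i.e. before detaching.
        self._passphrase = self._prompt("SSL key passphrase: ")

    def callback(self, *args):
        # Same loose signature as getPassphraseCB in the post; fails loudly if load() was skipped.
        if self._passphrase is None:
            raise RuntimeError("passphrase was not loaded before daemonizing")
        return self._passphrase


def detach_and_report(holder):
    """Fork, point the child's stdin at /dev/null as a daemon would, and
    return (bytes the child could read from stdin, what the callback returned)."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # child: stands in for the daemon
        try:
            os.close(read_end)
            os.dup2(os.open(os.devnull, os.O_RDONLY), 0)   # stdin is now /dev/null
            from_stdin = os.read(0, 64)            # immediate EOF, so prompting here is hopeless
            os.write(write_end, from_stdin + b"|" + holder.callback().encode())
        finally:
            os._exit(0)
    os.close(write_end)
    data = os.read(read_end, 256)
    os.close(read_end)
    os.waitpid(pid, 0)
    stdin_bytes, _, secret = data.partition(b"|")
    return stdin_bytes, secret.decode()


if __name__ == "__main__":
    holder = PassphraseHolder()
    holder.load()                                  # prompt happens before the fork
    stdin_bytes, secret = detach_and_report(holder)
    print("child stdin gave %r; callback returned %d characters" % (stdin_bytes, len(secret)))
```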