client

package
v2.0.0-alpha.0+incompa... Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 19, 2017 License: Apache-2.0 Imports: 39 Imported by: 0

Documentation

Index

Constants

View Source
const CurrentProfileSymlink = "profile"

CurrentProfileSymlink is a filename which is a symlink to the current profile, usually something like this:

~/.tsh/profile -> ~/.tsh/staging.yaml

View Source
const (
	// Directory location where tsh profiles (and session keys) are stored
	ProfileDir = ".tsh"
)
View Source
const (
	ProfileMakeCurrent = 1 << iota
)

Variables

This section is empty.

Functions

func FullProfilePath added in v1.2.6

func FullProfilePath(pDir string) string

FullProfilePath returns the full path to the user profile directory. If the parameter is empty, it returns expanded "~/.tsh", otherwise returns its unmodified parameter

func GetTokenFromHOTPMockFile

func GetTokenFromHOTPMockFile(path string) (token string, e error)

GetTokenFromHOTPMockFile opens HOTPMock from file, gets token value, increases hotp and saves it to the file. Returns hotp token value.

func ParseLabelSpec added in v1.0.0

func ParseLabelSpec(spec string) (map[string]string, error)

ParseLabelSpec parses a string like 'name=value,"long name"="quoted value"` into a map like { "name" -> "value", "long name" -> "quoted value" }

func UnlinkCurrentProfile added in v1.3.0

func UnlinkCurrentProfile() error

If there's a current profile symlink, remove it

func Username added in v1.0.0

func Username() string

Username returns the current user's username

Types

type ClientProfile added in v1.2.6

type ClientProfile struct {
	//
	// proxy configuration
	//
	ProxyHost    string `yaml:"proxy_host,omitempty"`
	ProxySSHPort int    `yaml:"proxy_port,omitempty"`
	ProxyWebPort int    `yaml:"proxy_web_port,omitempty"`

	//
	// auth/identity
	//
	Username  string `yaml:"user,omitempty"`
	HostLogin string `yaml:"host_login,omitempty"`

	// AuthType (like "google")
	AuthType string `yaml:"auth_type,omitempty"`

	// SiteName is equivalient to --cluster argument
	SiteName string `yaml:"cluster,omitempty"`

	//
	// other stuff
	//
	ForwardedPorts []string `yaml:"forward_ports,omitempty"`
}

ClientProfile is a collection of most frequently used CLI flags for "tsh".

Profiles can be stored in a profile file, allowing TSH users to type fewer CLI args.

func ProfileFromDir added in v1.2.6

func ProfileFromDir(dirPath string) (*ClientProfile, error)

ProfileFromDir reads the user profile from a given directory. It works by looking for a "profile" symlink in that directory pointing to the profile's YAML file.

func ProfileFromFile added in v1.2.6

func ProfileFromFile(filePath string) (*ClientProfile, error)

ProfileFromFile loads the profile from a YAML file

func (*ClientProfile) SaveTo added in v1.2.6

func (cp *ClientProfile) SaveTo(filePath string, opts ProfileOptions) error

SaveTo saves the profile into a given filename, optionally overwriting it.

type Config added in v1.0.0

type Config struct {
	// Username is the Teleport account username (for logging into Teleport proxies)
	Username string

	// Remote host to connect
	Host string

	// Labels represent host Labels
	Labels map[string]string

	// Namespace is nodes namespace
	Namespace string

	// HostLogin is a user login on a remote host
	HostLogin string

	// HostPort is a remote host port to connect to
	HostPort int

	// ProxyHostPort is a host or IP of the proxy (with optional ":ssh_port,https_port").
	// The value is taken from the --proxy flag and can look like --proxy=host:5025,5080
	ProxyHostPort string

	// KeyTTL is a time to live for the temporary SSH keypair to remain valid:
	KeyTTL time.Duration

	// InsecureSkipVerify is an option to skip HTTPS cert check
	InsecureSkipVerify bool

	// SkipLocalAuth will not try to connect to local SSH agent
	// or use any local certs, and not use interactive logins
	SkipLocalAuth bool

	// AuthMethods to use to login into cluster. If left empty, teleport will
	// use its own session store,
	AuthMethods []ssh.AuthMethod

	Stdout io.Writer
	Stderr io.Writer
	Stdin  io.Reader

	// ExitStatus carries the returned value (exit status) of the remote
	// process execution (via SSh exec)
	ExitStatus int

	// SiteName specifies site to execute operation,
	// if omitted, first available site will be selected
	SiteName string

	// Locally forwarded ports (parameters to -L ssh flag)
	LocalForwardPorts ForwardedPorts

	// HostKeyCallback will be called to check host keys of the remote
	// node, if not specified will be using CheckHostSignature function
	// that uses local cache to validate hosts
	HostKeyCallback HostKeyCallback

	// SecondFactorType indicates whether OTP, OIDC or U2F should be used
	// for the second factor
	SecondFactorType string

	// ConnectorID is used to authenticate user via OpenID Connect
	// registered connector
	ConnectorID string

	// KeyDir defines where temporary session keys will be stored.
	// if empty, they'll go to ~/.tsh
	KeysDir string

	// Env is a map of environmnent variables to send when opening session
	Env map[string]string

	// Interactive, when set to true, tells tsh to launch a remote command
	// in interactive mode, i.e. attaching the temrinal to it
	Interactive bool
}

Config is a client config

func MakeDefaultConfig added in v1.2.6

func MakeDefaultConfig() *Config

func (*Config) LoadProfile added in v1.2.6

func (c *Config) LoadProfile(profileDir string) error

LoadProfile populates Config with the values stored in the given profiles directory. If profileDir is an empty string, the default profile directory ~/.tsh is used

func (*Config) NodeHostPort added in v1.0.0

func (c *Config) NodeHostPort() string

NodeHostPort returns host:port string based on user supplied data either if user has set host:port in the connection string, or supplied the -p flag. If user has set both, -p flag data is ignored

func (*Config) ProxyHost added in v1.0.0

func (c *Config) ProxyHost() string

ProxyHost returns the hostname of the proxy server (without any port numbers)

func (*Config) ProxySSHHostPort added in v1.2.6

func (c *Config) ProxySSHHostPort() string

func (*Config) ProxySSHPort added in v1.2.6

func (c *Config) ProxySSHPort() (retval int)

func (*Config) ProxySpecified added in v1.0.0

func (c *Config) ProxySpecified() bool

ProxySpecified returns true if proxy has been specified

func (*Config) ProxyWebHostPort added in v1.2.6

func (c *Config) ProxyWebHostPort() string

func (*Config) ProxyWebPort added in v1.2.6

func (c *Config) ProxyWebPort() (retval int)

func (*Config) SaveProfile added in v1.2.6

func (c *Config) SaveProfile(profileDir string) error

SaveProfile updates the given profiles directory with the current configuration If profileDir is an empty string, the default ~/.tsh is used

func (*Config) SetProxy added in v1.2.6

func (c *Config) SetProxy(host string, webPort, sshPort int)

type FSLocalKeyStore added in v1.0.0

type FSLocalKeyStore struct {
	LocalKeyStore

	// KeyDir is the directory where all keys are stored
	KeyDir string
}

FSLocalKeyStore implements LocalKeyStore interface using the filesystem Here's the file layout for the FS store: ~/.tsh/ ├── known_hosts --> trusted certificate authorities (their keys) in a format similar to known_hosts └── sessions --> server-signed session keys

└── host-a
|   ├── cert
|   ├── key
|   └── pub
└── host-b
    ├── cert
    ├── key
    └── pub

func NewFSLocalKeyStore added in v1.0.0

func NewFSLocalKeyStore(dirPath string) (s *FSLocalKeyStore, err error)

NewFSLocalKeyStore creates a new filesystem-based local keystore object and initializes it.

if dirPath is empty, sets it to ~/.tsh

func (*FSLocalKeyStore) AddKey added in v1.0.0

func (fs *FSLocalKeyStore) AddKey(host, username string, key *Key) error

AddKey adds a new key to the session store. If a key for the host is already stored, overwrites it.

func (*FSLocalKeyStore) AddKnownHostKeys added in v1.0.0

func (fs *FSLocalKeyStore) AddKnownHostKeys(hostname string, hostKeys []ssh.PublicKey) error

AddKnownHostKeys adds a new entry to 'known_hosts' file

func (*FSLocalKeyStore) DeleteKey added in v1.0.0

func (fs *FSLocalKeyStore) DeleteKey(host string, username string) error

DeleteKey deletes a key from the local store

func (*FSLocalKeyStore) GetKey added in v1.0.0

func (fs *FSLocalKeyStore) GetKey(host, username string) (*Key, error)

GetKey returns a key for a given host. If the key is not found, returns trace.NotFound error.

func (*FSLocalKeyStore) GetKeys added in v1.0.0

func (fs *FSLocalKeyStore) GetKeys(username string) (keys []Key, err error)

GetKeys returns all user session keys stored in the store

func (*FSLocalKeyStore) GetKnownHostKeys added in v1.0.0

func (fs *FSLocalKeyStore) GetKnownHostKeys(hostname string) ([]ssh.PublicKey, error)

GetKnownHostKeys returns all known public keys from 'known_hosts'

type ForwardedPort added in v1.0.0

type ForwardedPort struct {
	SrcIP    string
	SrcPort  int
	DestPort int
	DestHost string
}

ForwardedPort specifies local tunnel to remote destination managed by the client, is equivalent of ssh -L src:host:dst command

func (*ForwardedPort) ToString added in v1.2.6

func (p *ForwardedPort) ToString() string

ToString() returns a string representation of a forwarded port spec, compatible with OpenSSH's -L flag, i.e. "src_host:src_port:dest_host:dest_port"

type ForwardedPorts added in v1.2.6

type ForwardedPorts []ForwardedPort

func ParsePortForwardSpec added in v1.1.0

func ParsePortForwardSpec(spec []string) (ports ForwardedPorts, err error)

ParsePortForwardSpec parses parameter to -L flag, i.e. strings like "[ip]:80:remote.host:3000" The opposite of this function (spec generation) is ForwardedPorts.ToString()

func (ForwardedPorts) ToStringSpec added in v1.2.6

func (fp ForwardedPorts) ToStringSpec() (retval []string)

ToString() returns the same string spec which can be parsed by ParsePortForwardSpec

type HOTPMock

type HOTPMock struct {
	*hotp.HOTP
}

HOTPMock is a HOTP that can be saved or load from file Using HOTPMock disables the hotp security level, don't use it in production

func CreateHOTPMock

func CreateHOTPMock(hotpURLString string) (*HOTPMock, error)

func LoadHOTPMockFromFile

func LoadHOTPMockFromFile(path string) (*HOTPMock, error)

func (*HOTPMock) SaveToFile

func (otp *HOTPMock) SaveToFile(path string) error

type HostKeyCallback added in v1.0.0

type HostKeyCallback func(host string, ip net.Addr, key ssh.PublicKey) error

HostKeyCallback is called by SSH client when it needs to check remote host key or certificate validity

type Key

type Key struct {
	Priv []byte `json:"Priv,omitempty"`
	Pub  []byte `json:"Pub,omitempty"`
	Cert []byte `json:"Cert,omitempty"`
}

Key describes a complete (signed) client key

func (*Key) AsAgentKey added in v1.0.0

func (k *Key) AsAgentKey() (*agent.AddedKey, error)

AsAgentKey converts our Key structure to ssh.Agent.Key

func (*Key) CertValidBefore added in v1.0.0

func (k *Key) CertValidBefore() (t time.Time, err error)

CertValidBefore returns the time of the cert expiration

type LocalKeyAgent added in v1.0.0

type LocalKeyAgent struct {
	// implements ssh agent.Agent interface
	agent.Agent
	// contains filtered or unexported fields
}

func NewLocalAgent added in v1.0.0

func NewLocalAgent(keyDir, username string) (a *LocalKeyAgent, err error)

NewLocalAgent loads all the saved teleport certificates and creates ssh agent with them

func (*LocalKeyAgent) AddHostSignersToCache added in v1.0.0

func (a *LocalKeyAgent) AddHostSignersToCache(hostSigners []services.CertAuthorityV1) error

AddHostSignersToCache takes a list of CAs whom we trust. This list is added to a database of "seen" CAs.

Every time we connect to a new host, we'll request its certificaate to be signed by one of these trusted CAs.

Why do we trust these CAs? Because we received them from a trusted Teleport Proxy. Why do we trust the proxy? Because we've connected to it via HTTPS + username + Password + HOTP.

func (*LocalKeyAgent) AddKey added in v1.0.0

func (a *LocalKeyAgent) AddKey(host string, username string, key *Key) error

func (*LocalKeyAgent) CheckHostSignature added in v1.0.0

func (a *LocalKeyAgent) CheckHostSignature(hostId string, remote net.Addr, key ssh.PublicKey) error

CheckHostSignature checks if the given host key was signed by one of the trusted certificaate authorities (CAs)

func (*LocalKeyAgent) DeleteKey added in v1.0.0

func (a *LocalKeyAgent) DeleteKey(host string, username string) error

func (*LocalKeyAgent) GetKeys added in v1.0.0

func (a *LocalKeyAgent) GetKeys(username string) ([]agent.AddedKey, error)

GetKeys return the list of keys for the given user from the local keystore (files in ~/.tsh)

type LocalKeyStore added in v1.0.0

type LocalKeyStore interface {
	// client key management
	GetKeys(username string) ([]Key, error)
	AddKey(host string, username string, key *Key) error
	GetKey(host string, username string) (*Key, error)
	DeleteKey(host string, username string) error

	// interface to known_hosts file:
	AddKnownHostKeys(hostname string, keys []ssh.PublicKey) error
	GetKnownHostKeys(hostname string) ([]ssh.PublicKey, error)
}

LocalKeyStore interface allows for different storage back-ends for TSH to load/save its keys

type NodeClient

type NodeClient struct {
	Namespace string
	Client    *ssh.Client
	Proxy     *ProxyClient
}

NodeClient implements ssh client to a ssh node (teleport or any regular ssh node) NodeClient can run shell and commands or upload and download files.

func (*NodeClient) Close

func (client *NodeClient) Close() error

func (*NodeClient) Download

func (client *NodeClient) Download(remoteSourcePath, localDestinationPath string, recursive bool, stderr, progressWriter io.Writer) error

Download downloads file or dir from the remote server

func (*NodeClient) Upload

func (client *NodeClient) Upload(srcPath, rDestPath string, recursive bool, stderr, progressWriter io.Writer) error

Upload uploads local file(s) or to the remote server's destination path

type NodeSession added in v1.1.0

type NodeSession struct {
	ExitMsg string
	// contains filtered or unexported fields
}

type ProfileOptions added in v1.2.6

type ProfileOptions int

type ProxyClient

type ProxyClient struct {
	Client *ssh.Client
	// contains filtered or unexported fields
}

ProxyClient implements ssh client to a teleport proxy It can provide list of nodes or connect to nodes

func (*ProxyClient) Close

func (proxy *ProxyClient) Close() error

func (*ProxyClient) ConnectToNode

func (proxy *ProxyClient) ConnectToNode(ctx context.Context, nodeAddress string, user string, quiet bool) (*NodeClient, error)

ConnectToNode connects to the ssh server via Proxy. It returns connected and authenticated NodeClient

func (*ProxyClient) ConnectToSite added in v1.0.0

func (proxy *ProxyClient) ConnectToSite(ctx context.Context, quiet bool) (auth.ClientI, error)

ConnectToSite connects to the auth server of the given site via proxy. It returns connected and authenticated auth server client

if 'quiet' is set to true, no errors will be printed to stdout, otherwise any connection errors are visible to a user.

func (*ProxyClient) FindServersByLabels added in v1.0.0

func (proxy *ProxyClient) FindServersByLabels(ctx context.Context, namespace string, labels map[string]string) ([]services.Server, error)

FindServersByLabels returns list of the nodes which have labels exactly matching the given label set.

A server is matched when ALL labels match. If no labels are passed, ALL nodes are returned.

func (*ProxyClient) GetSites added in v1.0.0

func (proxy *ProxyClient) GetSites() ([]services.Site, error)

GetSites returns list of the "sites" (AKA teleport clusters) connected to the proxy Each site is returned as an instance of its auth server

type ShellCreatedCallback added in v1.1.0

type ShellCreatedCallback func(shell io.ReadWriteCloser) (exit bool, err error)

ShellCreatedCallback can be supplied for every teleport client. It will be called right after the remote shell is created, but the session hasn't begun yet.

It allows clients to cancel SSH action

type TeleportClient added in v1.0.0

type TeleportClient struct {
	Config

	// OnShellCreated gets called when the shell is created. It's
	// safe to keep it nil
	OnShellCreated ShellCreatedCallback
	// contains filtered or unexported fields
}

TeleportClient is a wrapper around SSH client with teleport specific workflow built in

func NewClient added in v1.0.0

func NewClient(c *Config) (tc *TeleportClient, err error)

NewClient creates a TeleportClient object and fully configures it

func (*TeleportClient) AddKey added in v1.0.0

func (tc *TeleportClient) AddKey(host string, key *Key) error

func (*TeleportClient) AddTrustedCA added in v1.0.0

func (tc *TeleportClient) AddTrustedCA(ca *services.CertAuthorityV1) error

Adds a new CA as trusted CA for this client

func (*TeleportClient) AskPassword added in v1.3.0

func (tc *TeleportClient) AskPassword() (pwd string, err error)

AskPassword prompts the user to enter the password

func (*TeleportClient) AskPasswordAndOTP

func (tc *TeleportClient) AskPasswordAndOTP() (pwd string, token string, err error)

AskPasswordAndOTP prompts the user to enter the password + OTP 2nd factor

func (*TeleportClient) ConnectToProxy added in v1.0.0

func (tc *TeleportClient) ConnectToProxy() (*ProxyClient, error)

ConnectToProxy dials the proxy server and returns ProxyClient if successful

func (*TeleportClient) GetKeys added in v1.0.0

func (tc *TeleportClient) GetKeys() ([]agent.AddedKey, error)

GetKeys returns a list of stored local keys/certs for this Teleport user

func (*TeleportClient) Join added in v1.0.0

func (tc *TeleportClient) Join(ctx context.Context, namespace string, sessionID session.ID, input io.Reader) (err error)

Join connects to the existing/active SSH session

func (*TeleportClient) ListNodes added in v1.0.0

func (tc *TeleportClient) ListNodes(ctx context.Context) ([]services.Server, error)

ListNodes returns a list of nodes connected to a proxy

func (*TeleportClient) LocalAgent added in v1.0.0

func (tc *TeleportClient) LocalAgent() *LocalKeyAgent

func (*TeleportClient) Login added in v1.0.0

func (tc *TeleportClient) Login() error

Login logs user in using proxy's local 2FA auth access or used OIDC external authentication, it later saves the generated credentials into local keystore for future use

func (*TeleportClient) Logout added in v1.0.0

func (tc *TeleportClient) Logout() error

Logout locates a certificate stored for a given proxy and deletes it

func (*TeleportClient) MakeKey added in v1.0.0

func (tc *TeleportClient) MakeKey() (key *Key, err error)

MakeKey generates a new unsigned key. It's useless by itself until a trusted CA signs it

func (*TeleportClient) Play added in v1.0.0

func (tc *TeleportClient) Play(ctx context.Context, namespace, sessionId string) (err error)

Play replays the recorded session

func (*TeleportClient) SCP added in v1.0.0

func (tc *TeleportClient) SCP(ctx context.Context, args []string, port int, recursive bool, quiet bool) (err error)

SCP securely copies file(s) from one SSH server to another

func (*TeleportClient) SSH added in v1.0.0

func (tc *TeleportClient) SSH(ctx context.Context, command []string, runLocally bool) error

SSH connects to a node and, if 'command' is specified, executes the command on it, otherwise runs interactive shell

Returns nil if successful, or (possibly) *exec.ExitError

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL