sshutils

package
v0.0.0-...-ba35baa Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 19, 2024 License: Apache-2.0 Imports: 25 Imported by: 16

Documentation

Overview

Package sshutils defines several functions and types used across the Teleport API and other Teleport packages when working with SSH.

Index

Constants

View Source
const (
	// ConnectionTypeRequest is a request sent over a SSH channel that returns a
	// boolean which indicates the connection type (direct or tunnel).
	ConnectionTypeRequest = "x-teleport-connection-type"
)

Variables

This section is empty.

Functions

func AsAuthMethod

func AsAuthMethod(sshCert *ssh.Certificate, signer crypto.Signer) (ssh.AuthMethod, error)

AsAuthMethod returns an "auth method" interface, a common abstraction used by Golang SSH library. This is how you actually use a Key to feed it into the SSH lib.

func DiscardChannelData

func DiscardChannelData(ch ChannelReadWriter)

DiscardChannelData discards all data received from an ssh channel in the background.

func HostKeyCallback

func HostKeyCallback(trustedKeys []ssh.PublicKey, withHostKeyFallback bool) (ssh.HostKeyCallback, error)

HostKeyCallback returns an ssh.HostKeyCallback that validates host keys/certs against trusted host keys, usually associated with trusted CAs.

If no trusted keys are provided, the returned ssh.HostKeyCallback is nil. This causes golang.org/x/crypto/ssh to prompt the user to verify host key fingerprint (same as OpenSSH does for an unknown host).

func HostNameMatch

func HostNameMatch(matchHosts []string, hosts []string) bool

HostNameMatch returns whether at least one of the given hosts matches one of the given matchHosts. If a host has a wildcard prefix "*.", it will be used to match. Ex: "*.example.com" will match "proxy.example.com".

func IsSSHCertType

func IsSSHCertType(val string) bool

IsSSHCertType checks if the given string looks like an ssh cert type. e.g. ssh-rsa-cert-v01@openssh.com.

func KeysEqual

func KeysEqual(ak, bk ssh.PublicKey) bool

KeysEqual is constant time compare of the keys to avoid timing attacks

func MakeRealHostCert

func MakeRealHostCert(realCA ssh.Signer) (ssh.Signer, error)

MakeRealHostCert makes an SSH host certificate that is signed by the provided CA.

func MakeRealHostCertWithKey

func MakeRealHostCertWithKey(hostKey crypto.Signer, realCA ssh.Signer) (ssh.Signer, error)

MakeRealHostCertWithKey makes an SSH host certificate with the provided key that is signed by the provided CA.

func MakeRealHostCertWithPrincipals

func MakeRealHostCertWithPrincipals(realCA ssh.Signer, principals ...string) (ssh.Signer, error)

MakeRealHostCertWithPrincipals makes an SSH host certificate that is signed by the provided CA for the provided principals.

func MakeSpoofedHostCert

func MakeSpoofedHostCert(realCA ssh.Signer) (ssh.Signer, error)

MakeSpoofedHostCert makes an SSH host certificate that claims to be signed by the provided CA but in fact is signed by a different CA.

func MakeTestSSHCA

func MakeTestSSHCA() (ssh.Signer, error)

MakeTestSSHCA generates a new SSH certificate authority for tests.

func NewHostKeyCallback

func NewHostKeyCallback(conf HostKeyCallbackConfig) (ssh.HostKeyCallback, error)

NewHostKeyCallback returns host key callback function with the specified parameters.

func ParseAuthorizedKeys

func ParseAuthorizedKeys(authorizedKeys [][]byte) ([]ssh.PublicKey, error)

ParseAuthorizedKeys parses provided authorized_keys entries into ssh.PublicKey list.

func ParseCertificate

func ParseCertificate(buf []byte) (*ssh.Certificate, error)

ParseCertificate parses an SSH certificate from the authorized_keys format.

func ParseKnownHosts

func ParseKnownHosts(knownHosts [][]byte, matchHostnames ...string) ([]ssh.PublicKey, error)

ParseKnownHosts parses provided known_hosts entries into ssh.PublicKey list. If one or more hostnames are provided, only keys that have at least one match will be returned.

func ProxyClientSSHConfig

func ProxyClientSSHConfig(sshCert *ssh.Certificate, priv crypto.Signer, knownHosts ...[]byte) (*ssh.ClientConfig, error)

ProxyClientSSHConfig returns an ssh.ClientConfig from the given ssh.AuthMethod. If known_hosts are provided, they will be used in the config's HostKeyCallback.

The config is set up to authenticate to proxy with the first available principal.

func RunSSH

func RunSSH(ctx context.Context, addr, command string, cfg *ssh.ClientConfig, opts ...RunSSHOption) ([]byte, []byte, error)

RunSSH runs a command on an SSH server and returns the output.

func SSHSigner

func SSHSigner(sshCert *ssh.Certificate, signer crypto.Signer) (ssh.Signer, error)

SSHSigner returns an ssh.Signer from certificate and private key

Types

type CertChecker

type CertChecker struct {
	ssh.CertChecker

	// FIPS means in addition to checking the validity of the key or
	// certificate, also check that FIPS 140-2 algorithms were used.
	FIPS bool

	// OnCheckCert is called when validating host certificate.
	OnCheckCert func(*ssh.Certificate) error
}

CertChecker is a drop-in replacement for ssh.CertChecker. In FIPS mode, checks if the certificate (or key) were generated with a supported algorithm.

func (*CertChecker) Authenticate

func (c *CertChecker) Authenticate(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error)

Authenticate checks the validity of a user certificate.

func (*CertChecker) CheckCert

func (c *CertChecker) CheckCert(principal string, cert *ssh.Certificate) error

CheckCert checks certificate metadata and signature.

func (*CertChecker) CheckHostKey

func (c *CertChecker) CheckHostKey(addr string, remote net.Addr, key ssh.PublicKey) error

CheckHostKey checks the validity of a host certificate.

type ChConn

type ChConn struct {
	ssh.Channel
	// contains filtered or unexported fields
}

ChConn is a net.Conn like object that uses SSH channel

func ConnectProxyTransport

func ConnectProxyTransport(sconn ssh.Conn, req *DialReq, exclusive bool) (conn *ChConn, invalid bool, err error)

ConnectProxyTransport opens a channel over the remote tunnel and connects to the requested host.

Returns the net.Conn wrapper over an SSH channel, whether the provided ssh.Conn should be considered invalid due to errors opening or sending a request to the channel while setting up the ChConn, and any error that occurs.

func NewChConn

func NewChConn(conn Conn, ch ssh.Channel) *ChConn

NewChConn returns a new net.Conn implemented over SSH channel

func NewExclusiveChConn

func NewExclusiveChConn(conn Conn, ch ssh.Channel) *ChConn

NewExclusiveChConn returns a new net.Conn implemented over SSH channel, whenever this connection closes

func (*ChConn) Close

func (c *ChConn) Close() error

Close closes channel and if the ChConn is exclusive, connection as well

func (*ChConn) LocalAddr

func (c *ChConn) LocalAddr() net.Addr

LocalAddr returns a local address of a connection Uses underlying net.Conn implementation

func (*ChConn) Read

func (c *ChConn) Read(data []byte) (int, error)

Read reads from the channel.

func (*ChConn) RemoteAddr

func (c *ChConn) RemoteAddr() net.Addr

RemoteAddr returns a remote address of a connection Uses underlying net.Conn implementation

func (*ChConn) SetDeadline

func (c *ChConn) SetDeadline(t time.Time) error

SetDeadline sets a connection deadline.

func (*ChConn) SetReadDeadline

func (c *ChConn) SetReadDeadline(t time.Time) error

SetReadDeadline sets a connection read deadline.

func (*ChConn) SetWriteDeadline

func (c *ChConn) SetWriteDeadline(t time.Time) error

SetWriteDeadline sets write deadline on a connection ignored for the channel connection

type ChannelReadWriter

type ChannelReadWriter interface {
	io.ReadWriter
	Stderr() io.ReadWriter
}

ChannelReadWriter represents the data streams of an ssh.Channel-like object.

type CheckersGetter

type CheckersGetter func() ([]ssh.PublicKey, error)

CheckersGetter defines a function that returns a list of ssh public keys.

type Conn

type Conn interface {
	io.Closer
	// RemoteAddr returns the remote address for this connection.
	RemoteAddr() net.Addr
	// LocalAddr returns the local address for this connection.
	LocalAddr() net.Addr
}

type DialReq

type DialReq struct {
	// Address is the target host to make a connection to.
	Address string `json:"address,omitempty"`

	// ServerID is the hostUUID.clusterName of the node. ServerID is used when
	// dialing through a tunnel to SSH and application nodes.
	ServerID string `json:"server_id,omitempty"`

	// ConnType is the type of connection requested, either node or application.
	ConnType types.TunnelType `json:"conn_type"`

	// ClientSrcAddr is the original observed client address, it is used to propagate
	// correct client IP through indirect connections inside teleport
	ClientSrcAddr string `json:"client_src_addr,omitempty"`

	// ClientDstAddr is the original client's destination address, it is used to propagate
	// correct client point of contact through indirect connections inside teleport
	ClientDstAddr string `json:"client_dst_addr,omitempty"`

	// IsAgentlessNode specifies whether the target is an agentless node.
	IsAgentlessNode bool `json:"is_agentless_node,omitempty"`
}

DialReq is a request for the address to connect to. Supports special non-resolvable addresses and search names if connection over a tunnel.

func (*DialReq) CheckAndSetDefaults

func (d *DialReq) CheckAndSetDefaults() error

CheckAndSetDefaults verifies all the values are valid.

type HandshakePayload

type HandshakePayload struct {
	// ClientAddr is the IP address of the remote client
	ClientAddr string `json:"clientAddr,omitempty"`
	// TracingContext contains tracing information so that spans can be correlated
	// across ssh boundaries
	TracingContext map[string]string `json:"tracingContext,omitempty"`
}

HandshakePayload structure is sent as a JSON blob by the teleport proxy to every SSH server who identifies itself as Teleport server

It allows teleport proxies to communicate additional data to server

type HostKeyCallbackConfig

type HostKeyCallbackConfig struct {
	// GetHostCheckers is used to fetch host checking (public) keys.
	GetHostCheckers CheckersGetter
	// HostKeyFallback sets optional callback to check non-certificate keys.
	HostKeyFallback ssh.HostKeyCallback
	// FIPS allows to set FIPS mode which will validate algorithms.
	FIPS bool
	// OnCheckCert is called on SSH certificate validation.
	OnCheckCert func(*ssh.Certificate) error
	// Clock is used to set the Checker Time
	Clock clockwork.Clock
}

HostKeyCallbackConfig is the host key callback configuration.

func (*HostKeyCallbackConfig) Check

func (c *HostKeyCallbackConfig) Check() error

Check validates the config.

type RunSSHOption

type RunSSHOption func(*runSSHOpts)

RunSSHOption allows setting options as functional arguments to RunSSH.

func WithDialer

func WithDialer(dialer contextDialer) RunSSHOption

WithDialer connects to an SSH server with a custom dialer.

Directories

Path Synopsis
Package ppk provides functions implementing conversion between Teleport's native RSA keypairs and PuTTY's PPK format.
Package ppk provides functions implementing conversion between Teleport's native RSA keypairs and PuTTY's PPK format.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL