Documentation ¶
Index ¶
- func GetTokenFromHOTPMockFile(path string) (token string, e error)
- func ParseLabelSpec(spec string) (map[string]string, error)
- func Username() string
- type Config
- type FSLocalKeyStore
- func (fs *FSLocalKeyStore) AddKey(host, username string, key *Key) error
- func (fs *FSLocalKeyStore) AddKnownCA(domainName string, hostKeys []ssh.PublicKey) error
- func (fs *FSLocalKeyStore) DeleteKey(host string, username string) error
- func (fs *FSLocalKeyStore) GetKey(host, username string) (*Key, error)
- func (fs *FSLocalKeyStore) GetKeys(username string) (keys []Key, err error)
- func (fs *FSLocalKeyStore) GetKnownCAs() ([]ssh.PublicKey, error)
- type ForwardedPort
- type HOTPMock
- type HostKeyCallback
- type Key
- type LocalKeyAgent
- func (a *LocalKeyAgent) AddHostSignersToCache(hostSigners []services.CertAuthority) error
- func (a *LocalKeyAgent) AddKey(host string, username string, key *Key) error
- func (a *LocalKeyAgent) CheckHostSignature(hostId string, remote net.Addr, key ssh.PublicKey) error
- func (a *LocalKeyAgent) DeleteKey(host string, username string) error
- func (a *LocalKeyAgent) GetKeys(username string) ([]agent.AddedKey, error)
- type LocalKeyStore
- type NodeClient
- func (client *NodeClient) Close() error
- func (client *NodeClient) Download(remoteSourcePath, localDestinationPath string, isDir bool, stderr io.Writer) error
- func (client *NodeClient) Run(cmd []string, stdin io.Reader, stdout, stderr io.Writer) error
- func (client *NodeClient) Shell(width, height int, sessionID session.ID) (io.ReadWriteCloser, error)
- func (client *NodeClient) Upload(localSourcePath, remoteDestinationPath string, stderr io.Writer) error
- type ProxyClient
- func (proxy *ProxyClient) Close() error
- func (proxy *ProxyClient) ConnectToNode(nodeAddress string, user string) (*NodeClient, error)
- func (proxy *ProxyClient) ConnectToSite() (auth.ClientI, error)
- func (proxy *ProxyClient) FindServersByLabels(labels map[string]string) ([]services.Server, error)
- func (proxy *ProxyClient) GetSites() ([]services.Site, error)
- type TeleportClient
- func (tc *TeleportClient) AddKey(host string, key *Key) error
- func (tc *TeleportClient) AddTrustedCA(ca *services.CertAuthority) error
- func (tc *TeleportClient) AskPasswordAndHOTP() (pwd string, token string, err error)
- func (tc *TeleportClient) ConnectToProxy() (*ProxyClient, error)
- func (tc *TeleportClient) GetKeys() ([]agent.AddedKey, error)
- func (tc *TeleportClient) Join(sessionID session.ID, input io.Reader) (err error)
- func (tc *TeleportClient) ListNodes() ([]services.Server, error)
- func (tc *TeleportClient) LocalAgent() *LocalKeyAgent
- func (tc *TeleportClient) Login() error
- func (tc *TeleportClient) Logout() error
- func (tc *TeleportClient) MakeKey() (key *Key, err error)
- func (tc *TeleportClient) Play(sessionId string) (err error)
- func (tc *TeleportClient) SCP(args []string, port int, recursive bool) (err error)
- func (tc *TeleportClient) SSH(command []string, runLocally bool, input io.Reader) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetTokenFromHOTPMockFile ¶
GetTokenFromHOTPMockFile opens HOTPMock from file, gets token value, increases hotp and saves it to the file. Returns hotp token value.
func ParseLabelSpec ¶ added in v1.0.0
ParseLabelSpec parses a string like 'name=value,"long name"="quoted value"` into a map like { "name" -> "value", "long name" -> "quoted value" }
Types ¶
type Config ¶ added in v1.0.0
type Config struct { // Username is the Teleport account username (for logging into Teleport proxies) Username string // Remote host to connect Host string // Labels represent host Labels Labels map[string]string // HostLogin is a user login on a remote host HostLogin string // HostPort is a remote host port to connect to HostPort int // ProxyHost is a host or IP of the proxy (with optional ":port") ProxyHost string // KeyTTL is a time to live for the temporary SSH keypair to remain valid: KeyTTL time.Duration // InsecureSkipVerify is an option to skip HTTPS cert check InsecureSkipVerify bool // SkipLocalAuth will not try to connect to local SSH agent // or use any local certs, and not use interactive logins SkipLocalAuth bool // AuthMethods to use to login into cluster. If left empty, teleport will // use its own session store, AuthMethods []ssh.AuthMethod Stdout io.Writer Stderr io.Writer Stdin io.Reader // ExitStatus carries the returned value (exit status) of the remote // process execution (via SSh exec) ExitStatus int // SiteName specifies site to execute operation, // if omitted, first available site will be selected SiteName string // Locally forwarded ports (parameters to -L ssh flag) LocalForwardPorts []ForwardedPort // HostKeyCallback will be called to check host keys of the remote // node, if not specified will be using CheckHostSignature function // that uses local cache to validate hosts HostKeyCallback HostKeyCallback // ConnectorID is used to authenticate user via OpenID Connect // registered connector ConnectorID string // KeyDir defines where temporary session keys will be stored. // if empty, they'll go to ~/.tsh KeysDir string }
Config is a client config
func (*Config) NodeHostPort ¶ added in v1.0.0
NodeHostPort returns host:port string based on user supplied data either if user has set host:port in the connection string, or supplied the -p flag. If user has set both, -p flag data is ignored
func (*Config) ProxyHostPort ¶ added in v1.0.0
ProxyHostPort returns a full host:port address of the proxy or an empty string if no proxy is given. If 'forWeb' flag is set, returns HTTPS port, otherwise returns SSH port (proxy servers listen on both)
func (*Config) ProxySpecified ¶ added in v1.0.0
ProxySpecified returns true if proxy has been specified
type FSLocalKeyStore ¶ added in v1.0.0
type FSLocalKeyStore struct { LocalKeyStore // KeyDir is the directory where all keys are stored KeyDir string }
FSLocalKeyStore implements LocalKeyStore interface using the filesystem Here's the file layout for the FS store: ~/.tsh/ ├── known_hosts --> trusted certificate authorities (their keys) in a format similar to known_hosts └── sessions --> server-signed session keys
└── host-a | ├── cert | ├── key | └── pub └── host-b ├── cert ├── key └── pub
func NewFSLocalKeyStore ¶ added in v1.0.0
func NewFSLocalKeyStore(dirPath string) (s *FSLocalKeyStore, err error)
NewFSLocalKeyStore creates a new filesystem-based local keystore object and initializes it.
if dirPath is empty, sets it to ~/.tsh
func (*FSLocalKeyStore) AddKey ¶ added in v1.0.0
func (fs *FSLocalKeyStore) AddKey(host, username string, key *Key) error
AddKey adds a new key to the session store. If a key for the host is already stored, overwrites it.
func (*FSLocalKeyStore) AddKnownCA ¶
func (fs *FSLocalKeyStore) AddKnownCA(domainName string, hostKeys []ssh.PublicKey) error
AddKnownHost adds a new entry to 'known_CAs' file
func (*FSLocalKeyStore) DeleteKey ¶ added in v1.0.0
func (fs *FSLocalKeyStore) DeleteKey(host string, username string) error
DeleteKey deletes a key from the local store
func (*FSLocalKeyStore) GetKey ¶ added in v1.0.0
func (fs *FSLocalKeyStore) GetKey(host, username string) (*Key, error)
GetKey returns a key for a given host. If the key is not found, returns trace.NotFound error.
func (*FSLocalKeyStore) GetKeys ¶ added in v1.0.0
func (fs *FSLocalKeyStore) GetKeys(username string) (keys []Key, err error)
GetKeys returns all user session keys stored in the store
func (*FSLocalKeyStore) GetKnownCAs ¶
func (fs *FSLocalKeyStore) GetKnownCAs() ([]ssh.PublicKey, error)
GetKnownHost returns public keys of all trusted CAs
type ForwardedPort ¶ added in v1.0.0
ForwardedPort specifies local tunnel to remote destination managed by the client, is equivalent of ssh -L src:host:dst command
type HOTPMock ¶
HOTPMock is a HOTP that can be saved or load from file Using HOTPMock disables the hotp security level, don't use it in production
func CreateHOTPMock ¶
func LoadHOTPMockFromFile ¶
func (*HOTPMock) SaveToFile ¶
type HostKeyCallback ¶ added in v1.0.0
HostKeyCallback is called by SSH client when it needs to check remote host key or certificate validity
type Key ¶
type Key struct { Priv []byte `json:"Priv,omitempty"` Pub []byte `json:"Pub,omitempty"` Cert []byte `json:"Cert,omitempty"` }
Key describes a complete (signed) client key
func (*Key) AsAgentKey ¶ added in v1.0.0
AsAgentKey converts our Key structure to ssh.Agent.Key
type LocalKeyAgent ¶ added in v1.0.0
type LocalKeyAgent struct { // implements ssh agent.Agent interface agent.Agent // contains filtered or unexported fields }
func NewLocalAgent ¶ added in v1.0.0
func NewLocalAgent(keyDir, username string) (a *LocalKeyAgent, err error)
NewLocalAgent loads all the saved teleport certificates and creates ssh agent with them
func (*LocalKeyAgent) AddHostSignersToCache ¶ added in v1.0.0
func (a *LocalKeyAgent) AddHostSignersToCache(hostSigners []services.CertAuthority) error
AddHostSignersToCache takes a list of CAs whom we trust. This list is added to a database of "seen" CAs.
Every time we connect to a new host, we'll request its certificaate to be signed by one of these trusted CAs.
Why do we trust these CAs? Because we received them from a trusted Teleport Proxy. Why do we trust the proxy? Because we've connected to it via HTTPS + username + Password + HOTP.
func (*LocalKeyAgent) AddKey ¶ added in v1.0.0
func (a *LocalKeyAgent) AddKey(host string, username string, key *Key) error
func (*LocalKeyAgent) CheckHostSignature ¶ added in v1.0.0
CheckHostSignature checks if the given host key was signed by one of the trusted certificaate authorities (CAs)
type LocalKeyStore ¶ added in v1.0.0
type LocalKeyStore interface { // client key management GetKeys(username string) ([]Key, error) AddKey(host string, username string, key *Key) error GetKey(host string, username string) (*Key, error) DeleteKey(host string, username string) error // trusted CAs management: AddKnownCA(domainName string, publicKeys []ssh.PublicKey) error GetKnownCAs() ([]ssh.PublicKey, error) }
LocalKeyStore interface allows for different storage back-ends for TSH to load/save its keys
type NodeClient ¶
type NodeClient struct { Client *ssh.Client Proxy *ProxyClient }
NodeClient implements ssh client to a ssh node (teleport or any regular ssh node) NodeClient can run shell and commands or upload and download files.
func (*NodeClient) Close ¶
func (client *NodeClient) Close() error
func (*NodeClient) Download ¶
func (client *NodeClient) Download(remoteSourcePath, localDestinationPath string, isDir bool, stderr io.Writer) error
Download downloads file or dir from the remote server
func (*NodeClient) Run ¶
Run executes command on the remote server and writes its stdout to the 'output' argument
func (*NodeClient) Shell ¶
func (client *NodeClient) Shell(width, height int, sessionID session.ID) (io.ReadWriteCloser, error)
Shell returns remote shell as io.ReadWriterCloser object
type ProxyClient ¶
ProxyClient implements ssh client to a teleport proxy It can provide list of nodes or connect to nodes
func (*ProxyClient) Close ¶
func (proxy *ProxyClient) Close() error
func (*ProxyClient) ConnectToNode ¶
func (proxy *ProxyClient) ConnectToNode(nodeAddress string, user string) (*NodeClient, error)
ConnectToNode connects to the ssh server via Proxy. It returns connected and authenticated NodeClient
func (*ProxyClient) ConnectToSite ¶ added in v1.0.0
func (proxy *ProxyClient) ConnectToSite() (auth.ClientI, error)
ConnectToSite connects to the auth server of the given site via proxy. It returns connected and authenticated auth server client
func (*ProxyClient) FindServersByLabels ¶ added in v1.0.0
FindServersByLabels returns list of the nodes which have labels exactly matching the given label set.
A server is matched when ALL labels match. If no labels are passed, ALL nodes are returned.
type TeleportClient ¶ added in v1.0.0
type TeleportClient struct { Config // contains filtered or unexported fields }
TeleportClient is a wrapper around SSH client with teleport specific workflow built in
func NewClient ¶ added in v1.0.0
func NewClient(c *Config) (tc *TeleportClient, err error)
NewClient creates a TeleportClient object and fully configures it
func (*TeleportClient) AddKey ¶ added in v1.0.0
func (tc *TeleportClient) AddKey(host string, key *Key) error
func (*TeleportClient) AddTrustedCA ¶ added in v1.0.0
func (tc *TeleportClient) AddTrustedCA(ca *services.CertAuthority) error
Adds a new CA as trusted CA for this client
func (*TeleportClient) AskPasswordAndHOTP ¶ added in v1.0.0
func (tc *TeleportClient) AskPasswordAndHOTP() (pwd string, token string, err error)
AskPasswordAndHOTP prompts the user to enter the password + HTOP 2nd factor
func (*TeleportClient) ConnectToProxy ¶ added in v1.0.0
func (tc *TeleportClient) ConnectToProxy() (*ProxyClient, error)
ConnectToProxy dials the proxy server and returns ProxyClient if successful
func (*TeleportClient) GetKeys ¶ added in v1.0.0
func (tc *TeleportClient) GetKeys() ([]agent.AddedKey, error)
GetKeys returns a list of stored local keys/certs for this Teleport user
func (*TeleportClient) ListNodes ¶ added in v1.0.0
func (tc *TeleportClient) ListNodes() ([]services.Server, error)
ListNodes returns a list of nodes connected to a proxy
func (*TeleportClient) LocalAgent ¶ added in v1.0.0
func (tc *TeleportClient) LocalAgent() *LocalKeyAgent
func (*TeleportClient) Login ¶ added in v1.0.0
func (tc *TeleportClient) Login() error
Login logs user in using proxy's local 2FA auth access or used OIDC external authentication, it later saves the generated credentials into local keystore for future use
func (*TeleportClient) Logout ¶ added in v1.0.0
func (tc *TeleportClient) Logout() error
Logout locates a certificate stored for a given proxy and deletes it
func (*TeleportClient) MakeKey ¶ added in v1.0.0
func (tc *TeleportClient) MakeKey() (key *Key, err error)
MakeKey generates a new unsigned key. It's useless by itself until a trusted CA signs it
func (*TeleportClient) Play ¶ added in v1.0.0
func (tc *TeleportClient) Play(sessionId string) (err error)
Play replays the recorded session
func (*TeleportClient) SCP ¶ added in v1.0.0
func (tc *TeleportClient) SCP(args []string, port int, recursive bool) (err error)
SCP securely copies file(s) from one SSH server to another