Documentation ¶
Index ¶
- Constants
- Variables
- func CheckHomeDir(localUser *user.User) (bool, error)
- func ComputeLockTargets(clusterName, serverID string, id IdentityContext) []types.LockTarget
- func ConfigureCommand(ctx *ServerContext, extraFiles ...*os.File) (*exec.Cmd, error)
- func DecodeChildError(r io.Reader) error
- func GetDisconnectExpiredCertFromIdentity(checker services.AccessChecker, authPref types.AuthPreference, ...) time.Time
- func IsReexec() bool
- func ParseAccessRequestIDs(str string) ([]string, error)
- func RunAndExit(commandType string)
- func RunCommand() (errw io.Writer, code int, err error)
- func RunForward() (errw io.Writer, code int, err error)
- func StartKeepAliveLoop(p KeepAliveParams)
- func StartMonitor(cfg MonitorConfig) error
- func WebSessionController(controller *SessionController) ...
- type AccessPoint
- type AccessRequests
- type ActivityTracker
- type AuthHandlerConfig
- type AuthHandlers
- func (h *AuthHandlers) CheckAgentForward(ctx *ServerContext) error
- func (h *AuthHandlers) CheckFileCopying(ctx *ServerContext) error
- func (h *AuthHandlers) CheckPortForward(addr string, ctx *ServerContext) error
- func (h *AuthHandlers) CheckX11Forward(ctx *ServerContext) error
- func (h *AuthHandlers) CreateIdentityContext(sconn *ssh.ServerConn) (IdentityContext, error)
- func (h *AuthHandlers) HostKeyAuth(addr string, remote net.Addr, key ssh.PublicKey) error
- func (h *AuthHandlers) IsHostAuthority(cert ssh.PublicKey, address string) bool
- func (h *AuthHandlers) IsUserAuthority(cert ssh.PublicKey) bool
- func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error)
- type ConnectionMonitor
- type ConnectionMonitorConfig
- type Exec
- type ExecCommand
- type ExecResult
- type FileFD
- type FileTransferRequestEvent
- type GetServerInfoFn
- type Heartbeat
- type HeartbeatConfig
- type HeartbeatI
- type HeartbeatMode
- type HeartbeatV2
- type HostSudoers
- type HostSudoersBackend
- type HostSudoersManagement
- type HostSudoersNotImplemented
- type HostSudoersProvisioningBackend
- type HostUserManagement
- func (u *HostUserManagement) CreateUser(name string, ui *services.HostUsersInfo) (io.Closer, error)
- func (u *HostUserManagement) DeleteAllUsers() error
- func (u *HostUserManagement) DeleteUser(username string, gid string) error
- func (u *HostUserManagement) SetHostUserDeletionGrace(d time.Duration)
- func (u *HostUserManagement) Shutdown()
- func (u *HostUserManagement) UserCleanup()
- func (u *HostUserManagement) UserExists(username string) error
- type HostUsers
- type HostUsersBackend
- type HostUsersProvisioningBackend
- func (*HostUsersProvisioningBackend) CreateGroup(name string, gid string) error
- func (u *HostUsersProvisioningBackend) CreateHomeDirectory(user string, uidS, gidS string) error
- func (*HostUsersProvisioningBackend) CreateUser(name string, groups []string, uid, gid string) error
- func (*HostUsersProvisioningBackend) DeleteUser(name string) error
- func (*HostUsersProvisioningBackend) GetAllUsers() ([]string, error)
- func (*HostUsersProvisioningBackend) Lookup(username string) (*user.User, error)
- func (*HostUsersProvisioningBackend) LookupGroup(name string) (*user.Group, error)
- func (*HostUsersProvisioningBackend) LookupGroupByID(gid string) (*user.Group, error)
- func (*HostUsersProvisioningBackend) UserGIDs(u *user.User) ([]string, error)
- type IdentityContext
- type KeepAliveParams
- type KeepAliveState
- type LockEnforcer
- type LookupGroup
- type LookupUser
- type Monitor
- type MonitorConfig
- type PAMConfig
- type RequestSender
- type SSHServerHeartbeatConfig
- type Server
- type ServerContext
- func (c *ServerContext) AddCloser(closer io.Closer)
- func (c *ServerContext) CancelContext() context.Context
- func (c *ServerContext) CancelFunc() context.CancelFunc
- func (c *ServerContext) CheckFileCopyingAllowed() error
- func (c *ServerContext) CheckSFTPAllowed(registry *SessionRegistry) error
- func (c *ServerContext) Close() error
- func (c *ServerContext) CreateOrJoinSession(reg *SessionRegistry) error
- func (c *ServerContext) ExecCommand() (*ExecCommand, error)
- func (c *ServerContext) GetChildError() error
- func (c *ServerContext) GetEnv(key string) (string, bool)
- func (c *ServerContext) GetExecRequest() (Exec, error)
- func (c *ServerContext) GetSSHRequest() (*ssh.Request, error)
- func (c *ServerContext) GetServer() Server
- func (c *ServerContext) GetServerMetadata() apievents.ServerMetadata
- func (c *ServerContext) GetSessionMetadata() apievents.SessionMetadata
- func (c *ServerContext) GetTerm() Terminal
- func (c *ServerContext) ID() int
- func (c *ServerContext) OpenXServerListener(x11Req x11.ForwardRequestPayload, displayOffset, maxDisplays int) error
- func (c *ServerContext) Parent() *sshutils.ConnectionContext
- func (c *ServerContext) SendExecResult(r ExecResult)
- func (c *ServerContext) SendSubsystemResult(r SubsystemResult)
- func (c *ServerContext) SessionID() rsession.ID
- func (c *ServerContext) SetAllowFileCopying(allow bool)
- func (c *ServerContext) SetEnv(key, val string)
- func (c *ServerContext) SetExecRequest(e Exec) error
- func (c *ServerContext) SetSSHRequest(e *ssh.Request) error
- func (c *ServerContext) SetTerm(t Terminal)
- func (c *ServerContext) String() string
- func (c *ServerContext) TrackActivity(ch ssh.Channel) ssh.Channel
- func (c *ServerContext) VisitEnv(visit func(key, val string))
- type SessionAccessEvaluator
- type SessionController
- func (s *SessionController) AcquireSessionContext(ctx context.Context, identity IdentityContext, localAddr, remoteAddr string, ...) (context.Context, error)
- func (s *SessionController) EnforceConnectionLimits(ctx context.Context, identity auth.ConnectionIdentity, closers ...io.Closer) (context.Context, error)
- type SessionControllerConfig
- type SessionRegistry
- func (s *SessionRegistry) Close()
- func (s *SessionRegistry) ForceTerminate(ctx *ServerContext) error
- func (s *SessionRegistry) GetTerminalSize(sessionID string) (*term.Winsize, error)
- func (s *SessionRegistry) NotifyFileTransferRequest(req *fileTransferRequest, res FileTransferRequestEvent, scx *ServerContext) error
- func (s *SessionRegistry) NotifyWinChange(ctx context.Context, params rsession.TerminalParams, scx *ServerContext) error
- func (s *SessionRegistry) OpenExecSession(ctx context.Context, channel ssh.Channel, scx *ServerContext) error
- func (s *SessionRegistry) OpenSession(ctx context.Context, ch ssh.Channel, scx *ServerContext) error
- func (s *SessionRegistry) TryCreateHostUser(ctx *ServerContext) error
- func (s *SessionRegistry) TryWriteSudoersFile(ctx *ServerContext) error
- type SessionRegistryConfig
- type SessionTracker
- func (s *SessionTracker) AddParticipant(ctx context.Context, p *types.Participant) error
- func (s *SessionTracker) Close(ctx context.Context) error
- func (s *SessionTracker) GetParticipants() []types.Participant
- func (s *SessionTracker) GetState() types.SessionState
- func (s *SessionTracker) RemoveParticipant(ctx context.Context, participantID string) error
- func (s *SessionTracker) UpdateExpiration(ctx context.Context, expiry time.Time) error
- func (s *SessionTracker) UpdateExpirationLoop(ctx context.Context, clock clockwork.Clock) error
- func (s *SessionTracker) UpdateState(ctx context.Context, state types.SessionState) error
- func (s *SessionTracker) WaitForStateUpdate(initialState types.SessionState) types.SessionState
- func (s *SessionTracker) WaitOnState(ctx context.Context, wanted types.SessionState) error
- type Subsystem
- type SubsystemResult
- type TermHandlers
- func (t *TermHandlers) HandleExec(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
- func (t *TermHandlers) HandleFileTransferDecision(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
- func (t *TermHandlers) HandleFileTransferRequest(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
- func (t *TermHandlers) HandleForceTerminate(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
- func (t *TermHandlers) HandlePTYReq(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
- func (t *TermHandlers) HandleShell(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
- func (t *TermHandlers) HandleTerminalSize(req *ssh.Request) error
- func (t *TermHandlers) HandleWinChange(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
- type TermManager
- func (g *TermManager) AddReader(name string, r io.Reader)
- func (g *TermManager) AddWriter(name string, w io.Writer)
- func (g *TermManager) BroadcastMessage(message string)
- func (g *TermManager) Close()
- func (g *TermManager) CountRead() uint64
- func (g *TermManager) CountWritten() uint64
- func (g *TermManager) DeleteReader(name string)
- func (g *TermManager) DeleteWriter(name string)
- func (g *TermManager) GetRecentHistory() []byte
- func (g *TermManager) Off()
- func (g *TermManager) On()
- func (g *TermManager) Read(p []byte) (int, error)
- func (g *TermManager) TerminateNotifier() <-chan struct{}
- func (g *TermManager) Write(p []byte) (int, error)
- type Terminal
- type TrackingConn
- type TrackingReadConn
- type TrackingReadConnConfig
- type UaccMetadata
- type WebSessionContext
- type X11Config
Constants ¶
const ( PresenceVerifyInterval = time.Second * 15 PresenceMaxDifference = time.Minute )
const SessionControlsInfoBroadcast = "Controls\r\n - CTRL-C: Leave the session\r\n - t: Forcefully terminate the session (moderators only)"
SessionControlsInfoBroadcast is sent in tandem with session creation to inform any joining users about the session controls.
Variables ¶
var (
ErrNodeFileCopyingNotPermitted = trace.AccessDenied("node does not allow file copying via SCP or SFTP")
)
var ErrUserLoggedIn = errors.New("User logged in error")
Functions ¶
func CheckHomeDir ¶
CheckHomeDir checks if the user's home dir exists
func ComputeLockTargets ¶
func ComputeLockTargets(clusterName, serverID string, id IdentityContext) []types.LockTarget
ComputeLockTargets computes lock targets inferred from the clusterName, serverID and IdentityContext.
func ConfigureCommand ¶
ConfigureCommand creates a command fully configured to execute. This function is used by Teleport to re-execute itself and pass whatever data is need to the child to actually execute the shell.
func DecodeChildError ¶
DecodeChildError consumes the output from a child process decoding it from its raw form back into a concrete error.
func GetDisconnectExpiredCertFromIdentity ¶
func GetDisconnectExpiredCertFromIdentity( checker services.AccessChecker, authPref types.AuthPreference, identity *tlsca.Identity, ) time.Time
GetDisconnectExpiredCertFromIdentity calculates the proper value for DisconnectExpiredCert based on whether a connection is set to disconnect on cert expiry, and whether the cert is a short lived (<1m) one issued for an MFA verified session. If the session doesn't need to be disconnected on cert expiry it will return the default value for time.Time.
func IsReexec ¶
func IsReexec() bool
IsReexec determines if the current process is a teleport reexec command. Used by tests to reroute the execution to RunAndExit.
func ParseAccessRequestIDs ¶
func RunAndExit ¶
func RunAndExit(commandType string)
RunAndExit will run the requested command and then exit. This wrapper allows Run{Command,Forward} to use defers and makes sure error messages are consistent across both.
func RunCommand ¶
RunCommand reads in the command to run from the parent process (over a pipe) then constructs and runs the command.
func RunForward ¶
RunForward reads in the command to run from the parent process (over a pipe) then port forwards.
func StartKeepAliveLoop ¶
func StartKeepAliveLoop(p KeepAliveParams)
StartKeepAliveLoop starts the keep-alive loop.
func WebSessionController ¶
func WebSessionController(controller *SessionController) func(ctx context.Context, sctx WebSessionContext, login, localAddr, remoteAddr string) (context.Context, error)
WebSessionController is a wrapper around SessionController which can be used to create an IdentityContext and apply session controls for a web session. This allows `lib/web` to not depend on `lib/srv`.
Types ¶
type AccessPoint ¶
type AccessPoint interface { // Announcer adds methods used to announce presence auth.Announcer // Semaphores provides semaphore operations types.Semaphores // GetClusterName returns cluster name GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error) // GetClusterNetworkingConfig returns cluster networking configuration. GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error) // GetSessionRecordingConfig returns session recording configuration. GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error) // GetAuthPreference returns the cluster authentication configuration. GetAuthPreference(ctx context.Context) (types.AuthPreference, error) // GetRole returns role by name GetRole(ctx context.Context, name string) (types.Role, error) // GetCertAuthorities returns a list of cert authorities GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error) // ConnectionDiagnosticTraceAppender adds a method to append traces into ConnectionDiagnostics. services.ConnectionDiagnosticTraceAppender }
AccessPoint is the access point contract required by a Server
type AccessRequests ¶
type AccessRequests struct {
IDs []string `json:"access_requests"`
}
AccessRequests are the access requests associated with a session
type ActivityTracker ¶
type ActivityTracker interface { // GetClientLastActive returns the time of the last recorded activity GetClientLastActive() time.Time // UpdateClientActivity updates the last active timestamp UpdateClientActivity() }
ActivityTracker is a connection activity tracker, it allows to update the activity on the connection and retrieve the time when the connection was last active
type AuthHandlerConfig ¶
type AuthHandlerConfig struct { // Server is the services.Server in the backend. Server Server // Component is the type of SSH server (node, proxy, or recording proxy). Component string // Emitter is event emitter Emitter apievents.Emitter // AccessPoint is used to access the Auth Server. AccessPoint AccessPoint // TargetServer is the host that the connection is being established for. // It **MUST** only be populated when the target is a teleport ssh server // or an agentless server. TargetServer types.Server // FIPS mode means Teleport started in a FedRAMP/FIPS 140-2 compliant // configuration. FIPS bool // Clock specifies the time provider. Will be used to override the time anchor // for TLS certificate verification. // Defaults to real clock if unspecified Clock clockwork.Clock }
AuthHandlerConfig is the configuration for an application handler.
func (*AuthHandlerConfig) CheckAndSetDefaults ¶
func (c *AuthHandlerConfig) CheckAndSetDefaults() error
type AuthHandlers ¶
type AuthHandlers struct {
// contains filtered or unexported fields
}
AuthHandlers are common authorization and authentication related handlers used by the regular and forwarding server.
func NewAuthHandlers ¶
func NewAuthHandlers(config *AuthHandlerConfig) (*AuthHandlers, error)
NewAuthHandlers initializes authorization and authentication handlers
func (*AuthHandlers) CheckAgentForward ¶
func (h *AuthHandlers) CheckAgentForward(ctx *ServerContext) error
CheckAgentForward checks if agent forwarding is allowed for the users RoleSet.
func (*AuthHandlers) CheckFileCopying ¶
func (h *AuthHandlers) CheckFileCopying(ctx *ServerContext) error
func (*AuthHandlers) CheckPortForward ¶
func (h *AuthHandlers) CheckPortForward(addr string, ctx *ServerContext) error
CheckPortForward checks if port forwarding is allowed for the users RoleSet.
func (*AuthHandlers) CheckX11Forward ¶
func (h *AuthHandlers) CheckX11Forward(ctx *ServerContext) error
CheckX11Forward checks if X11 forwarding is permitted for the user's RoleSet.
func (*AuthHandlers) CreateIdentityContext ¶
func (h *AuthHandlers) CreateIdentityContext(sconn *ssh.ServerConn) (IdentityContext, error)
CreateIdentityContext returns an IdentityContext populated with information about the logged in user on the connection.
func (*AuthHandlers) HostKeyAuth ¶
HostKeyAuth implements host key verification and is called by the client to validate the certificate presented by the target server. If the target server presents a SSH certificate, we validate that it was Teleport that generated the certificate. If the target server presents a public key, if we are strictly checking keys, we reject the target server. If we are not we take whatever.
func (*AuthHandlers) IsHostAuthority ¶
func (h *AuthHandlers) IsHostAuthority(cert ssh.PublicKey, address string) bool
IsHostAuthority is called when checking the host certificate a server presents. It make sure that the key used to sign the host certificate was a Teleport CA.
func (*AuthHandlers) IsUserAuthority ¶
func (h *AuthHandlers) IsUserAuthority(cert ssh.PublicKey) bool
IsUserAuthority is called during checking the client key, to see if the key used to sign the certificate was a Teleport CA.
func (*AuthHandlers) UserKeyAuth ¶
func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error)
UserKeyAuth implements SSH client authentication using public keys and is called by the server every time the client connects.
type ConnectionMonitor ¶
type ConnectionMonitor struct {
// contains filtered or unexported fields
}
ConnectionMonitor monitors the activity of connections and disconnects them if the certificate expires, if a new lock is placed that applies to the connection, or after periods of inactivity
func NewConnectionMonitor ¶
func NewConnectionMonitor(cfg ConnectionMonitorConfig) (*ConnectionMonitor, error)
NewConnectionMonitor returns a ConnectionMonitor that can be used to monitor connection activity and terminate connections based on various cluster conditions.
func (*ConnectionMonitor) MonitorConn ¶
func (c *ConnectionMonitor) MonitorConn(ctx context.Context, authzCtx *authz.Context, conn net.Conn) (context.Context, net.Conn, error)
MonitorConn ensures that the provided net.Conn is allowed per cluster configuration and security controls. If at any point during the lifetime of the connection the cluster controls dictate that the connection is not permitted it will be closed and the returned context.Context will be canceled.
type ConnectionMonitorConfig ¶
type ConnectionMonitorConfig struct { // AccessPoint is used to retrieve cluster configuration. AccessPoint AccessPoint // LockWatcher ensures lock information is up to date. LockWatcher *services.LockWatcher // Clock is a clock, realtime or fixed in tests. Clock clockwork.Clock // ServerID is the host UUID of the server receiving connections. ServerID string // Emitter allows events to be emitted. Emitter apievents.Emitter // EmitterContext is long-lived context suitable to be used with Emitter EmitterContext context.Context // Logger is a logging entry. Logger log.FieldLogger // MonitorCloseChannel will be signaled when the monitor closes a connection. // Used only for testing. Optional. MonitorCloseChannel chan struct{} }
ConnectionMonitorConfig contains dependencies required by the ConnectionMonitor.
func (*ConnectionMonitorConfig) CheckAndSetDefaults ¶
func (c *ConnectionMonitorConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks values and sets defaults
type Exec ¶
type Exec interface { // GetCommand returns the command to be executed. GetCommand() string // SetCommand sets the command to be executed. SetCommand(string) // Start will start the execution of the command. Start(ctx context.Context, channel ssh.Channel) (*ExecResult, error) // Wait will block while the command executes. Wait() *ExecResult // WaitForChild blocks until the child process has completed any required // setup operations before proceeding with execution. WaitForChild() error // Continue will resume execution of the process after it completes its // pre-processing routine (placed in a cgroup). Continue() // PID returns the PID of the Teleport process that was re-execed. PID() int }
Exec executes an "exec" request.
func NewExecRequest ¶
func NewExecRequest(ctx *ServerContext, command string) (Exec, error)
NewExecRequest creates a new local or remote Exec.
type ExecCommand ¶
type ExecCommand struct { // Command is the command to execute. If an interactive session is being // requested, will be empty. If a subsystem is requested, it will contain // the subsystem name. Command string `json:"command"` // DestinationAddress is the target address to dial to. DestinationAddress string `json:"dst_addr"` // Username is the username associated with the Teleport identity. Username string `json:"username"` // Login is the local *nix account. Login string `json:"login"` // Roles is the list of Teleport roles assigned to the Teleport identity. Roles []string `json:"roles"` // ClusterName is the name of the Teleport cluster. ClusterName string `json:"cluster_name"` // Terminal indicates if a TTY has been allocated for the session. This is // typically set if either a shell was requested or a TTY was explicitly // allocated for an exec request. Terminal bool `json:"term"` // TerminalName is the name of TTY terminal, ex: /dev/tty1. // Currently, this field is used by auditd. TerminalName string `json:"terminal_name"` // ClientAddress contains IP address of the connected client. // Currently, this field is used by auditd. ClientAddress string `json:"client_address"` // RequestType is the type of request: either "exec" or "shell". This will // be used to control where to connect std{out,err} based on the request // type: "exec", "shell" or "subsystem". RequestType string `json:"request_type"` // PAMConfig is the configuration data that needs to be passed to the child and then to PAM modules. PAMConfig *PAMConfig `json:"pam_config,omitempty"` // Environment is a list of environment variables to add to the defaults. Environment []string `json:"environment"` // PermitUserEnvironment is set to allow reading in ~/.tsh/environment // upon login. PermitUserEnvironment bool `json:"permit_user_environment"` // IsTestStub is used by tests to mock the shell. IsTestStub bool `json:"is_test_stub"` // UserCreatedByTeleport is true when the system user was created by Teleport user auto-provision. UserCreatedByTeleport bool // UaccMetadata contains metadata needed for user accounting. UaccMetadata UaccMetadata `json:"uacc_meta"` // X11Config contains an xauth entry to be added to the command user's xauthority. X11Config X11Config `json:"x11_config"` // ExtraFilesLen is the number of extra files that are inherited from // the parent process. These files start at file descriptor 3 of the // child process, and are only valid for processes without a terminal. ExtraFilesLen int `json:"extra_files_len"` }
ExecCommand contains the payload to "teleport exec" which will be used to construct and execute a shell.
type ExecResult ¶
type ExecResult struct { // Command is the command that was executed. Command string // Code is return code that execution of the command resulted in. Code int }
ExecResult is used internally to send the result of a command execution from a goroutine to SSH request handler and back to the calling client
type FileFD ¶
type FileFD = uintptr
FileFD is a file descriptor passed down from a parent process when Teleport is re-executing itself.
const ( // CommandFile is used to pass the command and arguments that the // child process should execute from the parent process. CommandFile FileFD = 3 + iota // ContinueFile is used to communicate to the child process that // it can continue after the parent process assigns a cgroup to the // child process. ContinueFile // ReadyFile is used to communicate to the parent process that // the child has completed any setup operations that must occur before // the child is placed into its cgroup. ReadyFile // TerminateFile is used to communicate to the child process that // the interactive terminal should be killed as the client ended the // SSH session and without termination the terminal process will be assigned // to pid 1 and "live forever". Killing the shell should not prevent processes // preventing SIGHUP to be reassigned (ex. processes running with nohup). TerminateFile // X11File is used to communicate to the parent process that the child // process has set up X11 forwarding. X11File // ErrorFile is used to communicate any errors terminating the child process // to the parent process ErrorFile // PTYFile is a PTY the parent process passes to the child process. PTYFile // TTYFile is a TTY the parent process passes to the child process. TTYFile // FirstExtraFile is the first file descriptor that will be valid when // extra files are passed to child processes without a terminal. FirstExtraFile FileFD = ErrorFile + 1 )
type FileTransferRequestEvent ¶
type FileTransferRequestEvent string
FileTransferRequestEvent is an event used to Notify party members during File Transfer Request approval process
const ( // FileTransferUpdate is used when a file transfer request is created or updated. // An update will happen if a file transfer request was approved but the policy still isn't fulfilled FileTransferUpdate FileTransferRequestEvent = "file_transfer_request" // FileTransferApproved is used when a file transfer request has received an approval decision // and the policy is fulfilled. This lets the client know that the file transfer is ready to download/upload // and be removed from any pending state. FileTransferApproved FileTransferRequestEvent = "file_transfer_request_approve" // FileTransferDenied is used when a file transfer request is denied. This lets the client know to remove // this file transfer from any pending state. FileTransferDenied FileTransferRequestEvent = "file_transfer_request_deny" )
type GetServerInfoFn ¶
GetServerInfoFn is function that returns server info
type Heartbeat ¶
type Heartbeat struct { HeartbeatConfig *log.Entry // contains filtered or unexported fields }
Heartbeat keeps heartbeat state, it is implemented according to actor model - all interactions with it are to be done with signals
func NewHeartbeat ¶
func NewHeartbeat(cfg HeartbeatConfig) (*Heartbeat, error)
NewHeartbeat returns a new instance of heartbeat
func (*Heartbeat) Close ¶
Close closes all timers and goroutines, note that this function is equivalent of canceling of the context passed in configuration and can be used interchangeably
type HeartbeatConfig ¶
type HeartbeatConfig struct { // Mode sets one of the proxy, auth or node modes. Mode HeartbeatMode // Context is parent context that signals // heartbeat cancel Context context.Context // Component is a name of component used in logs Component string // Announcer is used to announce presence Announcer auth.Announcer // GetServerInfo returns server information GetServerInfo GetServerInfoFn // ServerTTL is a server TTL used in announcements ServerTTL time.Duration // KeepAlivePeriod is a period between light-weight // keep alive calls, that only update TTLs and don't consume // bandwidh, also is used to derive time between // failed attempts as well for auth and proxy modes KeepAlivePeriod time.Duration // AnnouncePeriod is a period between announce calls, // when client sends full server specification // to the presence service AnnouncePeriod time.Duration // CheckPeriod is a period to check for updates CheckPeriod time.Duration // Clock is a clock used to override time in tests Clock clockwork.Clock // OnHeartbeat is called after every heartbeat. A non-nil error is passed // when a heartbeat fails. OnHeartbeat func(error) }
HeartbeatConfig is a heartbeat configuration
func (*HeartbeatConfig) CheckAndSetDefaults ¶
func (cfg *HeartbeatConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type HeartbeatI ¶
HeartbeatI abstracts over the basic interface of Heartbeat and HeartbeatV2. This can be removed once we've fully transitioned to HeartbeatV2.
type HeartbeatMode ¶
type HeartbeatMode int
HeartbeatMode represents the mode of the heartbeat node, proxy or auth server
const ( // HeartbeatModeNode sets heartbeat to node // updates that support keep alives HeartbeatModeNode HeartbeatMode = iota // HeartbeatModeProxy sets heartbeat to proxy // that does not support keep alives HeartbeatModeProxy // HeartbeatModeAuth sets heartbeat to auth // that does not support keep alives HeartbeatModeAuth // HeartbeatModeKube is a mode for kubernetes service heartbeats. HeartbeatModeKube // HeartbeatModeApp sets heartbeat to apps and will use keep alives. HeartbeatModeApp // HeartbeatModeDB sets heartbeat to db HeartbeatModeDB // HeartbeatModeDatabaseService sets heartbeat mode to DatabaseService. HeartbeatModeDatabaseService // HeartbeatModeWindowsDesktopService sets heartbeat mode to windows desktop // service. HeartbeatModeWindowsDesktopService // HeartbeatModeWindowsDesktop sets heartbeat mode to windows desktop. HeartbeatModeWindowsDesktop )
func (HeartbeatMode) CheckAndSetDefaults ¶
func (h HeartbeatMode) CheckAndSetDefaults() error
CheckAndSetDefaults checks values and sets defaults
func (HeartbeatMode) String ¶
func (h HeartbeatMode) String() string
String returns user-friendly representation of the mode
type HeartbeatV2 ¶
type HeartbeatV2 struct {
// contains filtered or unexported fields
}
HeartbeatV2 heartbeats presence via the inventory control stream.
func NewSSHServerHeartbeat ¶
func NewSSHServerHeartbeat(cfg SSHServerHeartbeatConfig) (*HeartbeatV2, error)
func (*HeartbeatV2) Close ¶
func (h *HeartbeatV2) Close() error
func (*HeartbeatV2) ForceSend ¶
func (h *HeartbeatV2) ForceSend(timeout time.Duration) error
ForceSend is used in tests to trigger an announce and block until it one successfully completes or the provided timeout is reached.
func (*HeartbeatV2) Run ¶
func (h *HeartbeatV2) Run() error
func (*HeartbeatV2) SetDefaults ¶
func (c *HeartbeatV2) SetDefaults()
type HostSudoers ¶
type HostSudoers interface { // WriteSudoers creates a temporary Teleport user in the TeleportServiceGroup WriteSudoers(name string, sudoers []string) error // RemoveSudoers removes the users sudoer file RemoveSudoers(name string) error }
func NewHostSudoers ¶
func NewHostSudoers(uuid string) HostSudoers
type HostSudoersBackend ¶
type HostSudoersBackend interface { // CheckSudoers ensures that a sudoers file to be written is valid CheckSudoers(contents []byte) error // WriteSudoersFile creates the user's sudoers file. WriteSudoersFile(user string, entries []byte) error // RemoveSudoersFile deletes a user's sudoers file. RemoveSudoersFile(user string) error }
type HostSudoersManagement ¶
type HostSudoersManagement struct {
// contains filtered or unexported fields
}
func (*HostSudoersManagement) RemoveSudoers ¶
func (u *HostSudoersManagement) RemoveSudoers(name string) error
func (*HostSudoersManagement) WriteSudoers ¶
func (u *HostSudoersManagement) WriteSudoers(name string, sudoers []string) error
WriteSudoers creates a sudoers file for a user from a list of entries
type HostSudoersNotImplemented ¶
type HostSudoersNotImplemented struct{}
func (*HostSudoersNotImplemented) RemoveSudoers ¶
func (*HostSudoersNotImplemented) RemoveSudoers(name string) error
RemoveSudoers removes the users sudoer file
func (*HostSudoersNotImplemented) WriteSudoers ¶
func (*HostSudoersNotImplemented) WriteSudoers(string, []string) error
WriteSudoers creates a temporary Teleport user in the TeleportServiceGroup
type HostSudoersProvisioningBackend ¶
type HostSudoersProvisioningBackend struct { // HostUUID is the UUID of the running host HostUUID string // SudoersPath is the path to write sudoers files to. SudoersPath string }
HostSudoersProvisioningBackend is used to implement HostSudoersBackend
func (*HostSudoersProvisioningBackend) CheckSudoers ¶
func (*HostSudoersProvisioningBackend) CheckSudoers(contents []byte) error
CheckSudoers ensures that a sudoers file to be written is valid
func (*HostSudoersProvisioningBackend) RemoveSudoersFile ¶
func (u *HostSudoersProvisioningBackend) RemoveSudoersFile(username string) error
RemoveSudoersFile deletes a user's sudoers file.
func (*HostSudoersProvisioningBackend) WriteSudoersFile ¶
func (u *HostSudoersProvisioningBackend) WriteSudoersFile(username string, contents []byte) error
WriteSudoersFile creates the user's sudoers file.
type HostUserManagement ¶
type HostUserManagement struct {
// contains filtered or unexported fields
}
func (*HostUserManagement) CreateUser ¶
func (u *HostUserManagement) CreateUser(name string, ui *services.HostUsersInfo) (io.Closer, error)
CreateUser creates a temporary Teleport user in the TeleportServiceGroup
func (*HostUserManagement) DeleteAllUsers ¶
func (u *HostUserManagement) DeleteAllUsers() error
DeleteAllUsers deletes all host users in the teleport service group.
func (*HostUserManagement) DeleteUser ¶
func (u *HostUserManagement) DeleteUser(username string, gid string) error
DeleteUser deletes the specified user only if they are present in the specified group.
func (*HostUserManagement) SetHostUserDeletionGrace ¶
func (u *HostUserManagement) SetHostUserDeletionGrace(d time.Duration)
func (*HostUserManagement) Shutdown ¶
func (u *HostUserManagement) Shutdown()
Shutdown cancels the UserCleanup loop
func (*HostUserManagement) UserCleanup ¶
func (u *HostUserManagement) UserCleanup()
UserCleanup starts a periodic user deletion cleanup loop for users that failed to delete
func (*HostUserManagement) UserExists ¶
func (u *HostUserManagement) UserExists(username string) error
UserExists looks up an existing host user.
type HostUsers ¶
type HostUsers interface { // CreateUser creates a temporary Teleport user in the TeleportServiceGroup CreateUser(name string, hostRoleInfo *services.HostUsersInfo) (io.Closer, error) // DeleteUser deletes a temporary Teleport user only if they are // in a specified group DeleteUser(name string, gid string) error // DeleteAllUsers deletes all suer in the TeleportServiceGroup DeleteAllUsers() error // UserCleanup starts a periodic user deletion cleanup loop for // users that failed to delete UserCleanup() // Shutdown cancels the UserCleanup loop Shutdown() // UserExists returns nil should a hostuser exist UserExists(string) error // SetHostUserDeletionGrace sets the grace period before a user // can be deleted, used so integration tests don't need to sleep SetHostUserDeletionGrace(time.Duration) // contains filtered or unexported methods }
func NewHostUsers ¶
NewHostUsers initialize a new HostUsers object
type HostUsersBackend ¶
type HostUsersBackend interface { // GetAllUsers returns all host users on a node. GetAllUsers() ([]string, error) // UserGIDs returns a list of group ids for a user. UserGIDs(*user.User) ([]string, error) // Lookup retrieves a user by name. Lookup(name string) (*user.User, error) // LookupGroup retrieves a group by name. LookupGroup(group string) (*user.Group, error) // LookupGroupByID retrieves a group by its ID. LookupGroupByID(gid string) (*user.Group, error) // CreateGroup creates a group on a host. CreateGroup(group string, gid string) error // CreateUser creates a user on a host. CreateUser(name string, groups []string, uid, gid string) error // DeleteUser deletes a user from a host. DeleteUser(name string) error // CreateHomeDirectory creates the users home directory and copies in /etc/skel CreateHomeDirectory(user string, uid, gid string) error }
type HostUsersProvisioningBackend ¶
type HostUsersProvisioningBackend struct { }
HostUsersProvisioningBackend is used to implement HostUsersBackend
func (*HostUsersProvisioningBackend) CreateGroup ¶
func (*HostUsersProvisioningBackend) CreateGroup(name string, gid string) error
CreateGroup creates a group on a host
func (*HostUsersProvisioningBackend) CreateHomeDirectory ¶
func (u *HostUsersProvisioningBackend) CreateHomeDirectory(user string, uidS, gidS string) error
func (*HostUsersProvisioningBackend) CreateUser ¶
func (*HostUsersProvisioningBackend) CreateUser(name string, groups []string, uid, gid string) error
CreateUser creates a user on a host
func (*HostUsersProvisioningBackend) DeleteUser ¶
func (*HostUsersProvisioningBackend) DeleteUser(name string) error
DeleteUser deletes a user on a host. The user must not be logged in.
func (*HostUsersProvisioningBackend) GetAllUsers ¶
func (*HostUsersProvisioningBackend) GetAllUsers() ([]string, error)
GetAllUsers returns a full list of users present on a system
func (*HostUsersProvisioningBackend) Lookup ¶
func (*HostUsersProvisioningBackend) Lookup(username string) (*user.User, error)
Lookup implements host user information lookup
func (*HostUsersProvisioningBackend) LookupGroup ¶
func (*HostUsersProvisioningBackend) LookupGroup(name string) (*user.Group, error)
LookupGroup host group information lookup
func (*HostUsersProvisioningBackend) LookupGroupByID ¶
func (*HostUsersProvisioningBackend) LookupGroupByID(gid string) (*user.Group, error)
LookupGroup host group information lookup by GID
type IdentityContext ¶
type IdentityContext struct { // TeleportUser is the Teleport user associated with the connection. TeleportUser string // Impersonator is a user acting on behalf of other user Impersonator string // Login is the operating system user associated with the connection. Login string // Certificate is the SSH user certificate bytes marshaled in the OpenSSH // authorized_keys format. Certificate *ssh.Certificate // CertAuthority is the Certificate Authority that signed the Certificate. CertAuthority types.CertAuthority // AccessChecker is used to check RBAC permissions. AccessChecker services.AccessChecker // UnmappedRoles lists the original roles of this Teleport user without // trusted-cluster-related role mapping being applied. UnmappedRoles []string // CertValidBefore is set to the expiry time of a certificate, or // empty, if cert does not expire CertValidBefore time.Time // RouteToCluster is derived from the certificate RouteToCluster string // ActiveRequests is active access request IDs ActiveRequests []string // DisallowReissue is a flag that, if set, instructs the auth server to // deny any requests from this identity to generate new certificates. DisallowReissue bool // Renewable indicates this certificate is renewable. Renewable bool // Generation counts the number of times this identity's certificate has // been renewed. Generation uint64 // BotName is the name of the Machine ID bot this identity is associated // with, if any. BotName string // AllowedResourceIDs lists the resources this identity should be allowed to // access AllowedResourceIDs []types.ResourceID // PreviousIdentityExpires is the expiry time of the identity/cert that this // identity/cert was derived from. It is used to determine a session's hard // deadline in cases where both require_session_mfa and disconnect_expired_cert // are enabled. See https://github.com/gravitational/teleport/issues/18544. PreviousIdentityExpires time.Time }
IdentityContext holds all identity information associated with the user logged on the connection.
func (*IdentityContext) GetUserMetadata ¶
func (id *IdentityContext) GetUserMetadata() apievents.UserMetadata
type KeepAliveParams ¶
type KeepAliveParams struct { // Conns is the list of connections to send keep-alive connections to. All // connections must respond to the keep-alive to not be considered missed. Conns []RequestSender // Interval is the interval to send keep-alive messsages at. Interval time.Duration // MaxCount is the number of keep-alive messages that can be missed before // the connection is disconnected. MaxCount int64 // CloseContext is used by the server to notify the keep-alive loop to stop. CloseContext context.Context // CloseCancel is used by the keep-alive loop to notify the server to stop. CloseCancel context.CancelFunc }
KeepAliveParams configures the keep-alive loop.
type KeepAliveState ¶
type KeepAliveState int
KeepAliveState represents state of the heartbeat
const ( // HeartbeatStateInit is set when // the state has not been collected yet, // or the state is not fetched HeartbeatStateInit KeepAliveState = iota // HeartbeatStateAnnounce is set when full // state has to be announced back to the auth server HeartbeatStateAnnounce // HeartbeatStateAnnounceWait is set after successful // announce, heartbeat will wait until server updates // information, or time for next announce comes HeartbeatStateAnnounceWait // HeartbeatStateKeepAlive is set when // only sending keep alives is necessary HeartbeatStateKeepAlive // HeartbeatStateKeepAliveWait is set when // heartbeat will waiting until it's time to send keep alive HeartbeatStateKeepAliveWait )
func (KeepAliveState) String ¶
func (k KeepAliveState) String() string
type LockEnforcer ¶
type LockEnforcer interface {
CheckLockInForce(mode constants.LockingMode, targets ...types.LockTarget) error
}
LockEnforcer determines whether a lock is being enforced on the provided targets
type LookupGroup ¶
LookupGroup is used to mock the value returned by user.LookupGroup(string).
type LookupUser ¶
LookupUser is used to mock the value returned by user.Lookup(string).
type Monitor ¶
type Monitor struct { // MonitorConfig is a connection monitor configuration MonitorConfig }
Monitor monitors the activity on a single connection and disconnects that connection if the certificate expires, if a new lock is placed that applies to the connection, or after periods of inactivity
type MonitorConfig ¶
type MonitorConfig struct { // LockWatcher is a lock watcher. LockWatcher *services.LockWatcher // LockTargets is used to detect a lock applicable to the connection. LockTargets []types.LockTarget // LockingMode determines how to handle possibly stale lock views. LockingMode constants.LockingMode // DisconnectExpiredCert is a point in time when // the certificate should be disconnected DisconnectExpiredCert time.Time // ClientIdleTimeout is a timeout of inactivity // on the wire ClientIdleTimeout time.Duration // Clock is a clock, realtime or fixed in tests Clock clockwork.Clock // Tracker is activity tracker Tracker ActivityTracker // Conn is a connection to close Conn TrackingConn // Context is an external context. To reliably close the monitor and ensure no goroutine leak, // make sure to pass a context which will be canceled on time. Context context.Context // Login is linux box login Login string // TeleportUser is a teleport user name TeleportUser string // ServerID is a session server ID ServerID string // Emitter is events emitter Emitter apievents.Emitter // EmitterContext is long-lived context suitable to be used with Emitter. Typically, a server exit context will be used here. EmitterContext context.Context // Entry is a logging entry Entry log.FieldLogger // IdleTimeoutMessage is sent to the client when the idle timeout expires. IdleTimeoutMessage string // MessageWriter wraps a channel to send text messages to the client. Use // for disconnection messages, etc. MessageWriter io.StringWriter // MonitorCloseChannel will be signaled when the monitor closes a connection. // Used only for testing. Optional. MonitorCloseChannel chan struct{} }
MonitorConfig is a wiretap configuration
func (*MonitorConfig) CheckAndSetDefaults ¶
func (m *MonitorConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks values and sets defaults
type PAMConfig ¶
type PAMConfig struct { // UsePAMAuth specifies whether to trigger the "auth" PAM modules from the // policy. UsePAMAuth bool `json:"use_pam_auth"` // ServiceName is the name of the PAM service requested if PAM is enabled. ServiceName string `json:"service_name"` // Environment represents env variables to pass to PAM. Environment map[string]string `json:"environment"` }
PAMConfig represents all the configuration data that needs to be passed to the child.
type RequestSender ¶
type RequestSender interface { // SendRequest is used to send a out-of-band request. SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error) }
RequestSender is an interface that implements SendRequest. It is used so server and client connections can be passed to functions to send requests.
type SSHServerHeartbeatConfig ¶
type SSHServerHeartbeatConfig struct { // InventoryHandle is used to send heartbeats. InventoryHandle inventory.DownstreamHandle // GetServer gets the latest server spec. GetServer func() *types.ServerV2 // Announcer is a fallback used to perform basic upsert-style heartbeats // if the control stream is unavailable. // // DELETE IN: 11.0 (only exists for back-compat with v9 auth servers) Announcer auth.Announcer // OnHeartbeat is a per-attempt callback (optional). OnHeartbeat func(error) // AnnounceInterval is the interval at which heartbeats are attempted (optional). AnnounceInterval time.Duration // PollInterval is the interval at which checks for change are performed (optional). PollInterval time.Duration }
SSHServerHeartbeatConfig configures the HeartbeatV2 for an ssh server.
func (*SSHServerHeartbeatConfig) Check ¶
func (c *SSHServerHeartbeatConfig) Check() error
type Server ¶
type Server interface { // StreamEmitter allows server to emit audit events and create // event streams for recording sessions events.StreamEmitter // ID is the unique ID of the server. ID() string // HostUUID is the UUID of the underlying host. For the forwarding // server this is the proxy the forwarding server is running in. HostUUID() string // GetNamespace returns the namespace the server was created in. GetNamespace() string // AdvertiseAddr is the publicly addressable address of this server. AdvertiseAddr() string // Component is the type of server, forwarding or regular. Component() string // PermitUserEnvironment returns if reading environment variables upon // startup is allowed. PermitUserEnvironment() bool // GetAccessPoint returns an AccessPoint for this cluster. GetAccessPoint() AccessPoint // GetDataDir returns data directory of the server GetDataDir() string // GetPAM returns PAM configuration for this server. GetPAM() (*servicecfg.PAMConfig, error) // GetClock returns a clock setup for the server GetClock() clockwork.Clock // GetInfo returns a services.Server that represents this server. GetInfo() types.Server // UseTunnel used to determine if this node has connected to this cluster // using reverse tunnel. UseTunnel() bool // GetBPF returns the BPF service used for enhanced session recording. GetBPF() bpf.BPF // Context returns server shutdown context Context() context.Context // GetUserAccountingPaths returns the path of the user accounting database and log. Returns empty for system defaults. GetUserAccountingPaths() (utmp, wtmp, btmp string) // GetLockWatcher gets the server's lock watcher. GetLockWatcher() *services.LockWatcher // GetCreateHostUser returns whether the node should create // temporary teleport users or not GetCreateHostUser() bool // GetHostUsers returns the HostUsers instance being used to manage // host user provisioning GetHostUsers() HostUsers // GetHostSudoers returns the HostSudoers instance being used to manage // sudoer file provisioning GetHostSudoers() HostSudoers // TargetMetadata returns metadata about the session target node. TargetMetadata() apievents.ServerMetadata }
Server is regular or forwarding SSH server.
type ServerContext ¶
type ServerContext struct { // ConnectionContext is the parent context which manages connection-level // resources. *sshutils.ConnectionContext *log.Entry // Identity holds the identity of the user that is currently logged in on // the Conn. Identity IdentityContext // ExecResultCh is a Go channel which will be used to send and receive the // result of a "exec" request. ExecResultCh chan ExecResult // SubsystemResultCh is a Go channel which will be used to send and receive // the result of a "subsystem" request. SubsystemResultCh chan SubsystemResult // IsTestStub is set to true by tests. IsTestStub bool // ClusterName is the name of the cluster current user is authenticated with. ClusterName string // SessionRecordingConfig holds the session recording configuration at the // time this context was created. SessionRecordingConfig types.SessionRecordingConfig // RemoteClient holds an SSH client to a remote server. Only used by the // recording proxy. RemoteClient *tracessh.Client // RemoteSession holds an SSH session to a remote server. Only used by the // recording proxy. RemoteSession *tracessh.Session // ChannelType holds the type of the channel. For example "session" or // "direct-tcpip". Used to create correct subcommand during re-exec. ChannelType string // SrcAddr is the source address of the request. This the originator IP // address and port in an SSH "direct-tcpip" request. This value is only // populated for port forwarding requests. SrcAddr string // DstAddr is the destination address of the request. This is the host and // port to connect to in a "direct-tcpip" request. This value is only // populated for port forwarding requests. DstAddr string // allowFileCopying controls if remote file operations via SCP/SFTP are allowed // by the server. AllowFileCopying bool // JoinOnly is set if the connection was created using a join-only principal and may only be used to join other sessions. JoinOnly bool // ServerSubKind if the sub kind of the node this context is for. ServerSubKind string // UserCreatedByTeleport is true when the system user was created by Teleport user auto-provision. UserCreatedByTeleport bool // contains filtered or unexported fields }
ServerContext holds session specific context, such as SSH auth agents, PTYs, and other resources. SessionContext also holds a ServerContext which can be used to access resources on the underlying server. SessionContext can also be used to attach resources that should be closed once the session closes.
Any events that need to be recorded should be emitted via session and not ServerContext directly. Failure to use the session emitted will result in incorrect event indexes that may ultimately cause events to be overwritten.
func NewServerContext ¶
func NewServerContext(ctx context.Context, parent *sshutils.ConnectionContext, srv Server, identityContext IdentityContext, monitorOpts ...func(*MonitorConfig)) (context.Context, *ServerContext, error)
NewServerContext creates a new *ServerContext which is used to pass and manage resources, and an associated context.Context which is canceled when the ServerContext is closed. The ctx parameter should be a child of the ctx associated with the scope of the parent ConnectionContext to ensure that cancellation of the ConnectionContext propagates to the ServerContext.
func (*ServerContext) AddCloser ¶
func (c *ServerContext) AddCloser(closer io.Closer)
AddCloser adds any closer in ctx that will be called whenever server closes session channel
func (*ServerContext) CancelContext ¶
func (c *ServerContext) CancelContext() context.Context
CancelContext is a context associated with server context, closed whenever this server context is closed
func (*ServerContext) CancelFunc ¶
func (c *ServerContext) CancelFunc() context.CancelFunc
CancelFunc gets the context.CancelFunc associated with this context. Not a substitute for calling the ServerContext.Close method.
func (*ServerContext) CheckFileCopyingAllowed ¶
func (c *ServerContext) CheckFileCopyingAllowed() error
CheckFileCopyingAllowed returns an error if remote file operations via SCP or SFTP are not allowed by the user's role or the node's config.
func (*ServerContext) CheckSFTPAllowed ¶
func (c *ServerContext) CheckSFTPAllowed(registry *SessionRegistry) error
CheckSFTPAllowed returns an error if remote file operations via SCP or SFTP are not allowed by the user's role or the node's config, or if the user is not allowed to start unattended sessions.
func (*ServerContext) Close ¶
func (c *ServerContext) Close() error
func (*ServerContext) CreateOrJoinSession ¶
func (c *ServerContext) CreateOrJoinSession(reg *SessionRegistry) error
CreateOrJoinSession will look in the SessionRegistry for the session ID. If no session is found, a new one is created. If one is found, it is returned.
func (*ServerContext) ExecCommand ¶
func (c *ServerContext) ExecCommand() (*ExecCommand, error)
ExecCommand takes a *ServerContext and extracts the parts needed to create an *execCommand which can be re-sent to Teleport.
func (*ServerContext) GetChildError ¶
func (c *ServerContext) GetChildError() error
GetChildError returns the error from the child process
func (*ServerContext) GetEnv ¶
func (c *ServerContext) GetEnv(key string) (string, bool)
GetEnv returns a environment variable within this context.
func (*ServerContext) GetExecRequest ¶
func (c *ServerContext) GetExecRequest() (Exec, error)
GetExecRequest returns the exec request that is to be executed within this session context, or an error if it has not been set.
func (*ServerContext) GetSSHRequest ¶
func (c *ServerContext) GetSSHRequest() (*ssh.Request, error)
GetSSHRequest returns the ssh request that was issued by the client and saved on this ServerContext by SetExecRequest, or an error if it has not been set.
func (*ServerContext) GetServer ¶
func (c *ServerContext) GetServer() Server
GetServer returns the underlying server which this context was created in.
func (*ServerContext) GetServerMetadata ¶
func (c *ServerContext) GetServerMetadata() apievents.ServerMetadata
func (*ServerContext) GetSessionMetadata ¶
func (c *ServerContext) GetSessionMetadata() apievents.SessionMetadata
func (*ServerContext) GetTerm ¶
func (c *ServerContext) GetTerm() Terminal
GetTerm returns a Terminal.
func (*ServerContext) OpenXServerListener ¶
func (c *ServerContext) OpenXServerListener(x11Req x11.ForwardRequestPayload, displayOffset, maxDisplays int) error
OpenXServerListener opens a new XServer unix listener.
func (*ServerContext) Parent ¶
func (c *ServerContext) Parent() *sshutils.ConnectionContext
Parent grants access to the connection-level context of which this is a subcontext. Useful for unambiguously accessing methods which this subcontext overrides (e.g. child.Parent().SetEnv(...)).
func (*ServerContext) SendExecResult ¶
func (c *ServerContext) SendExecResult(r ExecResult)
SendExecResult sends the result of execution of the "exec" command over the ExecResultCh.
func (*ServerContext) SendSubsystemResult ¶
func (c *ServerContext) SendSubsystemResult(r SubsystemResult)
SendSubsystemResult sends the result of running the subsystem over the SubsystemResultCh.
func (*ServerContext) SessionID ¶
func (c *ServerContext) SessionID() rsession.ID
SessionID returns the ID of the session in the context.
func (*ServerContext) SetAllowFileCopying ¶
func (c *ServerContext) SetAllowFileCopying(allow bool)
func (*ServerContext) SetEnv ¶
func (c *ServerContext) SetEnv(key, val string)
SetEnv sets a environment variable within this context.
func (*ServerContext) SetExecRequest ¶
func (c *ServerContext) SetExecRequest(e Exec) error
SetExecRequest sets the command to be executed within this session context. Will return an error if called more than once for a single server context.
func (*ServerContext) SetSSHRequest ¶
func (c *ServerContext) SetSSHRequest(e *ssh.Request) error
SetSSHRequest sets the ssh request that was issued by the client. Will return an error if called more than once for a single server context.
func (*ServerContext) String ¶
func (c *ServerContext) String() string
func (*ServerContext) TrackActivity ¶
func (c *ServerContext) TrackActivity(ch ssh.Channel) ssh.Channel
TrackActivity keeps track of all activity on ssh.Channel. The caller should use the returned ssh.Channel instead of the original one.
func (*ServerContext) VisitEnv ¶
func (c *ServerContext) VisitEnv(visit func(key, val string))
VisitEnv grants visitor-style access to env variables.
type SessionAccessEvaluator ¶
type SessionAccessEvaluator interface { IsModerated() bool FulfilledFor(participants []auth.SessionAccessContext) (bool, auth.PolicyOptions, error) PrettyRequirementsList() string CanJoin(user auth.SessionAccessContext) []types.SessionParticipantMode }
SessionAccessEvaluator is the interface that defines criteria needed to be met in order to start and join sessions.
type SessionController ¶
type SessionController struct {
// contains filtered or unexported fields
}
SessionController enforces session control restrictions required by locks, private key policy, and max connection limits
func NewSessionController ¶
func NewSessionController(cfg SessionControllerConfig) (*SessionController, error)
NewSessionController creates a SessionController from the provided config. If any of the required parameters in the SessionControllerConfig are not provided an error is returned.
func (*SessionController) AcquireSessionContext ¶
func (s *SessionController) AcquireSessionContext(ctx context.Context, identity IdentityContext, localAddr, remoteAddr string, closers ...io.Closer) (context.Context, error)
AcquireSessionContext attempts to create a context for the session. If the session is not allowed due to session control an error is returned. The returned context is scoped to the session and will be canceled in the event the semaphore lock is no longer held. The closers provided are immediately closed when the semaphore lock is released as well.
func (*SessionController) EnforceConnectionLimits ¶
func (s *SessionController) EnforceConnectionLimits(ctx context.Context, identity auth.ConnectionIdentity, closers ...io.Closer) (context.Context, error)
EnforceConnectionLimits retrieves a semaphore lock to ensure that connection limits for the identity are enforced. If the lock is closed for any reason prior to the connection being terminated any of the provided closers will be closed.
type SessionControllerConfig ¶
type SessionControllerConfig struct { // Semaphores is used to obtain a semaphore lock when max sessions are defined Semaphores types.Semaphores // AccessPoint is the cache used to get cluster information AccessPoint AccessPoint // LockEnforcer is used to determine if locks should prevent a session LockEnforcer LockEnforcer // Emitter is used to emit session rejection events Emitter apievents.Emitter // Component is the component running the session controller. Nodes and Proxies // have different flows Component string // Logger is used to emit log entries Logger *logrus.Entry // TracerProvider creates a tracer so that spans may be emitted TracerProvider oteltrace.TracerProvider // ServerID is the UUID of the server ServerID string // Clock used in tests to change time Clock clockwork.Clock // contains filtered or unexported fields }
SessionControllerConfig contains dependencies needed to create a SessionController
func (*SessionControllerConfig) CheckAndSetDefaults ¶
func (c *SessionControllerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults ensures all the required dependencies were provided and sets any optional values to their defaults
type SessionRegistry ¶
type SessionRegistry struct { SessionRegistryConfig // contains filtered or unexported fields }
SessionRegistry holds a map of all active sessions on a given SSH server
func NewSessionRegistry ¶
func NewSessionRegistry(cfg SessionRegistryConfig) (*SessionRegistry, error)
func (*SessionRegistry) Close ¶
func (s *SessionRegistry) Close()
func (*SessionRegistry) ForceTerminate ¶
func (s *SessionRegistry) ForceTerminate(ctx *ServerContext) error
func (*SessionRegistry) GetTerminalSize ¶
func (s *SessionRegistry) GetTerminalSize(sessionID string) (*term.Winsize, error)
GetTerminalSize fetches the terminal size of an active SSH session.
func (*SessionRegistry) NotifyFileTransferRequest ¶
func (s *SessionRegistry) NotifyFileTransferRequest(req *fileTransferRequest, res FileTransferRequestEvent, scx *ServerContext) error
NotifyFileTransferRequest is called to notify all members of a party that a file transfer request has been created/approved/denied. The notification is a global ssh request and requires the client to update its UI state accordingly.
func (*SessionRegistry) NotifyWinChange ¶
func (s *SessionRegistry) NotifyWinChange(ctx context.Context, params rsession.TerminalParams, scx *ServerContext) error
NotifyWinChange is called to notify all members in the party that the PTY size has changed. The notification is sent as a global SSH request and it is the responsibility of the client to update it's window size upon receipt.
func (*SessionRegistry) OpenExecSession ¶
func (s *SessionRegistry) OpenExecSession(ctx context.Context, channel ssh.Channel, scx *ServerContext) error
OpenExecSession opens a non-interactive exec session.
func (*SessionRegistry) OpenSession ¶
func (s *SessionRegistry) OpenSession(ctx context.Context, ch ssh.Channel, scx *ServerContext) error
OpenSession either joins an existing active session or starts a new session.
func (*SessionRegistry) TryCreateHostUser ¶
func (s *SessionRegistry) TryCreateHostUser(ctx *ServerContext) error
func (*SessionRegistry) TryWriteSudoersFile ¶
func (s *SessionRegistry) TryWriteSudoersFile(ctx *ServerContext) error
type SessionRegistryConfig ¶
type SessionRegistryConfig struct { // srv refers to the upon which this session registry is created. Srv Server // sessiontrackerService is used to share session activity to // other teleport components through the auth server. SessionTrackerService services.SessionTrackerService // contains filtered or unexported fields }
func (*SessionRegistryConfig) CheckAndSetDefaults ¶
func (sc *SessionRegistryConfig) CheckAndSetDefaults() error
type SessionTracker ¶
type SessionTracker struct {
// contains filtered or unexported fields
}
SessionTracker is a session tracker for a specific session. It tracks the session in memory and broadcasts updates to the given service (backend).
func NewSessionTracker ¶
func NewSessionTracker(ctx context.Context, trackerSpec types.SessionTrackerSpecV1, service services.SessionTrackerService) (*SessionTracker, error)
NewSessionTracker returns a new SessionTracker for the given types.SessionTracker
func (*SessionTracker) AddParticipant ¶
func (s *SessionTracker) AddParticipant(ctx context.Context, p *types.Participant) error
func (*SessionTracker) Close ¶
func (s *SessionTracker) Close(ctx context.Context) error
Close closes the session tracker and sets the tracker state to terminated
func (*SessionTracker) GetParticipants ¶
func (s *SessionTracker) GetParticipants() []types.Participant
func (*SessionTracker) GetState ¶
func (s *SessionTracker) GetState() types.SessionState
func (*SessionTracker) RemoveParticipant ¶
func (s *SessionTracker) RemoveParticipant(ctx context.Context, participantID string) error
func (*SessionTracker) UpdateExpiration ¶
func (*SessionTracker) UpdateExpirationLoop ¶
UpdateExpirationLoop extends the session tracker expiration by 30 minutes every 10 minutes until the SessionTracker or ctx is closed. If there is a failure to write the updated SessionTracker to the backend, the write is retried with exponential backoff up until the original SessionTracker expiry.
func (*SessionTracker) UpdateState ¶
func (s *SessionTracker) UpdateState(ctx context.Context, state types.SessionState) error
func (*SessionTracker) WaitForStateUpdate ¶
func (s *SessionTracker) WaitForStateUpdate(initialState types.SessionState) types.SessionState
WaitForStateUpdate waits for the tracker's state to be updated and returns the new state.
func (*SessionTracker) WaitOnState ¶
func (s *SessionTracker) WaitOnState(ctx context.Context, wanted types.SessionState) error
WaitOnState waits until the desired state is reached or the context is canceled.
type Subsystem ¶
type Subsystem interface { // Start starts subsystem Start(context.Context, *ssh.ServerConn, ssh.Channel, *ssh.Request, *ServerContext) error // Wait is returned by subsystem when it's completed Wait() error }
Subsystem represents SSH subsystem - special command executed in the context of the session.
type SubsystemResult ¶
type SubsystemResult struct { // Name holds the name of the subsystem that was executed. Name string // Err holds the result of execution of the subsystem. Err error }
SubsystemResult is a result of execution of the subsystem.
type TermHandlers ¶
type TermHandlers struct {
SessionRegistry *SessionRegistry
}
TermHandlers are common terminal handling functions used by both the regular and forwarding server.
func (*TermHandlers) HandleExec ¶
func (t *TermHandlers) HandleExec(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
HandleExec handles requests of type "exec" which can execute with or without a TTY. Result of execution is propagated back on the ExecResult channel of the context.
func (*TermHandlers) HandleFileTransferDecision ¶
func (t *TermHandlers) HandleFileTransferDecision(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
HandleFileTransferDecision handles requests of type "file-transfer-decision@goteleport.com" which will approve or deny an existing file transfer request. This response will update an active file transfer request accordingly and emit the updated file transfer request state to other members in the party.
func (*TermHandlers) HandleFileTransferRequest ¶
func (t *TermHandlers) HandleFileTransferRequest(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
HandleFileTransferRequest handles requests of type "file-transfer-request" which will create a FileTransferRequest that will be sent to other members in the party to be reviewed and approved/denied.
func (*TermHandlers) HandleForceTerminate ¶
func (t *TermHandlers) HandleForceTerminate(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
func (*TermHandlers) HandlePTYReq ¶
func (t *TermHandlers) HandlePTYReq(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
HandlePTYReq handles requests of type "pty-req" which allocate a TTY for "exec" or "shell" requests. The "pty-req" includes the size of the TTY as well as the terminal type requested.
func (*TermHandlers) HandleShell ¶
func (t *TermHandlers) HandleShell(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
HandleShell handles requests of type "shell" which request a interactive shell be created within a TTY.
func (*TermHandlers) HandleTerminalSize ¶
func (t *TermHandlers) HandleTerminalSize(req *ssh.Request) error
func (*TermHandlers) HandleWinChange ¶
func (t *TermHandlers) HandleWinChange(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error
HandleWinChange handles requests of type "window-change" which update the size of the PTY running on the server and update any other members in the party.
type TermManager ¶
type TermManager struct { OnReadError func(idString string, err error) OnWriteError func(idString string, err error) // contains filtered or unexported fields }
TermManager handles the streams of terminal-like sessions. It performs a number of tasks including: - multiplexing - history scrollback for new clients - stream breaking
func (*TermManager) BroadcastMessage ¶
func (g *TermManager) BroadcastMessage(message string)
BroadcastMessage injects a message into the stream.
func (*TermManager) Close ¶
func (g *TermManager) Close()
func (*TermManager) CountRead ¶
func (g *TermManager) CountRead() uint64
func (*TermManager) CountWritten ¶
func (g *TermManager) CountWritten() uint64
func (*TermManager) DeleteReader ¶
func (g *TermManager) DeleteReader(name string)
func (*TermManager) DeleteWriter ¶
func (g *TermManager) DeleteWriter(name string)
func (*TermManager) GetRecentHistory ¶
func (g *TermManager) GetRecentHistory() []byte
func (*TermManager) Off ¶
func (g *TermManager) Off()
Off buffers incoming writes and reads until turned on again.
func (*TermManager) TerminateNotifier ¶
func (g *TermManager) TerminateNotifier() <-chan struct{}
type Terminal ¶
type Terminal interface { // AddParty adds another participant to this terminal. We will keep the // Terminal open until all participants have left. AddParty(delta int) // Run will run the terminal. Run(ctx context.Context) error // Wait will block until the terminal is complete. Wait() (*ExecResult, error) // WaitForChild blocks until the child process has completed any required // setup operations before proceeding with execution. WaitForChild() error // Continue will resume execution of the process after it completes its // pre-processing routine (placed in a cgroup). Continue() // KillUnderlyingShell tries to gracefully stop the terminal process. KillUnderlyingShell(ctx context.Context) error // Kill will force kill the terminal. Kill(ctx context.Context) error // PTY returns the PTY backing the terminal. PTY() io.ReadWriter // TTY returns the TTY backing the terminal. TTY() *os.File // PID returns the PID of the Teleport process that was re-execed. PID() int // Close will free resources associated with the terminal. Close() error // GetWinSize returns the window size of the terminal. GetWinSize() (*term.Winsize, error) // SetWinSize sets the window size of the terminal. SetWinSize(ctx context.Context, params rsession.TerminalParams) error // GetTerminalParams is a fast call to get cached terminal parameters // and avoid extra system call. GetTerminalParams() rsession.TerminalParams // SetTerminalModes sets the terminal modes from "pty-req" SetTerminalModes(ssh.TerminalModes) // GetTermType gets the terminal type set in "pty-req" GetTermType() string // SetTermType sets the terminal type from "pty-req" SetTermType(string) }
Terminal defines an interface of handy functions for managing a (local or remote) PTY, such as resizing windows, executing commands with a PTY, and cleaning up.
func NewTerminal ¶
func NewTerminal(ctx *ServerContext) (Terminal, error)
NewTerminal returns a new terminal. Terminal can be local or remote depending on cluster configuration.
type TrackingConn ¶
type TrackingConn interface { // LocalAddr returns local address LocalAddr() net.Addr // RemoteAddr returns remote address RemoteAddr() net.Addr // Close closes the connection Close() error }
TrackingConn is an interface representing tracking connection
type TrackingReadConn ¶
TrackingReadConn allows to wrap net.Conn and keeps track of the latest conn read activity.
func NewTrackingReadConn ¶
func NewTrackingReadConn(cfg TrackingReadConnConfig) (*TrackingReadConn, error)
NewTrackingReadConn returns a new tracking read connection.
func (*TrackingReadConn) Close ¶
func (t *TrackingReadConn) Close() error
Close cancels the context with io.EOF and closes the underlying connection.
func (*TrackingReadConn) CloseWithCause ¶
func (t *TrackingReadConn) CloseWithCause(cause error) error
CloseWithCause cancels the context with provided cause and closes the underlying connection.
func (*TrackingReadConn) GetClientLastActive ¶
func (t *TrackingReadConn) GetClientLastActive() time.Time
GetClientLastActive returns time when client was last active
func (*TrackingReadConn) Read ¶
func (t *TrackingReadConn) Read(b []byte) (int, error)
Read reads data from the connection. Read can be made to time out and return an Error with Timeout() == true after a fixed time limit; see SetDeadline and SetReadDeadline.
func (*TrackingReadConn) UpdateClientActivity ¶
func (t *TrackingReadConn) UpdateClientActivity()
UpdateClientActivity sets last recorded client activity
type TrackingReadConnConfig ¶
type TrackingReadConnConfig struct { // Conn is a client connection. Conn net.Conn // Clock is a clock, realtime or fixed in tests. Clock clockwork.Clock // Context is an external context to cancel the operation. Context context.Context // Cancel is called whenever client context is closed. Cancel context.CancelCauseFunc }
TrackingReadConnConfig is a TrackingReadConn configuration.
func (*TrackingReadConnConfig) CheckAndSetDefaults ¶
func (c *TrackingReadConnConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults.
type UaccMetadata ¶
type UaccMetadata struct { // The hostname of the node. Hostname string `json:"hostname"` // RemoteAddr is the address of the remote host. RemoteAddr [4]int32 `json:"remote_addr"` // UtmpPath is the path of the system utmp database. UtmpPath string `json:"utmp_path,omitempty"` // WtmpPath is the path of the system wtmp log. WtmpPath string `json:"wtmp_path,omitempty"` // BtmpPath is the path of the system btmp log. BtmpPath string `json:"btmp_path,omitempty"` }
UaccMetadata contains information the child needs from the parent for user accounting.
type WebSessionContext ¶
type WebSessionContext interface { GetUserAccessChecker() (services.AccessChecker, error) GetSSHCertificate() (*ssh.Certificate, error) GetUser() string }
WebSessionContext contains information associated with a session established via the web ui.
type X11Config ¶
type X11Config struct { // XAuthEntry contains xauth data used for X11 forwarding. XAuthEntry x11.XAuthEntry `json:"xauth_entry,omitempty"` // XServerUnixSocket is the name of an open XServer unix socket used for X11 forwarding. XServerUnixSocket string `json:"xserver_unix_socket"` }
X11Config contains information used by the child process to set up X11 forwarding.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package app runs the application proxy process.
|
Package app runs the application proxy process. |
common
Package common provides common utilities used by all supported database implementations.
|
Package common provides common utilities used by all supported database implementations. |
mongodb
Package mongodb implements database access proxy that handles authentication, authorization and protocol parsing of connections from MongoDB clients to MongoDB clusters.
|
Package mongodb implements database access proxy that handles authentication, authorization and protocol parsing of connections from MongoDB clients to MongoDB clusters. |
mongodb/protocol
Package protocol implements reading/writing MongoDB wire protocol messages from/to client/server and converting them into parsed data structures.
|
Package protocol implements reading/writing MongoDB wire protocol messages from/to client/server and converting them into parsed data structures. |
mysql
Package mysql implements MySQL protocol support for the database access.
|
Package mysql implements MySQL protocol support for the database access. |
mysql/protocol
Package protocol implements parts of MySQL wire protocol which are needed for the service to be able to interpret the protocol messages but are not readily available in the convenient form in the vendored MySQL library.
|
Package protocol implements parts of MySQL wire protocol which are needed for the service to be able to interpret the protocol messages but are not readily available in the convenient form in the vendored MySQL library. |
postgres
Package postgres implements components of the database access subsystem that proxy connections between Postgres clients (like, psql or pgAdmin) and Postgres database servers with full protocol awareness.
|
Package postgres implements components of the database access subsystem that proxy connections between Postgres clients (like, psql or pgAdmin) and Postgres database servers with full protocol awareness. |
redis
Package redis implements database access proxy that handles authentication, authorization and protocol parsing of connections from Redis clients to Redis standalone or Redis clusters.
|
Package redis implements database access proxy that handles authentication, authorization and protocol parsing of connections from Redis clients to Redis standalone or Redis clusters. |
secrets
Package secrets implements clients for managing secret values using secret management tools like AWS Secrets Manager.
|
Package secrets implements clients for managing secret values using secret management tools like AWS Secrets Manager. |
sqlserver/kinit
Package kinit provides utilities for interacting with a KDC (Key Distribution Center) for Kerberos5
|
Package kinit provides utilities for interacting with a KDC (Key Distribution Center) for Kerberos5 |
Package desktop implements Desktop Access services, like windows_desktop_access.
|
Package desktop implements Desktop Access services, like windows_desktop_access. |
rdp/rdpclient
Package rdpclient implements an RDP client.
|
Package rdpclient implements an RDP client. |
tdp
Package tdp implements the Teleport desktop protocol (TDP) encoder/decoder.
|
Package tdp implements the Teleport desktop protocol (TDP) encoder/decoder. |
Package regular implements SSH server that supports multiplexing tunneling, SSH connections proxying and only supports Key based auth
|
Package regular implements SSH server that supports multiplexing tunneling, SSH connections proxying and only supports Key based auth |
transport
|
|
Package uacc concerns itself with updating the user account database and log on nodes that a client connects to with an interactive session.
|
Package uacc concerns itself with updating the user account database and log on nodes that a client connects to with an interactive session. |