srv

package
v0.0.0-...-5c79d48 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 15, 2024 License: AGPL-3.0 Imports: 81 Imported by: 0

Documentation

Index

Constants

View Source
const (
	PresenceVerifyInterval = time.Second * 15
	PresenceMaxDifference  = time.Minute
)
View Source
const SessionControlsInfoBroadcast = "Controls\r\n  - CTRL-C: Leave the session\r\n  - t: Forcefully terminate the session (moderators only)"

SessionControlsInfoBroadcast is sent in tandem with session creation to inform any joining users about the session controls.

Variables

View Source
var (
	ErrNodeFileCopyingNotPermitted = trace.AccessDenied("node does not allow file copying via SCP or SFTP")
)
View Source
var ErrUserLoggedIn = errors.New("User logged in error")

Functions

func CheckHomeDir

func CheckHomeDir(localUser *user.User) (bool, error)

CheckHomeDir checks if the user's home dir exists

func ComputeLockTargets

func ComputeLockTargets(clusterName, serverID string, id IdentityContext) []types.LockTarget

ComputeLockTargets computes lock targets inferred from the clusterName, serverID and IdentityContext.

func ConfigureCommand

func ConfigureCommand(ctx *ServerContext, extraFiles ...*os.File) (*exec.Cmd, error)

ConfigureCommand creates a command fully configured to execute. This function is used by Teleport to re-execute itself and pass whatever data is need to the child to actually execute the shell.

func DecodeChildError

func DecodeChildError(r io.Reader) error

DecodeChildError consumes the output from a child process decoding it from its raw form back into a concrete error.

func GetDisconnectExpiredCertFromIdentity

func GetDisconnectExpiredCertFromIdentity(
	checker services.AccessChecker,
	authPref types.AuthPreference,
	identity *tlsca.Identity,
) time.Time

GetDisconnectExpiredCertFromIdentity calculates the proper value for DisconnectExpiredCert based on whether a connection is set to disconnect on cert expiry, and whether the cert is a short lived (<1m) one issued for an MFA verified session. If the session doesn't need to be disconnected on cert expiry it will return the default value for time.Time.

func IsReexec

func IsReexec() bool

IsReexec determines if the current process is a teleport reexec command. Used by tests to reroute the execution to RunAndExit.

func ParseAccessRequestIDs

func ParseAccessRequestIDs(str string) ([]string, error)

func RunAndExit

func RunAndExit(commandType string)

RunAndExit will run the requested command and then exit. This wrapper allows Run{Command,Forward} to use defers and makes sure error messages are consistent across both.

func RunCommand

func RunCommand() (errw io.Writer, code int, err error)

RunCommand reads in the command to run from the parent process (over a pipe) then constructs and runs the command.

func RunForward

func RunForward() (errw io.Writer, code int, err error)

RunForward reads in the command to run from the parent process (over a pipe) then port forwards.

func StartKeepAliveLoop

func StartKeepAliveLoop(p KeepAliveParams)

StartKeepAliveLoop starts the keep-alive loop.

func StartMonitor

func StartMonitor(cfg MonitorConfig) error

StartMonitor starts a new monitor.

func WebSessionController

func WebSessionController(controller *SessionController) func(ctx context.Context, sctx WebSessionContext, login, localAddr, remoteAddr string) (context.Context, error)

WebSessionController is a wrapper around SessionController which can be used to create an IdentityContext and apply session controls for a web session. This allows `lib/web` to not depend on `lib/srv`.

Types

type AccessPoint

type AccessPoint interface {
	// Announcer adds methods used to announce presence
	auth.Announcer

	// Semaphores provides semaphore operations
	types.Semaphores

	// GetClusterName returns cluster name
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)

	// GetClusterNetworkingConfig returns cluster networking configuration.
	GetClusterNetworkingConfig(ctx context.Context, opts ...services.MarshalOption) (types.ClusterNetworkingConfig, error)

	// GetSessionRecordingConfig returns session recording configuration.
	GetSessionRecordingConfig(ctx context.Context, opts ...services.MarshalOption) (types.SessionRecordingConfig, error)

	// GetAuthPreference returns the cluster authentication configuration.
	GetAuthPreference(ctx context.Context) (types.AuthPreference, error)

	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)

	// ConnectionDiagnosticTraceAppender adds a method to append traces into ConnectionDiagnostics.
	services.ConnectionDiagnosticTraceAppender
}

AccessPoint is the access point contract required by a Server

type AccessRequests

type AccessRequests struct {
	IDs []string `json:"access_requests"`
}

AccessRequests are the access requests associated with a session

type ActivityTracker

type ActivityTracker interface {
	// GetClientLastActive returns the time of the last recorded activity
	GetClientLastActive() time.Time
	// UpdateClientActivity updates the last active timestamp
	UpdateClientActivity()
}

ActivityTracker is a connection activity tracker, it allows to update the activity on the connection and retrieve the time when the connection was last active

type AuthHandlerConfig

type AuthHandlerConfig struct {
	// Server is the services.Server in the backend.
	Server Server

	// Component is the type of SSH server (node, proxy, or recording proxy).
	Component string

	// Emitter is event emitter
	Emitter apievents.Emitter

	// AccessPoint is used to access the Auth Server.
	AccessPoint AccessPoint

	// TargetServer is the host that the connection is being established for.
	// It **MUST** only be populated when the target is a teleport ssh server
	// or an agentless server.
	TargetServer types.Server

	// FIPS mode means Teleport started in a FedRAMP/FIPS 140-2 compliant
	// configuration.
	FIPS bool

	// Clock specifies the time provider. Will be used to override the time anchor
	// for TLS certificate verification.
	// Defaults to real clock if unspecified
	Clock clockwork.Clock
}

AuthHandlerConfig is the configuration for an application handler.

func (*AuthHandlerConfig) CheckAndSetDefaults

func (c *AuthHandlerConfig) CheckAndSetDefaults() error

type AuthHandlers

type AuthHandlers struct {
	// contains filtered or unexported fields
}

AuthHandlers are common authorization and authentication related handlers used by the regular and forwarding server.

func NewAuthHandlers

func NewAuthHandlers(config *AuthHandlerConfig) (*AuthHandlers, error)

NewAuthHandlers initializes authorization and authentication handlers

func (*AuthHandlers) CheckAgentForward

func (h *AuthHandlers) CheckAgentForward(ctx *ServerContext) error

CheckAgentForward checks if agent forwarding is allowed for the users RoleSet.

func (*AuthHandlers) CheckFileCopying

func (h *AuthHandlers) CheckFileCopying(ctx *ServerContext) error

func (*AuthHandlers) CheckPortForward

func (h *AuthHandlers) CheckPortForward(addr string, ctx *ServerContext) error

CheckPortForward checks if port forwarding is allowed for the users RoleSet.

func (*AuthHandlers) CheckX11Forward

func (h *AuthHandlers) CheckX11Forward(ctx *ServerContext) error

CheckX11Forward checks if X11 forwarding is permitted for the user's RoleSet.

func (*AuthHandlers) CreateIdentityContext

func (h *AuthHandlers) CreateIdentityContext(sconn *ssh.ServerConn) (IdentityContext, error)

CreateIdentityContext returns an IdentityContext populated with information about the logged in user on the connection.

func (*AuthHandlers) HostKeyAuth

func (h *AuthHandlers) HostKeyAuth(addr string, remote net.Addr, key ssh.PublicKey) error

HostKeyAuth implements host key verification and is called by the client to validate the certificate presented by the target server. If the target server presents a SSH certificate, we validate that it was Teleport that generated the certificate. If the target server presents a public key, if we are strictly checking keys, we reject the target server. If we are not we take whatever.

func (*AuthHandlers) IsHostAuthority

func (h *AuthHandlers) IsHostAuthority(cert ssh.PublicKey, address string) bool

IsHostAuthority is called when checking the host certificate a server presents. It make sure that the key used to sign the host certificate was a Teleport CA.

func (*AuthHandlers) IsUserAuthority

func (h *AuthHandlers) IsUserAuthority(cert ssh.PublicKey) bool

IsUserAuthority is called during checking the client key, to see if the key used to sign the certificate was a Teleport CA.

func (*AuthHandlers) UserKeyAuth

func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error)

UserKeyAuth implements SSH client authentication using public keys and is called by the server every time the client connects.

type ConnectionMonitor

type ConnectionMonitor struct {
	// contains filtered or unexported fields
}

ConnectionMonitor monitors the activity of connections and disconnects them if the certificate expires, if a new lock is placed that applies to the connection, or after periods of inactivity

func NewConnectionMonitor

func NewConnectionMonitor(cfg ConnectionMonitorConfig) (*ConnectionMonitor, error)

NewConnectionMonitor returns a ConnectionMonitor that can be used to monitor connection activity and terminate connections based on various cluster conditions.

func (*ConnectionMonitor) MonitorConn

func (c *ConnectionMonitor) MonitorConn(ctx context.Context, authzCtx *authz.Context, conn net.Conn) (context.Context, net.Conn, error)

MonitorConn ensures that the provided net.Conn is allowed per cluster configuration and security controls. If at any point during the lifetime of the connection the cluster controls dictate that the connection is not permitted it will be closed and the returned context.Context will be canceled.

type ConnectionMonitorConfig

type ConnectionMonitorConfig struct {
	// AccessPoint is used to retrieve cluster configuration.
	AccessPoint AccessPoint
	// LockWatcher ensures lock information is up to date.
	LockWatcher *services.LockWatcher
	// Clock is a clock, realtime or fixed in tests.
	Clock clockwork.Clock
	// ServerID is the host UUID of the server receiving connections.
	ServerID string
	// Emitter allows events to be emitted.
	Emitter apievents.Emitter
	// EmitterContext is long-lived context suitable to be used with Emitter
	EmitterContext context.Context
	// Logger is a logging entry.
	Logger log.FieldLogger
	// MonitorCloseChannel will be signaled when the monitor closes a connection.
	// Used only for testing. Optional.
	MonitorCloseChannel chan struct{}
}

ConnectionMonitorConfig contains dependencies required by the ConnectionMonitor.

func (*ConnectionMonitorConfig) CheckAndSetDefaults

func (c *ConnectionMonitorConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks values and sets defaults

type Exec

type Exec interface {
	// GetCommand returns the command to be executed.
	GetCommand() string

	// SetCommand sets the command to be executed.
	SetCommand(string)

	// Start will start the execution of the command.
	Start(ctx context.Context, channel ssh.Channel) (*ExecResult, error)

	// Wait will block while the command executes.
	Wait() *ExecResult

	// WaitForChild blocks until the child process has completed any required
	// setup operations before proceeding with execution.
	WaitForChild() error

	// Continue will resume execution of the process after it completes its
	// pre-processing routine (placed in a cgroup).
	Continue()

	// PID returns the PID of the Teleport process that was re-execed.
	PID() int
}

Exec executes an "exec" request.

func NewExecRequest

func NewExecRequest(ctx *ServerContext, command string) (Exec, error)

NewExecRequest creates a new local or remote Exec.

type ExecCommand

type ExecCommand struct {
	// Command is the command to execute. If an interactive session is being
	// requested, will be empty. If a subsystem is requested, it will contain
	// the subsystem name.
	Command string `json:"command"`

	// DestinationAddress is the target address to dial to.
	DestinationAddress string `json:"dst_addr"`

	// Username is the username associated with the Teleport identity.
	Username string `json:"username"`

	// Login is the local *nix account.
	Login string `json:"login"`

	// Roles is the list of Teleport roles assigned to the Teleport identity.
	Roles []string `json:"roles"`

	// ClusterName is the name of the Teleport cluster.
	ClusterName string `json:"cluster_name"`

	// Terminal indicates if a TTY has been allocated for the session. This is
	// typically set if either a shell was requested or a TTY was explicitly
	// allocated for an exec request.
	Terminal bool `json:"term"`

	// TerminalName is the name of TTY terminal, ex: /dev/tty1.
	// Currently, this field is used by auditd.
	TerminalName string `json:"terminal_name"`

	// ClientAddress contains IP address of the connected client.
	// Currently, this field is used by auditd.
	ClientAddress string `json:"client_address"`

	// RequestType is the type of request: either "exec" or "shell". This will
	// be used to control where to connect std{out,err} based on the request
	// type: "exec", "shell" or "subsystem".
	RequestType string `json:"request_type"`

	// PAMConfig is the configuration data that needs to be passed to the child and then to PAM modules.
	PAMConfig *PAMConfig `json:"pam_config,omitempty"`

	// Environment is a list of environment variables to add to the defaults.
	Environment []string `json:"environment"`

	// PermitUserEnvironment is set to allow reading in ~/.tsh/environment
	// upon login.
	PermitUserEnvironment bool `json:"permit_user_environment"`

	// IsTestStub is used by tests to mock the shell.
	IsTestStub bool `json:"is_test_stub"`

	// UserCreatedByTeleport is true when the system user was created by Teleport user auto-provision.
	UserCreatedByTeleport bool

	// UaccMetadata contains metadata needed for user accounting.
	UaccMetadata UaccMetadata `json:"uacc_meta"`

	// X11Config contains an xauth entry to be added to the command user's xauthority.
	X11Config X11Config `json:"x11_config"`

	// ExtraFilesLen is the number of extra files that are inherited from
	// the parent process. These files start at file descriptor 3 of the
	// child process, and are only valid for processes without a terminal.
	ExtraFilesLen int `json:"extra_files_len"`
}

ExecCommand contains the payload to "teleport exec" which will be used to construct and execute a shell.

type ExecResult

type ExecResult struct {
	// Command is the command that was executed.
	Command string

	// Code is return code that execution of the command resulted in.
	Code int
}

ExecResult is used internally to send the result of a command execution from a goroutine to SSH request handler and back to the calling client

type FileFD

type FileFD = uintptr

FileFD is a file descriptor passed down from a parent process when Teleport is re-executing itself.

const (
	// CommandFile is used to pass the command and arguments that the
	// child process should execute from the parent process.
	CommandFile FileFD = 3 + iota
	// ContinueFile is used to communicate to the child process that
	// it can continue after the parent process assigns a cgroup to the
	// child process.
	ContinueFile
	// ReadyFile is used to communicate to the parent process that
	// the child has completed any setup operations that must occur before
	// the child is placed into its cgroup.
	ReadyFile
	// TerminateFile is used to communicate to the child process that
	// the interactive terminal should be killed as the client ended the
	// SSH session and without termination the terminal process will be assigned
	// to pid 1 and "live forever". Killing the shell should not prevent processes
	// preventing SIGHUP to be reassigned (ex. processes running with nohup).
	TerminateFile
	// X11File is used to communicate to the parent process that the child
	// process has set up X11 forwarding.
	X11File
	// ErrorFile is used to communicate any errors terminating the child process
	// to the parent process
	ErrorFile
	// PTYFile is a PTY the parent process passes to the child process.
	PTYFile
	// TTYFile is a TTY the parent process passes to the child process.
	TTYFile

	// FirstExtraFile is the first file descriptor that will be valid when
	// extra files are passed to child processes without a terminal.
	FirstExtraFile FileFD = ErrorFile + 1
)

type FileTransferRequestEvent

type FileTransferRequestEvent string

FileTransferRequestEvent is an event used to Notify party members during File Transfer Request approval process

const (
	// FileTransferUpdate is used when a file transfer request is created or updated.
	// An update will happen if a file transfer request was approved but the policy still isn't fulfilled
	FileTransferUpdate FileTransferRequestEvent = "file_transfer_request"
	// FileTransferApproved is used when a file transfer request has received an approval decision
	// and the policy is fulfilled. This lets the client know that the file transfer is ready to download/upload
	// and be removed from any pending state.
	FileTransferApproved FileTransferRequestEvent = "file_transfer_request_approve"
	// FileTransferDenied is used when a file transfer request is denied. This lets the client know to remove
	// this file transfer from any pending state.
	FileTransferDenied FileTransferRequestEvent = "file_transfer_request_deny"
)

type GetServerInfoFn

type GetServerInfoFn func() (types.Resource, error)

GetServerInfoFn is function that returns server info

type Heartbeat

type Heartbeat struct {
	HeartbeatConfig

	*log.Entry
	// contains filtered or unexported fields
}

Heartbeat keeps heartbeat state, it is implemented according to actor model - all interactions with it are to be done with signals

func NewHeartbeat

func NewHeartbeat(cfg HeartbeatConfig) (*Heartbeat, error)

NewHeartbeat returns a new instance of heartbeat

func (*Heartbeat) Close

func (h *Heartbeat) Close() error

Close closes all timers and goroutines, note that this function is equivalent of canceling of the context passed in configuration and can be used interchangeably

func (*Heartbeat) ForceSend

func (h *Heartbeat) ForceSend(timeout time.Duration) error

ForceSend forces send cycle, used in tests, returns nil in case of success, error otherwise

func (*Heartbeat) Run

func (h *Heartbeat) Run() error

Run periodically calls to announce presence, should be called explicitly in a separate goroutine

type HeartbeatConfig

type HeartbeatConfig struct {
	// Mode sets one of the proxy, auth or node modes.
	Mode HeartbeatMode
	// Context is parent context that signals
	// heartbeat cancel
	Context context.Context
	// Component is a name of component used in logs
	Component string
	// Announcer is used to announce presence
	Announcer auth.Announcer
	// GetServerInfo returns server information
	GetServerInfo GetServerInfoFn
	// ServerTTL is a server TTL used in announcements
	ServerTTL time.Duration
	// KeepAlivePeriod is a period between light-weight
	// keep alive calls, that only update TTLs and don't consume
	// bandwidh, also is used to derive time between
	// failed attempts as well for auth and proxy modes
	KeepAlivePeriod time.Duration
	// AnnouncePeriod is a period between announce calls,
	// when client sends full server specification
	// to the presence service
	AnnouncePeriod time.Duration
	// CheckPeriod is a period to check for updates
	CheckPeriod time.Duration
	// Clock is a clock used to override time in tests
	Clock clockwork.Clock
	// OnHeartbeat is called after every heartbeat. A non-nil error is passed
	// when a heartbeat fails.
	OnHeartbeat func(error)
}

HeartbeatConfig is a heartbeat configuration

func (*HeartbeatConfig) CheckAndSetDefaults

func (cfg *HeartbeatConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type HeartbeatI

type HeartbeatI interface {
	Run() error
	Close() error
	ForceSend(timeout time.Duration) error
}

HeartbeatI abstracts over the basic interface of Heartbeat and HeartbeatV2. This can be removed once we've fully transitioned to HeartbeatV2.

type HeartbeatMode

type HeartbeatMode int

HeartbeatMode represents the mode of the heartbeat node, proxy or auth server

const (
	// HeartbeatModeNode sets heartbeat to node
	// updates that support keep alives
	HeartbeatModeNode HeartbeatMode = iota
	// HeartbeatModeProxy sets heartbeat to proxy
	// that does not support keep alives
	HeartbeatModeProxy
	// HeartbeatModeAuth sets heartbeat to auth
	// that does not support keep alives
	HeartbeatModeAuth
	// HeartbeatModeKube is a mode for kubernetes service heartbeats.
	HeartbeatModeKube
	// HeartbeatModeApp sets heartbeat to apps and will use keep alives.
	HeartbeatModeApp
	// HeartbeatModeDB sets heartbeat to db
	HeartbeatModeDB
	// HeartbeatModeDatabaseService sets heartbeat mode to DatabaseService.
	HeartbeatModeDatabaseService
	// HeartbeatModeWindowsDesktopService sets heartbeat mode to windows desktop
	// service.
	HeartbeatModeWindowsDesktopService
	// HeartbeatModeWindowsDesktop sets heartbeat mode to windows desktop.
	HeartbeatModeWindowsDesktop
)

func (HeartbeatMode) CheckAndSetDefaults

func (h HeartbeatMode) CheckAndSetDefaults() error

CheckAndSetDefaults checks values and sets defaults

func (HeartbeatMode) String

func (h HeartbeatMode) String() string

String returns user-friendly representation of the mode

type HeartbeatV2

type HeartbeatV2 struct {
	// contains filtered or unexported fields
}

HeartbeatV2 heartbeats presence via the inventory control stream.

func NewSSHServerHeartbeat

func NewSSHServerHeartbeat(cfg SSHServerHeartbeatConfig) (*HeartbeatV2, error)

func (*HeartbeatV2) Close

func (h *HeartbeatV2) Close() error

func (*HeartbeatV2) ForceSend

func (h *HeartbeatV2) ForceSend(timeout time.Duration) error

ForceSend is used in tests to trigger an announce and block until it one successfully completes or the provided timeout is reached.

func (*HeartbeatV2) Run

func (h *HeartbeatV2) Run() error

func (*HeartbeatV2) SetDefaults

func (c *HeartbeatV2) SetDefaults()

type HostSudoers

type HostSudoers interface {
	// WriteSudoers creates a temporary Teleport user in the TeleportServiceGroup
	WriteSudoers(name string, sudoers []string) error
	// RemoveSudoers removes the users sudoer file
	RemoveSudoers(name string) error
}

func NewHostSudoers

func NewHostSudoers(uuid string) HostSudoers

type HostSudoersBackend

type HostSudoersBackend interface {
	// CheckSudoers ensures that a sudoers file to be written is valid
	CheckSudoers(contents []byte) error
	// WriteSudoersFile creates the user's sudoers file.
	WriteSudoersFile(user string, entries []byte) error
	// RemoveSudoersFile deletes a user's sudoers file.
	RemoveSudoersFile(user string) error
}

type HostSudoersManagement

type HostSudoersManagement struct {
	// contains filtered or unexported fields
}

func (*HostSudoersManagement) RemoveSudoers

func (u *HostSudoersManagement) RemoveSudoers(name string) error

func (*HostSudoersManagement) WriteSudoers

func (u *HostSudoersManagement) WriteSudoers(name string, sudoers []string) error

WriteSudoers creates a sudoers file for a user from a list of entries

type HostSudoersNotImplemented

type HostSudoersNotImplemented struct{}

func (*HostSudoersNotImplemented) RemoveSudoers

func (*HostSudoersNotImplemented) RemoveSudoers(name string) error

RemoveSudoers removes the users sudoer file

func (*HostSudoersNotImplemented) WriteSudoers

func (*HostSudoersNotImplemented) WriteSudoers(string, []string) error

WriteSudoers creates a temporary Teleport user in the TeleportServiceGroup

type HostSudoersProvisioningBackend

type HostSudoersProvisioningBackend struct {
	// HostUUID is the UUID of the running host
	HostUUID string
	// SudoersPath is the path to write sudoers files to.
	SudoersPath string
}

HostSudoersProvisioningBackend is used to implement HostSudoersBackend

func (*HostSudoersProvisioningBackend) CheckSudoers

func (*HostSudoersProvisioningBackend) CheckSudoers(contents []byte) error

CheckSudoers ensures that a sudoers file to be written is valid

func (*HostSudoersProvisioningBackend) RemoveSudoersFile

func (u *HostSudoersProvisioningBackend) RemoveSudoersFile(username string) error

RemoveSudoersFile deletes a user's sudoers file.

func (*HostSudoersProvisioningBackend) WriteSudoersFile

func (u *HostSudoersProvisioningBackend) WriteSudoersFile(username string, contents []byte) error

WriteSudoersFile creates the user's sudoers file.

type HostUserManagement

type HostUserManagement struct {
	// contains filtered or unexported fields
}

func (*HostUserManagement) CreateUser

func (u *HostUserManagement) CreateUser(name string, ui *services.HostUsersInfo) (io.Closer, error)

CreateUser creates a temporary Teleport user in the TeleportServiceGroup

func (*HostUserManagement) DeleteAllUsers

func (u *HostUserManagement) DeleteAllUsers() error

DeleteAllUsers deletes all host users in the teleport service group.

func (*HostUserManagement) DeleteUser

func (u *HostUserManagement) DeleteUser(username string, gid string) error

DeleteUser deletes the specified user only if they are present in the specified group.

func (*HostUserManagement) SetHostUserDeletionGrace

func (u *HostUserManagement) SetHostUserDeletionGrace(d time.Duration)

func (*HostUserManagement) Shutdown

func (u *HostUserManagement) Shutdown()

Shutdown cancels the UserCleanup loop

func (*HostUserManagement) UserCleanup

func (u *HostUserManagement) UserCleanup()

UserCleanup starts a periodic user deletion cleanup loop for users that failed to delete

func (*HostUserManagement) UserExists

func (u *HostUserManagement) UserExists(username string) error

UserExists looks up an existing host user.

type HostUsers

type HostUsers interface {
	// CreateUser creates a temporary Teleport user in the TeleportServiceGroup
	CreateUser(name string, hostRoleInfo *services.HostUsersInfo) (io.Closer, error)
	// DeleteUser deletes a temporary Teleport user only if they are
	// in a specified group
	DeleteUser(name string, gid string) error
	// DeleteAllUsers deletes all suer in the TeleportServiceGroup
	DeleteAllUsers() error
	// UserCleanup starts a periodic user deletion cleanup loop for
	// users that failed to delete
	UserCleanup()
	// Shutdown cancels the UserCleanup loop
	Shutdown()

	// UserExists returns nil should a hostuser exist
	UserExists(string) error

	// SetHostUserDeletionGrace sets the grace period before a user
	// can be deleted, used so integration tests don't need to sleep
	SetHostUserDeletionGrace(time.Duration)
	// contains filtered or unexported methods
}

func NewHostUsers

func NewHostUsers(ctx context.Context, storage *local.PresenceService, uuid string) HostUsers

NewHostUsers initialize a new HostUsers object

type HostUsersBackend

type HostUsersBackend interface {
	// GetAllUsers returns all host users on a node.
	GetAllUsers() ([]string, error)
	// UserGIDs returns a list of group ids for a user.
	UserGIDs(*user.User) ([]string, error)
	// Lookup retrieves a user by name.
	Lookup(name string) (*user.User, error)
	// LookupGroup retrieves a group by name.
	LookupGroup(group string) (*user.Group, error)
	// LookupGroupByID retrieves a group by its ID.
	LookupGroupByID(gid string) (*user.Group, error)
	// CreateGroup creates a group on a host.
	CreateGroup(group string, gid string) error
	// CreateUser creates a user on a host.
	CreateUser(name string, groups []string, uid, gid string) error
	// DeleteUser deletes a user from a host.
	DeleteUser(name string) error
	// CreateHomeDirectory creates the users home directory and copies in /etc/skel
	CreateHomeDirectory(user string, uid, gid string) error
}

type HostUsersProvisioningBackend

type HostUsersProvisioningBackend struct {
}

HostUsersProvisioningBackend is used to implement HostUsersBackend

func (*HostUsersProvisioningBackend) CreateGroup

func (*HostUsersProvisioningBackend) CreateGroup(name string, gid string) error

CreateGroup creates a group on a host

func (*HostUsersProvisioningBackend) CreateHomeDirectory

func (u *HostUsersProvisioningBackend) CreateHomeDirectory(user string, uidS, gidS string) error

func (*HostUsersProvisioningBackend) CreateUser

func (*HostUsersProvisioningBackend) CreateUser(name string, groups []string, uid, gid string) error

CreateUser creates a user on a host

func (*HostUsersProvisioningBackend) DeleteUser

func (*HostUsersProvisioningBackend) DeleteUser(name string) error

DeleteUser deletes a user on a host. The user must not be logged in.

func (*HostUsersProvisioningBackend) GetAllUsers

func (*HostUsersProvisioningBackend) GetAllUsers() ([]string, error)

GetAllUsers returns a full list of users present on a system

func (*HostUsersProvisioningBackend) Lookup

func (*HostUsersProvisioningBackend) Lookup(username string) (*user.User, error)

Lookup implements host user information lookup

func (*HostUsersProvisioningBackend) LookupGroup

func (*HostUsersProvisioningBackend) LookupGroup(name string) (*user.Group, error)

LookupGroup host group information lookup

func (*HostUsersProvisioningBackend) LookupGroupByID

func (*HostUsersProvisioningBackend) LookupGroupByID(gid string) (*user.Group, error)

LookupGroup host group information lookup by GID

func (*HostUsersProvisioningBackend) UserGIDs

func (*HostUsersProvisioningBackend) UserGIDs(u *user.User) ([]string, error)

UserGIDs returns the list of group IDs for a user

type IdentityContext

type IdentityContext struct {
	// TeleportUser is the Teleport user associated with the connection.
	TeleportUser string

	// Impersonator is a user acting on behalf of other user
	Impersonator string

	// Login is the operating system user associated with the connection.
	Login string

	// Certificate is the SSH user certificate bytes marshaled in the OpenSSH
	// authorized_keys format.
	Certificate *ssh.Certificate

	// CertAuthority is the Certificate Authority that signed the Certificate.
	CertAuthority types.CertAuthority

	// AccessChecker is used to check RBAC permissions.
	AccessChecker services.AccessChecker

	// UnmappedRoles lists the original roles of this Teleport user without
	// trusted-cluster-related role mapping being applied.
	UnmappedRoles []string

	// CertValidBefore is set to the expiry time of a certificate, or
	// empty, if cert does not expire
	CertValidBefore time.Time

	// RouteToCluster is derived from the certificate
	RouteToCluster string

	// ActiveRequests is active access request IDs
	ActiveRequests []string

	// DisallowReissue is a flag that, if set, instructs the auth server to
	// deny any requests from this identity to generate new certificates.
	DisallowReissue bool

	// Renewable indicates this certificate is renewable.
	Renewable bool

	// Generation counts the number of times this identity's certificate has
	// been renewed.
	Generation uint64

	// BotName is the name of the Machine ID bot this identity is associated
	// with, if any.
	BotName string

	// AllowedResourceIDs lists the resources this identity should be allowed to
	// access
	AllowedResourceIDs []types.ResourceID

	// PreviousIdentityExpires is the expiry time of the identity/cert that this
	// identity/cert was derived from. It is used to determine a session's hard
	// deadline in cases where both require_session_mfa and disconnect_expired_cert
	// are enabled. See https://github.com/gravitational/teleport/issues/18544.
	PreviousIdentityExpires time.Time
}

IdentityContext holds all identity information associated with the user logged on the connection.

func (*IdentityContext) GetUserMetadata

func (id *IdentityContext) GetUserMetadata() apievents.UserMetadata

type KeepAliveParams

type KeepAliveParams struct {
	// Conns is the list of connections to send keep-alive connections to. All
	// connections must respond to the keep-alive to not be considered missed.
	Conns []RequestSender

	// Interval is the interval to send keep-alive messsages at.
	Interval time.Duration

	// MaxCount is the number of keep-alive messages that can be missed before
	// the connection is disconnected.
	MaxCount int64

	// CloseContext is used by the server to notify the keep-alive loop to stop.
	CloseContext context.Context

	// CloseCancel is used by the keep-alive loop to notify the server to stop.
	CloseCancel context.CancelFunc
}

KeepAliveParams configures the keep-alive loop.

type KeepAliveState

type KeepAliveState int

KeepAliveState represents state of the heartbeat

const (
	// HeartbeatStateInit is set when
	// the state has not been collected yet,
	// or the state is not fetched
	HeartbeatStateInit KeepAliveState = iota
	// HeartbeatStateAnnounce is set when full
	// state has to be announced back to the auth server
	HeartbeatStateAnnounce
	// HeartbeatStateAnnounceWait is set after successful
	// announce, heartbeat will wait until server updates
	// information, or time for next announce comes
	HeartbeatStateAnnounceWait
	// HeartbeatStateKeepAlive is set when
	// only sending keep alives is necessary
	HeartbeatStateKeepAlive
	// HeartbeatStateKeepAliveWait is set when
	// heartbeat will waiting until it's time to send keep alive
	HeartbeatStateKeepAliveWait
)

func (KeepAliveState) String

func (k KeepAliveState) String() string

type LockEnforcer

type LockEnforcer interface {
	CheckLockInForce(mode constants.LockingMode, targets ...types.LockTarget) error
}

LockEnforcer determines whether a lock is being enforced on the provided targets

type LookupGroup

type LookupGroup func(string) (*user.Group, error)

LookupGroup is used to mock the value returned by user.LookupGroup(string).

type LookupUser

type LookupUser func(string) (*user.User, error)

LookupUser is used to mock the value returned by user.Lookup(string).

type Monitor

type Monitor struct {
	// MonitorConfig is a connection monitor configuration
	MonitorConfig
}

Monitor monitors the activity on a single connection and disconnects that connection if the certificate expires, if a new lock is placed that applies to the connection, or after periods of inactivity

type MonitorConfig

type MonitorConfig struct {
	// LockWatcher is a lock watcher.
	LockWatcher *services.LockWatcher
	// LockTargets is used to detect a lock applicable to the connection.
	LockTargets []types.LockTarget
	// LockingMode determines how to handle possibly stale lock views.
	LockingMode constants.LockingMode
	// DisconnectExpiredCert is a point in time when
	// the certificate should be disconnected
	DisconnectExpiredCert time.Time
	// ClientIdleTimeout is a timeout of inactivity
	// on the wire
	ClientIdleTimeout time.Duration
	// Clock is a clock, realtime or fixed in tests
	Clock clockwork.Clock
	// Tracker is activity tracker
	Tracker ActivityTracker
	// Conn is a connection to close
	Conn TrackingConn
	// Context is an external context. To reliably close the monitor and ensure no goroutine leak,
	// make sure to pass a context which will be canceled on time.
	Context context.Context
	// Login is linux box login
	Login string
	// TeleportUser is a teleport user name
	TeleportUser string
	// ServerID is a session server ID
	ServerID string
	// Emitter is events emitter
	Emitter apievents.Emitter
	// EmitterContext is long-lived context suitable to be used with Emitter. Typically, a server exit context will be used here.
	EmitterContext context.Context
	// Entry is a logging entry
	Entry log.FieldLogger
	// IdleTimeoutMessage is sent to the client when the idle timeout expires.
	IdleTimeoutMessage string
	// MessageWriter wraps a channel to send text messages to the client. Use
	// for disconnection messages, etc.
	MessageWriter io.StringWriter
	// MonitorCloseChannel will be signaled when the monitor closes a connection.
	// Used only for testing. Optional.
	MonitorCloseChannel chan struct{}
}

MonitorConfig is a wiretap configuration

func (*MonitorConfig) CheckAndSetDefaults

func (m *MonitorConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks values and sets defaults

type PAMConfig

type PAMConfig struct {
	// UsePAMAuth specifies whether to trigger the "auth" PAM modules from the
	// policy.
	UsePAMAuth bool `json:"use_pam_auth"`

	// ServiceName is the name of the PAM service requested if PAM is enabled.
	ServiceName string `json:"service_name"`

	// Environment represents env variables to pass to PAM.
	Environment map[string]string `json:"environment"`
}

PAMConfig represents all the configuration data that needs to be passed to the child.

type RequestSender

type RequestSender interface {
	// SendRequest is used to send a out-of-band request.
	SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error)
}

RequestSender is an interface that implements SendRequest. It is used so server and client connections can be passed to functions to send requests.

type SSHServerHeartbeatConfig

type SSHServerHeartbeatConfig struct {
	// InventoryHandle is used to send heartbeats.
	InventoryHandle inventory.DownstreamHandle
	// GetServer gets the latest server spec.
	GetServer func() *types.ServerV2

	// Announcer is a fallback used to perform basic upsert-style heartbeats
	// if the control stream is unavailable.
	//
	// DELETE IN: 11.0 (only exists for back-compat with v9 auth servers)
	Announcer auth.Announcer
	// OnHeartbeat is a per-attempt callback (optional).
	OnHeartbeat func(error)
	// AnnounceInterval is the interval at which heartbeats are attempted (optional).
	AnnounceInterval time.Duration
	// PollInterval is the interval at which checks for change are performed (optional).
	PollInterval time.Duration
}

SSHServerHeartbeatConfig configures the HeartbeatV2 for an ssh server.

func (*SSHServerHeartbeatConfig) Check

func (c *SSHServerHeartbeatConfig) Check() error

type Server

type Server interface {
	// StreamEmitter allows server to emit audit events and create
	// event streams for recording sessions
	events.StreamEmitter

	// ID is the unique ID of the server.
	ID() string

	// HostUUID is the UUID of the underlying host. For the forwarding
	// server this is the proxy the forwarding server is running in.
	HostUUID() string

	// GetNamespace returns the namespace the server was created in.
	GetNamespace() string

	// AdvertiseAddr is the publicly addressable address of this server.
	AdvertiseAddr() string

	// Component is the type of server, forwarding or regular.
	Component() string

	// PermitUserEnvironment returns if reading environment variables upon
	// startup is allowed.
	PermitUserEnvironment() bool

	// GetAccessPoint returns an AccessPoint for this cluster.
	GetAccessPoint() AccessPoint

	// GetDataDir returns data directory of the server
	GetDataDir() string

	// GetPAM returns PAM configuration for this server.
	GetPAM() (*servicecfg.PAMConfig, error)

	// GetClock returns a clock setup for the server
	GetClock() clockwork.Clock

	// GetInfo returns a services.Server that represents this server.
	GetInfo() types.Server

	// UseTunnel used to determine if this node has connected to this cluster
	// using reverse tunnel.
	UseTunnel() bool

	// GetBPF returns the BPF service used for enhanced session recording.
	GetBPF() bpf.BPF

	// Context returns server shutdown context
	Context() context.Context

	// GetUserAccountingPaths returns the path of the user accounting database and log. Returns empty for system defaults.
	GetUserAccountingPaths() (utmp, wtmp, btmp string)

	// GetLockWatcher gets the server's lock watcher.
	GetLockWatcher() *services.LockWatcher

	// GetCreateHostUser returns whether the node should create
	// temporary teleport users or not
	GetCreateHostUser() bool

	// GetHostUsers returns the HostUsers instance being used to manage
	// host user provisioning
	GetHostUsers() HostUsers

	// GetHostSudoers returns the HostSudoers instance being used to manage
	// sudoer file provisioning
	GetHostSudoers() HostSudoers

	// TargetMetadata returns metadata about the session target node.
	TargetMetadata() apievents.ServerMetadata
}

Server is regular or forwarding SSH server.

type ServerContext

type ServerContext struct {
	// ConnectionContext is the parent context which manages connection-level
	// resources.
	*sshutils.ConnectionContext
	*log.Entry

	// Identity holds the identity of the user that is currently logged in on
	// the Conn.
	Identity IdentityContext

	// ExecResultCh is a Go channel which will be used to send and receive the
	// result of a "exec" request.
	ExecResultCh chan ExecResult

	// SubsystemResultCh is a Go channel which will be used to send and receive
	// the result of a "subsystem" request.
	SubsystemResultCh chan SubsystemResult

	// IsTestStub is set to true by tests.
	IsTestStub bool

	// ClusterName is the name of the cluster current user is authenticated with.
	ClusterName string

	// SessionRecordingConfig holds the session recording configuration at the
	// time this context was created.
	SessionRecordingConfig types.SessionRecordingConfig

	// RemoteClient holds an SSH client to a remote server. Only used by the
	// recording proxy.
	RemoteClient *tracessh.Client

	// RemoteSession holds an SSH session to a remote server. Only used by the
	// recording proxy.
	RemoteSession *tracessh.Session

	// ChannelType holds the type of the channel. For example "session" or
	// "direct-tcpip". Used to create correct subcommand during re-exec.
	ChannelType string

	// SrcAddr is the source address of the request. This the originator IP
	// address and port in an SSH "direct-tcpip" request. This value is only
	// populated for port forwarding requests.
	SrcAddr string

	// DstAddr is the destination address of the request. This is the host and
	// port to connect to in a "direct-tcpip" request. This value is only
	// populated for port forwarding requests.
	DstAddr string

	// allowFileCopying controls if remote file operations via SCP/SFTP are allowed
	// by the server.
	AllowFileCopying bool

	// JoinOnly is set if the connection was created using a join-only principal and may only be used to join other sessions.
	JoinOnly bool

	// ServerSubKind if the sub kind of the node this context is for.
	ServerSubKind string

	// UserCreatedByTeleport is true when the system user was created by Teleport user auto-provision.
	UserCreatedByTeleport bool
	// contains filtered or unexported fields
}

ServerContext holds session specific context, such as SSH auth agents, PTYs, and other resources. SessionContext also holds a ServerContext which can be used to access resources on the underlying server. SessionContext can also be used to attach resources that should be closed once the session closes.

Any events that need to be recorded should be emitted via session and not ServerContext directly. Failure to use the session emitted will result in incorrect event indexes that may ultimately cause events to be overwritten.

func NewServerContext

func NewServerContext(ctx context.Context, parent *sshutils.ConnectionContext, srv Server, identityContext IdentityContext, monitorOpts ...func(*MonitorConfig)) (context.Context, *ServerContext, error)

NewServerContext creates a new *ServerContext which is used to pass and manage resources, and an associated context.Context which is canceled when the ServerContext is closed. The ctx parameter should be a child of the ctx associated with the scope of the parent ConnectionContext to ensure that cancellation of the ConnectionContext propagates to the ServerContext.

func (*ServerContext) AddCloser

func (c *ServerContext) AddCloser(closer io.Closer)

AddCloser adds any closer in ctx that will be called whenever server closes session channel

func (*ServerContext) CancelContext

func (c *ServerContext) CancelContext() context.Context

CancelContext is a context associated with server context, closed whenever this server context is closed

func (*ServerContext) CancelFunc

func (c *ServerContext) CancelFunc() context.CancelFunc

CancelFunc gets the context.CancelFunc associated with this context. Not a substitute for calling the ServerContext.Close method.

func (*ServerContext) CheckFileCopyingAllowed

func (c *ServerContext) CheckFileCopyingAllowed() error

CheckFileCopyingAllowed returns an error if remote file operations via SCP or SFTP are not allowed by the user's role or the node's config.

func (*ServerContext) CheckSFTPAllowed

func (c *ServerContext) CheckSFTPAllowed(registry *SessionRegistry) error

CheckSFTPAllowed returns an error if remote file operations via SCP or SFTP are not allowed by the user's role or the node's config, or if the user is not allowed to start unattended sessions.

func (*ServerContext) Close

func (c *ServerContext) Close() error

func (*ServerContext) CreateOrJoinSession

func (c *ServerContext) CreateOrJoinSession(reg *SessionRegistry) error

CreateOrJoinSession will look in the SessionRegistry for the session ID. If no session is found, a new one is created. If one is found, it is returned.

func (*ServerContext) ExecCommand

func (c *ServerContext) ExecCommand() (*ExecCommand, error)

ExecCommand takes a *ServerContext and extracts the parts needed to create an *execCommand which can be re-sent to Teleport.

func (*ServerContext) GetChildError

func (c *ServerContext) GetChildError() error

GetChildError returns the error from the child process

func (*ServerContext) GetEnv

func (c *ServerContext) GetEnv(key string) (string, bool)

GetEnv returns a environment variable within this context.

func (*ServerContext) GetExecRequest

func (c *ServerContext) GetExecRequest() (Exec, error)

GetExecRequest returns the exec request that is to be executed within this session context, or an error if it has not been set.

func (*ServerContext) GetSSHRequest

func (c *ServerContext) GetSSHRequest() (*ssh.Request, error)

GetSSHRequest returns the ssh request that was issued by the client and saved on this ServerContext by SetExecRequest, or an error if it has not been set.

func (*ServerContext) GetServer

func (c *ServerContext) GetServer() Server

GetServer returns the underlying server which this context was created in.

func (*ServerContext) GetServerMetadata

func (c *ServerContext) GetServerMetadata() apievents.ServerMetadata

func (*ServerContext) GetSessionMetadata

func (c *ServerContext) GetSessionMetadata() apievents.SessionMetadata

func (*ServerContext) GetTerm

func (c *ServerContext) GetTerm() Terminal

GetTerm returns a Terminal.

func (*ServerContext) ID

func (c *ServerContext) ID() int

ID returns ID of this context

func (*ServerContext) OpenXServerListener

func (c *ServerContext) OpenXServerListener(x11Req x11.ForwardRequestPayload, displayOffset, maxDisplays int) error

OpenXServerListener opens a new XServer unix listener.

func (*ServerContext) Parent

Parent grants access to the connection-level context of which this is a subcontext. Useful for unambiguously accessing methods which this subcontext overrides (e.g. child.Parent().SetEnv(...)).

func (*ServerContext) SendExecResult

func (c *ServerContext) SendExecResult(r ExecResult)

SendExecResult sends the result of execution of the "exec" command over the ExecResultCh.

func (*ServerContext) SendSubsystemResult

func (c *ServerContext) SendSubsystemResult(r SubsystemResult)

SendSubsystemResult sends the result of running the subsystem over the SubsystemResultCh.

func (*ServerContext) SessionID

func (c *ServerContext) SessionID() rsession.ID

SessionID returns the ID of the session in the context.

func (*ServerContext) SetAllowFileCopying

func (c *ServerContext) SetAllowFileCopying(allow bool)

func (*ServerContext) SetEnv

func (c *ServerContext) SetEnv(key, val string)

SetEnv sets a environment variable within this context.

func (*ServerContext) SetExecRequest

func (c *ServerContext) SetExecRequest(e Exec) error

SetExecRequest sets the command to be executed within this session context. Will return an error if called more than once for a single server context.

func (*ServerContext) SetSSHRequest

func (c *ServerContext) SetSSHRequest(e *ssh.Request) error

SetSSHRequest sets the ssh request that was issued by the client. Will return an error if called more than once for a single server context.

func (*ServerContext) SetTerm

func (c *ServerContext) SetTerm(t Terminal)

SetTerm set a Terminal.

func (*ServerContext) String

func (c *ServerContext) String() string

func (*ServerContext) TrackActivity

func (c *ServerContext) TrackActivity(ch ssh.Channel) ssh.Channel

TrackActivity keeps track of all activity on ssh.Channel. The caller should use the returned ssh.Channel instead of the original one.

func (*ServerContext) VisitEnv

func (c *ServerContext) VisitEnv(visit func(key, val string))

VisitEnv grants visitor-style access to env variables.

type SessionAccessEvaluator

type SessionAccessEvaluator interface {
	IsModerated() bool
	FulfilledFor(participants []auth.SessionAccessContext) (bool, auth.PolicyOptions, error)
	PrettyRequirementsList() string
	CanJoin(user auth.SessionAccessContext) []types.SessionParticipantMode
}

SessionAccessEvaluator is the interface that defines criteria needed to be met in order to start and join sessions.

type SessionController

type SessionController struct {
	// contains filtered or unexported fields
}

SessionController enforces session control restrictions required by locks, private key policy, and max connection limits

func NewSessionController

func NewSessionController(cfg SessionControllerConfig) (*SessionController, error)

NewSessionController creates a SessionController from the provided config. If any of the required parameters in the SessionControllerConfig are not provided an error is returned.

func (*SessionController) AcquireSessionContext

func (s *SessionController) AcquireSessionContext(ctx context.Context, identity IdentityContext, localAddr, remoteAddr string, closers ...io.Closer) (context.Context, error)

AcquireSessionContext attempts to create a context for the session. If the session is not allowed due to session control an error is returned. The returned context is scoped to the session and will be canceled in the event the semaphore lock is no longer held. The closers provided are immediately closed when the semaphore lock is released as well.

func (*SessionController) EnforceConnectionLimits

func (s *SessionController) EnforceConnectionLimits(ctx context.Context, identity auth.ConnectionIdentity, closers ...io.Closer) (context.Context, error)

EnforceConnectionLimits retrieves a semaphore lock to ensure that connection limits for the identity are enforced. If the lock is closed for any reason prior to the connection being terminated any of the provided closers will be closed.

type SessionControllerConfig

type SessionControllerConfig struct {
	// Semaphores is used to obtain a semaphore lock when max sessions are defined
	Semaphores types.Semaphores
	// AccessPoint is the cache used to get cluster information
	AccessPoint AccessPoint
	// LockEnforcer is used to determine if locks should prevent a session
	LockEnforcer LockEnforcer
	// Emitter is used to emit session rejection events
	Emitter apievents.Emitter
	// Component is the component running the session controller. Nodes and Proxies
	// have different flows
	Component string
	// Logger is used to emit log entries
	Logger *logrus.Entry
	// TracerProvider creates a tracer so that spans may be emitted
	TracerProvider oteltrace.TracerProvider
	// ServerID is the UUID of the server
	ServerID string
	// Clock used in tests to change time
	Clock clockwork.Clock
	// contains filtered or unexported fields
}

SessionControllerConfig contains dependencies needed to create a SessionController

func (*SessionControllerConfig) CheckAndSetDefaults

func (c *SessionControllerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults ensures all the required dependencies were provided and sets any optional values to their defaults

type SessionRegistry

type SessionRegistry struct {
	SessionRegistryConfig
	// contains filtered or unexported fields
}

SessionRegistry holds a map of all active sessions on a given SSH server

func NewSessionRegistry

func NewSessionRegistry(cfg SessionRegistryConfig) (*SessionRegistry, error)

func (*SessionRegistry) Close

func (s *SessionRegistry) Close()

func (*SessionRegistry) ForceTerminate

func (s *SessionRegistry) ForceTerminate(ctx *ServerContext) error

func (*SessionRegistry) GetTerminalSize

func (s *SessionRegistry) GetTerminalSize(sessionID string) (*term.Winsize, error)

GetTerminalSize fetches the terminal size of an active SSH session.

func (*SessionRegistry) NotifyFileTransferRequest

func (s *SessionRegistry) NotifyFileTransferRequest(req *fileTransferRequest, res FileTransferRequestEvent, scx *ServerContext) error

NotifyFileTransferRequest is called to notify all members of a party that a file transfer request has been created/approved/denied. The notification is a global ssh request and requires the client to update its UI state accordingly.

func (*SessionRegistry) NotifyWinChange

func (s *SessionRegistry) NotifyWinChange(ctx context.Context, params rsession.TerminalParams, scx *ServerContext) error

NotifyWinChange is called to notify all members in the party that the PTY size has changed. The notification is sent as a global SSH request and it is the responsibility of the client to update it's window size upon receipt.

func (*SessionRegistry) OpenExecSession

func (s *SessionRegistry) OpenExecSession(ctx context.Context, channel ssh.Channel, scx *ServerContext) error

OpenExecSession opens a non-interactive exec session.

func (*SessionRegistry) OpenSession

func (s *SessionRegistry) OpenSession(ctx context.Context, ch ssh.Channel, scx *ServerContext) error

OpenSession either joins an existing active session or starts a new session.

func (*SessionRegistry) TryCreateHostUser

func (s *SessionRegistry) TryCreateHostUser(ctx *ServerContext) error

func (*SessionRegistry) TryWriteSudoersFile

func (s *SessionRegistry) TryWriteSudoersFile(ctx *ServerContext) error

type SessionRegistryConfig

type SessionRegistryConfig struct {

	// srv refers to the upon which this session registry is created.
	Srv Server

	// sessiontrackerService is used to share session activity to
	// other teleport components through the auth server.
	SessionTrackerService services.SessionTrackerService
	// contains filtered or unexported fields
}

func (*SessionRegistryConfig) CheckAndSetDefaults

func (sc *SessionRegistryConfig) CheckAndSetDefaults() error

type SessionTracker

type SessionTracker struct {
	// contains filtered or unexported fields
}

SessionTracker is a session tracker for a specific session. It tracks the session in memory and broadcasts updates to the given service (backend).

func NewSessionTracker

func NewSessionTracker(ctx context.Context, trackerSpec types.SessionTrackerSpecV1, service services.SessionTrackerService) (*SessionTracker, error)

NewSessionTracker returns a new SessionTracker for the given types.SessionTracker

func (*SessionTracker) AddParticipant

func (s *SessionTracker) AddParticipant(ctx context.Context, p *types.Participant) error

func (*SessionTracker) Close

func (s *SessionTracker) Close(ctx context.Context) error

Close closes the session tracker and sets the tracker state to terminated

func (*SessionTracker) GetParticipants

func (s *SessionTracker) GetParticipants() []types.Participant

func (*SessionTracker) GetState

func (s *SessionTracker) GetState() types.SessionState

func (*SessionTracker) RemoveParticipant

func (s *SessionTracker) RemoveParticipant(ctx context.Context, participantID string) error

func (*SessionTracker) UpdateExpiration

func (s *SessionTracker) UpdateExpiration(ctx context.Context, expiry time.Time) error

func (*SessionTracker) UpdateExpirationLoop

func (s *SessionTracker) UpdateExpirationLoop(ctx context.Context, clock clockwork.Clock) error

UpdateExpirationLoop extends the session tracker expiration by 30 minutes every 10 minutes until the SessionTracker or ctx is closed. If there is a failure to write the updated SessionTracker to the backend, the write is retried with exponential backoff up until the original SessionTracker expiry.

func (*SessionTracker) UpdateState

func (s *SessionTracker) UpdateState(ctx context.Context, state types.SessionState) error

func (*SessionTracker) WaitForStateUpdate

func (s *SessionTracker) WaitForStateUpdate(initialState types.SessionState) types.SessionState

WaitForStateUpdate waits for the tracker's state to be updated and returns the new state.

func (*SessionTracker) WaitOnState

func (s *SessionTracker) WaitOnState(ctx context.Context, wanted types.SessionState) error

WaitOnState waits until the desired state is reached or the context is canceled.

type Subsystem

type Subsystem interface {
	// Start starts subsystem
	Start(context.Context, *ssh.ServerConn, ssh.Channel, *ssh.Request, *ServerContext) error

	// Wait is returned by subsystem when it's completed
	Wait() error
}

Subsystem represents SSH subsystem - special command executed in the context of the session.

type SubsystemResult

type SubsystemResult struct {
	// Name holds the name of the subsystem that was executed.
	Name string

	// Err holds the result of execution of the subsystem.
	Err error
}

SubsystemResult is a result of execution of the subsystem.

type TermHandlers

type TermHandlers struct {
	SessionRegistry *SessionRegistry
}

TermHandlers are common terminal handling functions used by both the regular and forwarding server.

func (*TermHandlers) HandleExec

func (t *TermHandlers) HandleExec(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error

HandleExec handles requests of type "exec" which can execute with or without a TTY. Result of execution is propagated back on the ExecResult channel of the context.

func (*TermHandlers) HandleFileTransferDecision

func (t *TermHandlers) HandleFileTransferDecision(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error

HandleFileTransferDecision handles requests of type "file-transfer-decision@goteleport.com" which will approve or deny an existing file transfer request. This response will update an active file transfer request accordingly and emit the updated file transfer request state to other members in the party.

func (*TermHandlers) HandleFileTransferRequest

func (t *TermHandlers) HandleFileTransferRequest(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error

HandleFileTransferRequest handles requests of type "file-transfer-request" which will create a FileTransferRequest that will be sent to other members in the party to be reviewed and approved/denied.

func (*TermHandlers) HandleForceTerminate

func (t *TermHandlers) HandleForceTerminate(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error

func (*TermHandlers) HandlePTYReq

func (t *TermHandlers) HandlePTYReq(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error

HandlePTYReq handles requests of type "pty-req" which allocate a TTY for "exec" or "shell" requests. The "pty-req" includes the size of the TTY as well as the terminal type requested.

func (*TermHandlers) HandleShell

func (t *TermHandlers) HandleShell(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error

HandleShell handles requests of type "shell" which request a interactive shell be created within a TTY.

func (*TermHandlers) HandleTerminalSize

func (t *TermHandlers) HandleTerminalSize(req *ssh.Request) error

func (*TermHandlers) HandleWinChange

func (t *TermHandlers) HandleWinChange(ctx context.Context, ch ssh.Channel, req *ssh.Request, scx *ServerContext) error

HandleWinChange handles requests of type "window-change" which update the size of the PTY running on the server and update any other members in the party.

type TermManager

type TermManager struct {
	OnReadError  func(idString string, err error)
	OnWriteError func(idString string, err error)
	// contains filtered or unexported fields
}

TermManager handles the streams of terminal-like sessions. It performs a number of tasks including: - multiplexing - history scrollback for new clients - stream breaking

func NewTermManager

func NewTermManager() *TermManager

NewTermManager creates a new TermManager.

func (*TermManager) AddReader

func (g *TermManager) AddReader(name string, r io.Reader)

func (*TermManager) AddWriter

func (g *TermManager) AddWriter(name string, w io.Writer)

func (*TermManager) BroadcastMessage

func (g *TermManager) BroadcastMessage(message string)

BroadcastMessage injects a message into the stream.

func (*TermManager) Close

func (g *TermManager) Close()

func (*TermManager) CountRead

func (g *TermManager) CountRead() uint64

func (*TermManager) CountWritten

func (g *TermManager) CountWritten() uint64

func (*TermManager) DeleteReader

func (g *TermManager) DeleteReader(name string)

func (*TermManager) DeleteWriter

func (g *TermManager) DeleteWriter(name string)

func (*TermManager) GetRecentHistory

func (g *TermManager) GetRecentHistory() []byte

func (*TermManager) Off

func (g *TermManager) Off()

Off buffers incoming writes and reads until turned on again.

func (*TermManager) On

func (g *TermManager) On()

On allows data to flow through the manager.

func (*TermManager) Read

func (g *TermManager) Read(p []byte) (int, error)

func (*TermManager) TerminateNotifier

func (g *TermManager) TerminateNotifier() <-chan struct{}

func (*TermManager) Write

func (g *TermManager) Write(p []byte) (int, error)

type Terminal

type Terminal interface {
	// AddParty adds another participant to this terminal. We will keep the
	// Terminal open until all participants have left.
	AddParty(delta int)

	// Run will run the terminal.
	Run(ctx context.Context) error

	// Wait will block until the terminal is complete.
	Wait() (*ExecResult, error)

	// WaitForChild blocks until the child process has completed any required
	// setup operations before proceeding with execution.
	WaitForChild() error

	// Continue will resume execution of the process after it completes its
	// pre-processing routine (placed in a cgroup).
	Continue()

	// KillUnderlyingShell tries to gracefully stop the terminal process.
	KillUnderlyingShell(ctx context.Context) error

	// Kill will force kill the terminal.
	Kill(ctx context.Context) error

	// PTY returns the PTY backing the terminal.
	PTY() io.ReadWriter

	// TTY returns the TTY backing the terminal.
	TTY() *os.File

	// PID returns the PID of the Teleport process that was re-execed.
	PID() int

	// Close will free resources associated with the terminal.
	Close() error

	// GetWinSize returns the window size of the terminal.
	GetWinSize() (*term.Winsize, error)

	// SetWinSize sets the window size of the terminal.
	SetWinSize(ctx context.Context, params rsession.TerminalParams) error

	// GetTerminalParams is a fast call to get cached terminal parameters
	// and avoid extra system call.
	GetTerminalParams() rsession.TerminalParams

	// SetTerminalModes sets the terminal modes from "pty-req"
	SetTerminalModes(ssh.TerminalModes)

	// GetTermType gets the terminal type set in "pty-req"
	GetTermType() string

	// SetTermType sets the terminal type from "pty-req"
	SetTermType(string)
}

Terminal defines an interface of handy functions for managing a (local or remote) PTY, such as resizing windows, executing commands with a PTY, and cleaning up.

func NewTerminal

func NewTerminal(ctx *ServerContext) (Terminal, error)

NewTerminal returns a new terminal. Terminal can be local or remote depending on cluster configuration.

type TrackingConn

type TrackingConn interface {
	// LocalAddr returns local address
	LocalAddr() net.Addr
	// RemoteAddr returns remote address
	RemoteAddr() net.Addr
	// Close closes the connection
	Close() error
}

TrackingConn is an interface representing tracking connection

type TrackingReadConn

type TrackingReadConn struct {
	net.Conn
	// contains filtered or unexported fields
}

TrackingReadConn allows to wrap net.Conn and keeps track of the latest conn read activity.

func NewTrackingReadConn

func NewTrackingReadConn(cfg TrackingReadConnConfig) (*TrackingReadConn, error)

NewTrackingReadConn returns a new tracking read connection.

func (*TrackingReadConn) Close

func (t *TrackingReadConn) Close() error

Close cancels the context with io.EOF and closes the underlying connection.

func (*TrackingReadConn) CloseWithCause

func (t *TrackingReadConn) CloseWithCause(cause error) error

CloseWithCause cancels the context with provided cause and closes the underlying connection.

func (*TrackingReadConn) GetClientLastActive

func (t *TrackingReadConn) GetClientLastActive() time.Time

GetClientLastActive returns time when client was last active

func (*TrackingReadConn) Read

func (t *TrackingReadConn) Read(b []byte) (int, error)

Read reads data from the connection. Read can be made to time out and return an Error with Timeout() == true after a fixed time limit; see SetDeadline and SetReadDeadline.

func (*TrackingReadConn) UpdateClientActivity

func (t *TrackingReadConn) UpdateClientActivity()

UpdateClientActivity sets last recorded client activity

type TrackingReadConnConfig

type TrackingReadConnConfig struct {
	// Conn is a client connection.
	Conn net.Conn
	// Clock is a clock, realtime or fixed in tests.
	Clock clockwork.Clock
	// Context is an external context to cancel the operation.
	Context context.Context
	// Cancel is called whenever client context is closed.
	Cancel context.CancelCauseFunc
}

TrackingReadConnConfig is a TrackingReadConn configuration.

func (*TrackingReadConnConfig) CheckAndSetDefaults

func (c *TrackingReadConnConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults.

type UaccMetadata

type UaccMetadata struct {
	// The hostname of the node.
	Hostname string `json:"hostname"`

	// RemoteAddr is the address of the remote host.
	RemoteAddr [4]int32 `json:"remote_addr"`

	// UtmpPath is the path of the system utmp database.
	UtmpPath string `json:"utmp_path,omitempty"`

	// WtmpPath is the path of the system wtmp log.
	WtmpPath string `json:"wtmp_path,omitempty"`

	// BtmpPath is the path of the system btmp log.
	BtmpPath string `json:"btmp_path,omitempty"`
}

UaccMetadata contains information the child needs from the parent for user accounting.

type WebSessionContext

type WebSessionContext interface {
	GetUserAccessChecker() (services.AccessChecker, error)
	GetSSHCertificate() (*ssh.Certificate, error)
	GetUser() string
}

WebSessionContext contains information associated with a session established via the web ui.

type X11Config

type X11Config struct {
	// XAuthEntry contains xauth data used for X11 forwarding.
	XAuthEntry x11.XAuthEntry `json:"xauth_entry,omitempty"`
	// XServerUnixSocket is the name of an open XServer unix socket used for X11 forwarding.
	XServerUnixSocket string `json:"xserver_unix_socket"`
}

X11Config contains information used by the child process to set up X11 forwarding.

Directories

Path Synopsis
app
Package app runs the application proxy process.
Package app runs the application proxy process.
aws
gcp
db
common
Package common provides common utilities used by all supported database implementations.
Package common provides common utilities used by all supported database implementations.
mongodb
Package mongodb implements database access proxy that handles authentication, authorization and protocol parsing of connections from MongoDB clients to MongoDB clusters.
Package mongodb implements database access proxy that handles authentication, authorization and protocol parsing of connections from MongoDB clients to MongoDB clusters.
mongodb/protocol
Package protocol implements reading/writing MongoDB wire protocol messages from/to client/server and converting them into parsed data structures.
Package protocol implements reading/writing MongoDB wire protocol messages from/to client/server and converting them into parsed data structures.
mysql
Package mysql implements MySQL protocol support for the database access.
Package mysql implements MySQL protocol support for the database access.
mysql/protocol
Package protocol implements parts of MySQL wire protocol which are needed for the service to be able to interpret the protocol messages but are not readily available in the convenient form in the vendored MySQL library.
Package protocol implements parts of MySQL wire protocol which are needed for the service to be able to interpret the protocol messages but are not readily available in the convenient form in the vendored MySQL library.
postgres
Package postgres implements components of the database access subsystem that proxy connections between Postgres clients (like, psql or pgAdmin) and Postgres database servers with full protocol awareness.
Package postgres implements components of the database access subsystem that proxy connections between Postgres clients (like, psql or pgAdmin) and Postgres database servers with full protocol awareness.
redis
Package redis implements database access proxy that handles authentication, authorization and protocol parsing of connections from Redis clients to Redis standalone or Redis clusters.
Package redis implements database access proxy that handles authentication, authorization and protocol parsing of connections from Redis clients to Redis standalone or Redis clusters.
secrets
Package secrets implements clients for managing secret values using secret management tools like AWS Secrets Manager.
Package secrets implements clients for managing secret values using secret management tools like AWS Secrets Manager.
sqlserver/kinit
Package kinit provides utilities for interacting with a KDC (Key Distribution Center) for Kerberos5
Package kinit provides utilities for interacting with a KDC (Key Distribution Center) for Kerberos5
Package desktop implements Desktop Access services, like windows_desktop_access.
Package desktop implements Desktop Access services, like windows_desktop_access.
rdp/rdpclient
Package rdpclient implements an RDP client.
Package rdpclient implements an RDP client.
tdp
Package tdp implements the Teleport desktop protocol (TDP) encoder/decoder.
Package tdp implements the Teleport desktop protocol (TDP) encoder/decoder.
Package regular implements SSH server that supports multiplexing tunneling, SSH connections proxying and only supports Key based auth
Package regular implements SSH server that supports multiplexing tunneling, SSH connections proxying and only supports Key based auth
transport
Package uacc concerns itself with updating the user account database and log on nodes that a client connects to with an interactive session.
Package uacc concerns itself with updating the user account database and log on nodes that a client connects to with an interactive session.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL