sshutils

package
v0.0.0-...-5c79d48 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 15, 2024 License: AGPL-3.0 Imports: 31 Imported by: 0

Documentation

Overview

Package sshutils contains the implementations of the base SSH server used throughout Teleport.

Index

Constants

View Source 
const (
	// ExecRequest is a request to run a command.
	ExecRequest = "exec"

	// ShellRequest is a request for a shell.
	ShellRequest = "shell"

	// EnvRequest is a request to set an environment variable.
	EnvRequest = "env"

	// SubsystemRequest is a request to run a subsystem.
	SubsystemRequest = "subsystem"

	// WindowChangeRequest is a request to change window.
	WindowChangeRequest = "window-change"

	// PTYRequest is a request for PTY.
	PTYRequest = "pty-req"

	// AgentForwardRequest is SSH agent request.
	AgentForwardRequest = "auth-agent-req@openssh.com"

	// AuthAgentRequest is a request to a SSH client to open an agent channel.
	AuthAgentRequest = "auth-agent@openssh.com"

	// X11ForwardRequest is a request to initiate X11 forwarding.
	X11ForwardRequest = "x11-req"

	// X11ChannelRequest is the type of an X11 forwarding channel.
	X11ChannelRequest = "x11"

	// PuTTYSimpleRequest is a PuTTY-specific channel name which it automatically requests when it proxies
	// connections. Teleport does not support this channel type, so deliberately ignores requests for it.
	PuTTYSimpleRequest = "simple@putty.projects.tartarus.org"

	// PuTTYWinadjRequest is a PuTTY-specific channel name which it automatically requests to measure window
	// size on active connections, expecting a failure response from the server.
	PuTTYWinadjRequest = "winadj@putty.projects.tartarus.org"
)
View Source 
const (
	// SSHVersionPrefix is the prefix of "server version" string which begins
	// every SSH handshake. It MUST start with "SSH-2.0" according to
	// https://tools.ietf.org/html/rfc4253#page-4
	SSHVersionPrefix = "SSH-2.0-Teleport"

	// MaxVersionStringBytes is the maximum number of bytes allowed for a
	// SSH version string
	// https://tools.ietf.org/html/rfc4253
	MaxVersionStringBytes = 255
)
View Source 
const SessionEnvVar = "TELEPORT_SESSION"

SessionEnvVar is environment variable for SSH session

Variables

This section is empty.

Functions

func AuthorizedKeyFingerprint 

func AuthorizedKeyFingerprint(publicKey []byte) (string, error)

AuthorizedKeyFingerprint returns fingerprint from public key in authorized key format

func CryptoPublicKey 

func CryptoPublicKey(publicKey []byte) (crypto.PublicKey, error)

CryptoPublicKey extracts public key from RSA public key in authorized_keys format

func Fingerprint 

func Fingerprint(key ssh.PublicKey) string

Fingerprint returns SSH RFC4716 fingerprint of the key

func ForwardRequest 

func ForwardRequest(ctx context.Context, sender RequestForwarder, req *ssh.Request) (bool, error)

ForwardRequest is a helper for forwarding a request across a session or channel.

func ForwardRequests 

func ForwardRequests(ctx context.Context, sin <-chan *ssh.Request, sender RequestForwarder) error

ForwardRequests forwards all ssh requests received from the given channel until the channel or context is closed.

func GetCheckers 

func GetCheckers(ca types.CertAuthority) ([]ssh.PublicKey, error)

GetCheckers returns public keys that can be used to check cert authorities

func GetSigners 

func GetSigners(ca types.CertAuthority) ([]ssh.Signer, error)

GetSigners returns SSH signers for the provided authority.

func MarshalAuthorizedKeysFormat 

func MarshalAuthorizedKeysFormat(clusterName string, keyBytes []byte) (string, error)

MarshalAuthorizedKeysFormat returns the certificate authority public key exported as a single line that can be placed in ~/.ssh/authorized_keys file. The format adheres to the man sshd (8) authorized_keys format, a space-separated list of: options, keytype, base64-encoded key, comment. For example: 

cert-authority AAA... type=user&clustername=cluster-a

URL encoding is used to pass the CA type and cluster name into the comment field.

func MarshalKnownHost 

func MarshalKnownHost(kh KnownHost) (string, error)

MarshalKnownHost returns the certificate authority public key exported as a single line that can be placed in ~/.ssh/known_hosts. The format adheres to the man sshd (8) known_hosts format, a space-separated list of: marker, hosts, key, and comment. For example: 

@cert-authority proxy.example.com,cluster-a,*.cluster-a ssh-rsa AAA... type=host

URL encoding is used to pass the CA type and allowed logins into the comment field.

func NewSigner 

func NewSigner(keyBytes, certBytes []byte) (ssh.Signer, error)

NewSigner returns new ssh Signer from private key + certificate pair. The signer can be used to create "auth methods" i.e. login into Teleport SSH servers.

func PrivateKeyFingerprint 

func PrivateKeyFingerprint(keyBytes []byte) (string, error)

PrivateKeyFingerprint returns fingerprint of the public key extracted from the PEM encoded private key

func ValidateSigners 

func ValidateSigners(ca types.CertAuthority) error

ValidateSigners returns a list of signers that could be used to sign keys.

Types

type AuthMethods 

type AuthMethods struct {
	PublicKey PublicKeyFunc
	Password  PasswordFunc
	NoClient  bool
}

type ClusterDetails 

type ClusterDetails struct {
	RecordingProxy bool
	FIPSEnabled    bool
}

ClusterDetails specifies information about a cluster

type ConnectionContext 

type ConnectionContext struct {
	// NetConn is the base connection object.
	NetConn net.Conn

	// ServerConn is authenticated ssh connection.
	ServerConn *ssh.ServerConn
	// contains filtered or unexported fields
}

ConnectionContext manages connection-level state.

func NewConnectionContext 

func NewConnectionContext(ctx context.Context, nconn net.Conn, sconn *ssh.ServerConn, opts ...ConnectionContextOption) (context.Context, *ConnectionContext)

NewConnectionContext creates a new ConnectionContext and a child context.Context instance which will be canceled when the ConnectionContext is closed.

func (*ConnectionContext) AddCloser 

func (c *ConnectionContext) AddCloser(closer io.Closer)

AddCloser adds any closer in ctx that will be called when the underlying connection is closed.

func (*ConnectionContext) Close 

func (c *ConnectionContext) Close() error

Close closes associated resources (e.g. agent channel).

func (*ConnectionContext) GetClientLastActive 

func (c *ConnectionContext) GetClientLastActive() time.Time

GetClientLastActive returns time when client was last active.

func (*ConnectionContext) GetDirectTCPIPForwardDialer 

func (c *ConnectionContext) GetDirectTCPIPForwardDialer() (d TCPIPForwardDialer, ok bool)

GetDirectTCPIPForwardDialer gets the registered DirectTCPIPForwardDialer if one exists.

func (*ConnectionContext) GetEnv 

func (c *ConnectionContext) GetEnv(key string) (string, bool)

GetEnv returns a environment variable within this context.

func (*ConnectionContext) GetForwardAgent 

func (c *ConnectionContext) GetForwardAgent() bool

GetForwardAgent loads the forwardAgent flag with lock.

func (*ConnectionContext) IncrSessions 

func (c *ConnectionContext) IncrSessions(max int64) (decr func(), ok bool)

TryIncrSessions tries to increment the active session count; if ok the returned decr function *must* be called when the associated session is closed.

func (*ConnectionContext) SetEnv 

func (c *ConnectionContext) SetEnv(key, val string)

SetEnv sets a environment variable within this context.

func (*ConnectionContext) SetForwardAgent 

func (c *ConnectionContext) SetForwardAgent(forwardAgent bool)

SetForwardAgent configures this context to support agent forwarding. Must not be set until agent forwarding is explicitly requested.

func (*ConnectionContext) StartAgentChannel 

func (c *ConnectionContext) StartAgentChannel() (teleagent.Agent, error)

StartAgentChannel sets up a new agent forwarding channel against this connection. The channel is automatically closed when either ConnectionContext, or the supplied context.Context gets canceled.

func (*ConnectionContext) TrySetDirectTCPIPForwardDialer 

func (c *ConnectionContext) TrySetDirectTCPIPForwardDialer(d TCPIPForwardDialer) (registered TCPIPForwardDialer, ok bool)

TrySetDirectTCPIPForwardDialer attempts to registers a DirectTCPIPForwardDialer. If a different dialer was concurrently registered, ok is false and the previously registered dialer is returned.

func (*ConnectionContext) UpdateClientActivity 

func (c *ConnectionContext) UpdateClientActivity()

UpdateClientActivity sets last recorded client activity associated with this context.

func (*ConnectionContext) VisitEnv 

func (c *ConnectionContext) VisitEnv(visit func(key, val string))

VisitEnv grants visitor-style access to env variables.

type ConnectionContextOption 

type ConnectionContextOption func(c *ConnectionContext)

func SetConnectionContextClock 

func SetConnectionContextClock(clock clockwork.Clock) ConnectionContextOption

SetConnectionContextClock sets the connection context's internal clock.

type DirectTCPIPReq 

type DirectTCPIPReq struct {
	Host string
	Port uint32

	Orig     string
	OrigPort uint32
}

func ParseDirectTCPIPReq 

func ParseDirectTCPIPReq(data []byte) (*DirectTCPIPReq, error)

type EnvReqParams 

type EnvReqParams struct {
	Name  string
	Value string
}

EnvReqParams are parameters for env request

type ExecReq 

type ExecReq struct {
	Command string
}

ExecReq specifies parameters for a "exec" request.

type KnownHost 

type KnownHost struct {
	AuthorizedKey []byte
	ProxyHost     string
	Hostname      string
	Comment       map[string][]string
}

KnownHost is a structural representation of a known hosts entry for a Teleport host.

func UnmarshalKnownHosts 

func UnmarshalKnownHosts(knownHostsFile [][]byte) ([]KnownHost, error)

UnmarshalKnownHosts returns a list of authorized hosts from the given known_hosts file. Entries in the given file should adhere to the man sshd (8) known_hosts format, a space-separated list of: marker, hosts, key, and comment. For example: 

@cert-authority proxy.example.com,cluster-a,*.cluster-a ssh-rsa AAA... type=host

UnmarshalKnownHosts will try to guess the proxy host and cluster name for entries that look like Teleport authorized host entries, generated with MarshalKnownHost.

type LegacySHA1Signer 

type LegacySHA1Signer struct {
	Signer ssh.AlgorithmSigner
}

LegacySHA1Signer always forces use of SHA-1 for signing. It should be not be used until necessary. This struct should not implement SignWithAlgorithm() method from ssh.AlgorithmSigner interface. This would break the SHA-1 signing.

func (*LegacySHA1Signer) PublicKey 

func (s *LegacySHA1Signer) PublicKey() ssh.PublicKey

PublicKey returns the public key from the underlying signer.

func (*LegacySHA1Signer) Sign 

func (s *LegacySHA1Signer) Sign(rand io.Reader, data []byte) (*ssh.Signature, error)

Sign forces the SHA-1 signature.

type NewChanHandler 

type NewChanHandler interface {
	HandleNewChan(context.Context, *ConnectionContext, ssh.NewChannel)
}

type NewChanHandlerFunc 

type NewChanHandlerFunc func(context.Context, *ConnectionContext, ssh.NewChannel)

func (NewChanHandlerFunc) HandleNewChan 

func (f NewChanHandlerFunc) HandleNewChan(ctx context.Context, ccx *ConnectionContext, ch ssh.NewChannel)

type NewConnHandler 

type NewConnHandler interface {
	HandleNewConn(ctx context.Context, ccx *ConnectionContext) (context.Context, error)
}

NewConnHandler is called once per incoming connection. Errors terminate the incoming connection. The returned context must be the same as, or a child of, the passed in context.

type PTYReqParams 

type PTYReqParams struct {
	Env   string
	W     uint32
	H     uint32
	Wpx   uint32
	Hpx   uint32
	Modes string
}

PTYReqParams specifies parameters for pty change window

func (*PTYReqParams) Check 

func (p *PTYReqParams) Check() error

Check validates PTY parameters.

func (*PTYReqParams) CheckAndSetDefaults 

func (p *PTYReqParams) CheckAndSetDefaults() error

CheckAndSetDefaults validates PTY parameters and ensures parameters are within default values.

func (*PTYReqParams) TerminalModes 

func (p *PTYReqParams) TerminalModes() (ssh.TerminalModes, error)

TerminalModes converts encoded terminal modes into a ssh.TerminalModes map. The encoding is described in: https://tools.ietf.org/html/rfc4254#section-8 

All 'encoded terminal modes' (as passed in a pty request) are encoded
into a byte stream.  It is intended that the coding be portable
across different environments.  The stream consists of opcode-
argument pairs wherein the opcode is a byte value.  Opcodes 1 to 159
have a single uint32 argument.  Opcodes 160 to 255 are not yet
defined, and cause parsing to stop (they should only be used after
any other data).  The stream is terminated by opcode TTY_OP_END
(0x00).

In practice, this means encoded terminal modes get translated like below: 

0x80 0x00 0x00 0x38 0x40  0x81 0x00 0x00 0x38 0x40  0x35 0x00 0x00 0x00 0x00  0x00
|___|__________________|  |___|__________________|  |___|__________________|  |__|
       0x80: 0x3840              0x81: 0x3840              0x35: 0x00         0x00
ssh.TTY_OP_ISPEED: 14400  ssh.TTY_OP_OSPEED: 14400         ssh.ECHO:0

type PasswordFunc 

type PasswordFunc func(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error)

type PublicKeyFunc 

type PublicKeyFunc func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error)

type RequestForwarder 

type RequestForwarder interface {
	SendRequest(ctx context.Context, name string, wantReply bool, payload []byte) (bool, error)
}

RequestForwarder represents a resource capable of sending an ssh request such as an ssh.Channel or ssh.Session.

type RequestHandler 

type RequestHandler interface {
	HandleRequest(ctx context.Context, r *ssh.Request)
}

type SSHServerVersionOverrider 

type SSHServerVersionOverrider interface {
	SSHServerVersionOverride() string
}

SSHServerVersionOverrider returns a SSH server version string that should be used instead of the one from a static configuration (typically because the version was already sent and can't be un-sent). If SSHServerVersionOverride returns a blank string (which is an invalid version string, as version strings should start with "SSH-2.0-") then no override is specified. The string is intended to be passed as the ssh.ServerConfig.ServerVersion, so it should not include a trailing CRLF pair ("\r\n").

type Server 

type Server struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Server is a generic implementation of an SSH server. All Teleport services (auth, proxy, ssh) use this as a base to accept SSH connections.

func NewServer 

func NewServer(
	component string,
	a utils.NetAddr,
	h NewChanHandler,
	hostSigners []ssh.Signer,
	ah AuthMethods,
	opts ...ServerOption,
) (*Server, error)

func (*Server) ActiveConnections 

func (s *Server) ActiveConnections() int32

ActiveConnections returns the number of connections that are being served.

func (*Server) Addr 

func (s *Server) Addr() string

func (*Server) Close 

func (s *Server) Close() error

Close closes listening socket and stops accepting connections

func (*Server) HandleConnection 

func (s *Server) HandleConnection(conn net.Conn)

HandleConnection is called every time an SSH server accepts a new connection from a client.

this is the foundation of all SSH connections in Teleport (between clients and proxies, proxies and servers, servers and auth, etc), except for forwarding SSH proxy that used when "recording on proxy" is enabled.

func (*Server) Serve 

func (s *Server) Serve(listener net.Listener) error

func (*Server) SetListener 

func (s *Server) SetListener(l net.Listener) error

func (*Server) Shutdown 

func (s *Server) Shutdown(ctx context.Context) error

Shutdown initiates graceful shutdown - waiting until all active connections will get closed

func (*Server) Start 

func (s *Server) Start() error

func (*Server) TrackUserConnection 

func (s *Server) TrackUserConnection() (release func())

TrackUserConnection tracks a user connection that should prevent the server from being terminated if active. The returned function should be called when the connection is terminated.

func (*Server) Wait 

func (s *Server) Wait(ctx context.Context)

Wait waits until server stops serving new connections on the listener socket

type ServerOption 

type ServerOption func(cfg *Server) error

ServerOption is a functional argument for server

func SetCiphers 

func SetCiphers(ciphers []string) ServerOption

func SetClock 

func SetClock(clock clockwork.Clock) ServerOption

SetClock sets the server's clock.

func SetClusterName 

func SetClusterName(clusterName string) ServerOption

func SetFIPS 

func SetFIPS(fips bool) ServerOption

func SetIngressReporter 

func SetIngressReporter(service string, r *ingress.Reporter) ServerOption

SetIngressReporter sets the reporter for reporting new and active connections.

func SetInsecureSkipHostValidation 

func SetInsecureSkipHostValidation() ServerOption

SetInsecureSkipHostValidation does not validate the host signers to make sure they are a valid certificate. Used in tests.

func SetKEXAlgorithms 

func SetKEXAlgorithms(kexAlgorithms []string) ServerOption

func SetLimiter 

func SetLimiter(limiter *limiter.Limiter) ServerOption

func SetLogger 

func SetLogger(logger logrus.FieldLogger) ServerOption

SetLogger sets the logger for the server

func SetMACAlgorithms 

func SetMACAlgorithms(macAlgorithms []string) ServerOption

func SetNewConnHandler 

func SetNewConnHandler(handler NewConnHandler) ServerOption

func SetRequestHandler 

func SetRequestHandler(req RequestHandler) ServerOption

func SetSSHConfig 

func SetSSHConfig(cfg ssh.ServerConfig) ServerOption

func SetShutdownPollPeriod 

func SetShutdownPollPeriod(period time.Duration) ServerOption

SetShutdownPollPeriod sets a polling period for graceful shutdowns of SSH servers

func SetTracerProvider 

func SetTracerProvider(provider oteltrace.TracerProvider) ServerOption

SetTracerProvider sets the tracer provider for the server.

type SubsystemReq 

type SubsystemReq struct {
	Name string
}

SubsystemReq specifies the parameters for a "subsystem" request.

type TCPIPForwardDialer 

type TCPIPForwardDialer func(string) (net.Conn, error)

TCPIPForwardDialer represents a dialer used to handle TCPIP forward requests.

type WinChangeReqParams 

type WinChangeReqParams struct {
	W   uint32
	H   uint32
	Wpx uint32
	Hpx uint32
}

WinChangeReqParams specifies parameters for window changes

Source Files

View all Source files

Directories

Path Synopsis
Package scp handles file uploads and downloads via SCP command.
 Package scp handles file uploads and downloads via SCP command.
Package sftp handles file transfers client-side via SFTP.
 Package sftp handles file transfers client-side via SFTP.
Package X11 contains contains the ssh client/server helper functions for performing X11 forwarding.
 Package X11 contains contains the ssh client/server helper functions for performing X11 forwarding.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.