Documentation
Index
- func Main()
- func Run(ctx context.Context, args []string, opts ...CliOption) error
- type CLIConf
- func (c *CLIConf) CommandWithBinary() string
- func (c *CLIConf) FullProfileStatus() (*client.ProfileStatus, []*client.ProfileStatus, error)
- func (c *CLIConf) GetProfile() (*profile.Profile, error)
- func (c *CLIConf) ListProfiles() ([]*client.ProfileStatus, error)
- func (c *CLIConf) ProfileStatus() (*client.ProfileStatus, error)
- func (c *CLIConf) RunCommand(cmd *exec.Cmd) error
- func (c *CLIConf) Stderr() io.Writer
- func (c *CLIConf) Stdin() io.Reader
- func (c *CLIConf) Stdout() io.Writer
- type CliOption
- type DefaultRemoteExecutor
- type ExecOptions
- type ExtraProxyHeaders
- type Options
- type ProxyTemplate
- type ProxyTemplates
- type RemoteExecutor
- type StreamOptions
- type TSHConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
func Run
Run executes the TSH client. It is the same as main() but easier to test. Note that this function modifies global state in `tsh` (e.g. the system logger), and WILL ALSO MODIFY EXTERNAL SHARED STATE in its default configuration (e.g. the $HOME/.tsh dir, $KUBECONFIG, etc).
DO NOT RUN TESTS that call Run() in parallel (unless you have taken precautions).
Types
type CLIConf
type CLIConf struct {
	// UserHost contains "[login]@hostname" argument to SSH command
	UserHost string
	// Commands to execute on a remote host
	RemoteCommand []string
	// DesiredRoles indicates one or more roles which should be requested.
	DesiredRoles string
	// RequestReason indicates the reason for an access request.
	RequestReason string
	// SuggestedReviewers is a list of suggested request reviewers.
	SuggestedReviewers string
	// NoWait can be used with an access request to exit without waiting for a request resolution.
	NoWait bool
	// RequestedResourceIDs is a list of resources to request access to.
	RequestedResourceIDs []string
	// RequestID is an access request ID
	RequestID string
	// RequestIDs is a list of access request IDs
	RequestIDs []string
	// ReviewReason indicates the reason for an access review.
	ReviewReason string
	// ReviewableRequests indicates that only requests which can be reviewed should
	// be listed.
	ReviewableRequests bool
	// SuggestedRequests indicates that only requests which suggest the current user
	// as a reviewer should be listed.
	SuggestedRequests bool
	// MyRequests indicates that only requests created by the current user
	// should be listed.
	MyRequests bool
	// Approve/Deny indicates the desired review kind.
	Approve, Deny bool
	// AssumeStartTimeRaw format is RFC3339
	AssumeStartTimeRaw string
	// ResourceKind is the resource kind to search for
	ResourceKind string
	// Username is the Teleport user's username (to login into proxies)
	Username string
	// ExplicitUsername is true if Username was initially set by the end-user
	// (for example, using command-line flags).
	ExplicitUsername bool
	// Proxy keeps the hostname:port of the Teleport proxy to use
	Proxy string
	// TTL defines how long a session must be active (in minutes)
	MinsToLive int32
	// SSH Port on a remote SSH host
	NodePort int32
	// Login on a remote SSH host
	NodeLogin string
	// InsecureSkipVerify bypasses verification of HTTPS certificate when talking to web proxy
	InsecureSkipVerify bool
	// SessionID identifies the session tsh is operating on.
	// For `tsh join`, it is the ID of the session to join.
	// For `tsh play`, it is either the ID of the session to play,
	// or the path to a local session file which has already been
	// downloaded.
	SessionID string
	// Src:dest parameter for SCP
	CopySpec []string
	// -r flag for scp
	RecursiveCopy bool
	// -L flag for ssh. Local port forwarding like 'ssh -L 80:remote.host:80 -L 443:remote.host:443'
	LocalForwardPorts []string
	// DynamicForwardedPorts is port forwarding using SOCKS5. It is similar to
	// "ssh -D 8080 example.com".
	DynamicForwardedPorts []string
	// ForwardAgent forwards the agent to the target node. Equivalent of -A for OpenSSH.
	ForwardAgent bool
	// ProxyJump is an optional -J flag pointing to the list of jumphosts,
	// it is an equivalent of --proxy flag in tsh interpretation
	ProxyJump string
	// --local flag for ssh
	LocalExec bool
	// SiteName specifies remote site to login to.
	SiteName string
	// KubernetesCluster specifies the kubernetes cluster to login to.
	KubernetesCluster string
	// DaemonAddr is the daemon listening address.
	DaemonAddr string
	// DaemonCertsDir is the directory containing certs used to create secure gRPC connection with daemon service
	DaemonCertsDir string
	// DaemonPrehogAddr is the URL where prehog events should be submitted.
	DaemonPrehogAddr string
	// DaemonKubeconfigsDir is the directory containing kubeconfig
	// for Kubernetes Access.
	DaemonKubeconfigsDir string
	// DaemonAgentsDir contains agent config files and data directories for Connect My Computer.
	DaemonAgentsDir string
	// DaemonPid is the PID to be stopped by tsh daemon stop.
	DaemonPid int
	// DatabaseService specifies the database proxy server to log into.
	DatabaseService string
	// DatabaseUser specifies database user to embed in the certificate.
	DatabaseUser string
	// DatabaseName specifies database name to embed in the certificate.
	DatabaseName string
	// DatabaseRoles specifies database roles to embed in the certificate.
	DatabaseRoles string
	// AppName specifies proxied application name.
	AppName string
	// Interactive, when set to true, launches remote command with the terminal attached
	Interactive bool
	// Quiet mode, -q command (disables progress printing)
	Quiet bool
	// Namespace is used to select cluster namespace
	Namespace string
	// NoCache is used to turn off client cache for nodes discovery
	NoCache bool
	// BenchDuration is a duration for the benchmark
	BenchDuration time.Duration
	// BenchRate is a requests per second rate to maintain
	BenchRate int
	// BenchInteractive indicates that we should create interactive session
	BenchInteractive bool
	// BenchRandom indicates that we should connect to a random host each time
	BenchRandom bool
	// BenchExport exports the latency profile
	BenchExport bool
	// BenchExportPath saves the latency profile in provided path
	BenchExportPath string
	// BenchMaxSessions is the maximum number of sessions to open
	BenchMaxSessions int
	// BenchTicks ticks per half distance
	BenchTicks int32
	// BenchValueScale value at which to scale the values recorded
	BenchValueScale float64
	// Context is a context to control execution
	Context context.Context
	// IdentityFileIn is an argument to -i flag (path to the private key+cert file)
	IdentityFileIn string
	// Compatibility flags, --compat, specifies OpenSSH compatibility flags.
	Compatibility string
	// CertificateFormat defines the format of the user SSH certificate.
	CertificateFormat string
	// IdentityFileOut is an argument to --out flag
	IdentityFileOut string
	// IdentityFormat (used for --format flag for 'tsh login') defines which
	// format to use with --out to store a freshly retrieved certificate
	IdentityFormat identityfile.Format
	// IdentityOverwrite when true will overwrite any existing identity file at
	// IdentityFileOut. When false, user will be prompted before overwriting
	// any files.
	IdentityOverwrite bool
	// BindAddr is an address in the form of host:port to bind to
	// during `tsh login` command
	BindAddr string
	// CallbackAddr is the optional base URL to give to the user when performing
	// SSO redirect flows.
	CallbackAddr string
	// AuthConnector is the name of the connector to use.
	AuthConnector string
	// MFAMode is the preferred mode for MFA/Passwordless assertions.
	MFAMode string
	// SkipVersionCheck skips version checking for client and server
	SkipVersionCheck bool
	// Options is a list of OpenSSH options in the format used in the
	// configuration file.
	Options []string
	// Verbose is used to print extra output.
	Verbose bool
	// Format is used to change the format of output
	Format  string
	OutFile string
	// PlaySpeed controls the playback speed for tsh play.
	PlaySpeed string
	// SearchKeywords is a list of search keywords to match against resource field values.
	SearchKeywords string
	// PredicateExpression defines boolean conditions that will be matched against the resource.
	PredicateExpression string
	// Labels is used to hold labels passed via --labels=k1=v2,k2=v2,,, flag for resource filtering.
	// explicitly passed --labels overrides user@labels positional arg form.
	// NOTE: no command currently supports both, try to keep it that way.
	Labels string
	// NoRemoteExec will not execute a remote command after connecting to a host,
	// will block instead. Useful when port forwarding. Equivalent of -N for OpenSSH.
	NoRemoteExec bool
	// X11ForwardingUntrusted will set up untrusted X11 forwarding for the session ('ssh -X')
	X11ForwardingUntrusted bool
	// X11ForwardingTrusted will set up trusted X11 forwarding for the session ('ssh -Y')
	X11ForwardingTrusted bool
	// X11ForwardingTimeout can optionally be set to set a timeout for untrusted X11 forwarding.
	X11ForwardingTimeout time.Duration
	// Debug sends debug logs to stdout.
	Debug bool
	// Browser can be used to pass the name of a browser to override the system default
	// (not currently implemented), or set to 'none' to suppress browser opening entirely.
	Browser string
	// UseLocalSSHAgent set to false will prevent this client from attempting to
	// connect to the local ssh-agent (or similar) socket at $SSH_AUTH_SOCK.
	//
	// Deprecated in favor of `AddKeysToAgent`.
	UseLocalSSHAgent bool
	// AddKeysToAgent specifies the behavior of how certs are handled.
	AddKeysToAgent string
	// EnableEscapeSequences will scan stdin for SSH escape sequences during
	// command/shell execution. This also requires stdin to be an interactive
	// terminal.
	EnableEscapeSequences bool
	// PreserveAttrs preserves access/modification times from the original file.
	PreserveAttrs bool
	// RequestTTL is the expiration time of the Access Request (how long it
	// will await approval).
	RequestTTL time.Duration
	// SessionTTL is the expiration time for the elevated certificate that will
	// be issued if the Access Request is approved.
	SessionTTL time.Duration
	// MaxDuration specifies how long the access will be granted for.
	MaxDuration time.Duration
	// OverrideStdout allows to switch standard output source for resource command. Used in tests.
	OverrideStdout io.Writer
	// MockSSOLogin used in tests to override sso login handler in teleport client.
	MockSSOLogin client.SSOLoginFunc
	// MockHeadlessLogin used in tests to override Headless login handler in teleport client.
	MockHeadlessLogin client.SSHLoginFunc
	// HomePath is where tsh stores profiles
	HomePath string
	// GlobalTshConfigPath is a path to global TSH config. Can be overridden with TELEPORT_GLOBAL_TSH_CONFIG.
	GlobalTshConfigPath string
	// LocalProxyPort is a port used by local proxy listener.
	LocalProxyPort string
	// LocalProxyTunnel specifies whether local proxy will open auth'd tunnel.
	LocalProxyTunnel bool
	// Exec is the command to run via tsh aws.
	Exec string
	// AWSRole is Amazon Role ARN or role name that will be used for AWS CLI access.
	AWSRole string
	// AWSCommandArgs contains arguments that will be forwarded to AWS CLI binary.
	AWSCommandArgs []string
	// AWSEndpointURLMode is an AWS proxy mode that serves an AWS endpoint URL
	// proxy instead of an HTTPS proxy.
	AWSEndpointURLMode bool
	// AzureIdentity is Azure identity that will be used for Azure CLI access.
	AzureIdentity string
	// AzureCommandArgs contains arguments that will be forwarded to Azure CLI binary.
	AzureCommandArgs []string
	// GCPServiceAccount is GCP service account name that will be used for GCP CLI access.
	GCPServiceAccount string
	// GCPCommandArgs contains arguments that will be forwarded to GCP CLI binary.
	GCPCommandArgs []string
	// Reason is the reason for starting an ssh or kube session.
	Reason string
	// Invited is a list of invited users to an ssh or kube session.
	Invited []string
	// JoinMode is the participant mode someone is joining a session as.
	JoinMode string
	// SessionKinds is the kind of active sessions to list.
	SessionKinds []string
	// TSHConfig is the loaded tsh configuration file ~/.tsh/config/config.yaml.
	TSHConfig TSHConfig
	// ListAll specifies if an ls command should return results from all clusters and proxies.
	ListAll bool
	// SampleTraces indicates whether traces should be sampled.
	SampleTraces bool
	// TraceExporter is a manually provided URI to send traces to instead of
	// forwarding them to the Auth service.
	TraceExporter string
	// TracingProvider is the provider to use to create tracers, from which spans can be created.
	TracingProvider oteltrace.TracerProvider
	// FromUTC is the start time to use for the range of sessions listed by the session recordings listing command
	FromUTC string
	// ToUTC is the end time to use for the range of sessions listed by the session recordings listing command
	ToUTC string
	// KubeConfigPath is the location of the Kubeconfig for the current test.
	// Setting this value allows Teleport tests to run `tsh login` commands in
	// parallel.
	// It shouldn't be used outside testing.
	KubeConfigPath string
	// Headless uses headless login for the client session.
	Headless bool
	// MlockMode determines whether the process memory will be locked, and whether errors will be enforced.
	// Allowed values include false, strict, and best_effort.
	MlockMode string
	// HeadlessAuthenticationID is the ID of a headless authentication.
	HeadlessAuthenticationID string
	// DTAuthnRunCeremony allows tests to override the default device
	// authentication function.
	// Defaults to [dtauthn.NewCeremony().Run].
	DTAuthnRunCeremony client.DTAuthnRunCeremonyFunc
	// WebauthnLogin allows tests to override the Webauthn Login func.
	// Defaults to [wancli.Login].
	WebauthnLogin client.WebauthnLoginFunc
	// LeafClusterName is the optional name of a leaf cluster to connect to instead
	LeafClusterName string
	// PIVSlot specifies a specific PIV slot to use with hardware key support.
	PIVSlot string
	// SSHLogDir is the directory to log the output of multiple SSH commands to.
	// If not set, no logs will be created.
	SSHLogDir string
	// DisableSSHResumption disables transparent SSH connection resumption.
	DisableSSHResumption bool
	// contains filtered or unexported fields
}
CLIConf stores command line arguments and flags.
func (*CLIConf) CommandWithBinary
CommandWithBinary returns the current/selected command with the binary.
func (*CLIConf) FullProfileStatus
func (c *CLIConf) FullProfileStatus() (*client.ProfileStatus, []*client.ProfileStatus, error)
func (*CLIConf) GetProfile
GetProfile loads user profile.
func (*CLIConf) ListProfiles
func (c *CLIConf) ListProfiles() ([]*client.ProfileStatus, error)
ListProfiles returns a list of profiles the current user has credentials for.
func (*CLIConf) ProfileStatus
func (c *CLIConf) ProfileStatus() (*client.ProfileStatus, error)
func (*CLIConf) RunCommand
RunCommand executes the provided command.
type DefaultRemoteExecutor
type DefaultRemoteExecutor struct{}
DefaultRemoteExecutor is the standard implementation of remote command execution.
func (*DefaultRemoteExecutor) Execute
func (*DefaultRemoteExecutor) Execute(ctx context.Context, method string, url *url.URL, config *restclient.Config, stdin io.Reader, stdout, stderr io.Writer, tty bool, terminalSizeQueue remotecommand.TerminalSizeQueue) error
type ExecOptions
type ExecOptions struct {
	StreamOptions
	resource.FilenameOptions
	ResourceName     string
	Command          []string
	EnforceNamespace bool
	Builder          func() *resource.Builder
	ExecutablePodFn  polymorphichelpers.AttachablePodForObjectFunc
	Pod              *corev1.Pod
	Executor         RemoteExecutor
	PodClient        coreclient.PodsGetter
	GetPodTimeout    time.Duration
	Config           *restclient.Config
	// contains filtered or unexported fields
}
type ExtraProxyHeaders
type ExtraProxyHeaders struct {
	// Proxy is the domain of the proxy for this set of Headers, can contain globs.
	Proxy string `yaml:"proxy"`
	// Headers are the http header key values.
	Headers map[string]string `yaml:"headers,omitempty"`
}
ExtraProxyHeaders represents the headers to include with the webclient.
type Options
type Options struct {
	// AddKeysToAgent specifies whether keys should be automatically added to a
	// running SSH agent. Supported option values are "yes".
	AddKeysToAgent bool
	// ForwardAgent specifies whether the connection to the authentication
	// agent will be forwarded to the remote machine. Supported option values
	// are "yes", "no", and "local".
	ForwardAgent client.AgentForwardingMode
	// RequestTTY specifies whether to request a pseudo-tty for the session.
	// Supported option values are "yes" and "no".
	RequestTTY bool
	// StrictHostKeyChecking is used to control whether tsh will automatically add host
	// keys to the ~/.tsh/known_hosts file. Supported option values are "yes"
	// and "no".
	StrictHostKeyChecking bool
	// ForwardX11 specifies whether X11 forwarding should be enabled for
	// ssh sessions started by the client. Supported option values are "yes".
	//
	// When this option is set to true, ForwardX11Trusted will default to true.
	ForwardX11 bool
	// ForwardX11Trusted determines what trust mode should be used for X11Forwarding.
	// Supported option values are "yes" and "no".
	//
	// When set to yes, X11 forwarding will always be in trusted mode if requested.
	// When set to no, X11 forwarding will default to untrusted mode, unless used with
	// the -Y flag.
	ForwardX11Trusted *bool
	// ForwardX11Timeout specifies a timeout in seconds after which X11 forwarding
	// attempts will be rejected when in untrusted forwarding mode.
	ForwardX11Timeout time.Duration
}
Options holds parsed values of OpenSSH options.
type ProxyTemplate
type ProxyTemplate struct {
	// Template is a regular expression that the full hostname is matched against.
	Template string `yaml:"template"`
	// Proxy is the proxy address. Can refer to regex groups from the template.
	Proxy string `yaml:"proxy"`
	// Host is an optional hostname. Can refer to regex groups from the template.
	Host string `yaml:"host"`
	// Cluster is an optional cluster name. Can refer to regex groups from the template.
	Cluster string `yaml:"cluster"`
	// contains filtered or unexported fields
}
ProxyTemplate describes a single rule for parsing the proxy address out of the full hostname. Used by tsh proxy ssh.
func (ProxyTemplate) Apply
func (t ProxyTemplate) Apply(fullHostname string) (proxy, host, cluster string, matched bool)
Apply applies the proxy template to the provided hostname and returns expanded proxy address and hostname.
func (*ProxyTemplate) Check
func (t *ProxyTemplate) Check() (err error)
Check validates the proxy template.
type ProxyTemplates
type ProxyTemplates []*ProxyTemplate
ProxyTemplates represents a list of individual proxy templates.
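As an added illustration of the ProxyTemplate and ProxyTemplates semantics documented above (a regex template matched against the full hostname, proxy/host/cluster expanded from the captured groups, and a rule list consulted in order), the following is not tsh's own code. It assumes that group references use Go regexp's `$1`/`${name}` expansion syntax and uses a constructed example.com naming scheme; neither is stated on this page.

```go
package main

import (
	"fmt"
	"regexp"
)

// proxyTemplate mirrors the documented ProxyTemplate fields. Added illustration,
// not tsh's code; assumes group references use Go regexp's $1 / ${name} syntax.
type proxyTemplate struct {
	Template, Proxy, Host, Cluster string
	re                             *regexp.Regexp
}

// check compiles the template and rejects a rule that could match a hostname
// without telling the client where to connect (neither proxy nor cluster set).
func (t *proxyTemplate) check() error {
	if t.Template == "" || (t.Proxy == "" && t.Cluster == "") {
		return fmt.Errorf("proxy template %q must set a template and a proxy or cluster", t.Template)
	}
	re, err := regexp.Compile(t.Template)
	if err != nil {
		return fmt.Errorf("invalid proxy template %q: %w", t.Template, err)
	}
	t.re = re
	return nil
}

// apply matches fullHostname against the template and expands the captured
// groups into proxy, host and cluster. An unset field expands to "".
func (t *proxyTemplate) apply(fullHostname string) (proxy, host, cluster string, matched bool) {
	m := t.re.FindStringSubmatchIndex(fullHostname)
	if m == nil {
		return "", "", "", false
	}
	expand := func(tmpl string) string {
		return string(t.re.ExpandString(nil, tmpl, fullHostname, m))
	}
	return expand(t.Proxy), expand(t.Host), expand(t.Cluster), true
}

// resolve walks the rule list in config order and returns the first match.
func resolve(rules []*proxyTemplate, fullHostname string) (proxy, host, cluster string, matched bool) {
	for _, r := range rules {
		if p, h, c, ok := r.apply(fullHostname); ok {
			return p, h, c, true
		}
	}
	return "", "", "", false
}

func main() {
	// Constructed rule: <node>.<cluster>.example.com -> proxy <cluster>.example.com:443
	t := &proxyTemplate{Template: `^([a-z0-9-]+)\.([a-z0-9-]+)\.example\.com$`,
		Proxy: "$2.example.com:443", Host: "$1", Cluster: "$2"}
	if err := t.check(); err != nil {
		panic(err)
	}
	fmt.Println(resolve([]*proxyTemplate{t}, "db-01.prod.example.com"))
}
```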
type RemoteExecutor
type RemoteExecutor interface {
Execute(ctx context.Context, method string, url *url.URL, config *restclient.Config, stdin io.Reader, stdout, stderr io.Writer, tty bool, terminalSizeQueue remotecommand.TerminalSizeQueue) error
}
RemoteExecutor defines the interface accepted by the Exec command; it is provided for test stubbing.
type StreamOptions
type StreamOptions struct {
	Namespace     string
	PodName       string
	ContainerName string
	Stdin         bool
	TTY           bool
	// minimize unnecessary output
	Quiet bool
	genericclioptions.IOStreams
	// contains filtered or unexported fields
}
func (*StreamOptions) SetupTTY
func (o *StreamOptions) SetupTTY() term.TTY
type TSHConfig
type TSHConfig struct {
	// ExtraHeaders are additional http headers to be included in
	// webclient requests.
	ExtraHeaders []ExtraProxyHeaders `yaml:"add_headers,omitempty"`
	// ProxyTemplates describe rules for parsing the proxy out of full hostnames.
	ProxyTemplates ProxyTemplates `yaml:"proxy_templates,omitempty"`
	// Aliases are custom commands extending baseline tsh functionality.
	Aliases map[string]string `yaml:"aliases,omitempty"`
}
TSHConfig represents configuration loaded from the tsh config file.
Source Files
- access_request.go
- aliases.go
- app.go
- app_aws.go
- app_azure.go
- app_cloud.go
- app_gcp.go
- config.go
- daemon.go
- daemonstop_unix.go
- db.go
- db_print.go
- device.go
- fido2.go
- help.go
- kube.go
- kube_proxy.go
- kube_proxy_linux.go
- kubectl.go
- latency.go
- mfa.go
- options.go
- play.go
- proxy.go
- putty_config.go
- recording_export.go
- resolve_default_addr.go
- touchid.go
- tsh.go
- tshconfig.go
- webauthnwin.go