sshutils

package
v4.3.8-dev.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 29, 2020 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Overview

Package sshutils contains contains the implementations of the base SSH server used throughout Teleport.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

View Source 
const (
	// ExecRequest is a request to run a command.
	ExecRequest = "exec"

	// ShellRequest is a request for a shell.
	ShellRequest = "shell"

	// EnvRequest is a request to set an environment variable.
	EnvRequest = "env"

	// SubsystemRequest is a request to run a subsystem.
	SubsystemRequest = "subsystem"

	// WindowChangeRequest is a request to change window.
	WindowChangeRequest = "window-change"

	// PTYRequest is a request for PTY.
	PTYRequest = "pty-req"

	// AgentForwardRequest is SSH agent request.
	AgentForwardRequest = "auth-agent-req@openssh.com"

	// AuthAgentRequest is a request to a SSH client to open an agent channel.
	AuthAgentRequest = "auth-agent@openssh.com"

	// X11ForwardRequest is a request to initiate X11 forwarding.
	X11ForwardRequest = "x11-req"

	// X11ChannelRequest is the type of an X11 forwarding channel.
	X11ChannelRequest = "x11"
)
View Source 
const (
	// SSHVersionPrefix is the prefix of "server version" string which begins
	// every SSH handshake. It MUST start with "SSH-2.0" according to
	// https://tools.ietf.org/html/rfc4253#page-4
	SSHVersionPrefix = "SSH-2.0-Teleport"

	// ProxyHelloSignature is a string which Teleport proxy will send
	// right after the initial SSH "handshake/version" message if it detects
	// talking to a Teleport server.
	ProxyHelloSignature = "Teleport-Proxy"

	// MaxVersionStringBytes is the maximum number of bytes allowed for a
	// SSH version string
	// https://tools.ietf.org/html/rfc4253
	MaxVersionStringBytes = 255

	// TrueClientAddrVar environment variable is used by the web UI to pass
	// the remote IP (user's IP) from the browser/HTTP session into an SSH session
	TrueClientAddrVar = "TELEPORT_CLIENT_ADDR"
)
View Source 
const SessionEnvVar = "TELEPORT_SESSION"

SessionEnvVar is environment variable for SSH session

Variables

This section is empty.

Functions

func AlgSigner 

func AlgSigner(s ssh.Signer, alg string) ssh.Signer

AlgSigner wraps a provided ssh.Signer to ensure signature algorithm compatibility with OpenSSH.

Right now it allows forcing SHA-2 signatures with RSA keys, instead of the default SHA-1 used by x/crypto/ssh. See https://www.openssh.com/txt/release-8.2 for context.

If the provided Signer is not an RSA key or does not implement ssh.AlgorithmSigner, it's returned as is.

DELETE IN 5.0: assuming https://github.com/golang/go/issues/37278 is fixed by then and we pull in the fix. Also delete all call sites.

func AuthorizedKeyFingerprint added in v1.0.0 

func AuthorizedKeyFingerprint(publicKey []byte) (string, error)

AuthorizedKeyFingerprint returns fingerprint from public key in authorized key format

func CryptoPublicKey 

func CryptoPublicKey(publicKey []byte) (crypto.PublicKey, error)

CryptoPublicKey extracts public key from RSA public key in authorized_keys format

func Fingerprint added in v1.0.0 

func Fingerprint(key ssh.PublicKey) string

Fingerprint returns SSH RFC4716 fingerprint of the key

func KeysEqual 

func KeysEqual(ak, bk ssh.PublicKey) bool

KeysEqual is constant time compare of the keys to avoid timing attacks

func MarshalAuthorizedHostsFormat 

func MarshalAuthorizedHostsFormat(clusterName string, keyBytes []byte, logins []string) (string, error)

MarshalAuthorizedHostsFormat returns the certificate authority public key exported as a single line that can be placed in ~/.ssh/authorized_hosts. The format adheres to the man sshd (8) authorized_hosts format, a space-separated list of: marker, hosts, key, and comment. For example: 

@cert-authority *.cluster-a ssh-rsa AAA... type=host

URL encoding is used to pass the CA type and allowed logins into the comment field.

func MarshalAuthorizedKeysFormat 

func MarshalAuthorizedKeysFormat(clusterName string, keyBytes []byte) (string, error)

MarshalAuthorizedKeysFormat returns the certificate authority public key exported as a single line that can be placed in ~/.ssh/authorized_keys file. The format adheres to the man sshd (8) authorized_keys format, a space-separated list of: options, keytype, base64-encoded key, comment. For example: 

cert-authority AAA... type=user&clustername=cluster-a

URL encoding is used to pass the CA type and cluster name into the comment field.

func NewSigner 

func NewSigner(keyBytes, certBytes []byte) (ssh.Signer, error)

NewSigner returns new ssh Signer from private key + certificate pair. The signer can be used to create "auth methods" i.e. login into Teleport SSH servers.

func PrivateKeyFingerprint added in v1.0.0 

func PrivateKeyFingerprint(keyBytes []byte) (string, error)

PrivateKeyFingerprint returns fingerprint of the public key extracted from the PEM encoded private key

Types

type AuthMethods 

type AuthMethods struct {
	PublicKey PublicKeyFunc
	Password  PasswordFunc
	NoClient  bool
}

type ConnectionContext 

type ConnectionContext struct {
	// NetConn is the base connection object.
	NetConn net.Conn

	// ServerConn is authenticated ssh connection.
	ServerConn *ssh.ServerConn
	// contains filtered or unexported fields
}

ConnectionContext manages connection-level state.

func NewConnectionContext 

func NewConnectionContext(ctx context.Context, nconn net.Conn, sconn *ssh.ServerConn) (context.Context, *ConnectionContext)

NewConnectionContext creates a new ConnectionContext and a child context.Context instance which will be canceled when the ConnectionContext is closed.

func (*ConnectionContext) AddCloser 

func (c *ConnectionContext) AddCloser(closer io.Closer)

AddCloser adds any closer in ctx that will be called when the underlying connection is closed.

func (*ConnectionContext) Close 

func (c *ConnectionContext) Close() error

Close closes associated resources (e.g. agent channel).

func (*ConnectionContext) GetEnv 

func (c *ConnectionContext) GetEnv(key string) (string, bool)

GetEnv returns a environment variable within this context.

func (*ConnectionContext) GetForwardAgent 

func (c *ConnectionContext) GetForwardAgent() bool

GetForwardAgent loads the forwardAgent flag with lock.

func (*ConnectionContext) SetEnv 

func (c *ConnectionContext) SetEnv(key, val string)

SetEnv sets a environment variable within this context.

func (*ConnectionContext) SetForwardAgent 

func (c *ConnectionContext) SetForwardAgent(forwardAgent bool)

SetForwardAgent configures this context to support agent forwarding. Must not be set until agent forwarding is explicitly requested.

func (*ConnectionContext) StartAgentChannel 

func (c *ConnectionContext) StartAgentChannel() (teleagent.Agent, error)

StartAgentChannel sets up a new agent forwarding channel against this connection. The channel is automatically closed when either ConnectionContext, or the supplied context.Context gets canceled.

func (*ConnectionContext) VisitEnv 

func (c *ConnectionContext) VisitEnv(visit func(key, val string))

VisitEnv grants visitor-style access to env variables.

type DirectTCPIPReq 

type DirectTCPIPReq struct {
	Host string
	Port uint32

	Orig     string
	OrigPort uint32
}

func ParseDirectTCPIPReq 

func ParseDirectTCPIPReq(data []byte) (*DirectTCPIPReq, error)

type EnvReqParams 

type EnvReqParams struct {
	Name  string
	Value string
}

EnvReqParams are parameters for env request

type ExecReq 

type ExecReq struct {
	Command string
}

ExecReq specifies parameters for a "exec" request.

type HandshakePayload 

type HandshakePayload struct {
	// ClientAddr is the IP address of the remote client
	ClientAddr string `json:"clientAddr,omitempty"`
}

HandshakePayload structure is sent as a JSON blob by the teleport proxy to every SSH server who identifies itself as Teleport server

It allows teleport proxies to communicate additional data to server

type NewChanHandler 

type NewChanHandler interface {
	HandleNewChan(context.Context, *ConnectionContext, ssh.NewChannel)
}

type NewChanHandlerFunc 

type NewChanHandlerFunc func(context.Context, *ConnectionContext, ssh.NewChannel)

func (NewChanHandlerFunc) HandleNewChan 

func (f NewChanHandlerFunc) HandleNewChan(ctx context.Context, ccx *ConnectionContext, ch ssh.NewChannel)

type PTYReqParams 

type PTYReqParams struct {
	Env   string
	W     uint32
	H     uint32
	Wpx   uint32
	Hpx   uint32
	Modes string
}

PTYReqParams specifies parameters for pty change window

func (*PTYReqParams) Check 

func (p *PTYReqParams) Check() error

Check validates PTY parameters.

func (*PTYReqParams) CheckAndSetDefaults 

func (p *PTYReqParams) CheckAndSetDefaults() error

CheckAndSetDefaults validates PTY parameters and ensures parameters are within default values.

func (*PTYReqParams) TerminalModes 

func (p *PTYReqParams) TerminalModes() (ssh.TerminalModes, error)

TerminalModes converts encoded terminal modes into a ssh.TerminalModes map. The encoding is described in: https://tools.ietf.org/html/rfc4254#section-8 

All 'encoded terminal modes' (as passed in a pty request) are encoded
into a byte stream.  It is intended that the coding be portable
across different environments.  The stream consists of opcode-
argument pairs wherein the opcode is a byte value.  Opcodes 1 to 159
have a single uint32 argument.  Opcodes 160 to 255 are not yet
defined, and cause parsing to stop (they should only be used after
any other data).  The stream is terminated by opcode TTY_OP_END
(0x00).

In practice, this means encoded terminal modes get translated like below: 

0x80 0x00 0x00 0x38 0x40  0x81 0x00 0x00 0x38 0x40  0x35 0x00 0x00 0x00 0x00  0x00
|___|__________________|  |___|__________________|  |___|__________________|  |__|
       0x80: 0x3840              0x81: 0x3840              0x35: 0x00         0x00
ssh.TTY_OP_ISPEED: 14400  ssh.TTY_OP_OSPEED: 14400         ssh.ECHO:0

type PasswordFunc 

type PasswordFunc func(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error)

type PublicKeyFunc 

type PublicKeyFunc func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error)

type RequestHandler 

type RequestHandler interface {
	HandleRequest(r *ssh.Request)
}

type Server 

type Server struct {
	*log.Entry
	sync.RWMutex
	// contains filtered or unexported fields
}

Server is a generic implementation of an SSH server. All Teleport services (auth, proxy, ssh) use this as a base to accept SSH connections.

func NewServer 

func NewServer(
	component string,
	a utils.NetAddr,
	h NewChanHandler,
	hostSigners []ssh.Signer,
	ah AuthMethods,
	opts ...ServerOption) (*Server, error)

func (*Server) Addr 

func (s *Server) Addr() string

func (*Server) Close 

func (s *Server) Close() error

Close closes listening socket and stops accepting connections

func (*Server) HandleConnection 

func (s *Server) HandleConnection(conn net.Conn)

HandleConnection is called every time an SSH server accepts a new connection from a client.

this is the foundation of all SSH connections in Teleport (between clients and proxies, proxies and servers, servers and auth, etc).

func (*Server) Serve 

func (s *Server) Serve(listener net.Listener) error

func (*Server) Shutdown 

func (s *Server) Shutdown(ctx context.Context) error

Shutdown initiates graceful shutdown - waiting until all active connections will get closed

func (*Server) Start 

func (s *Server) Start() error

func (*Server) Wait 

func (s *Server) Wait(ctx context.Context)

Wait waits until server stops serving new connections on the listener socket

type ServerOption 

type ServerOption func(cfg *Server) error

ServerOption is a functional argument for server

func SetCiphers 

func SetCiphers(ciphers []string) ServerOption

func SetFIPS 

func SetFIPS(fips bool) ServerOption

func SetInsecureSkipHostValidation 

func SetInsecureSkipHostValidation() ServerOption

SetInsecureSkipHostValidation does not validate the host signers to make sure they are a valid certificate. Used in tests.

func SetKEXAlgorithms 

func SetKEXAlgorithms(kexAlgorithms []string) ServerOption

func SetLimiter added in v1.0.0 

func SetLimiter(limiter *limiter.Limiter) ServerOption

func SetMACAlgorithms 

func SetMACAlgorithms(macAlgorithms []string) ServerOption

func SetRequestHandler 

func SetRequestHandler(req RequestHandler) ServerOption

func SetSSHConfig 

func SetSSHConfig(cfg ssh.ServerConfig) ServerOption

func SetShutdownPollPeriod 

func SetShutdownPollPeriod(period time.Duration) ServerOption

SetShutdownPollPeriod sets a polling period for graceful shutdowns of SSH servers

type SubsystemReq 

type SubsystemReq struct {
	Name string
}

SubsystemReq specifies the parameters for a "subsystem" request.

type WinChangeReqParams 

type WinChangeReqParams struct {
	W   uint32
	H   uint32
	Wpx uint32
	Hpx uint32
}

WinChangeReqParams specifies parameters for window changes

Source Files

View all Source files

Directories

Path Synopsis
Package scp handles file uploads and downloads via scp command
 Package scp handles file uploads and downloads via scp command

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.