client

package v0.2.0-beta.2

Warning: This package is not in the latest version of its module.

Published: Jun 7, 2016 License: Apache-2.0 Imports: 37 Imported by: 22

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetTokenFromHOTPMockFile

func GetTokenFromHOTPMockFile(path string) (token string, e error)

GetTokenFromHOTPMockFile loads the HOTPMock from a file, reads the current token value, increments the HOTP counter and saves it back to the file. Returns the HOTP token value.

func ParseLabelSpec added in v1.0.0

func ParseLabelSpec(spec string) (map[string]string, error)

ParseLabelSpec parses a string like `name=value,"long name"="quoted value"` into a map like { "name" -> "value", "long name" -> "quoted value" }
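The format above, as an added example (this is an independent implementation written for this page, not Teleport's ParseLabelSpec): a small state-machine parser that accepts bare or double-quoted names and values, so a quoted token may carry blanks, commas or '=', and that rejects unterminated or stray quotes and tokens that are not a name=value pair.

```go
package main

import "fmt"

// parseLabelSpec is an added, independent parser for the format the ParseLabelSpec doc
// describes (not Teleport's code): comma-separated name=value pairs, either side quotable.
func parseLabelSpec(spec string) (map[string]string, error) {
	labels := make(map[string]string)
	var name, cur string
	var inQuote, closed, haveName bool
	finish := func() error { // store the pending pair, then reset the token state
		switch {
		case inQuote:
			return fmt.Errorf("unterminated quote in %q", spec)
		case haveName:
			labels[name] = cur
		case cur != "" || closed:
			return fmt.Errorf("%q is not a name=value pair in %q", cur, spec)
		}
		name, cur, closed, haveName = "", "", false, false
		return nil
	}
	for _, c := range spec {
		switch {
		case inQuote && c != '"':
			cur += string(c) // inside quotes every rune is literal
		case c == '"' && (inQuote || cur == "" && !closed):
			inQuote, closed = !inQuote, inQuote // open a token, or close it
		case c == '"':
			return nil, fmt.Errorf("stray quote in %q", spec)
		case c == '=' && !haveName && cur != "":
			name, cur, closed, haveName = cur, "", false, true
		case c == ',':
			if err := finish(); err != nil {
				return nil, err
			}
		case c == ' ' || c == '\t':
			closed = closed || cur != "" // blanks pad tokens but never join them
		case closed:
			return nil, fmt.Errorf("unexpected %q after a token in %q", c, spec)
		default:
			cur += string(c)
		}
	}
	return labels, finish()
}

func main() {
	fmt.Println(parseLabelSpec(`name=value,"long name"="quoted value"`))
}
```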

func Username added in v1.0.0

func Username() string

Username returns the current user's username

Types

type Config added in v1.0.0

type Config struct {
	// Username is the Teleport account username (for logging into Teleport proxies)
	Username string

	// Remote host to connect
	Host string

	// Labels represent host Labels
	Labels map[string]string

	// HostLogin is a user login on a remote host
	HostLogin string

	// HostPort is a remote host port to connect to
	HostPort int

	// ProxyHost is a host or IP of the proxy (with optional ":port")
	ProxyHost string

	// KeyTTL is the time to live for the temporary SSH keypair
	KeyTTL time.Duration

	// InsecureSkipVerify is an option to skip HTTPS cert check
	InsecureSkipVerify bool

	// SkipLocalAuth will not try to connect to local SSH agent
	// or use any local certs, and not use interactive logins
	SkipLocalAuth bool

	// AuthMethods to use to log into the cluster. If left empty, teleport will
	// use its own session store
	AuthMethods []ssh.AuthMethod

	Stdout io.Writer
	Stderr io.Writer
	Stdin  io.Reader

	// ExitStatus carries the returned value (exit status) of the remote
	// process execution (via SSH exec)
	ExitStatus int

	// SiteName specifies site to execute operation,
	// if omitted, first available site will be selected
	SiteName string

	// Locally forwarded ports (parameters to -L ssh flag)
	LocalForwardPorts []ForwardedPort

	// HostKeyCallback will be called to check host keys of the remote
	// node, if not specified will be using CheckHostSignature function
	// that uses local cache to validate hosts
	HostKeyCallback HostKeyCallback

	// ConnectorID is used to authenticate user via OpenID Connect
	// registered connector
	ConnectorID string

	// KeysDir defines where temporary session keys will be stored;
	// if empty, they'll go to ~/.tsh
	KeysDir string
}

Config is a client config

func (*Config) NodeHostPort added in v1.0.0

func (c *Config) NodeHostPort() string

NodeHostPort returns a host:port string built from user-supplied data: either the host:port set in the connection string, or the host plus the port supplied with the -p flag. If the user has set both, the -p flag data is ignored.

func (*Config) ProxyHostPort added in v1.0.0

func (c *Config) ProxyHostPort(defaultPort int) string

ProxyHostPort returns the full host:port address of the proxy, or an empty string if no proxy is given. If the 'forWeb' flag is set, it returns the HTTPS port, otherwise the SSH port (proxy servers listen on both).

func (*Config) ProxySpecified added in v1.0.0

func (c *Config) ProxySpecified() bool

ProxySpecified returns true if a proxy has been specified.

type FSLocalKeyStore added in v1.0.0

type FSLocalKeyStore struct {
	LocalKeyStore

	// KeyDir is the directory where all keys are stored
	KeyDir string
}

FSLocalKeyStore implements the LocalKeyStore interface using the filesystem.

Here's the file layout for the FS store:

~/.tsh/
├── known_hosts --> trusted certificate authorities (their keys) in a format similar to known_hosts
└── sessions    --> server-signed session keys
    ├── host-a
    |   ├── cert
    |   ├── key
    |   └── pub
    └── host-b
        ├── cert
        ├── key
        └── pub

func NewFSLocalKeyStore added in v1.0.0

func NewFSLocalKeyStore(dirPath string) (s *FSLocalKeyStore, err error)

NewFSLocalKeyStore creates a new filesystem-based local keystore object and initializes it.

If dirPath is empty, it is set to ~/.tsh.

func (*FSLocalKeyStore) AddKey added in v1.0.0

func (fs *FSLocalKeyStore) AddKey(host, username string, key *Key) error

AddKey adds a new key to the session store. If a key for the host is already stored, overwrites it.

func (*FSLocalKeyStore) AddKnownCA

func (fs *FSLocalKeyStore) AddKnownCA(domainName string, hostKeys []ssh.PublicKey) error

AddKnownCA adds a new entry to the 'known_CAs' file.

func (*FSLocalKeyStore) DeleteKey added in v1.0.0

func (fs *FSLocalKeyStore) DeleteKey(host string, username string) error

DeleteKey deletes a key from the local store

func (*FSLocalKeyStore) GetKey added in v1.0.0

func (fs *FSLocalKeyStore) GetKey(host, username string) (*Key, error)

GetKey returns a key for a given host. If the key is not found, returns trace.NotFound error.

func (*FSLocalKeyStore) GetKeys added in v1.0.0

func (fs *FSLocalKeyStore) GetKeys(username string) (keys []Key, err error)

GetKeys returns all user session keys stored in the store

func (*FSLocalKeyStore) GetKnownCAs

func (fs *FSLocalKeyStore) GetKnownCAs() ([]ssh.PublicKey, error)

GetKnownCAs returns the public keys of all trusted CAs.

type ForwardedPort added in v1.0.0

type ForwardedPort struct {
	SrcIP    string
	SrcPort  int
	DestPort int
	DestHost string
}

ForwardedPort specifies a local tunnel to a remote destination managed by the client; it is the equivalent of the ssh -L src:host:dst flag.

type HOTPMock

type HOTPMock struct {
	*hotp.HOTP
}

HOTPMock is an HOTP that can be saved to or loaded from a file. Using HOTPMock disables the HOTP security level; don't use it in production.

func CreateHOTPMock

func CreateHOTPMock(hotpURLString string) (*HOTPMock, error)

func LoadHOTPMockFromFile

func LoadHOTPMockFromFile(path string) (*HOTPMock, error)

func (*HOTPMock) SaveToFile

func (otp *HOTPMock) SaveToFile(path string) error

type HostKeyCallback added in v1.0.0

type HostKeyCallback func(host string, ip net.Addr, key ssh.PublicKey) error

HostKeyCallback is called by the SSH client when it needs to check the validity of the remote host key or certificate.

type Key

type Key struct {
	Priv []byte `json:"Priv,omitempty"`
	Pub  []byte `json:"Pub,omitempty"`
	Cert []byte `json:"Cert,omitempty"`
}

Key describes a complete (signed) client key

func (*Key) AsAgentKey added in v1.0.0

func (k *Key) AsAgentKey() (*agent.AddedKey, error)

AsAgentKey converts our Key structure into an SSH agent key (agent.AddedKey).

func (*Key) CertValidBefore added in v1.0.0

func (k *Key) CertValidBefore() (time.Time, error)

CertValidBefore returns the UTC time at which the certificate expires.

type LocalKeyAgent added in v1.0.0

type LocalKeyAgent struct {
	// implements ssh agent.Agent interface
	agent.Agent
	// contains filtered or unexported fields
}

func NewLocalAgent added in v1.0.0

func NewLocalAgent(keyDir, username string) (a *LocalKeyAgent, err error)

NewLocalAgent loads all the saved teleport certificates and creates an SSH agent with them.

func (*LocalKeyAgent) AddHostSignersToCache added in v1.0.0

func (a *LocalKeyAgent) AddHostSignersToCache(hostSigners []services.CertAuthority) error

AddHostSignersToCache takes a list of CAs whom we trust. This list is added to a database of "seen" CAs.

Every time we connect to a new host, we'll require its certificate to be signed by one of these trusted CAs.

Why do we trust these CAs? Because we received them from a trusted Teleport Proxy. Why do we trust the proxy? Because we've connected to it via HTTPS + username + password + HOTP.

func (*LocalKeyAgent) AddKey added in v1.0.0

func (a *LocalKeyAgent) AddKey(host string, username string, key *Key) error

func (*LocalKeyAgent) CheckHostSignature added in v1.0.0

func (a *LocalKeyAgent) CheckHostSignature(hostId string, remote net.Addr, key ssh.PublicKey) error

CheckHostSignature checks whether the given host key was signed by one of the trusted certificate authorities (CAs).

func (*LocalKeyAgent) DeleteKey added in v1.0.0

func (a *LocalKeyAgent) DeleteKey(host string, username string) error

func (*LocalKeyAgent) GetKeys added in v1.0.0

func (a *LocalKeyAgent) GetKeys(username string) ([]agent.AddedKey, error)

GetKeys returns the list of keys for the given user from the local keystore (files in ~/.tsh).

type LocalKeyStore added in v1.0.0

type LocalKeyStore interface {
	// client key management
	GetKeys(username string) ([]Key, error)
	AddKey(host string, username string, key *Key) error
	GetKey(host string, username string) (*Key, error)
	DeleteKey(host string, username string) error

	// trusted CAs management:
	AddKnownCA(domainName string, publicKeys []ssh.PublicKey) error
	GetKnownCAs() ([]ssh.PublicKey, error)
}

The LocalKeyStore interface allows different storage back-ends for tsh to load and save its keys.

type NodeClient

type NodeClient struct {
	Client *ssh.Client
	Proxy  *ProxyClient
}

NodeClient implements an SSH client to an SSH node (teleport or any regular SSH node). NodeClient can run a shell and commands, or upload and download files.

func (*NodeClient) Close

func (client *NodeClient) Close() error

func (*NodeClient) Download

func (client *NodeClient) Download(remoteSourcePath, localDestinationPath string, isDir bool, stderr io.Writer) error

Download downloads file or dir from the remote server

func (*NodeClient) Run

func (client *NodeClient) Run(cmd []string, stdin io.Reader, stdout, stderr io.Writer) error

Run executes a command on the remote server and writes its stdout to the 'stdout' argument.

func (*NodeClient) Shell

func (client *NodeClient) Shell(width, height int, sessionID session.ID) (io.ReadWriteCloser, error)

Shell returns the remote shell as an io.ReadWriteCloser object.

func (*NodeClient) Upload

func (client *NodeClient) Upload(localSourcePath, remoteDestinationPath string, stderr io.Writer) error

Upload uploads file or dir to the remote server

type ProxyClient

type ProxyClient struct {
	Client *ssh.Client
	// contains filtered or unexported fields
}

ProxyClient implements an SSH client to a teleport proxy. It can provide a list of nodes or connect to nodes.

func (*ProxyClient) Close

func (proxy *ProxyClient) Close() error

func (*ProxyClient) ConnectToNode

func (proxy *ProxyClient) ConnectToNode(nodeAddress string, user string) (*NodeClient, error)

ConnectToNode connects to the SSH server via the Proxy. It returns a connected and authenticated NodeClient.

func (*ProxyClient) ConnectToSite added in v1.0.0

func (proxy *ProxyClient) ConnectToSite() (auth.ClientI, error)

ConnectToSite connects to the auth server of the given site via the proxy. It returns a connected and authenticated auth server client.

func (*ProxyClient) FindServersByLabels added in v1.0.0

func (proxy *ProxyClient) FindServersByLabels(labels map[string]string) ([]services.Server, error)

FindServersByLabels returns list of the nodes which have labels exactly matching the given label set.

A server is matched when ALL labels match. If no labels are passed, ALL nodes are returned.

func (*ProxyClient) GetSites added in v1.0.0

func (proxy *ProxyClient) GetSites() ([]services.Site, error)

GetSites returns the list of "sites" (AKA teleport clusters) connected to the proxy. Each site is returned as an instance of its auth server.

type TeleportClient added in v1.0.0

type TeleportClient struct {
	Config
	// contains filtered or unexported fields
}

TeleportClient is a wrapper around SSH client with teleport specific workflow built in

func NewClient added in v1.0.0

func NewClient(c *Config) (tc *TeleportClient, err error)

NewClient creates a TeleportClient object and fully configures it

func (*TeleportClient) AddKey added in v1.0.0

func (tc *TeleportClient) AddKey(host string, key *Key) error

func (*TeleportClient) AddTrustedCA added in v1.0.0

func (tc *TeleportClient) AddTrustedCA(ca *services.CertAuthority) error

AddTrustedCA adds a new CA as a trusted CA for this client.

func (*TeleportClient) AskPasswordAndHOTP added in v1.0.0

func (tc *TeleportClient) AskPasswordAndHOTP() (pwd string, token string, err error)

AskPasswordAndHOTP prompts the user to enter the password + HOTP 2nd factor.

func (*TeleportClient) ConnectToProxy added in v1.0.0

func (tc *TeleportClient) ConnectToProxy() (*ProxyClient, error)

ConnectToProxy dials the proxy server and returns ProxyClient if successful

func (*TeleportClient) GetKeys added in v1.0.0

func (tc *TeleportClient) GetKeys() ([]agent.AddedKey, error)

GetKeys returns a list of stored local keys/certs for this Teleport user

func (*TeleportClient) Join added in v1.0.0

func (tc *TeleportClient) Join(sessionID session.ID, input io.Reader) (err error)

Join connects to the existing/active SSH session

func (*TeleportClient) ListNodes added in v1.0.0

func (tc *TeleportClient) ListNodes() ([]services.Server, error)

ListNodes returns a list of nodes connected to a proxy

func (*TeleportClient) LocalAgent added in v1.0.0

func (tc *TeleportClient) LocalAgent() *LocalKeyAgent

func (*TeleportClient) Login added in v1.0.0

func (tc *TeleportClient) Login() error

Login logs the user in using the proxy's local 2FA auth or OIDC external authentication, then saves the generated credentials into the local keystore for future use.

func (*TeleportClient) Logout added in v1.0.0

func (tc *TeleportClient) Logout() error

Logout locates a certificate stored for a given proxy and deletes it

func (*TeleportClient) MakeKey added in v1.0.0

func (tc *TeleportClient) MakeKey() (key *Key, err error)

MakeKey generates a new unsigned key. It's useless by itself until a trusted CA signs it

func (*TeleportClient) Play added in v1.0.0

func (tc *TeleportClient) Play(sessionId string) (err error)

Play replays the recorded session

func (*TeleportClient) SCP added in v1.0.0

func (tc *TeleportClient) SCP(args []string, port int, recursive bool) (err error)

SCP securely copies file(s) from one SSH server to another

func (*TeleportClient) SSH added in v1.0.0

func (tc *TeleportClient) SSH(command []string, runLocally bool, input io.Reader) error

SSH connects to a node and, if 'command' is specified, executes the command on it, otherwise runs interactive shell

Returns nil if successful, or (possibly) *exec.ExitError
