Documentation ¶
Index ¶
- func StartKeepAliveLoop(p KeepAliveParams)
- type ActivityTracker
- type AuthHandlers
- func (h *AuthHandlers) CheckAgentForward(ctx *ServerContext) error
- func (h *AuthHandlers) CheckPortForward(addr string, ctx *ServerContext) error
- func (h *AuthHandlers) CreateIdentityContext(sconn *ssh.ServerConn) (IdentityContext, error)
- func (h *AuthHandlers) HostKeyAuth(hostport string, remote net.Addr, key ssh.PublicKey) error
- func (h *AuthHandlers) IsHostAuthority(hostport string, remote net.Addr, cert ssh.PublicKey) error
- func (h *AuthHandlers) IsUserAuthority(cert ssh.PublicKey) bool
- func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error)
- type Exec
- type ExecResult
- type IdentityContext
- type KeepAliveParams
- type LookupGroup
- type LookupUser
- type Monitor
- type MonitorConfig
- type RequestSender
- type Server
- type ServerContext
- func (c *ServerContext) AddCloser(closer io.Closer)
- func (c *ServerContext) Close() error
- func (c *ServerContext) CreateOrJoinSession(reg *SessionRegistry) error
- func (c *ServerContext) GetAgent() agent.Agent
- func (c *ServerContext) GetAgentChannel() ssh.Channel
- func (c *ServerContext) GetClientLastActive() time.Time
- func (c *ServerContext) GetEnv(key string) (string, bool)
- func (c *ServerContext) GetServer() Server
- func (c *ServerContext) GetTerm() Terminal
- func (c *ServerContext) ID() int
- func (c *ServerContext) ProxyPublicAddress() string
- func (c *ServerContext) SendExecResult(r ExecResult)
- func (c *ServerContext) SendSubsystemResult(r SubsystemResult)
- func (c *ServerContext) SessionID() rsession.ID
- func (c *ServerContext) SetAgent(a agent.Agent, channel ssh.Channel)
- func (c *ServerContext) SetEnv(key, val string)
- func (c *ServerContext) SetTerm(t Terminal)
- func (c *ServerContext) String() string
- func (c *ServerContext) UpdateClientActivity()
- type SessionRegistry
- type Subsystem
- type SubsystemResult
- type TermHandlers
- func (t *TermHandlers) HandleExec(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
- func (t *TermHandlers) HandlePTYReq(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
- func (t *TermHandlers) HandleShell(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
- func (t *TermHandlers) HandleWinChange(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
- type Terminal
- type TrackingConn
- type TrackingReader
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func StartKeepAliveLoop ¶ added in v3.1.0
func StartKeepAliveLoop(p KeepAliveParams)
StartKeepAliveLoop starts the keep-alive loop.
Types ¶
type ActivityTracker ¶ added in v3.2.0
type ActivityTracker interface { // GetClientLastActive returns the time of the last recorded activity GetClientLastActive() time.Time // UpdateClient updates client activity UpdateClientActivity() }
ActivityTracker is a connection activity tracker, it allows to update the activity on the connection and retrieve the time when the connection was last active
type AuthHandlers ¶
type AuthHandlers struct { *log.Entry // Server is the services.Server in the backend. Server Server // Component is the type of SSH server (node, proxy, or recording proxy). Component string // AuditLog is the service used to access Audit Log. AuditLog events.IAuditLog // AccessPoint is used to access the Auth Server. AccessPoint auth.AccessPoint }
AuthHandlers are common authorization and authentication related handlers used by the regular and forwarding server.
func (*AuthHandlers) CheckAgentForward ¶
func (h *AuthHandlers) CheckAgentForward(ctx *ServerContext) error
CheckAgentForward checks if agent forwarding is allowed for the users RoleSet.
func (*AuthHandlers) CheckPortForward ¶
func (h *AuthHandlers) CheckPortForward(addr string, ctx *ServerContext) error
CheckPortForward checks if port forwarding is allowed for the users RoleSet.
func (*AuthHandlers) CreateIdentityContext ¶
func (h *AuthHandlers) CreateIdentityContext(sconn *ssh.ServerConn) (IdentityContext, error)
BuildIdentityContext returns an IdentityContext populated with information about the logged in user on the connection.
func (*AuthHandlers) HostKeyAuth ¶
HostKeyAuth implements host key verification and is called by the client to validate the certificate presented by the target server. If the target server presents a SSH certificate, we validate that it was Teleport that generated the certificate. If the target server presents a public key, if we are strictly checking keys, we reject the target server. If we are not we take whatever.
func (*AuthHandlers) IsHostAuthority ¶
IsHostAuthority is called when checking the host certificate a server presents. It make sure that the key used to sign the host certificate was a Teleport CA.
func (*AuthHandlers) IsUserAuthority ¶
func (h *AuthHandlers) IsUserAuthority(cert ssh.PublicKey) bool
IsUserAuthority is called during checking the client key, to see if the key used to sign the certificate was a Teleport CA.
func (*AuthHandlers) UserKeyAuth ¶
func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error)
UserKeyAuth implements SSH client authentication using public keys and is called by the server every time the client connects.
type Exec ¶
type Exec interface { // GetCommand returns the command to be executed. GetCommand() string // SetCommand sets the command to be executed. SetCommand(string) // Start will start the execution of the command. Start(channel ssh.Channel) (*ExecResult, error) // Wait will block while the command executes. Wait() (*ExecResult, error) }
Exec executes an "exec" request.
func NewExecRequest ¶
func NewExecRequest(ctx *ServerContext, command string) (Exec, error)
NewExecRequest creates a new local or remote Exec.
type ExecResult ¶
type ExecResult struct { // Command is the command that was executed. Command string // Code is return code that execution of the command resulted in. Code int }
ExecResult is used internally to send the result of a command execution from a goroutine to SSH request handler and back to the calling client
type IdentityContext ¶
type IdentityContext struct { // TeleportUser is the Teleport user associated with the connection. TeleportUser string // Login is the operating system user associated with the connection. Login string // Certificate is the SSH user certificate bytes marshalled in the OpenSSH // authorized_keys format. Certificate []byte // CertAuthority is the Certificate Authority that signed the Certificate. CertAuthority services.CertAuthority // RoleSet is the roles this Teleport user is associated with. RoleSet is // used to check RBAC permissions. RoleSet services.RoleSet // CertValidBefore is set to the expiry time of a certificate, or // empty, if cert does not expire CertValidBefore time.Time }
IdentityContext holds all identity information associated with the user logged on the connection.
func (IdentityContext) GetCertificate ¶
func (c IdentityContext) GetCertificate() (*ssh.Certificate, error)
GetCertificate parses the SSH certificate bytes and returns a *ssh.Certificate.
type KeepAliveParams ¶ added in v3.1.0
type KeepAliveParams struct { // Conns is the list of connections to send keep-alive connections to. All // connections must respond to the keep-alive to not be considered missed. Conns []RequestSender // Interval is the interval to send keep-alive messsages at. Interval time.Duration // MaxCount is the number of keep-alive messages that can be missed before // the connection is disconnected. MaxCount int // CloseContext is used by the server to notify the keep-alive loop to stop. CloseContext context.Context // CloseCancel is used by the keep-alive loop to notify the server to stop. CloseCancel context.CancelFunc }
KeepAliveParams configures the keep-alive loop.
type LookupGroup ¶ added in v3.1.6
LookupGroup is used to mock the value returned by user.LookupGroup(string).
type LookupUser ¶ added in v3.1.6
LookupUser is used to mock the value returned by user.Lookup(string).
type Monitor ¶ added in v3.2.0
type Monitor struct { // MonitorConfig is a connection monitori configuration MonitorConfig }
Monitor moniotiors connection activity and disconnects connections with expired certificates or with periods of inactivity
func NewMonitor ¶ added in v3.2.0
func NewMonitor(cfg MonitorConfig) (*Monitor, error)
NewMonitor returns a new monitor
type MonitorConfig ¶ added in v3.2.0
type MonitorConfig struct { // DisconnectExpiredCert is a point in time when // the certificate should be disconnected DisconnectExpiredCert time.Time // ClientIdleTimeout is a timeout of inactivity // on the wire ClientIdleTimeout time.Duration // Clock is a clock, realtime or fixed in tests Clock clockwork.Clock // Tracker is activity tracker Tracker ActivityTracker // Conn is a connection to close Conn TrackingConn // Context is an external context to cancel the operation Context context.Context // Login is linux box login Login string // TeleportUser is a teleport user name TeleportUser string // ServerID is a session server ID ServerID string // Audit is audit log Audit events.IAuditLog // Entry is a logging entry Entry *log.Entry }
MonitorConfig is a wiretap configuration
func (*MonitorConfig) CheckAndSetDefaults ¶ added in v3.2.0
func (m *MonitorConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks values and sets defaults
type RequestSender ¶ added in v3.1.0
type RequestSender interface { // SendRequest is used to send a out-of-band request. SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error) }
RequestSender is an interface that impliments SendRequest. It is used so server and client connections can be passed to functions to send requests.
type Server ¶
type Server interface { // ID is the unique ID of the server. ID() string // GetNamespace returns the namespace the server was created in. GetNamespace() string // AdvertiseAddr is the publicly addressable address of this server. AdvertiseAddr() string // Component is the type of server, forwarding or regular. Component() string // PermitUserEnvironment returns if reading environment variables upon // startup is allowed. PermitUserEnvironment() bool // EmitAuditEvent emits an Audit Event to the Auth Server. EmitAuditEvent(string, events.EventFields) // GetAuditLog returns the Audit Log for this cluster. GetAuditLog() events.IAuditLog // GetAccessPoint returns an auth.AccessPoint for this cluster. GetAccessPoint() auth.AccessPoint // GetSessionServer returns a session server. GetSessionServer() rsession.Service // GetDataDir returns data directory of the server GetDataDir() string // GetPAM returns PAM configuration for this server. GetPAM() (*pam.Config, error) // GetClock returns a clock setup for the server GetClock() clockwork.Clock // GetInfo returns a services.Server that represents this server. GetInfo() services.Server }
Server is regular or forwarding SSH server.
type ServerContext ¶
type ServerContext struct { *log.Entry sync.RWMutex // Conn is the underlying *ssh.ServerConn. Conn *ssh.ServerConn // Identity holds the identity of the user that is currently logged in on // the Conn. Identity IdentityContext // ExecResultCh is a Go channel which will be used to send and receive the // result of a "exec" request. ExecResultCh chan ExecResult // SubsystemResultCh is a Go channel which will be used to send and receive // the result of a "subsystem" request. SubsystemResultCh chan SubsystemResult // IsTestStub is set to true by tests. IsTestStub bool // ExecRequest is the command to be executed within this session context. ExecRequest Exec // ClusterName is the name of the cluster current user is authenticated with. ClusterName string // ClusterConfig holds the cluster configuration at the time this context was // created. ClusterConfig services.ClusterConfig // RemoteClient holds a SSH client to a remote server. Only used by the // recording proxy. RemoteClient *ssh.Client // RemoteSession holds a SSH session to a remote server. Only used by the // recording proxy. RemoteSession *ssh.Session // contains filtered or unexported fields }
ServerContext holds session specific context, such as SSH auth agents, PTYs, and other resources. SessionContext also holds a ServerContext which can be used to access resources on the underlying server. SessionContext can also be used to attach resources that should be closed once the session closes.
func NewServerContext ¶
func NewServerContext(srv Server, conn *ssh.ServerConn, identityContext IdentityContext) (*ServerContext, error)
NewServerContext creates a new *ServerContext which is used to pass and manage resources.
func (*ServerContext) AddCloser ¶
func (c *ServerContext) AddCloser(closer io.Closer)
AddCloser adds any closer in ctx that will be called whenever server closes session channel
func (*ServerContext) Close ¶
func (c *ServerContext) Close() error
func (*ServerContext) CreateOrJoinSession ¶
func (c *ServerContext) CreateOrJoinSession(reg *SessionRegistry) error
CreateOrJoinSession will look in the SessionRegistry for the session ID. If no session is found, a new one is created. If one is found, it is returned.
func (*ServerContext) GetAgent ¶
func (c *ServerContext) GetAgent() agent.Agent
GetAgent returns a agent.Agent which represents the capabilities of an SSH agent.
func (*ServerContext) GetAgentChannel ¶
func (c *ServerContext) GetAgentChannel() ssh.Channel
GetAgentChannel returns the channel over which communication with the agent occurs.
func (*ServerContext) GetClientLastActive ¶
func (c *ServerContext) GetClientLastActive() time.Time
GetClientLastActive returns time when client was last active
func (*ServerContext) GetEnv ¶
func (c *ServerContext) GetEnv(key string) (string, bool)
GetEnv returns a environment variable within this context.
func (*ServerContext) GetServer ¶
func (c *ServerContext) GetServer() Server
GetServer returns the underlying server which this context was created in.
func (*ServerContext) GetTerm ¶
func (c *ServerContext) GetTerm() Terminal
GetTerm returns a Terminal.
func (*ServerContext) ProxyPublicAddress ¶
func (c *ServerContext) ProxyPublicAddress() string
ProxyPublicAddress tries to get the public address from the first available proxy. if public_address is not set, fall back to the hostname of the first proxy we get back.
func (*ServerContext) SendExecResult ¶
func (c *ServerContext) SendExecResult(r ExecResult)
SendExecResult sends the result of execution of the "exec" command over the ExecResultCh.
func (*ServerContext) SendSubsystemResult ¶
func (c *ServerContext) SendSubsystemResult(r SubsystemResult)
SendSubsystemResult sends the result of running the subsystem over the SubsystemResultCh.
func (*ServerContext) SessionID ¶
func (c *ServerContext) SessionID() rsession.ID
SessionID returns the ID of the session in the context.
func (*ServerContext) SetAgent ¶
func (c *ServerContext) SetAgent(a agent.Agent, channel ssh.Channel)
SetAgent sets the agent and channel over which communication with the agent occurs.
func (*ServerContext) SetEnv ¶
func (c *ServerContext) SetEnv(key, val string)
SetEnv sets a environment variable within this context.
func (*ServerContext) String ¶
func (c *ServerContext) String() string
func (*ServerContext) UpdateClientActivity ¶
func (c *ServerContext) UpdateClientActivity()
UpdateClientActivity sets last recorded client activity associated with this context either channel or session
type SessionRegistry ¶
SessionRegistry holds a map of all active sessions on a given SSH server
func NewSessionRegistry ¶
func NewSessionRegistry(srv Server) (*SessionRegistry, error)
func (*SessionRegistry) Close ¶
func (s *SessionRegistry) Close()
func (*SessionRegistry) NotifyWinChange ¶
func (s *SessionRegistry) NotifyWinChange(params rsession.TerminalParams, ctx *ServerContext) error
NotifyWinChange is called to notify all members in the party that the PTY size has changed. The notification is sent as a global SSH request and it is the responsibility of the client to update it's window size upon receipt.
func (*SessionRegistry) OpenSession ¶
func (s *SessionRegistry) OpenSession(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
OpenSession either joins an existing session or starts a new session.
type Subsystem ¶
type Subsystem interface { // Start starts subsystem Start(*ssh.ServerConn, ssh.Channel, *ssh.Request, *ServerContext) error // Wait is returned by subystem when it's completed Wait() error }
Subsystem represents SSH subsytem - special command executed in the context of the session.
type SubsystemResult ¶
type SubsystemResult struct { // Name holds the name of the subsystem that was executed. Name string // Err holds the result of execution of the subsystem. Err error }
SubsystemResult is a result of execution of the subsystem.
type TermHandlers ¶
type TermHandlers struct {
SessionRegistry *SessionRegistry
}
TermHandlers are common terminal handling functions used by both the regular and forwarding server.
func (*TermHandlers) HandleExec ¶
func (t *TermHandlers) HandleExec(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
HandleExec handles requests of type "exec" which can execute with or without a TTY. Result of execution is propagated back on the ExecResult channel of the context.
func (*TermHandlers) HandlePTYReq ¶
func (t *TermHandlers) HandlePTYReq(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
HandlePTYReq handles requests of type "pty-req" which allocate a TTY for "exec" or "shell" requests. The "pty-req" includes the size of the TTY as well as the terminal type requested.
func (*TermHandlers) HandleShell ¶
func (t *TermHandlers) HandleShell(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
HandleShell handles requests of type "shell" which request a interactive shell be created within a TTY.
func (*TermHandlers) HandleWinChange ¶
func (t *TermHandlers) HandleWinChange(ch ssh.Channel, req *ssh.Request, ctx *ServerContext) error
HandleWinChange handles requests of type "window-change" which update the size of the PTY running on the server and update any other members in the party.
type Terminal ¶
type Terminal interface { // AddParty adds another participant to this terminal. We will keep the // Terminal open until all participants have left. AddParty(delta int) // Run will run the terminal. Run() error // Wait will block until the terminal is complete. Wait() (*ExecResult, error) // Kill will force kill the terminal. Kill() error // PTY returns the PTY backing the terminal. PTY() io.ReadWriter // TTY returns the TTY backing the terminal. TTY() *os.File // Close will free resources associated with the terminal. Close() error // GetWinSize returns the window size of the terminal. GetWinSize() (*term.Winsize, error) // SetWinSize sets the window size of the terminal. SetWinSize(params rsession.TerminalParams) error // GetTerminalParams is a fast call to get cached terminal parameters // and avoid extra system call. GetTerminalParams() rsession.TerminalParams // SetTerminalModes sets the terminal modes from "pty-req" SetTerminalModes(ssh.TerminalModes) // GetTermType gets the terminal type set in "pty-req" GetTermType() string // SetTermType sets the terminal type from "pty-req" SetTermType(string) }
Terminal defines an interface of handy functions for managing a (local or remote) PTY, such as resizing windows, executing commands with a PTY, and cleaning up.
func NewTerminal ¶
func NewTerminal(ctx *ServerContext) (Terminal, error)
NewTerminal returns a new terminal. Terminal can be local or remote depending on cluster configuration.
type TrackingConn ¶ added in v3.2.0
type TrackingConn interface { // LocalAddr returns local addres LocalAddr() net.Addr // RemoteAddr returns remote address RemoteAddr() net.Addr // Close closes the connection Close() error }
TrackingConn is an interface representing tracking connection
type TrackingReader ¶
type TrackingReader struct {
// contains filtered or unexported fields
}
TrackingReader wraps the writer and every time write occurs, updates the activity in the server context
func NewTrackingReader ¶
func NewTrackingReader(ctx *ServerContext, r io.Reader) *TrackingReader
NewTrackingReader returns a new instance of activity tracking reader.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package regular implements SSH server that supports multiplexing tunneling, SSH connections proxying and only supports Key based auth
|
Package regular implements SSH server that supports multiplexing tunneling, SSH connections proxying and only supports Key based auth |