The highest tagged major version is
README
¶
ContainerSSH SSH Server Library
This library provides an overlay for the built-in go SSH server library that makes it easier to handle.
Note: This is a developer documentation.
The user documentation for ContainerSSH is located at containerssh.github.io.
Using this library
This library provides a friendlier way to handle SSH requests than with the built-in SSH library. the primary method of using this library is via the Lifecycle objects from the service library:
// Create the server. See the description below for parameters.
server, err := sshserver.New(
cfg,
handler,
logger,
)
if err != nil {
// Handle configuration errors
log.Fatalf("%v", err)
}
lifecycle := service.NewLifecycle(server)
defer func() {
// The Run method will run the server and return when the server is shut down.
// We are running this in a goroutine so the shutdown below can proceed after a minute.
if err := lifecycle.Run(); err != nil {
// Handle errors while running the server
}
}()
time.Sleep(60 * time.Second)
// Shut down the server. Pass a context to indicate how long the server should wait
// for existing connections to finish. This function will return when the server
// has stopped.
lifecycle.Stop(
context.WithTimeout(
context.Background(),
30 * time.Second,
),
)
The cfg variable will be a Config structure as described in config.go.
The handler variable must be an implementation of the Handler interface described in handler.go.
The logger variable needs to be an instance of the Logger interface from github.com/containerssh/log.
Implementing a handler
The handler interface consists of multiple parts:
- The
Handleris the main handler for the application providing several hooks for events. On new connections theOnNetworkConnectionmethod is called, which must return aNetworkConnectionHandler - The
NetworkConnectionHandleris a handler for network connections before the SSH handshake is complete. It is called to perform authentication and return anSSHConnectionHandlerwhen the authentication is successful. - The
SSHConnectionHandleris responsible for handling an individual SSH connection. Most importantly, it is responsible for providing aSessionChannelHandlerwhen a new session channel is requested by the client. - The
SessionChannelHandleris responsible for an individual session channel (single program execution). It provides several hooks for setting up and running the program. Once the program execution is complete the channel is closed. You must, however, keep handling requests (e.g. window size change) during program execution.
A sample implementation can be found in the test code at the bottom of the file.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthResponse ¶
type AuthResponse uint8
AuthResponse indicates the various response states for the authentication process.
const ( // AuthResponseSuccess indicates that the authentication was successful. AuthResponseSuccess AuthResponse = 1 // AuthResponseFailure indicates that the authentication failed for invalid credentials. AuthResponseFailure AuthResponse = 2 // to respond. AuthResponseUnavailable AuthResponse = 3 )
type ChannelRejection ¶
type ChannelRejection interface {
error
// Message contains a message intended for the user.
Message() string
// Reason contains the SSH-specific reason for the rejection.
Reason() ssh.RejectionReason
}
ChannelRejection is an error type that also contains a Message and a Reason
type Cipher ¶
type Cipher string
Cipher is the SSH cipher
const ( CipherChaCha20Poly1305 Cipher = "chacha20-poly1305@openssh.com" CipherAES256GCM Cipher = "aes256-gcm@openssh.com" CipherAES128GCM Cipher = "aes128-gcm@openssh.com" CipherAES256CTE Cipher = "aes256-ctr" CipherAES192CTR Cipher = "aes192-ctr" CipherAES128CTR Cipher = "aes128-ctr" CipherAES128CBC Cipher = "aes128-cbc" CipherArcFour256 Cipher = "arcfour256" CipherArcFour128 Cipher = "arcfour128" CipherArcFour Cipher = "arcfour" CipherTripleDESCBCID Cipher = "tripledescbcID" )
Cipher is the SSH cipher
type Config ¶
type Config struct {
// Listen is the listen address for the SSH server
Listen string `json:"listen" yaml:"listen" default:"0.0.0.0:2222"`
// ServerVersion is the version sent to the client.
// Must be in the format of "SSH-protoversion-softwareversion SPACE comments".
// See https://tools.ietf.org/html/rfc4253#page-4 section 4.2. Protocol Version Exchange
// The trailing CR and LF characters should NOT be added to this string.
ServerVersion string `json:"serverVersion" yaml:"serverVersion" default:"SSH-2.0-ContainerSSH"`
// Ciphers are the ciphers offered to the client.
Ciphers []Cipher `` /* 205-byte string literal not displayed */
// KexAlgorithms are the key exchange algorithms offered to the client.
KexAlgorithms []Kex `` /* 176-byte string literal not displayed */
// MACs are the MAC algorithms offered to the client.
MACs []MAC `` /* 150-byte string literal not displayed */
// Banner is the banner sent to the client on connecting.
Banner string `json:"banner" yaml:"banner" comment:"Host banner to show after the username" default:""`
// HostKeys are the host keys either in PEM format, or filenames to load.
HostKeys []ssh.Signer `json:"hostkeys" yaml:"hostkeys" comment:"Host keys in PEM format or files to load PEM host keys from."`
}
Config is the base configuration structure of the SSH server.
func DefaultConfig ¶
func DefaultConfig() Config
DefaultConfig returns the config structure with the default settings. Only the HostKeys option will need to be
filled.
func (*Config) GenerateHostKey ¶
GenerateHostKey generates a random host key and adds it to Config
func (*Config) UnmarshalJSON ¶
UnmarshalJSON decodes a JSON data structure into the configuration.
type ExitStatus ¶ added in v0.9.2
type ExitStatus uint32
ExitStatus contains the status code with which the program exited. See RFC 4254 section 6.10: Returning Exit Status for details. ( https://tools.ietf.org/html/rfc4254#section-6.10 )
type Handler ¶
type Handler interface {
// OnReady is called when the server is ready to receive connections. It has an opportunity to return an error to
// abort the startup.
OnReady() error
// OnShutdown is called when a shutdown of the SSH server is desired. The shutdownContext is passed as a deadline
// for the shutdown, after which the server should abort all running connections and return as fast as
// possible.
OnShutdown(shutdownContext context.Context)
// OnNetworkConnection is called when a new network connection is opened. It must either return a
// NetworkConnectionHandler object or an error. In case of an error the network connection is closed.
//
// The ip parameter provides the IP address of the connecting user. The connectionID parameter provides an opaque
// binary identifier for the connection that can be used to track the connection across multiple subsystems.
OnNetworkConnection(client net.TCPAddr, connectionID []byte) (NetworkConnectionHandler, error)
}
Handler is the basic handler for SSH connections. It contains several methods to handle startup and operations of the
server
type HostKeyAlgo ¶
type HostKeyAlgo string
HostKeyAlgo are supported host key algorithms.
const ( HostKeyAlgoSSHRSACertv01 HostKeyAlgo = "ssh-rsa-cert-v01@openssh.com" HostKeyAlgoSSHDSSCertv01 HostKeyAlgo = "ssh-dss-cert-v01@openssh.com" HostKeyAlgoECDSASHA2NISTp256Certv01 HostKeyAlgo = "ecdsa-sha2-nistp256-cert-v01@openssh.com" HostKeyAlgoECDSASHA2NISTp384Certv01 HostKeyAlgo = "ecdsa-sha2-nistp384-cert-v01@openssh.com" HostKeyAlgoECDSASHA2NISTp521Certv01 HostKeyAlgo = "ecdsa-sha2-nistp521-cert-v01@openssh.com" HostKeyAlgoSSHED25519Certv01 HostKeyAlgo = "ssh-ed25519-cert-v01@openssh.com" HostKeyAlgoSSHRSA HostKeyAlgo = "ssh-rsa" HostKeyAlgoSSHDSS HostKeyAlgo = "ssh-dss" HostKeyAlgoSSHED25519 HostKeyAlgo = "ssh-ed25519" )
HostKeyAlgo are supported host key algorithms.
func (HostKeyAlgo) String ¶
func (h HostKeyAlgo) String() string
String creates a string representation.
type Kex ¶
type Kex string
Kex are the SSH key exchange algorithms
const ( KexCurve25519SHA256 Kex = "curve25519-sha256@libssh.org" KexECDHSHA2NISTp521 Kex = "ecdh-sha2-nistp521" KexECDHSHA2Nistp384 Kex = "ecdh-sha2-nistp384" KexECDHSHA2Nistp256 Kex = "ecdh-sha2-nistp256" KexDHGroup14SHA1 Kex = "diffie-hellman-group14-sha1" KexDHGroup1SHA1 Kex = "diffie-hellman-group1-sha1" )
Kex are the SSH key exchange algorithms
type MAC ¶
type MAC string
MAC are the SSH mac algorithms.
type NetworkConnectionHandler ¶
type NetworkConnectionHandler interface {
// OnAuthPassword is called when a user attempts a password authentication. The implementation must always supply
// AuthResponse and may supply error as a reason description.
OnAuthPassword(username string, password []byte) (response AuthResponse, reason error)
// OnAuthPassword is called when a user attempts a pubkey authentication. The implementation must always supply
// AuthResponse and may supply error as a reason description.
OnAuthPubKey(username string, pubKey []byte) (response AuthResponse, reason error)
// OnHandshakeFailed is called when the SSH handshake failed. This method is also called after an authentication
// failure. After this method is the connection will be closed and the OnDisconnect method will be
// called.
OnHandshakeFailed(reason error)
// OnHandshakeSuccess is called when the SSH handshake was successful. It returns connection to process
// requests, or failureReason to indicate that a backend error has happened. In this case, the
// connection will be closed and OnDisconnect will be called.
OnHandshakeSuccess() (connection SSHConnectionHandler, failureReason error)
// OnDisconnect is called when the network connection is closed.
OnDisconnect()
}
NetworkConnectionHandler is an object that is used to represent the underlying network connection and the SSH handshake.
type SSHConnectionHandler ¶
type SSHConnectionHandler interface {
// OnUnsupportedGlobalRequest captures all global SSH requests and gives the implementation an opportunity to log
// the request.
//
// requestID is an ID uniquely identifying the request within the scope connection. The same ID may appear within
// a channel.
OnUnsupportedGlobalRequest(requestID uint64, requestType string, payload []byte)
// OnUnsupportedChannel is called when a new channel is requested of an unsupported type. This gives the implementer
// the ability to log unsupported channel requests.
//
// channelID is an ID uniquely identifying the channel within the connection.
// channelType is the type of channel requested by the client. We only support the "session" channel type
// extraData contains the binary extra data submitted by the client. This is usually empty.
OnUnsupportedChannel(channelID uint64, channelType string, extraData []byte)
// OnSessionChannel is called when a channel of the session type is requested. The implementer must either return
// the channel result if the channel was successful, or failureReason to state why the channel
// should be rejected.
//
// channelID is an ID uniquely identifying the channel within the connection.
// extraData contains the binary extra data submitted by the client. This is usually empty.
OnSessionChannel(channelID uint64, extraData []byte) (channel SessionChannelHandler, failureReason ChannelRejection)
}
SSHConnectionHandler represents an established SSH connection that is ready to receive requests.
type Server ¶
Server is the main SSH server interface, compatible with the Service library. It should always be used in conjunction with the Lifecycle interface from the service library.
type SessionChannelHandler ¶
type SessionChannelHandler interface {
// OnUnsupportedChannelRequest captures channel requests of unsupported types.
//
// requestID is an incrementing number uniquely identifying this request within the channel.
// requestType contains the SSH request type.
// payload is the binary payload.
OnUnsupportedChannelRequest(
requestID uint64,
requestType string,
payload []byte,
)
// OnFailedDecodeChannelRequest is called when a supported channel request was received, but the payload could not
// be decoded.
//
// requestID is an incrementing number uniquely identifying this request within the channel.
// requestType contains the SSH request type.
// payload is the binary payload.
// reason is the reason why the decoding failed.
OnFailedDecodeChannelRequest(
requestID uint64,
requestType string,
payload []byte,
reason error,
)
// OnEnvRequest is called when the client requests an environment variable to be set. The implementation can return
// an error to reject the request.
OnEnvRequest(
requestID uint64,
name string,
value string,
) error
// OnPtyRequest is called when the client requests an interactive terminal to be allocated. The implementation can
// return an error to reject the request.
//
// requestID is an incrementing number uniquely identifying this request within the channel.
// term is the terminal name. This is usually set in the TERM environment variable.
// columns is the number of columns in the terminal.
// rows is the number of rows in the terminal.
// width is the width of the terminal in pixels.
// height is the height of a terminal in pixels.
// modelist are the encoded terminal modes the client desires. See RFC4254 section 8 and RFC8160 for details.
OnPtyRequest(
requestID uint64,
term string,
columns uint32,
rows uint32,
width uint32,
height uint32,
modeList []byte,
) error
// OnExecRequest is called when the client request a program to be executed. The implementation can return an error
// to reject the request.
//
// requestID is an incrementing number uniquely identifying this request within the channel.
// program is the name of the program to be executed.
// stdin is a reader for the shell or program to read the stdin.
// stdout is a writer for the shell or program standard output.
// stderr is a writer for the shell or program standard error.
// onExit is a callback to send the exit status back to the client.
OnExecRequest(
requestID uint64,
program string,
stdin io.Reader,
stdout io.Writer,
stderr io.Writer,
onExit func(exitStatus ExitStatus),
) error
// OnShell is called when the client requests a shell to be started. The implementation can return an error to
// reject the request. The implementation should send the IO handling into background. It should also
// respect the shutdown context on the Handler.
//
// requestID is an incrementing number uniquely identifying this request within the channel.
// stdin is a reader for the shell or program to read the stdin.
// stdout is a writer for the shell or program standard output.
// stderr is a writer for the shell or program standard error.
// onExit is a callback to send the exit status back to the client.
OnShell(
requestID uint64,
stdin io.Reader,
stdout io.Writer,
stderr io.Writer,
onExit func(exitStatus ExitStatus),
) error
// OnSubsystem is called when the client calls a well-known subsystem (e.g. sftp). The implementation can return an
// error to reject the request. The implementation should send the IO handling into background. It
// should also respect the shutdown context on the Handler.
//
// requestID is an incrementing number uniquely identifying this request within the channel.
// stdin is a reader for the shell or program to read the stdin.
// stdout is a writer for the shell or program standard output.
// stderr is a writer for the shell or program standard error.
// onExit is a callback to send the exit status back to the client.
OnSubsystem(
requestID uint64,
subsystem string,
stdin io.Reader,
stdout io.Writer,
stderr io.Writer,
onExit func(exitStatus ExitStatus),
) error
// OnSignal is called when the client requests a signal to be sent to the running process. The implementation can
// return an error to reject the request.
OnSignal(
requestID uint64,
signal string,
) error
// OnWindow is called when the client requests requests the window size to be changed. This method may be called
// after a program is started. The implementation can return an error to reject the request.
//
// requestID is an incrementing number uniquely identifying this request within the channel.
// columns is the number of columns in the terminal.
// rows is the number of rows in the terminal.
// width is the width of the terminal in pixels.
// height is the height of a terminal in pixels.
OnWindow(
requestID uint64,
columns uint32,
rows uint32,
width uint32,
height uint32,
) error
}
SessionChannelHandler is a channel of the "session" type used for interactive and non-interactive sessions
Source Files
Click to show internal directories.
Click to hide internal directories.