Documentation
Overview ¶
Package sftpd implements the SSH File Transfer Protocol as described in https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02. It uses the pkg/sftp library: https://github.com/pkg/sftp
Index ¶
- func GetDefaultSSHCommands() []string
- func GetSupportedSSHCommands() []string
- type Configuration
- type Connection
- func (c *Connection) Disconnect() error
- func (c *Connection) Filecmd(request *sftp.Request) error
- func (c *Connection) Filelist(request *sftp.Request) (sftp.ListerAt, error)
- func (c *Connection) Fileread(request *sftp.Request) (io.ReaderAt, error)
- func (c *Connection) Filewrite(request *sftp.Request) (io.WriterAt, error)
- func (c *Connection) GetClientVersion() string
- func (c *Connection) GetCommand() string
- func (c *Connection) GetRemoteAddress() string
- func (c *Connection) Lstat(request *sftp.Request) (sftp.ListerAt, error)
- func (c *Connection) OpenFile(request *sftp.Request) (sftp.WriterAtReaderAt, error)
- type Key
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetDefaultSSHCommands ¶
func GetDefaultSSHCommands() []string
GetDefaultSSHCommands returns the SSH commands that are enabled by default
func GetSupportedSSHCommands ¶
func GetSupportedSSHCommands() []string
GetSupportedSSHCommands returns the supported SSH commands
Types ¶
type Configuration ¶
// Configuration holds the settings for the SFTP server: where it listens,
// which host keys and SSH algorithms it uses, which authentication modes are
// allowed and which SSH commands are enabled.
type Configuration struct {
// Identification string used by the server
// NOTE(review): presumably presented to connecting clients; confirm, and
// avoid putting details here that you do not want to disclose.
Banner string `json:"banner" mapstructure:"banner"`
// The port used for serving SFTP requests
BindPort int `json:"bind_port" mapstructure:"bind_port"`
// The address to listen on. A blank value means listen on all available network interfaces.
// Set an explicit address when the service must not be reachable on every interface.
BindAddress string `json:"bind_address" mapstructure:"bind_address"`
// Deprecated: please use the same key in common configuration
IdleTimeout int `json:"idle_timeout" mapstructure:"idle_timeout"`
// Maximum number of authentication attempts permitted per connection.
// If set to a negative number, the number of attempts is unlimited.
// If set to zero, the number of attempts is limited to 6.
// The limit is per connection, so it does not by itself bound attempts spread
// over many connections. A negative value removes even the per-connection
// bound on credential guessing; use it only when another control limits
// failed logins.
MaxAuthTries int `json:"max_auth_tries" mapstructure:"max_auth_tries"`
// Deprecated: please use the same key in common configuration
UploadMode int `json:"upload_mode" mapstructure:"upload_mode"`
// Actions to execute on file operations and SSH commands
Actions common.ProtocolActions `json:"actions" mapstructure:"actions"`
// Deprecated: please use HostKeys
Keys []Key `json:"keys" mapstructure:"keys"`
// HostKeys define the daemon's private host keys.
// Each host key can be defined as a path relative to the configuration directory or an absolute one.
// If empty or missing, the daemon will search or try to generate "id_rsa" and "id_ecdsa" host keys
// inside the configuration directory.
// These files contain private keys: keep them, and the configuration directory
// where keys may be generated, readable only by the account running the daemon.
HostKeys []string `json:"host_keys" mapstructure:"host_keys"`
// KexAlgorithms specifies the available KEX (Key Exchange) algorithms in
// preference order.
// NOTE(review): the behaviour for an empty list is not stated here; confirm
// which defaults apply before relying on them.
KexAlgorithms []string `json:"kex_algorithms" mapstructure:"kex_algorithms"`
// Ciphers specifies the ciphers allowed
// NOTE(review): the behaviour for an empty list is not stated here; confirm
// which defaults apply before relying on them.
Ciphers []string `json:"ciphers" mapstructure:"ciphers"`
// MACs specifies the available MAC (message authentication code) algorithms
// in preference order
// NOTE(review): the behaviour for an empty list is not stated here; confirm
// which defaults apply before relying on them.
MACs []string `json:"macs" mapstructure:"macs"`
// TrustedUserCAKeys specifies a list of public keys paths of certificate authorities
// that are trusted to sign user certificates for authentication.
// The paths can be absolute or relative to the configuration directory
// Every CA listed here is an authentication trust anchor, so restrict who can
// modify these files and this list.
// NOTE(review): which further checks are applied to a signed certificate is
// not shown here; confirm.
TrustedUserCAKeys []string `json:"trusted_user_ca_keys" mapstructure:"trusted_user_ca_keys"`
// LoginBannerFile names a file whose contents, if any, are sent to
// the remote user before authentication is allowed.
// Because the contents are sent before authentication, anyone who can connect
// can read them; do not put sensitive information in this file.
LoginBannerFile string `json:"login_banner_file" mapstructure:"login_banner_file"`
// Deprecated: please use the same key in common configuration
SetstatMode int `json:"setstat_mode" mapstructure:"setstat_mode"`
// List of enabled SSH commands.
// We support the following SSH commands:
// - "scp". SCP is an experimental feature, we have our own SCP implementation since
// we can't rely on the scp system command to properly handle permissions, quota and
// user's home dir restrictions.
// The SCP protocol is quite simple but there are no official docs about it,
// so we need more testing and feedback before enabling it by default.
// We may not handle some borderline cases or have sneaky bugs.
// Please do accurate tests yourself before enabling SCP and let us know
// if something does not work as expected for your use cases.
// SCP between two remote hosts is supported using the `-3` scp option.
// - "md5sum", "sha1sum", "sha256sum", "sha384sum", "sha512sum". Useful to check message
// digests for uploaded files. These commands are implemented inside SFTPGo so they
// work even if the matching system commands are not available, for example on Windows.
// - "cd", "pwd". Some mobile SFTP clients do not support the SFTP SSH_FXP_REALPATH and so
// they use "cd" and "pwd" SSH commands to get the initial directory.
// Currently `cd` does nothing and `pwd` always returns the "/" path.
//
// The following SSH commands are enabled by default: "md5sum", "sha1sum", "cd", "pwd".
// "*" enables all supported SSH commands.
//
// Note that "*" also enables the experimental "scp" command described above.
// MD5 and SHA-1 are not collision resistant: the default "md5sum" and "sha1sum"
// commands detect accidental corruption, but where a digest must hold up
// against deliberate tampering enable "sha256sum" or a stronger one.
EnabledSSHCommands []string `json:"enabled_ssh_commands" mapstructure:"enabled_ssh_commands"`
// Absolute path to an external program or an HTTP URL to invoke for keyboard interactive authentication.
// Leave empty to disable this authentication mode.
// The hook takes part in the authentication decision, so it belongs to the
// trusted computing base: restrict who can replace the program, and prefer a
// URL whose transport is authenticated and encrypted.
KeyboardInteractiveHook string `json:"keyboard_interactive_auth_hook" mapstructure:"keyboard_interactive_auth_hook"`
// PasswordAuthentication specifies whether password authentication is allowed.
PasswordAuthentication bool `json:"password_authentication" mapstructure:"password_authentication"`
// Deprecated: please use the same key in common configuration
ProxyProtocol int `json:"proxy_protocol" mapstructure:"proxy_protocol"`
// Deprecated: please use the same key in common configuration
ProxyAllowed []string `json:"proxy_allowed" mapstructure:"proxy_allowed"`
// contains filtered or unexported fields
}
Configuration for the SFTP server
func (Configuration) AcceptInboundConnection ¶
func (c Configuration) AcceptInboundConnection(conn net.Conn, config *ssh.ServerConfig)
AcceptInboundConnection handles an inbound connection to the server instance and determines if the request should be served or not.
func (Configuration) Initialize ¶
func (c Configuration) Initialize(configDir string) error
Initialize the SFTP server and add a persistent listener to handle inbound SFTP connections.
type Connection ¶
// Connection holds the details of a connection for an authenticated user.
type Connection struct {
// Embedded base connection from the common package; Go promotes its exported
// fields and methods to Connection.
*common.BaseConnection
// ClientVersion is the client's version string.
// NOTE(review): presumably supplied by the client itself; if so, treat it as
// untrusted input when logging it or making decisions on it. Confirm where it is set.
ClientVersion string
// RemoteAddr is the remote address for this connection.
RemoteAddr net.Addr
// contains filtered or unexported fields
}
Connection details for an authenticated user
func (*Connection) Disconnect ¶ added in v1.1.0
func (c *Connection) Disconnect() error
Disconnect disconnects the client by closing the network connection
func (*Connection) Filecmd ¶
func (c *Connection) Filecmd(request *sftp.Request) error
Filecmd is the handler for basic SFTP system calls related to files, excluding anything to do with reading or writing those files.
func (*Connection) Filelist ¶
Filelist is the handler for SFTP filesystem list calls. This will handle calls to list the contents of a directory as well as perform file/folder stat calls.
func (*Connection) Fileread ¶
Fileread creates a reader for a file on the system and returns the reader back.
func (*Connection) GetClientVersion ¶ added in v1.1.0
func (c *Connection) GetClientVersion() string
GetClientVersion returns the connected client's version
func (*Connection) GetCommand ¶ added in v1.1.0
func (c *Connection) GetCommand() string
GetCommand returns the SSH command, if any
func (*Connection) GetRemoteAddress ¶ added in v1.1.0
func (c *Connection) GetRemoteAddress() string
GetRemoteAddress returns the connected client's address
func (*Connection) OpenFile ¶ added in v1.1.0
func (c *Connection) OpenFile(request *sftp.Request) (sftp.WriterAtReaderAt, error)
OpenFile implements the OpenFileWriter interface