sftpd

package
v2.5.6

Warning: This package is not in the latest version of its module.
Published: Dec 18, 2023 License: AGPL-3.0 Imports: 37 Imported by: 0

Documentation

Overview

Package sftpd implements the SSH File Transfer Protocol as described in https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02. It uses the pkg/sftp library: https://github.com/pkg/sftp

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetDefaultSSHCommands

func GetDefaultSSHCommands() []string

GetDefaultSSHCommands returns the SSH commands enabled by default

func GetSupportedSSHCommands

func GetSupportedSSHCommands() []string

GetSupportedSSHCommands returns the supported SSH commands

func Reload

func Reload() error

Reload reloads the list of revoked user certificates

func ServeSubSystemConnection

func ServeSubSystemConnection(user *dataprovider.User, connectionID string, reader io.Reader, writer io.Writer) error

ServeSubSystemConnection handles a connection as SSH subsystem

Types

type Binding

type Binding struct {
	// The address to listen on. A blank value means listen on all available network interfaces.
	Address string `json:"address" mapstructure:"address"`
	// The port used for serving requests
	Port int `json:"port" mapstructure:"port"`
	// Apply the proxy configuration, if any, for this binding
	ApplyProxyConfig bool `json:"apply_proxy_config" mapstructure:"apply_proxy_config"`
}

Binding defines the configuration for a network listener

func (*Binding) GetAddress

func (b *Binding) GetAddress() string

GetAddress returns the binding address

func (*Binding) HasProxy

func (b *Binding) HasProxy() bool

HasProxy returns true if the proxy protocol is active for this binding

func (*Binding) IsValid

func (b *Binding) IsValid() bool

IsValid returns true if the binding port is > 0

type Configuration

type Configuration struct {
	// Identification string used by the server
	Banner string `json:"banner" mapstructure:"banner"`
	// Addresses and ports to bind to
	Bindings []Binding `json:"bindings" mapstructure:"bindings"`
	// Maximum number of authentication attempts permitted per connection.
	// If set to a negative number, the number of attempts is unlimited.
	// If set to zero, the number of attempts is limited to 6.
	MaxAuthTries int `json:"max_auth_tries" mapstructure:"max_auth_tries"`
	// HostKeys define the daemon's private host keys.
	// Each host key can be defined as a path relative to the configuration directory or an absolute one.
	// If empty or missing, the daemon will search or try to generate "id_rsa" and "id_ecdsa" host keys
	// inside the configuration directory.
	HostKeys []string `json:"host_keys" mapstructure:"host_keys"`
	// HostCertificates defines public host certificates.
	// Each certificate can be defined as a path relative to the configuration directory or an absolute one.
	// The certificate's public key must match a private host key, otherwise the certificate is silently ignored.
	HostCertificates []string `json:"host_certificates" mapstructure:"host_certificates"`
	// HostKeyAlgorithms lists the public key algorithms that the server will accept for host
	// key authentication.
	HostKeyAlgorithms []string `json:"host_key_algorithms" mapstructure:"host_key_algorithms"`
	// Diffie-Hellman moduli files.
	// Each moduli file can be defined as a path relative to the configuration directory or an absolute one.
	// If set and valid, "diffie-hellman-group-exchange-sha256" and "diffie-hellman-group-exchange-sha1" KEX algorithms
	// will be available; `diffie-hellman-group-exchange-sha256` is enabled by default if you
	// don't explicitly set the KEX algorithms
	Moduli []string `json:"moduli" mapstructure:"moduli"`
	// KexAlgorithms specifies the available KEX (Key Exchange) algorithms in
	// preference order.
	KexAlgorithms []string `json:"kex_algorithms" mapstructure:"kex_algorithms"`
	// Ciphers specifies the ciphers allowed
	Ciphers []string `json:"ciphers" mapstructure:"ciphers"`
	// MACs specifies the available MAC (message authentication code) algorithms
	// in preference order
	MACs []string `json:"macs" mapstructure:"macs"`
	// TrustedUserCAKeys specifies a list of public key paths of certificate authorities
	// that are trusted to sign user certificates for authentication.
	// The paths can be absolute or relative to the configuration directory
	TrustedUserCAKeys []string `json:"trusted_user_ca_keys" mapstructure:"trusted_user_ca_keys"`
	// Path to a file containing the revoked user certificates.
	// This file must contain a JSON list with the public key fingerprints of the revoked certificates.
	// Example content:
	// ["SHA256:bsBRHC/xgiqBJdSuvSTNpJNLTISP/G356jNMCRYC5Es","SHA256:119+8cL/HH+NLMawRsJx6CzPF1I3xC+jpM60bQHXGE8"]
	RevokedUserCertsFile string `json:"revoked_user_certs_file" mapstructure:"revoked_user_certs_file"`
	// LoginBannerFile: the contents of the specified file, if any, are sent to
	// the remote user before authentication is allowed.
	LoginBannerFile string `json:"login_banner_file" mapstructure:"login_banner_file"`
	// List of enabled SSH commands.
	// We support the following SSH commands:
	// - "scp". SCP is an experimental feature, we have our own SCP implementation since
	//      we can't rely on the scp system command to properly handle permissions, quota and
	//      the user's home dir restrictions.
	//      The SCP protocol is quite simple but there are no official docs about it,
	//      so we need more testing and feedback before enabling it by default.
	//      We may not handle some borderline cases or may have sneaky bugs.
	//      Please do accurate tests yourself before enabling SCP and let us know
	//      if something does not work as expected for your use cases.
	//      SCP between two remote hosts is supported using the `-3` scp option.
	// - "md5sum", "sha1sum", "sha256sum", "sha384sum", "sha512sum". Useful to check message
	//      digests for uploaded files. These commands are implemented inside SFTPGo so they
	//      work even if the matching system commands are not available, for example on Windows.
	// - "cd", "pwd". Some mobile SFTP clients do not support the SFTP SSH_FXP_REALPATH request and so
	//      they use the "cd" and "pwd" SSH commands to get the initial directory.
	//      Currently `cd` does nothing and `pwd` always returns the "/" path.
	//
	// The following SSH commands are enabled by default: "md5sum", "sha1sum", "cd", "pwd".
	// "*" enables all supported SSH commands.
	EnabledSSHCommands []string `json:"enabled_ssh_commands" mapstructure:"enabled_ssh_commands"`
	// KeyboardInteractiveAuthentication specifies whether keyboard interactive authentication is allowed.
	// If no keyboard interactive hook or auth plugin is defined the default is to prompt for the user password and then the
	// one time authentication code, if defined.
	KeyboardInteractiveAuthentication bool `json:"keyboard_interactive_authentication" mapstructure:"keyboard_interactive_authentication"`
	// Absolute path to an external program or an HTTP URL to invoke for keyboard interactive authentication.
	// Leave empty to disable this authentication mode.
	KeyboardInteractiveHook string `json:"keyboard_interactive_auth_hook" mapstructure:"keyboard_interactive_auth_hook"`
	// PasswordAuthentication specifies whether password authentication is allowed.
	PasswordAuthentication bool `json:"password_authentication" mapstructure:"password_authentication"`
	// Virtual root folder prefix to include in all file operations (ex: /files).
	// The virtual paths used for per-directory permissions, file patterns etc. must not include the folder prefix.
	// The prefix is only applied to SFTP requests; SCP and other SSH commands are automatically disabled if
	// you configure a prefix.
	// This setting can help some migrations from OpenSSH. It is not recommended for general usage.
	FolderPrefix string `json:"folder_prefix" mapstructure:"folder_prefix"`
	// contains filtered or unexported fields
}

Configuration for the SFTP server
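The revoked_user_certs_file format described in the field documentation above, as an added example that is not code from the sftpd package or the SFTPGo project: a Go loader that parses the JSON list, rejects malformed entries instead of skipping them (so a typo cannot silently leave a certificate unrevoked), and checks a certificate's wire encoding against the loaded fingerprints. The fingerprint computation (SHA-256 over the SSH wire-format key, unpadded standard base64, "SHA256:" prefix) is the OpenSSH fingerprint format used in the documented example content; the two fingerprints in the sample are taken from that example, while the certificate blob is constructed and not a real key.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// RevocationList is the parsed content of revoked_user_certs_file: a JSON
// array of "SHA256:<base64>" fingerprints of revoked user certificates.
type RevocationList struct {
	fingerprints map[string]struct{}
}

// ParseRevokedCerts decodes the file content and rejects entries that are not
// well-formed SHA256 fingerprints; a malformed list is an error, not a partial load.
func ParseRevokedCerts(content []byte) (*RevocationList, error) {
	var entries []string
	if err := json.Unmarshal(content, &entries); err != nil {
		return nil, fmt.Errorf("revoked certs file is not a JSON list: %w", err)
	}
	rl := &RevocationList{fingerprints: make(map[string]struct{}, len(entries))}
	for i, fp := range entries {
		if err := checkFingerprint(fp); err != nil {
			return nil, fmt.Errorf("entry %d %q: %w", i, fp, err)
		}
		rl.fingerprints[fp] = struct{}{}
	}
	return rl, nil
}

// checkFingerprint enforces the "SHA256:" prefix and a 32-byte digest
// encoded with unpadded standard base64 (the OpenSSH fingerprint format).
func checkFingerprint(fp string) error {
	const prefix = "SHA256:"
	if !strings.HasPrefix(fp, prefix) {
		return errors.New("missing SHA256: prefix")
	}
	digest, err := base64.RawStdEncoding.DecodeString(strings.TrimPrefix(fp, prefix))
	if err != nil {
		return fmt.Errorf("invalid base64: %w", err)
	}
	if len(digest) != sha256.Size {
		return fmt.Errorf("digest is %d bytes, want %d", len(digest), sha256.Size)
	}
	return nil
}

// FingerprintSHA256 computes the OpenSSH-style fingerprint of a public key or
// certificate from its SSH wire-format encoding.
func FingerprintSHA256(wireKey []byte) string {
	sum := sha256.Sum256(wireKey)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// IsRevoked reports whether the certificate with the given wire encoding is on the list.
func (rl *RevocationList) IsRevoked(wireKey []byte) bool {
	_, ok := rl.fingerprints[FingerprintSHA256(wireKey)]
	return ok
}

// Len returns the number of revoked fingerprints loaded.
func (rl *RevocationList) Len() int { return len(rl.fingerprints) }

// constructedCert stands in for a certificate's wire encoding; it is not a real key.
var constructedCert = []byte("constructed-cert-blob-not-a-real-key")

func main() {
	// The first two entries are the documented example content; the third is
	// the fingerprint of the constructed blob so the lookup below finds it.
	content := []byte(`["SHA256:bsBRHC/xgiqBJdSuvSTNpJNLTISP/G356jNMCRYC5Es",` +
		`"SHA256:119+8cL/HH+NLMawRsJx6CzPF1I3xC+jpM60bQHXGE8",` +
		`"` + FingerprintSHA256(constructedCert) + `"]`)
	rl, err := ParseRevokedCerts(content)
	if err != nil {
		panic(err)
	}
	fmt.Println("loaded", rl.Len(), "revoked fingerprints")
	fmt.Println("constructed cert revoked:", rl.IsRevoked(constructedCert))
	// A malformed entry is rejected rather than ignored.
	_, err = ParseRevokedCerts([]byte(`["MD5:aa:bb:cc"]`))
	fmt.Println("malformed list rejected:", err != nil)
}
```

Because Reload re-reads this file at runtime, a loader that fails closed on a malformed entry is the safer choice: the previous list stays in force and the operator sees an error, instead of a mistyped fingerprint quietly dropping out of the list.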

func (*Configuration) AcceptInboundConnection

func (c *Configuration) AcceptInboundConnection(conn net.Conn, config *ssh.ServerConfig)

AcceptInboundConnection handles an inbound connection to the server instance and determines if the request should be served or not.

func (*Configuration) Initialize

func (c *Configuration) Initialize(configDir string) error

Initialize initializes the SFTP server and adds a persistent listener to handle inbound SFTP connections.

func (*Configuration) ShouldBind

func (c *Configuration) ShouldBind() bool

ShouldBind returns true if there is at least one valid binding
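As an added example, not code from the sftpd package or the SFTPGo project, the following Go program reviews a JSON sftpd configuration section against the field documentation above: the binding rule behind Binding.IsValid and Configuration.ShouldBind (port > 0), the documented max_auth_tries semantics (negative means unlimited, zero means 6), SHA-1 KEX algorithms, the experimental scp command and the "*" wildcard in enabled_ssh_commands, and trusted_user_ca_keys configured without a revoked_user_certs_file. It decodes only the keys it needs into a local struct instead of importing sftpd; both configurations are constructed for the example, and the 127.0.0.1 address, port 2022 and file names are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sftpdConfig mirrors the JSON keys documented for sftpd.Configuration and
// sftpd.Binding; only the fields this review needs are declared (added example).
type sftpdConfig struct {
	Bindings []struct {
		Address string `json:"address"`
		Port    int    `json:"port"`
	} `json:"bindings"`
	MaxAuthTries           int      `json:"max_auth_tries"`
	KexAlgorithms          []string `json:"kex_algorithms"`
	EnabledSSHCommands     []string `json:"enabled_ssh_commands"`
	PasswordAuthentication bool     `json:"password_authentication"`
	TrustedUserCAKeys      []string `json:"trusted_user_ca_keys"`
	RevokedUserCertsFile   string   `json:"revoked_user_certs_file"`
}

// EffectiveMaxAuthTries applies the documented semantics of max_auth_tries:
// a negative value means unlimited (returned as -1), zero means the default of 6.
func EffectiveMaxAuthTries(v int) int {
	switch {
	case v < 0:
		return -1
	case v == 0:
		return 6
	default:
		return v
	}
}

// ReviewConfig decodes a JSON sftpd section and returns the findings a reviewer
// would raise, each derived from a statement in the field documentation.
func ReviewConfig(raw []byte) ([]string, error) {
	var cfg sftpdConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var findings []string
	valid := 0
	for i, b := range cfg.Bindings {
		if b.Port > 0 { // the same rule as Binding.IsValid
			valid++
		} else {
			findings = append(findings, fmt.Sprintf("bindings[%d]: port %d is not > 0, binding is ignored", i, b.Port))
		}
	}
	if valid == 0 {
		findings = append(findings, "no valid binding: the server will not listen (ShouldBind would be false)")
	}
	if EffectiveMaxAuthTries(cfg.MaxAuthTries) < 0 {
		findings = append(findings, "max_auth_tries < 0: unlimited authentication attempts per connection")
	}
	for _, kex := range cfg.KexAlgorithms {
		if strings.HasSuffix(kex, "-sha1") {
			findings = append(findings, "kex_algorithms: "+kex+" uses SHA-1")
		}
	}
	for _, cmd := range cfg.EnabledSSHCommands {
		switch cmd {
		case "*":
			findings = append(findings, `enabled_ssh_commands: "*" enables every supported command, including experimental scp`)
		case "scp":
			findings = append(findings, "enabled_ssh_commands: scp is documented as experimental")
		}
	}
	if len(cfg.TrustedUserCAKeys) > 0 && cfg.RevokedUserCertsFile == "" {
		findings = append(findings, "trusted_user_ca_keys set without revoked_user_certs_file: no revocation list is loaded")
	}
	return findings, nil
}

// Constructed sample configurations: a weak one beside a tightened one.
const weakConfig = `{
  "bindings": [{"address": "", "port": 2022}, {"address": "", "port": 0}],
  "max_auth_tries": -1,
  "kex_algorithms": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1"],
  "enabled_ssh_commands": ["*"],
  "password_authentication": true,
  "trusted_user_ca_keys": ["user_ca.pub"],
  "revoked_user_certs_file": ""
}`

const tightenedConfig = `{
  "bindings": [{"address": "127.0.0.1", "port": 2022}],
  "max_auth_tries": 3,
  "kex_algorithms": ["diffie-hellman-group-exchange-sha256"],
  "enabled_ssh_commands": ["md5sum", "sha256sum", "cd", "pwd"],
  "password_authentication": false,
  "trusted_user_ca_keys": ["user_ca.pub"],
  "revoked_user_certs_file": "revoked_certs.json"
}`

func main() {
	for _, c := range []struct{ name, raw string }{{"weak", weakConfig}, {"tightened", tightenedConfig}} {
		findings, err := ReviewConfig([]byte(c.raw))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The weak sample yields five findings and the tightened one none; the checks are deliberately limited to what the field documentation states, so the program reports the documented effect of a setting rather than an opinion about it.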

type Connection

type Connection struct {
	*common.BaseConnection
	// client's version string
	ClientVersion string
	// Remote address for this connection
	RemoteAddr net.Addr
	LocalAddr  net.Addr
	// contains filtered or unexported fields
}

Connection details for an authenticated user

func (*Connection) Disconnect

func (c *Connection) Disconnect() error

Disconnect disconnects the client by closing the channel

func (*Connection) Filecmd

func (c *Connection) Filecmd(request *sftp.Request) error

Filecmd is the handler for basic SFTP system calls related to files, but not anything to do with reading or writing to those files.

func (*Connection) Filelist

func (c *Connection) Filelist(request *sftp.Request) (sftp.ListerAt, error)

Filelist is the handler for SFTP filesystem list calls. This will handle calls to list the contents of a directory as well as perform file/folder stat calls.

func (*Connection) Fileread

func (c *Connection) Fileread(request *sftp.Request) (io.ReaderAt, error)

Fileread creates a reader for a file on the system and returns the reader back.

func (*Connection) Filewrite

func (c *Connection) Filewrite(request *sftp.Request) (io.WriterAt, error)

Filewrite handles the write actions for a file on the system.

func (*Connection) GetClientVersion

func (c *Connection) GetClientVersion() string

GetClientVersion returns the connected client's version

func (*Connection) GetCommand

func (c *Connection) GetCommand() string

GetCommand returns the SSH command, if any

func (*Connection) GetLocalAddress

func (c *Connection) GetLocalAddress() string

GetLocalAddress returns local connection address

func (*Connection) GetRemoteAddress

func (c *Connection) GetRemoteAddress() string

GetRemoteAddress returns the connected client's address

func (*Connection) Lstat

func (c *Connection) Lstat(request *sftp.Request) (sftp.ListerAt, error)

Lstat implements LstatFileLister interface

func (*Connection) OpenFile

func (c *Connection) OpenFile(request *sftp.Request) (sftp.WriterAtReaderAt, error)

OpenFile implements OpenFileWriter interface

func (*Connection) Readlink

func (c *Connection) Readlink(filePath string) (string, error)

Readlink implements the ReadlinkFileLister interface

func (*Connection) RealPath

func (c *Connection) RealPath(p string) (string, error)

RealPath implements the RealPathFileLister interface

func (*Connection) StatVFS

func (c *Connection) StatVFS(r *sftp.Request) (*sftp.StatVFS, error)

StatVFS implements StatVFSFileCmder interface

type HostKey

type HostKey struct {
	Path        string   `json:"path"`
	Fingerprint string   `json:"fingerprint"`
	Algorithms  []string `json:"algorithms"`
}

HostKey defines the details for a host key in use

func (*HostKey) GetAlgosAsString added in v2.4.6

func (h *HostKey) GetAlgosAsString() string

GetAlgosAsString returns the host key algorithms as a comma-separated string

type Middleware

Middleware defines the interface for SFTP middlewares

type ServiceStatus

type ServiceStatus struct {
	IsActive        bool      `json:"is_active"`
	Bindings        []Binding `json:"bindings"`
	SSHCommands     []string  `json:"ssh_commands"`
	HostKeys        []HostKey `json:"host_keys"`
	Authentications []string  `json:"authentications"`
	MACs            []string  `json:"macs"`
	KexAlgorithms   []string  `json:"kex_algorithms"`
	Ciphers         []string  `json:"ciphers"`
}

ServiceStatus defines the service status

func GetStatus

func GetStatus() ServiceStatus

GetStatus returns the server status

func (*ServiceStatus) GetCiphersAsString added in v2.5.0

func (s *ServiceStatus) GetCiphersAsString() string

GetCiphersAsString returns the enabled ciphers as a comma-separated string

func (*ServiceStatus) GetKEXsAsString added in v2.5.0

func (s *ServiceStatus) GetKEXsAsString() string

GetKEXsAsString returns the enabled KEX algorithms as a comma-separated string

func (*ServiceStatus) GetMACsAsString added in v2.5.0

func (s *ServiceStatus) GetMACsAsString() string

GetMACsAsString returns the enabled MAC algorithms as a comma-separated string

func (*ServiceStatus) GetSSHCommandsAsString

func (s *ServiceStatus) GetSSHCommandsAsString() string

GetSSHCommandsAsString returns the enabled SSH commands as a comma-separated string

func (*ServiceStatus) GetSupportedAuthsAsString

func (s *ServiceStatus) GetSupportedAuthsAsString() string

GetSupportedAuthsAsString returns the supported authentication methods as a comma-separated string

Directories

Path Synopsis
Package mocks is a generated GoMock package.
