Documentation ¶
Index ¶
- Constants
- type Actor
- type ActorList
- type ActorMatcher
- type ActorMatcherSet
- type ActorMatcherSets
- type ConfigList
- type ConfigMatcher
- type ConfigMatcherSet
- type ConfigMatcherSets
- type Configurator
- type MatchConfigLocalIP
- type MatchConfigNot
- func (MatchConfigNot) CaddyModule() caddy.ModuleInfo
- func (m MatchConfigNot) MarshalJSON() ([]byte, error)
- func (m *MatchConfigNot) Provision(ctx caddy.Context) error
- func (m MatchConfigNot) ShouldConfigure(ctx session.ConnConfigMatchingContext) bool
- func (m *MatchConfigNot) UnmarshalJSON(data []byte) error
- type MatchConfigRemoteIP
- type MatchCriticalOption
- type MatchExtension
- type MatchGroup
- type MatchNot
- type MatchRemoteIP
- type MatchUser
- type ProvidedConfig
- type RawActorMatcherSet
- type RawConfigMatcherSet
- type SSH
- type Server
- type ServerConfigurator
- type SignerAdder
- type SignerConfigurator
Constants ¶
const CtxServerName caddySshServerCtxKey = "CtxServerName"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Actor ¶
type Actor struct { // The set of matchers consulted to know whether the Actor should act on a session MatcherSetsRaw RawActorMatcherSet `json:"match,omitempty" caddy:"namespace=ssh.actor_matchers"` // The actor that shall act on the matched session. // "act": { // "action": "<actor name>" // ... actor config // } ActorRaw json.RawMessage `json:"act,omitempty" caddy:"namespace=ssh.actors inline_key=action"` // Whether the session shoul be closed upon execution of the actor Final bool `json:"final,omitempty"` // contains filtered or unexported fields }
Actor is a collection of actor matchers and actors of an ssh session
type ActorList ¶
type ActorList []Actor
ActorList is a list of server actors that can take an action on a session
func (ActorList) ProvisionHandlers ¶
ProvisionHandlers sets up all the handlers by loading the handler modules. Only call this method directly if you need to set up matchers and handlers separately without having to provision a second time; otherwise use Provision instead.
func (ActorList) ProvisionMatchers ¶
ProvisionMatchers sets up all the matchers by loading the matcher modules. Only call this method directly if you need to set up matchers and handlers separately without having to provision a second time; otherwise use Provision instead.
type ActorMatcher ¶
type ActorMatcher interface {
ShouldAct(session.ActorMatchingContext) bool
}
ActorMatcher is an interface used to check whether an actor should act on the session
type ActorMatcherSet ¶
type ActorMatcherSet []ActorMatcher
ActorMatcherSet is a set of matchers which must all match in order for the session to be matched and acted upon.
func (ActorMatcherSet) ShouldAct ¶
func (ms ActorMatcherSet) ShouldAct(session session.ActorMatchingContext) bool
ShouldAct returns true if the session matches all matchers in ms or if there are no matchers.
type ActorMatcherSets ¶
type ActorMatcherSets []ActorMatcherSet
ActorMatcherSets is a group of matcher sets capable of checking whether a session matches any of the sets.
func (ActorMatcherSets) AnyMatch ¶
func (ms ActorMatcherSets) AnyMatch(session session.ActorMatchingContext) bool
AnyMatch returns true if session matches any of the matcher sets in ms or if there are no matchers, in which case the request always matches.
func (ActorMatcherSets) Empty ¶
func (ms ActorMatcherSets) Empty() bool
Empty returns true if the set has no entries
func (*ActorMatcherSets) FromInterface ¶
func (ms *ActorMatcherSets) FromInterface(matcherSets interface{}) error
FromInterface fills ms from an interface{} value obtained from LoadModule.
type ConfigList ¶
type ConfigList []Configurator
ConfigList is a list of server config providers that can custom configure the server based on the session
func (ConfigList) Provision ¶
func (cl ConfigList) Provision(ctx caddy.Context) error
Provision sets up both the matchers and configurators in the configurators.
type ConfigMatcher ¶
type ConfigMatcher interface {
ShouldConfigure(session.ConnConfigMatchingContext) bool
}
ConfigMatcher should return true if the the connection needs to be configured by the accompanying set
type ConfigMatcherSet ¶
type ConfigMatcherSet []ConfigMatcher
ConfigMatcherSet is a set of matchers which must all match in order for the session to be matched and the server is configured.
func (ConfigMatcherSet) ShouldConfigure ¶
func (ms ConfigMatcherSet) ShouldConfigure(ctx session.ConnConfigMatchingContext) bool
ShouldConfigure returns true if the session matches all matchers in ms or if there are no matchers.
type ConfigMatcherSets ¶
type ConfigMatcherSets []ConfigMatcherSet
ConfigMatcherSets is a group of matcher sets capable of checking whether a session matches any of the sets.
func (ConfigMatcherSets) AnyMatch ¶
func (ms ConfigMatcherSets) AnyMatch(ctx session.ConnConfigMatchingContext) bool
AnyMatch returns true if session matches any of the matcher sets in ms or if there are no matchers, in which case the request always matches.
func (ConfigMatcherSets) Empty ¶
func (ms ConfigMatcherSets) Empty() bool
Empty returns true if the set has no entries
func (*ConfigMatcherSets) FromInterface ¶
func (ms *ConfigMatcherSets) FromInterface(matcherSets interface{}) error
FromInterface fills ms from an interface{} value obtained from LoadModule.
type Configurator ¶
type Configurator struct { // The set of matchers consulted to know whether the Actor should act on a session MatcherSetsRaw RawConfigMatcherSet `json:"match,omitempty" caddy:"namespace=ssh.config_matchers"` // The config provider that shall configure the server for the matched session. // "config": { // "loader": "<actor name>" // ... config loader config // } ConfiguratorRaw json.RawMessage `json:"config,omitempty" caddy:"namespace=ssh.config.loaders inline_key=loader"` // contains filtered or unexported fields }
Configurator holds the set of matchers and configurators that will apply custom server configurations if matched
type MatchConfigLocalIP ¶
type MatchConfigLocalIP struct { // The IPs or CIDR ranges to match. Ranges []string `json:"ranges,omitempty"` // contains filtered or unexported fields }
MatchConfigLocalIP matches requests by local IP (or CIDR range).
func (MatchConfigLocalIP) CaddyModule ¶
func (MatchConfigLocalIP) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (*MatchConfigLocalIP) Provision ¶
func (m *MatchConfigLocalIP) Provision(ctx caddy.Context) error
Provision parses m's IP ranges, either from IP or CIDR expressions.
func (MatchConfigLocalIP) ShouldConfigure ¶
func (m MatchConfigLocalIP) ShouldConfigure(ctx session.ConnConfigMatchingContext) bool
ShouldConfigure returns true if ctx should configure m.
type MatchConfigNot ¶
type MatchConfigNot struct { MatcherSetsRaw []caddy.ModuleMap `json:"-" caddy:"namespace=ssh.config_matchers"` MatcherSets []ConfigMatcherSet `json:"-"` }
MatchConfigNot matches requests by negating the results of its matcher sets. A single "not" matcher takes one or more matcher sets. Each matcher set is OR'ed; in other words, if any matcher set returns true, the final result of the "not" matcher is false. Individual matchers within a set work the same (i.e. different matchers in the same set are AND'ed).
NOTE: The generated docs which describe the structure of this module are wrong because of how this type unmarshals JSON in a custom way. The correct structure is:
```json [
{}, {}
] ```
where each of the array elements is a matcher set, i.e. an object keyed by matcher name.
func (MatchConfigNot) CaddyModule ¶
func (MatchConfigNot) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (MatchConfigNot) MarshalJSON ¶
func (m MatchConfigNot) MarshalJSON() ([]byte, error)
MarshalJSON satisfies json.Marshaler by marshaling m's raw matcher sets.
func (*MatchConfigNot) Provision ¶
func (m *MatchConfigNot) Provision(ctx caddy.Context) error
func (MatchConfigNot) ShouldConfigure ¶
func (m MatchConfigNot) ShouldConfigure(ctx session.ConnConfigMatchingContext) bool
ShouldConfigure returns true if r matches m. Since this matcher negates the embedded matchers, false is returned if any of its matcher sets return true.
func (*MatchConfigNot) UnmarshalJSON ¶
func (m *MatchConfigNot) UnmarshalJSON(data []byte) error
UnmarshalJSON satisfies json.Unmarshaler. It puts the JSON bytes directly into m's MatcherSetsRaw field.
type MatchConfigRemoteIP ¶
type MatchConfigRemoteIP struct { // The IPs or CIDR ranges to match. Ranges []string `json:"ranges,omitempty"` // contains filtered or unexported fields }
MatchConfigRemoteIP matches requests by client IP (or CIDR range).
func (MatchConfigRemoteIP) CaddyModule ¶
func (MatchConfigRemoteIP) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (*MatchConfigRemoteIP) Provision ¶
func (m *MatchConfigRemoteIP) Provision(ctx caddy.Context) error
Provision parses m's IP ranges, either from IP or CIDR expressions.
func (MatchConfigRemoteIP) ShouldConfigure ¶
func (m MatchConfigRemoteIP) ShouldConfigure(ctx session.ConnConfigMatchingContext) bool
ShouldConfigure returns true if ctx should configure m.
type MatchCriticalOption ¶
MatchCriticalOption matches request by the value of critical-option of the certificate/user
func (MatchCriticalOption) CaddyModule ¶
func (m MatchCriticalOption) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (MatchCriticalOption) ShouldAct ¶
func (m MatchCriticalOption) ShouldAct(ctx session.ActorMatchingContext) bool
ShouldAct returns true if any of the listed critical-options are in the critical-option of the certificate/user
type MatchExtension ¶
MatchExtension matches request by SSH protocol extension
func (MatchExtension) CaddyModule ¶
func (m MatchExtension) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (MatchExtension) ShouldAct ¶
func (m MatchExtension) ShouldAct(ctx session.ActorMatchingContext) bool
ShouldAct returns true if the requested ssh protocol extension matches any of the listed extensions
type MatchGroup ¶
type MatchGroup struct { Groups []string `json:"groups,omitempty"` // contains filtered or unexported fields }
MatchGroup matches requests by user's group
func (MatchGroup) CaddyModule ¶
func (MatchGroup) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (*MatchGroup) Provision ¶
func (m *MatchGroup) Provision(ctx caddy.Context) error
Provision parses m's user list
func (MatchGroup) ShouldAct ¶
func (m MatchGroup) ShouldAct(session session.ActorMatchingContext) bool
ShouldAct returns true if session should act on m.
type MatchNot ¶
type MatchNot struct { MatcherSetsRaw []caddy.ModuleMap `json:"-" caddy:"namespace=ssh.actor_matchers"` MatcherSets []ActorMatcherSet `json:"-"` }
MatchNot matches requests by negating the results of its matcher sets. A single "not" matcher takes one or more matcher sets. Each matcher set is OR'ed; in other words, if any matcher set returns true, the final result of the "not" matcher is false. Individual matchers within a set work the same (i.e. different matchers in the same set are AND'ed).
NOTE: The generated docs which describe the structure of this module are wrong because of how this type unmarshals JSON in a custom way. The correct structure is:
```json [
{}, {}
] ```
where each of the array elements is a matcher set, i.e. an object keyed by matcher name.
func (MatchNot) CaddyModule ¶
func (MatchNot) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (MatchNot) MarshalJSON ¶
MarshalJSON satisfies json.Marshaler by marshaling m's raw matcher sets.
func (MatchNot) ShouldAct ¶
func (m MatchNot) ShouldAct(r session.ActorMatchingContext) bool
ShouldAct returns true if r matches m. Since this matcher negates the embedded matchers, false is returned if any of its matcher sets return true.
func (*MatchNot) UnmarshalJSON ¶
UnmarshalJSON satisfies json.Unmarshaler. It puts the JSON bytes directly into m's MatcherSetsRaw field.
type MatchRemoteIP ¶
type MatchRemoteIP struct { // The IPs or CIDR ranges to match. Ranges []string `json:"ranges,omitempty"` // contains filtered or unexported fields }
MatchRemoteIP matches requests by client IP (or CIDR range).
func (MatchRemoteIP) CaddyModule ¶
func (MatchRemoteIP) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (*MatchRemoteIP) Provision ¶
func (m *MatchRemoteIP) Provision(ctx caddy.Context) error
Provision parses m's IP ranges, either from IP or CIDR expressions.
func (MatchRemoteIP) ShouldAct ¶
func (m MatchRemoteIP) ShouldAct(r session.ActorMatchingContext) bool
ShouldAct returns true if r matches m.
type MatchUser ¶
type MatchUser struct { Users []string `json:"users,omitempty"` // contains filtered or unexported fields }
MatchUser matches requests by username
func (MatchUser) CaddyModule ¶
func (MatchUser) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
type ProvidedConfig ¶
type ProvidedConfig struct { // The session signers to be loaded. The field takes the form: // "signer": { // "module": "<signer module name>" // ... signer module config // } // If empty, the default module is "fallback", which will load existing keys, or generates and stores them if non-existent. SignerRaw json.RawMessage `json:"signer,omitempty" caddy:"namespace=ssh.signers inline_key=module"` // The allowed key exchanges algorithms. If unspecified then a // default set of algorithms is used. // WARNING: don't set it to anyting (not even empty array) unless you know the risks! KeyExchanges []string `json:"key_exchanges,omitempty"` // The allowed cipher algorithms. If unspecified then a sensible // default is used. // WARNING: don't set it to anyting (not even empty array) unless you know the risks! Ciphers []string `json:"ciphers,omitempty"` // The allowed MAC algorithms. If unspecified then a sensible default // is used. // WARNING: don't set it to anyting (not even empty array) unless you know the risks! MACs []string `json:"ma_cs,omitempty"` // NoClientAuth is true if clients are allowed to connect without // authenticating. NoClientAuth bool `json:"no_client_auth,omitempty"` // MaxAuthTries specifies the maximum number of authentication attempts // permitted per connection. If set to a negative number, the number of // attempts are unlimited. If set to zero, the number of attempts are limited // to 6. MaxAuthTries int `json:"max_auth_tries,omitempty"` // This holds the authentication suite for the various flows Authentication *authentication.Config `json:"authentication,omitempty"` // ServerVersion is the version identification string to announce in // the public handshake. // If empty, a reasonable default is used. // Note that RFC 4253 section 4.2 requires that this string start with // "SSH-2.0-". ServerVersion string `json:"server_version,omitempty"` // contains filtered or unexported fields }
Lifted and merged from golang.org/x/crypto/ssh ProvidedConfig holds server specific configuration data.
func (ProvidedConfig) CaddyModule ¶
func (pc ProvidedConfig) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (*ProvidedConfig) Provision ¶
func (c *ProvidedConfig) Provision(ctx caddy.Context) error
Provision loads and provisions the dynamic modules of the config
func (*ProvidedConfig) ServerConfigCallback ¶
func (c *ProvidedConfig) ServerConfigCallback(ctx session.Context) *gossh.ServerConfig
ServerConfigCallback creates and returns ServerConfig of golang.org/x/crypto/ssh. The values are copied from the ProvidedConfig into the ServerConfig
type RawActorMatcherSet ¶
type RawActorMatcherSet []caddy.ModuleMap
RawActorMatcherSet is a group of matcher sets in their raw, JSON form.
type RawConfigMatcherSet ¶
type RawConfigMatcherSet []caddy.ModuleMap
RawConfigMatcherSet is a group of matcher sets in their raw, JSON form.
type SSH ¶
type SSH struct { // GracePeriod is the duration a server should wait for open connections to close during shutdown // before closing them forcefully GracePeriod caddy.Duration `json:"grace_period,omitempty"` // The set of ssh servers keyed by custom names Servers map[string]*Server `json:"servers,omitempty"` // contains filtered or unexported fields }
SSH is the app providing ssh services
func (SSH) CaddyModule ¶
func (SSH) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
type Server ¶
type Server struct { // Socket addresses to which to bind listeners. Accepts // [network addresses](/docs/conventions#network-addresses) // that may include port ranges. Listener addresses must // be unique; they cannot be repeated across all defined // servers. TCP is the only acceptable network (for now, perhaps). Address string `json:"address,omitempty"` // The configuration of local-forward permission module. The config structure is: // "localforward": { // "forward": "<module name>" // ... config // } // defaults to: { "forward": "deny" } LocalForwardRaw json.RawMessage `json:"localforward,omitempty" caddy:"namespace=ssh.ask.localforward inline_key=forward"` // The configuration of reverse-forward permission module. The config structure is: // "reverseforward": { // "forward": "<module name>" // ... config // } // defaults to: { "reverseforward": "deny" } ReverseForwardRaw json.RawMessage `json:"reverseforward,omitempty" caddy:"namespace=ssh.ask.reverseforward inline_key=forward"` // The configuration of PTY permission module. The config structure is: // "pty": { // "pty": "<module name>" // ... config // } // defaults to: { "forward": "deny" } PtyAskRaw json.RawMessage `json:"pty,omitempty" caddy:"namespace=ssh.ask.pty inline_key=pty"` // connection timeout when no activity, none if empty IdleTimeout caddy.Duration `json:"idle_timeout,omitempty"` // absolute connection timeout, none if empty MaxTimeout caddy.Duration `json:"max_timeout,omitempty"` // The configuration of the authorizer module. The config structure is: // "authorize": { // "authorizer": "<module name>" // ... config // } // default to: { "authorizer": "public" }. AuthorizeRaw json.RawMessage `json:"authorize,omitempty" caddy:"namespace=ssh.session.authorizers inline_key=authorizer"` // The list of defined subsystems in a json structure keyed by the arbitrary name of the subsystem. // TODO: The current implementation is naive and can be expanded to follow the Authorzation and Actors model SubsystemRaw caddy.ModuleMap `json:"subsystems,omitempty" caddy:"namespace=ssh.subsystem"` // List of configurators that could configure the server per matchers and config providers Config ConfigList `json:"configs,omitempty"` // The actors that can act on a session per the matching criteria Actors ActorList `json:"actors,omitempty"` // contains filtered or unexported fields }
type ServerConfigurator ¶
type ServerConfigurator interface {
ServerConfigCallback(session.Context) *gossh.ServerConfig
}
ServerConfigurator is implemented by config loaders which should produce ServerConfig of golang.org/x/crypto/ssh given a session context
type SignerAdder ¶
SignerAdder interface is an abstraction so signer modules can configure *ServerConfig of golang.org/x/crypto/ssh without having to reference it directly to restrict their manipulation to adding hostkeys
type SignerConfigurator ¶
type SignerConfigurator interface {
Configure(session.Context, SignerAdder)
}
SignerConfigurator is the target interface abstraction for signers that load and add keys to a session based on the session context
Directories ¶
Path | Synopsis |
---|---|
package ssh wraps the crypto/ssh package with a higher-level API for building SSH servers.
|
package ssh wraps the crypto/ssh package with a higher-level API for building SSH servers. |