internalcaddyssh

package
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 15, 2023 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const CtxServerName caddySshServerCtxKey = "CtxServerName"

Variables

This section is empty.

Functions

This section is empty.

Types

type Actor 

type Actor struct {
	// The set of matchers consulted to know whether the Actor should act on a session
	MatcherSetsRaw RawActorMatcherSet `json:"match,omitempty" caddy:"namespace=ssh.actor_matchers"`

	// The actor that shall act on the matched session.
	// "act": {
	// 		"action": "<actor name>"
	// 		... actor config
	// }
	ActorRaw json.RawMessage `json:"act,omitempty" caddy:"namespace=ssh.actors inline_key=action"`

	// Whether the session shoul be closed upon execution of the actor
	Final bool `json:"final,omitempty"`
	// contains filtered or unexported fields
}

Actor is a collection of actor matchers and actors of an ssh session

type ActorList 

type ActorList []Actor

ActorList is a list of server actors that can take an action on a session

func (ActorList) Provision 

func (routes ActorList) Provision(ctx caddy.Context) error

Provision sets up both the matchers and handlers in the actors.

func (ActorList) ProvisionHandlers 

func (actors ActorList) ProvisionHandlers(ctx caddy.Context) error

ProvisionHandlers sets up all the handlers by loading the handler modules. Only call this method directly if you need to set up matchers and handlers separately without having to provision a second time; otherwise use Provision instead.

func (ActorList) ProvisionMatchers 

func (actors ActorList) ProvisionMatchers(ctx caddy.Context) error

ProvisionMatchers sets up all the matchers by loading the matcher modules. Only call this method directly if you need to set up matchers and handlers separately without having to provision a second time; otherwise use Provision instead.

type ActorMatcher 

type ActorMatcher interface {
	ShouldAct(session.ActorMatchingContext) bool
}

ActorMatcher is an interface used to check whether an actor should act on the session

type ActorMatcherSet 

type ActorMatcherSet []ActorMatcher

ActorMatcherSet is a set of matchers which must all match in order for the session to be matched and acted upon.

func (ActorMatcherSet) ShouldAct 

func (ms ActorMatcherSet) ShouldAct(session session.ActorMatchingContext) bool

ShouldAct returns true if the session matches all matchers in ms or if there are no matchers.

type ActorMatcherSets 

type ActorMatcherSets []ActorMatcherSet

ActorMatcherSets is a group of matcher sets capable of checking whether a session matches any of the sets.

func (ActorMatcherSets) AnyMatch 

func (ms ActorMatcherSets) AnyMatch(session session.ActorMatchingContext) bool

AnyMatch returns true if session matches any of the matcher sets in ms or if there are no matchers, in which case the request always matches.

func (ActorMatcherSets) Empty 

func (ms ActorMatcherSets) Empty() bool

Empty returns true if the set has no entries

func (*ActorMatcherSets) FromInterface 

func (ms *ActorMatcherSets) FromInterface(matcherSets interface{}) error

FromInterface fills ms from an interface{} value obtained from LoadModule.

type ConfigList 

type ConfigList []Configurator

ConfigList is a list of server config providers that can custom configure the server based on the session

func (ConfigList) Provision 

func (cl ConfigList) Provision(ctx caddy.Context) error

Provision sets up both the matchers and configurators in the configurators.

type ConfigMatcher 

type ConfigMatcher interface {
	ShouldConfigure(session.ConnConfigMatchingContext) bool
}

ConfigMatcher should return true if the the connection needs to be configured by the accompanying set

type ConfigMatcherSet 

type ConfigMatcherSet []ConfigMatcher

ConfigMatcherSet is a set of matchers which must all match in order for the session to be matched and the server is configured.

func (ConfigMatcherSet) ShouldConfigure 

func (ms ConfigMatcherSet) ShouldConfigure(ctx session.ConnConfigMatchingContext) bool

ShouldConfigure returns true if the session matches all matchers in ms or if there are no matchers.

type ConfigMatcherSets 

type ConfigMatcherSets []ConfigMatcherSet

ConfigMatcherSets is a group of matcher sets capable of checking whether a session matches any of the sets.

func (ConfigMatcherSets) AnyMatch 

func (ms ConfigMatcherSets) AnyMatch(ctx session.ConnConfigMatchingContext) bool

AnyMatch returns true if session matches any of the matcher sets in ms or if there are no matchers, in which case the request always matches.

func (ConfigMatcherSets) Empty 

func (ms ConfigMatcherSets) Empty() bool

Empty returns true if the set has no entries

func (*ConfigMatcherSets) FromInterface 

func (ms *ConfigMatcherSets) FromInterface(matcherSets interface{}) error

FromInterface fills ms from an interface{} value obtained from LoadModule.

type Configurator 

type Configurator struct {
	// The set of matchers consulted to know whether the Actor should act on a session
	MatcherSetsRaw RawConfigMatcherSet `json:"match,omitempty" caddy:"namespace=ssh.config_matchers"`

	// The config provider that shall configure the server for the matched session.
	// "config": {
	// 		"loader": "<actor name>"
	// 		... config loader config
	// }
	ConfiguratorRaw json.RawMessage `json:"config,omitempty" caddy:"namespace=ssh.config.loaders inline_key=loader"`
	// contains filtered or unexported fields
}

Configurator holds the set of matchers and configurators that will apply custom server configurations if matched

type MatchConfigLocalIP 

type MatchConfigLocalIP struct {
	// The IPs or CIDR ranges to match.
	Ranges []string `json:"ranges,omitempty"`
	// contains filtered or unexported fields
}

MatchConfigLocalIP matches requests by local IP (or CIDR range).

func (MatchConfigLocalIP) CaddyModule 

func (MatchConfigLocalIP) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (*MatchConfigLocalIP) Provision 

func (m *MatchConfigLocalIP) Provision(ctx caddy.Context) error

Provision parses m's IP ranges, either from IP or CIDR expressions.

func (MatchConfigLocalIP) ShouldConfigure 

func (m MatchConfigLocalIP) ShouldConfigure(ctx session.ConnConfigMatchingContext) bool

ShouldConfigure returns true if ctx should configure m.

type MatchConfigNot 

type MatchConfigNot struct {
	MatcherSetsRaw []caddy.ModuleMap  `json:"-" caddy:"namespace=ssh.config_matchers"`
	MatcherSets    []ConfigMatcherSet `json:"-"`
}

MatchConfigNot matches requests by negating the results of its matcher sets. A single "not" matcher takes one or more matcher sets. Each matcher set is OR'ed; in other words, if any matcher set returns true, the final result of the "not" matcher is false. Individual matchers within a set work the same (i.e. different matchers in the same set are AND'ed).

NOTE: The generated docs which describe the structure of this module are wrong because of how this type unmarshals JSON in a custom way. The correct structure is:

```json [ 

{},
{}

] ```

where each of the array elements is a matcher set, i.e. an object keyed by matcher name.

func (MatchConfigNot) CaddyModule 

func (MatchConfigNot) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (MatchConfigNot) MarshalJSON 

func (m MatchConfigNot) MarshalJSON() ([]byte, error)

MarshalJSON satisfies json.Marshaler by marshaling m's raw matcher sets.

func (*MatchConfigNot) Provision 

func (m *MatchConfigNot) Provision(ctx caddy.Context) error

func (MatchConfigNot) ShouldConfigure 

func (m MatchConfigNot) ShouldConfigure(ctx session.ConnConfigMatchingContext) bool

ShouldConfigure returns true if r matches m. Since this matcher negates the embedded matchers, false is returned if any of its matcher sets return true.

func (*MatchConfigNot) UnmarshalJSON 

func (m *MatchConfigNot) UnmarshalJSON(data []byte) error

UnmarshalJSON satisfies json.Unmarshaler. It puts the JSON bytes directly into m's MatcherSetsRaw field.

type MatchConfigRemoteIP 

type MatchConfigRemoteIP struct {
	// The IPs or CIDR ranges to match.
	Ranges []string `json:"ranges,omitempty"`
	// contains filtered or unexported fields
}

MatchConfigRemoteIP matches requests by client IP (or CIDR range).

func (MatchConfigRemoteIP) CaddyModule 

func (MatchConfigRemoteIP) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (*MatchConfigRemoteIP) Provision 

func (m *MatchConfigRemoteIP) Provision(ctx caddy.Context) error

Provision parses m's IP ranges, either from IP or CIDR expressions.

func (MatchConfigRemoteIP) ShouldConfigure 

func (m MatchConfigRemoteIP) ShouldConfigure(ctx session.ConnConfigMatchingContext) bool

ShouldConfigure returns true if ctx should configure m.

type MatchCriticalOption 

type MatchCriticalOption map[string][]string

MatchCriticalOption matches request by the value of critical-option of the certificate/user

func (MatchCriticalOption) CaddyModule 

func (m MatchCriticalOption) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (MatchCriticalOption) ShouldAct 

func (m MatchCriticalOption) ShouldAct(ctx session.ActorMatchingContext) bool

ShouldAct returns true if any of the listed critical-options are in the critical-option of the certificate/user

type MatchExtension 

type MatchExtension map[string][]string

MatchExtension matches request by SSH protocol extension

func (MatchExtension) CaddyModule 

func (m MatchExtension) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (MatchExtension) ShouldAct 

func (m MatchExtension) ShouldAct(ctx session.ActorMatchingContext) bool

ShouldAct returns true if the requested ssh protocol extension matches any of the listed extensions

type MatchGroup 

type MatchGroup struct {
	Groups []string `json:"groups,omitempty"`
	// contains filtered or unexported fields
}

MatchGroup matches requests by user's group

func (MatchGroup) CaddyModule 

func (MatchGroup) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (*MatchGroup) Provision 

func (m *MatchGroup) Provision(ctx caddy.Context) error

Provision parses m's user list

func (MatchGroup) ShouldAct 

func (m MatchGroup) ShouldAct(session session.ActorMatchingContext) bool

ShouldAct returns true if session should act on m.

type MatchNot 

type MatchNot struct {
	MatcherSetsRaw []caddy.ModuleMap `json:"-" caddy:"namespace=ssh.actor_matchers"`
	MatcherSets    []ActorMatcherSet `json:"-"`
}

MatchNot matches requests by negating the results of its matcher sets. A single "not" matcher takes one or more matcher sets. Each matcher set is OR'ed; in other words, if any matcher set returns true, the final result of the "not" matcher is false. Individual matchers within a set work the same (i.e. different matchers in the same set are AND'ed).

NOTE: The generated docs which describe the structure of this module are wrong because of how this type unmarshals JSON in a custom way. The correct structure is:

```json [ 

{},
{}

] ```

where each of the array elements is a matcher set, i.e. an object keyed by matcher name.

func (MatchNot) CaddyModule 

func (MatchNot) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (MatchNot) MarshalJSON 

func (m MatchNot) MarshalJSON() ([]byte, error)

MarshalJSON satisfies json.Marshaler by marshaling m's raw matcher sets.

func (*MatchNot) Provision 

func (m *MatchNot) Provision(ctx caddy.Context) error

Provision loads the matcher modules to be negated.

func (MatchNot) ShouldAct 

func (m MatchNot) ShouldAct(r session.ActorMatchingContext) bool

ShouldAct returns true if r matches m. Since this matcher negates the embedded matchers, false is returned if any of its matcher sets return true.

func (*MatchNot) UnmarshalJSON 

func (m *MatchNot) UnmarshalJSON(data []byte) error

UnmarshalJSON satisfies json.Unmarshaler. It puts the JSON bytes directly into m's MatcherSetsRaw field.

type MatchRemoteIP 

type MatchRemoteIP struct {
	// The IPs or CIDR ranges to match.
	Ranges []string `json:"ranges,omitempty"`
	// contains filtered or unexported fields
}

MatchRemoteIP matches requests by client IP (or CIDR range).

func (MatchRemoteIP) CaddyModule 

func (MatchRemoteIP) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (*MatchRemoteIP) Provision 

func (m *MatchRemoteIP) Provision(ctx caddy.Context) error

Provision parses m's IP ranges, either from IP or CIDR expressions.

func (MatchRemoteIP) ShouldAct 

func (m MatchRemoteIP) ShouldAct(r session.ActorMatchingContext) bool

ShouldAct returns true if r matches m.

type MatchUser 

type MatchUser struct {
	Users []string `json:"users,omitempty"`
	// contains filtered or unexported fields
}

MatchUser matches requests by username

func (MatchUser) CaddyModule 

func (MatchUser) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (*MatchUser) Provision 

func (m *MatchUser) Provision(ctx caddy.Context) error

Provision parses m's user list

func (MatchUser) ShouldAct 

func (m MatchUser) ShouldAct(session session.ActorMatchingContext) bool

ShouldAct returns true if session should act on m.

type ProvidedConfig 

type ProvidedConfig struct {
	// The session signers to be loaded. The field takes the form:
	// "signer": {
	// 		"module": "<signer module name>"
	// 		... signer module config
	// }
	// If empty, the default module is "fallback", which will load existing keys, or generates and stores them if non-existent.
	SignerRaw json.RawMessage `json:"signer,omitempty"  caddy:"namespace=ssh.signers inline_key=module"`

	// The allowed key exchanges algorithms. If unspecified then a
	// default set of algorithms is used.
	// WARNING: don't set it to anyting (not even empty array) unless you know the risks!
	KeyExchanges []string `json:"key_exchanges,omitempty"`

	// The allowed cipher algorithms. If unspecified then a sensible
	// default is used.
	// WARNING: don't set it to anyting (not even empty array) unless you know the risks!
	Ciphers []string `json:"ciphers,omitempty"`

	// The allowed MAC algorithms. If unspecified then a sensible default
	// is used.
	// WARNING: don't set it to anyting (not even empty array) unless you know the risks!
	MACs []string `json:"ma_cs,omitempty"`

	// NoClientAuth is true if clients are allowed to connect without
	// authenticating.
	NoClientAuth bool `json:"no_client_auth,omitempty"`

	// MaxAuthTries specifies the maximum number of authentication attempts
	// permitted per connection. If set to a negative number, the number of
	// attempts are unlimited. If set to zero, the number of attempts are limited
	// to 6.
	MaxAuthTries int `json:"max_auth_tries,omitempty"`

	// This holds the authentication suite for the various flows
	Authentication *authentication.Config `json:"authentication,omitempty"`

	// ServerVersion is the version identification string to announce in
	// the public handshake.
	// If empty, a reasonable default is used.
	// Note that RFC 4253 section 4.2 requires that this string start with
	// "SSH-2.0-".
	ServerVersion string `json:"server_version,omitempty"`
	// contains filtered or unexported fields
}

Lifted and merged from golang.org/x/crypto/ssh ProvidedConfig holds server specific configuration data.

func (ProvidedConfig) CaddyModule 

func (pc ProvidedConfig) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (*ProvidedConfig) Provision 

func (c *ProvidedConfig) Provision(ctx caddy.Context) error

Provision loads and provisions the dynamic modules of the config

func (*ProvidedConfig) ServerConfigCallback 

func (c *ProvidedConfig) ServerConfigCallback(ctx session.Context) *gossh.ServerConfig

ServerConfigCallback creates and returns ServerConfig of golang.org/x/crypto/ssh. The values are copied from the ProvidedConfig into the ServerConfig

type RawActorMatcherSet 

type RawActorMatcherSet []caddy.ModuleMap

RawActorMatcherSet is a group of matcher sets in their raw, JSON form.

type RawConfigMatcherSet 

type RawConfigMatcherSet []caddy.ModuleMap

RawConfigMatcherSet is a group of matcher sets in their raw, JSON form.

type SSH 

type SSH struct {
	// GracePeriod is the duration a server should wait for open connections to close during shutdown
	// before closing them forcefully
	GracePeriod caddy.Duration `json:"grace_period,omitempty"`

	// The set of ssh servers keyed by custom names
	Servers map[string]*Server `json:"servers,omitempty"`
	// contains filtered or unexported fields
}

SSH is the app providing ssh services

func (SSH) CaddyModule 

func (SSH) CaddyModule() caddy.ModuleInfo

This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.

func (*SSH) Provision 

func (app *SSH) Provision(ctx caddy.Context) error

Provision sets up the configuration for the SSH app.

func (*SSH) Start 

func (app *SSH) Start() error

Start starts the SSH app.

func (*SSH) Stop 

func (app *SSH) Stop() error

Stop stops the SSH app.

type Server 

type Server struct {
	// Socket addresses to which to bind listeners. Accepts
	// [network addresses](/docs/conventions#network-addresses)
	// that may include port ranges. Listener addresses must
	// be unique; they cannot be repeated across all defined
	// servers. TCP is the only acceptable network (for now, perhaps).
	Address string `json:"address,omitempty"`

	// The configuration of local-forward permission module. The config structure is:
	// "localforward": {
	// 		"forward": "<module name>"
	// 		... config
	// }
	// defaults to: { "forward": "deny" }
	LocalForwardRaw json.RawMessage `json:"localforward,omitempty" caddy:"namespace=ssh.ask.localforward inline_key=forward"`

	// The configuration of reverse-forward permission module. The config structure is:
	// "reverseforward": {
	// 		"forward": "<module name>"
	// 		... config
	// }
	// defaults to: { "reverseforward": "deny" }
	ReverseForwardRaw json.RawMessage `json:"reverseforward,omitempty" caddy:"namespace=ssh.ask.reverseforward inline_key=forward"`

	// The configuration of PTY permission module. The config structure is:
	// "pty": {
	// 		"pty": "<module name>"
	// 		... config
	// }
	// defaults to: { "forward": "deny" }
	PtyAskRaw json.RawMessage `json:"pty,omitempty" caddy:"namespace=ssh.ask.pty inline_key=pty"`

	// connection timeout when no activity, none if empty
	IdleTimeout caddy.Duration `json:"idle_timeout,omitempty"`
	// absolute connection timeout, none if empty
	MaxTimeout caddy.Duration `json:"max_timeout,omitempty"`

	// The configuration of the authorizer module. The config structure is:
	// "authorize": {
	// 		"authorizer": "<module name>"
	// 		... config
	// }
	// default to: { "authorizer": "public" }.
	AuthorizeRaw json.RawMessage `json:"authorize,omitempty" caddy:"namespace=ssh.session.authorizers inline_key=authorizer"`

	// The list of defined subsystems in a json structure keyed by the arbitrary name of the subsystem.
	// TODO: The current implementation is naive and can be expanded to follow the Authorzation and Actors model
	SubsystemRaw caddy.ModuleMap `json:"subsystems,omitempty" caddy:"namespace=ssh.subsystem"`

	// List of configurators that could configure the server per matchers and config providers
	Config ConfigList `json:"configs,omitempty"`

	// The actors that can act on a session per the matching criteria
	Actors ActorList `json:"actors,omitempty"`
	// contains filtered or unexported fields
}

type ServerConfigurator 

type ServerConfigurator interface {
	ServerConfigCallback(session.Context) *gossh.ServerConfig
}

ServerConfigurator is implemented by config loaders which should produce ServerConfig of golang.org/x/crypto/ssh given a session context

type SignerAdder 

type SignerAdder interface {
	AddHostKey(key gossh.Signer)
}

SignerAdder interface is an abstraction so signer modules can configure *ServerConfig of golang.org/x/crypto/ssh without having to reference it directly to restrict their manipulation to adding hostkeys

type SignerConfigurator 

type SignerConfigurator interface {
	Configure(session.Context, SignerAdder)
}

SignerConfigurator is the target interface abstraction for signers that load and add keys to a session based on the session context

Source Files

View all Source files

Directories

Path Synopsis
ca
os
static
pty
passwd
ssh
package ssh wraps the crypto/ssh package with a higher-level API for building SSH servers.
 package ssh wraps the crypto/ssh package with a higher-level API for building SSH servers.
_examples/ssh-docker
_examples/ssh-forwardagent
_examples/ssh-pty
_examples/ssh-publickey
_examples/ssh-remoteforward
_examples/ssh-simple
_examples/ssh-timeouts

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.