README
¶
nassh-relay
Basic implementation of the nassh relay protocol in Go. This can be used for relaying SSH sessions in the ChromeOS SSH app, but worth noting is that it doesn't contain any SSH specific code - it could be used to relay any TCP connections.
This repository doesn't contain any usable client/server implementations, it's just a library. An example bastion that uses OpenID Connect for auth can be found in https://github.com/lstoll/ssh-bastion.
Documentation
¶
Index ¶
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func LoginSessionID ¶
LoginSessionID returns the identifier of the login session from the given context
func RemoteAddr ¶
RemoteAddr returns the remote address of the caller
func SSHSessionID ¶
SSHSessionID returns the identifier of the relay session
Types ¶
type Relay ¶
type Relay struct {
// Logger to output information to. If not set, it will be initialized to a
// null logger.
Logger logrus.FieldLogger
// Dialer is called to establish the connection to the backend. If not set,
// the host:port is dialed with a default net.Dialer
Dialer func(ctx context.Context, add string) (io.ReadWriteCloser, error)
// HTTPSession is a HTTP session store. It is used to track state across
// calls. It should be resistent to tampering, to ensure sessions are not
// spoofed. If not set, it will be initialized to a new cookie store with a
// random secret on first use.
HTTPSession sessions.Store
// contains filtered or unexported fields
}
Relay is a server implementation of the nassh relay protocol.
Example ¶
// Bare minimum server
r := Relay{}
m := http.NewServeMux()
// cookie is the URL the client calls first
m.HandleFunc("/cookie", func(w http.ResponseWriter, req *http.Request) {
// this is where you'd handle your authentication flow.
// Assuming auth is done, this is the last step to continue the SSH
// process.
userID := "User from auth flow"
authSessID := "unique ID to track this login flow"
ext := req.URL.Query().Get("ext")
path := req.URL.Query().Get("path")
version := req.URL.Query().Get("version")
method := req.URL.Query().Get("method")
r.StartSession(w, req, userID, authSessID, ext, path, version, method)
})
m.HandleFunc("/proxy", r.ProxyHandler)
m.HandleFunc("/connect", r.ConnectHandler)
Output:
func (*Relay) ConnectHandler ¶
func (r *Relay) ConnectHandler(w http.ResponseWriter, req *http.Request)
ConnectHandler handles the /connect from the client https://chromium.googlesource.com/apps/libapps/+show/c4b90ef4973513b8e9052f0cff56e8717dc9faf9/nassh/doc/relay-protocol.md#178
func (*Relay) ProxyHandler ¶
func (r *Relay) ProxyHandler(w http.ResponseWriter, req *http.Request)
ProxyHandler starts the remote connection. Serve at /proxy https://chromium.googlesource.com/apps/libapps/+show/c4b90ef4973513b8e9052f0cff56e8717dc9faf9/nassh/doc/relay-protocol.md#153
func (*Relay) StartSession ¶
func (r *Relay) StartSession(w http.ResponseWriter, req *http.Request, userID, loginSessID, ext, path, version, method string)
StartSession should be called at the end of the authentication flow that was initialized by a call to /cookie . userID corresponds to a unique identifier for the user, for tracking. loginSessID can track the auth session in use, for referencing later on. The values of ext, path, version, and method should correspond to the query values for the original /cookie call. It should be provided an unused ResponseWriter
Source Files