sshkrb5

Published: Sep 20, 2023 License: BSD-3-Clause Imports: 8 Imported by: 1

README


GSSAPI middleware for crypto/ssh

The github.com/bodgit/sshkrb5 package implements the GSSAPIClient & GSSAPIServer interfaces in golang.org/x/crypto/ssh.

On non-Windows platforms GSSAPI is supported through either github.com/jcmturner/gokrb5 or github.com/openshift/gssapi. On Windows, SSPI is supported using github.com/alexbrainman/sspi.

It has been tested successfully against OpenSSH.

Sample client:

package main

import (
	"net"
	"os"
	"os/user"

	"github.com/bodgit/sshkrb5"
	"golang.org/x/crypto/ssh"
)

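// main connects to the SSH server named on the command line as the current
// OS user, authenticates with gssapi-with-mic using the credentials the
// current user already holds, runs "whoami" and prints its output.
func main() {
	// os.Args[1] was read unguarded; a missing argument now fails with a
	// usage message instead of an index-out-of-range panic.
	if len(os.Args) != 2 {
		os.Stderr.WriteString("usage: client HOSTNAME\n")
		os.Exit(2)
	}
	hostname := os.Args[1]

	u, err := user.Current()
	if err != nil {
		panic(err)
	}

	gssapi, err := sshkrb5.NewClient()
	if err != nil {
		panic(err)
	}
	defer gssapi.Close()

	config := &ssh.ClientConfig{
		User: u.Username,
		Auth: []ssh.AuthMethod{
			// hostname is also the target the ssh package uses to name the
			// host service principal for the GSSAPI exchange, so it must be
			// the server's real (Kerberos-registered) name, not an alias.
			ssh.GSSAPIWithMICAuthMethod(gssapi, hostname),
		},
		// Demonstration only: gssapi-with-mic authenticates the user to the
		// server, not the server to the client, so a real client must still
		// verify the host key (ssh.FixedHostKey or a known_hosts callback).
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

	client, err := ssh.Dial("tcp", net.JoinHostPort(hostname, "22"), config)
	if err != nil {
		panic(err)
	}
	defer client.Close()

	session, err := client.NewSession()
	if err != nil {
		panic(err)
	}
	defer session.Close()

	b, err := session.Output("whoami")
	if err != nil {
		panic(err)
	}
	if _, err := os.Stdout.Write(b); err != nil {
		panic(err)
	}
}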

Sample server:

package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"log"
	"net"

	"github.com/bodgit/sshkrb5"
	"golang.org/x/crypto/ssh"
)

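// main runs a minimal SSH server on port 22 that accepts gssapi-with-mic
// authentication and discards every channel and request it receives.
func main() {
	// A throwaway host key is enough for the example. A real server loads a
	// persistent key: clients cannot pin a key that changes on every start.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	// Round-trip through PEM so the key is loaded by ssh.ParsePrivateKey
	// exactly as a key file on disk would be.
	buf := new(bytes.Buffer)
	if err := pem.Encode(buf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}); err != nil {
		panic(err)
	}

	private, err := ssh.ParsePrivateKey(buf.Bytes())
	if err != nil {
		panic(err)
	}

	gssapi, err := sshkrb5.NewServer()
	if err != nil {
		panic(err)
	}
	defer gssapi.Close()

	config := &ssh.ServerConfig{
		GSSAPIWithMICConfig: &ssh.GSSAPIWithMICConfig{
			// name is the authenticated GSSAPI source name (the Kerberos
			// principal); c.User() is the login name the client asked for.
			// Returning (nil, nil) lets any authenticated principal log in
			// as any user. A real server must map name to c.User() under
			// its own policy and return an error on mismatch.
			AllowLogin: func(c ssh.ConnMetadata, name string) (*ssh.Permissions, error) {
				return nil, nil
			},
			Server: gssapi,
		},
	}

	config.AddHostKey(private)

	listener, err := net.Listen("tcp", "0.0.0.0:22")
	if err != nil {
		panic(err)
	}
	defer listener.Close()

	// Accept on the main goroutine. Running this loop in a background
	// goroutine lets main return immediately, and the deferred Close then
	// shuts the listener before a single connection is served.
	for {
		conn, err := listener.Accept()
		if err != nil {
			// Accept fails permanently once the listener is closed; stop
			// rather than spin on a dead socket.
			log.Printf("accept: %v", err)
			return
		}

		// Handshake per connection off the accept loop so one slow or
		// hostile peer cannot stall every other client's connection.
		go serveConn(conn, config)
	}
}

// serveConn runs the SSH handshake (including gssapi-with-mic user
// authentication) on conn, then dispatches its channels and discards its
// global requests.
func serveConn(conn net.Conn, config *ssh.ServerConfig) {
	_, chans, reqs, err := ssh.NewServerConn(conn, config)
	if err != nil {
		log.Printf("handshake with %s: %v", conn.RemoteAddr(), err)
		_ = conn.Close() // harmless if the failed handshake already closed it

		return
	}

	go ssh.DiscardRequests(reqs)
	handleChannels(chans)
}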

// handleChannels starts one goroutine per incoming channel and returns once
// chans is closed by the ssh package.
func handleChannels(chans <-chan ssh.NewChannel) {
	for {
		nc, ok := <-chans
		if !ok {
			return
		}

		go handleChannel(nc)
	}
}

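// handleChannel accepts a "session" channel, drains its requests until the
// peer closes it, and rejects every other channel type.
func handleChannel(newChannel ssh.NewChannel) {
	if t := newChannel.ChannelType(); t != "session" {
		_ = newChannel.Reject(ssh.UnknownChannelType, fmt.Sprintf("unknown channel type: %s", t))

		return
	}

	channel, requests, err := newChannel.Accept()
	if err != nil {
		return
	}
	// Accept also returns the channel itself; it must be kept so it can be
	// closed, otherwise every accepted session leaks until the connection
	// drops.
	defer channel.Close()

	// The example does nothing with the session, so reply "no" to each
	// request (pty-req, shell, exec, ...) until the request stream ends.
	// handleChannel already runs on its own goroutine (see handleChannels),
	// so this may block here instead of spawning yet another goroutine.
	ssh.DiscardRequests(requests)
}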

Documentation

Overview

Package sshkrb5 implements the GSSAPIClient and GSSAPIServer interfaces in the golang.org/x/crypto/ssh package.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client implements the ssh.GSSAPIClient interface.

func NewClient

func NewClient(options ...Option[Client]) (*Client, error)

NewClient returns a new Client using the current user.

func NewClientWithCredentials deprecated

func NewClientWithCredentials(domain, username, password string) (*Client, error)

NewClientWithCredentials returns a new Client using the provided credentials.

Deprecated: Use NewClient instead.

func NewClientWithKeytab deprecated

func NewClientWithKeytab(domain, username, path string) (*Client, error)

NewClientWithKeytab returns a new Client using the provided keytab.

Deprecated: Use NewClient instead.

func (*Client) Close

func (c *Client) Close() error

Close deletes any active security context and unloads any underlying libraries as necessary.

func (*Client) DeleteSecContext

func (c *Client) DeleteSecContext() error

DeleteSecContext is called by the ssh.Client to tear down any active security context.

func (*Client) GetMIC

func (c *Client) GetMIC(micField []byte) ([]byte, error)

GetMIC is called by the ssh.Client to authenticate the user using the negotiated security context.

func (*Client) InitSecContext

func (c *Client) InitSecContext(target string, token []byte, isGSSDelegCreds bool) ([]byte, bool, error)

InitSecContext is called by the ssh.Client to initialise or advance the security context.

type Option added in v1.1.0

type Option[T Client | Server] func(*T) error

Option is the signature for all constructor options.

func WithConfig added in v1.2.0

func WithConfig[T Client](config string) Option[T]

WithConfig sets the configuration in the Client.

func WithDomain added in v1.2.0

func WithDomain[T Client](domain string) Option[T]

WithDomain sets the Kerberos domain in the Client.

func WithKeytab added in v1.2.0

func WithKeytab[T Client | Server](keytab string) Option[T]

WithKeytab sets the keytab path in either a Client or Server.

func WithLogger added in v1.1.0

func WithLogger[T Client | Server](logger logr.Logger) Option[T]

WithLogger configures a logr.Logger in either a Client or Server.

func WithPassword added in v1.2.0

func WithPassword[T Client](password string) Option[T]

WithPassword sets the password in the Client.

func WithRealm added in v1.2.0

func WithRealm[T Client](realm string) Option[T]

WithRealm is an alias for WithDomain.

func WithStrictMode added in v1.1.0

func WithStrictMode[T Server](strict bool) Option[T]

WithStrictMode is the equivalent of GSSAPIStrictAcceptorCheck.

func WithUsername added in v1.2.0

func WithUsername[T Client](username string) Option[T]

WithUsername sets the username in the Client.

type Server added in v1.1.0

type Server struct {
	// contains filtered or unexported fields
}

Server implements the ssh.GSSAPIServer interface.

func NewServer added in v1.1.0

func NewServer(options ...Option[Server]) (*Server, error)

NewServer returns a new Server.

func (*Server) AcceptSecContext added in v1.1.0

func (s *Server) AcceptSecContext(token []byte) ([]byte, string, bool, error)

AcceptSecContext is called by the ssh.ServerConn to accept and advance the security context.

func (*Server) Close added in v1.1.0

func (s *Server) Close() error

Close deletes any active security context and unloads any underlying libraries as necessary.

func (*Server) DeleteSecContext added in v1.1.0

func (s *Server) DeleteSecContext() error

DeleteSecContext is called by the ssh.ServerConn to tear down any active security context.

func (*Server) VerifyMIC added in v1.1.0

func (s *Server) VerifyMIC(micField, micToken []byte) error

VerifyMIC is called by the ssh.ServerConn to authenticate the user using the negotiated security context.
