Documentation
Index
- Constants
- type Comparer
- type Config
- func (c Config) InteractiveCallback(ctx session.Context) ...
- func (c Config) PasswordCallback(ctx session.Context) func(conn gossh.ConnMetadata, password []byte) (*gossh.Permissions, error)
- func (c *Config) Provision(ctx caddy.Context) error
- func (c Config) PublicKeyCallback(ctx session.Context) func(conn gossh.ConnMetadata, key gossh.PublicKey) (*gossh.Permissions, error)
- type Group
- type InteractiveFlow
- type PasswordAuthFlow
- type PublicKeyFlow
- type User
- type UserCertificateAuthenticator
- type UserInteractiveAuthenticator
- type UserPasswordAuthenticator
- type UserPublicKeyAuthenticator
Constants
const (
	// The context key pointing to the authenticated user value
	UserCtxKey ctxKey = "user"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Comparer
type Comparer interface {
	// Compare returns true if the result of hashing
	// plaintextPassword with salt is hashedPassword,
	// false otherwise. An error is returned only if
	// there is a technical/configuration error.
	Compare(hashedPassword, plaintextPassword, salt []byte) (bool, error)
}
Comparer is a type that can securely compare a plaintext password with a hashed password in constant time. Comparers should hash the plaintext password and then use constant-time comparison. As defined in github.com/caddyserver/caddy.
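As an added example (not code from this package or from github.com/caddyserver/caddy), a Comparer that re-derives the salted digest from the candidate password and compares it with crypto/subtle, while reporting a missing salt or a malformed stored hash as an error rather than as a failed login. The Comparer interface is redeclared locally so the file runs stand-alone, and HashPassword is an assumed stand-in for whatever produced the stored hash (a memory-hard KDF in a real deployment):

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Comparer mirrors the interface documented on this page (defined in
// github.com/caddyserver/caddy); redeclared here so the example is self-contained.
type Comparer interface {
	Compare(hashedPassword, plaintextPassword, salt []byte) (bool, error)
}

// ErrBadConfig signals a technical/configuration problem. A wrong password
// is never reported this way: it is (false, nil).
var ErrBadConfig = errors.New("comparer: salt empty or stored hash has wrong length")

// HashPassword is an assumed helper standing in for whatever produced the
// stored hash: HMAC-SHA256 keyed with the per-user salt. Not from the page.
func HashPassword(plaintext, salt []byte) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write(plaintext)
	return mac.Sum(nil)
}

// ConstantTimeComparer recomputes the digest and compares with crypto/subtle,
// so the time taken does not reveal how many leading bytes matched.
type ConstantTimeComparer struct{}

func (ConstantTimeComparer) Compare(hashedPassword, plaintextPassword, salt []byte) (bool, error) {
	if len(salt) == 0 || len(hashedPassword) != sha256.Size {
		return false, ErrBadConfig
	}
	// Both inputs are exactly sha256.Size bytes here, so ConstantTimeCompare
	// never takes its early length-mismatch exit.
	candidate := HashPassword(plaintextPassword, salt)
	return subtle.ConstantTimeCompare(hashedPassword, candidate) == 1, nil
}

func main() {
	salt := []byte("constructed-salt-0123") // constructed sample value
	stored := HashPassword([]byte("correct horse battery"), salt)
	var c Comparer = ConstantTimeComparer{}
	ok, err := c.Compare(stored, []byte("correct horse battery"), salt)
	fmt.Println(ok, err) // true <nil>
}
```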
type Config
type Config struct {
	AllowUsers  []string `json:"allow_users,omitempty"`
	DenyUsers   []string `json:"deny_users,omitempty"`
	AllowGroups []string `json:"allow_groups,omitempty"`
	DenyGroups  []string `json:"deny_groups,omitempty"`

	// UsernamePassword holds the configuration of the password-based
	// authentication flow. nil value disables the authentication flow.
	UsernamePassword *PasswordAuthFlow `json:"username_password,omitempty"`

	// PublicKey holds the configuration of the public-key-based
	// authentication flow. nil value disables the authentication flow.
	PublicKey *PublicKeyFlow `json:"public_key,omitempty"`

	// Interactive holds the configuration of the interactive-based
	// authentication flow. nil value disables the authentication flow.
	Interactive *InteractiveFlow `json:"interactive,omitempty"`
	// contains filtered or unexported fields
}
Config holds the configuration of the various authentication flows, including allow/deny users/groups.
func (Config) InteractiveCallback
func (c Config) InteractiveCallback(ctx session.Context) func(conn gossh.ConnMetadata, client gossh.KeyboardInteractiveChallenge) (*gossh.Permissions, error)
InteractiveCallback returns an authentication callback conforming to the interactive authentication callback func needed by ServerConfig of golang.org/x/crypto/ssh. The method returns nil if the field Interactive is nil, which disables interactive authentication.
func (Config) PasswordCallback
func (c Config) PasswordCallback(ctx session.Context) func(conn gossh.ConnMetadata, password []byte) (*gossh.Permissions, error)
PasswordCallback returns an authentication callback conforming to the password callback func needed by ServerConfig of golang.org/x/crypto/ssh. The method returns nil if the field UsernamePassword is nil, which disables password authentication.
func (*Config) Provision
func (c *Config) Provision(ctx caddy.Context) error
Provision sets up the allowed/denied users/groups and provisions the non-nil authentication flows.
func (Config) PublicKeyCallback
func (c Config) PublicKeyCallback(ctx session.Context) func(conn gossh.ConnMetadata, key gossh.PublicKey) (*gossh.Permissions, error)
PublicKeyCallback returns an authentication callback conforming to the public key authentication callback func needed by ServerConfig of golang.org/x/crypto/ssh. The method returns nil if the field PublicKey is nil, which disables public key authentication.
type Group
Group is an abstraction of the group of the authenticated user when stored in the session context.
type InteractiveFlow
type InteractiveFlow struct {
	// A set of authentication providers implementing the UserInteractiveAuthenticator interface. If none are specified,
	// all requests will always be unauthenticated.
	ProvidersRaw caddy.ModuleMap `json:"providers,omitempty" caddy:"namespace=ssh.providers.interactive"`
	// contains filtered or unexported fields
}
InteractiveFlow holds the interactive authentication providers.
func (InteractiveFlow) CaddyModule
func (upf InteractiveFlow) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (*InteractiveFlow) Provision
func (upf *InteractiveFlow) Provision(ctx caddy.Context) error
Provision sets up and loads the providers conforming to the UserInteractiveAuthenticator interface.
type PasswordAuthFlow
type PasswordAuthFlow struct {
	// A set of authentication providers implementing the UserPasswordAuthenticator interface. If none are specified,
	// all requests will always be unauthenticated.
	ProvidersRaw caddy.ModuleMap `json:"providers,omitempty" caddy:"namespace=ssh.authentication.providers.password"`

	PermitEmptyPasswords bool `json:"permit_empty_passwords,omitempty"`
	// contains filtered or unexported fields
}
PasswordAuthFlow holds the password-based authentication providers.
func (PasswordAuthFlow) CaddyModule
func (paf PasswordAuthFlow) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (*PasswordAuthFlow) Provision
func (paf *PasswordAuthFlow) Provision(ctx caddy.Context) error
Provision sets up and loads the providers conforming to the UserPasswordAuthenticator interface.
type PublicKeyFlow
type PublicKeyFlow struct {
	// A set of authentication providers implementing the UserPublicKeyAuthenticator interface. If none are specified,
	// all requests will always be unauthenticated.
	ProvidersRaw caddy.ModuleMap `json:"providers,omitempty" caddy:"namespace=ssh.authentication.providers.public_key"`
	// contains filtered or unexported fields
}
PublicKeyFlow holds the public key authentication providers.
func (PublicKeyFlow) CaddyModule
func (PublicKeyFlow) CaddyModule() caddy.ModuleInfo
This method indicates that the type is a Caddy module. The returned ModuleInfo must have both a name and a constructor function. This method must not have any side-effects.
func (*PublicKeyFlow) Provision
func (pk *PublicKeyFlow) Provision(ctx caddy.Context) error
Provision sets up and loads the providers conforming to the UserPublicKeyAuthenticator interface.
type User
type User interface {
	Uid() string
	Gid() string
	Username() string
	Name() string
	HomeDir() string
	GroupIDs() ([]string, error)
	Groups() []Group
	Metadata() map[string]interface{}
	Permissions() *gossh.Permissions
}
User is the type of the authenticated user when stored in the session context.
type UserCertificateAuthenticator
type UserCertificateAuthenticator interface {
	AuthenticateUser(ctx session.ConnMetadata, key gossh.PublicKey) (User, bool, error)
}
TODO: TBD -- the implementation should take into consideration: https://pkg.go.dev/golang.org/x/crypto/ssh#CertChecker
type UserInteractiveAuthenticator
type UserInteractiveAuthenticator interface {
	AuthenticateUser(conn session.ConnMetadata, client gossh.KeyboardInteractiveChallenge) (User, bool, error)
}
UserInteractiveAuthenticator is the interface authentication providers should implement to be used in ssh.authentication.flows.interactive.
type UserPasswordAuthenticator
type UserPasswordAuthenticator interface {
	AuthenticateUser(ctx session.ConnMetadata, password []byte) (User, bool, error)
}
UserPasswordAuthenticator is the interface authentication providers should implement to be used in ssh.authentication.flows.password_auth.
type UserPublicKeyAuthenticator
type UserPublicKeyAuthenticator interface {
	AuthenticateUser(ctx session.ConnMetadata, key gossh.PublicKey) (User, bool, error)
}
UserPublicKeyAuthenticator is the interface authentication providers should implement to be used in ssh.authentication.flows.public_key.