Merge pull request gliderlabs#15 from stokito/master

progrium · web-flow · commit 870190fb2a83 · 2023-12-15T14:43:47.000-06:00
Use go modules
diff --git a/Makefile b/Makefile
@@ -4,15 +4,19 @@ ARCH=$(shell uname -m)
 RMFLAG=--rm
 VERSION=0.2.1
 
-build:
+build/Linux/sshfront:
 	mkdir -p build/Linux && GOOS=linux CGO_ENABLED=0 go build -a \
 		-ldflags "-X main.Version=$(VERSION)" \
 		-installsuffix cgo \
-		-o build/Linux/$(NAME)
+		-o build/Linux/$(NAME) ./cmd/sshfront
+
+build/Darwin/sshfront:
 	mkdir -p build/Darwin && GOOS=darwin CGO_ENABLED=0 go build -a \
 		-ldflags "-X main.Version=$(VERSION)" \
 		-installsuffix cgo \
-		-o build/Darwin/$(NAME)
+		-o build/Darwin/$(NAME) ./cmd/sshfront
+
+build: build/Linux/sshfront build/Darwin/sshfront
 
 deps:
 	go get -u github.com/progrium/gh-release/...
diff --git a/README.md b/README.md
@@ -7,67 +7,80 @@ A lightweight SSH server frontend where authentication and connections
 are controlled with command handlers / shell scripts.
 
 ## Using sshfront
-```
-Usage: ./sshfront [options] <handler>
 
-  -a="": authentication hook. empty=allow all
-  -d=false: debug mode
-  -e=false: pass environment to handler
-  -h="0.0.0.0": ip to listen on
-  -k="~/.ssh/id_rsa": private host key path
-  -p="22": port to listen on
-```
+
+    Usage: ./sshfront [options] <handler>
+    
+      -a="": authentication hook. empty=allow all
+      -d=false: debug mode
+      -e=false: pass environment to handler
+      -h="0.0.0.0": ip to listen on
+      -k="~/.ssh/id_rsa": private host key path
+      -p="22": port to listen on
 
 
 #### handler $command...
 
- * `$command...` command line arguments specified to run by the SSH client
+`$command...` command line arguments specified to run by the SSH client
 
-The handler is a command that's used to handle all SSH connections. Output, stderr, and the exit code is returned to the client. If the client provides stdin, that's passed to the handler.
+The handler is a command that's used to handle all SSH connections.
+Output, stderr, and the exit code is returned to the client.
+If the client provides stdin, that's passed to the handler.
 
-If the authentication hook was specified, any output is parsed as environment variables and added to the handler environment. `$USER` is always the SSH user used to connect and `$SSH_ORIGINAL_COMMAND` is the command specified from the client if not interactive.
+If the authentication hook was specified, any output is parsed as environment variables and added to the handler environment.
+`$USER` is always the SSH user used to connect and `$SSH_ORIGINAL_COMMAND` is the command specified from the client if not interactive.
 
 #### auth-hook $user $key
 
  * `$user` argument is the name of the user being used to attempt the connection
  * `$key` argument is the public key data being provided for authentication
 
-The auth hook is a command used for authenticating incoming SSH connections. If it returns with exit status 0, the connection will be allowed, otherwise it will be denied. The output of auth hook must be empty, or key-value pairs in the form `KEY=value` separated by newlines, which will be added to the environment of connection handler.
+The auth hook is a command used for authenticating incoming SSH connections.
+If it returns with exit status 0, the connection will be allowed, otherwise it will be denied.
+The output of auth hook must be empty, or key-value pairs in the form `KEY=value` separated by newlines, which will be added to the environment of connection handler.
 
 The auth hook is optional, but if not specified then all connections are allowed.
 It is a good idea to always specify an auth hook.
 
+
+See example/authcheck auth hook that checks that the pub key is authorized. Usage:
+
+    sshfront -a example/authcheck
+
+
 ## Examples
 
 **Many of these bypass authentication and may allow remote execution, *do not* run this in production.**
 
 Echo server:
 
-```
-server$ sshfront $(which echo)
-client$ ssh $SERVER "hello world"
-hello world
-```
+    server$ sshfront $(which echo)
+    client$ ssh $SERVER "hello world"
+    hello world
 
 Echo host's environment to clients:
 
-```
-server$ sshfront -e $(env)
-client$ ssh $SERVER
-USER=root
-HOME=/root
-LANG=en_US.UTF-8
-...
-```
+    server$ sshfront -e $(env)
+    client$ ssh $SERVER
+    USER=root
+    HOME=/root
+    LANG=en_US.UTF-8
+    ...
 
 Bash server:
 
-```
-server$ sshfront $(which bash)
-client$ ssh $SERVER
-bash-4.3$ echo "this is a bash instance running on the server"
-this is a bash instance running on the server
-```
+    server$ sshfront $(which bash)
+    client$ ssh $SERVER
+    bash-4.3$ echo "this is a bash instance running on the server"
+    this is a bash instance running on the server
+
+
+SSH forwarding:
+
+    server$ sshfront example/sshforward
+    client$ ssh alice@$SERVER
+    Forward ssh alice@another.server...
+    Welcome to another.server
 
 
 ## Sponsors
diff --git a/cmd/sshfront/sshfront.go b/cmd/sshfront/sshfront.go
@@ -3,6 +3,7 @@ package main
 import (
 	"flag"
 	"fmt"
+	. "github.com/gliderlabs/sshfront/internal"
 	"log"
 	"net"
 	"os"
@@ -12,36 +13,21 @@ import (
 
 var Version string
 
-var (
-	listenHost = flag.String("h", "0.0.0.0", "ip to listen on")
-	listenPort = flag.String("p", "22", "port to listen on")
-	hostKey    = flag.String("k", "~/.ssh/id_rsa", "private host key path")
-	authHook   = flag.String("a", "", "authentication hook. empty=allow all")
-	debugMode  = flag.Bool("d", false, "debug mode")
-	useEnv     = flag.Bool("e", false, "pass environment to handler")
-)
-
-func debug(v ...interface{}) {
-	if *debugMode {
-		log.Println(v...)
-	}
-}
-
 func handleConn(conn net.Conn, conf *ssh.ServerConfig) {
 	defer conn.Close()
 	sshConn, chans, reqs, err := ssh.NewServerConn(conn, conf)
 	if err != nil {
-		debug("handshake failed:", err)
+		Debug("handshake failed:", err)
 		return
 	}
 	go ssh.DiscardRequests(reqs)
 	for ch := range chans {
 		if ch.ChannelType() != "session" {
 			ch.Reject(ssh.UnknownChannelType, "unsupported channel type")
-			debug("channel rejected, unsupported type:", ch.ChannelType())
+			Debug("channel rejected, unsupported type:", ch.ChannelType())
 			continue
 		}
-		go handleChannel(sshConn, ch)
+		go HandleChannel(sshConn, ch)
 	}
 }
 
@@ -61,14 +47,14 @@ func main() {
 
 	config := &ssh.ServerConfig{
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
-			return handleAuth(conn, key)
+			return HandleAuth(conn, key)
 		},
 	}
-	setupHostKey(config)
+	SetupHostKey(config)
 
-	var listenAddr string
-	if listenAddr = os.Getenv("SSHFRONT_LISTEN"); listenAddr == "" {
-		listenAddr = fmt.Sprintf("%s:%s", *listenHost, *listenPort)
+	listenAddr := os.Getenv("SSHFRONT_LISTEN")
+	if listenAddr == "" {
+		listenAddr = net.JoinHostPort(*ListenHost, *ListenPort)
 	}
 
 	log.Printf("sshfront v%s listening on %s ...\n", Version, listenAddr)
@@ -80,7 +66,7 @@ func main() {
 	for {
 		conn, err := listener.Accept()
 		if err != nil {
-			debug("accept failed:", err)
+			Debug("accept failed:", err)
 			continue
 		}
 		go handleConn(conn, config)
diff --git a/example/authcheck b/example/authcheck
@@ -1,2 +1,3 @@
 #!/bin/bash
+# check that the user's pubkey is authorized
 grep "$2" "/home/$1/.ssh/authorized_keys" > /dev/null 2>&1
diff --git a/example/helloworld b/example/helloworld
@@ -1,6 +1,8 @@
 #!/bin/bash
-echo "Hello world: $@"
+echo "Execute command: $@"
+echo "Env vars:"
 env
+# if FD = 1 then this is an interactive shell
 if [[ -t 1 ]]; then
   exec bash
 fi
diff --git a/example/sshforward b/example/sshforward
@@ -0,0 +1,3 @@
+#!/bin/bash
+echo "Forward ssh ${USER}@localhost..."
+ssh "${USER}@localhost"
diff --git a/go.mod b/go.mod
@@ -0,0 +1,14 @@
+module github.com/gliderlabs/sshfront
+
+go 1.21.3
+
+require (
+	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568
+	github.com/kr/pty v1.1.8
+	golang.org/x/crypto v0.16.0
+)
+
+require (
+	github.com/creack/pty v1.1.21 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -0,0 +1,14 @@
+github.com/creack/pty v1.1.7 h1:6pwm8kMQKCmgUg0ZHTm5+/YvRK0s3THD/28+T6/kk4A=
+github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
+github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
+github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
+github.com/kr/pty v1.1.8 h1:AkaSdXYQOWeaO3neb8EM634ahkXXe3jYbVh/F9lq+GI=
+github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
diff --git a/internal/config.go b/internal/config.go
@@ -0,0 +1,21 @@
+package internal
+
+import (
+	"flag"
+	"log"
+)
+
+var (
+	ListenHost = flag.String("h", "0.0.0.0", "ip to listen on")
+	ListenPort = flag.String("p", "22", "port to listen on")
+	HostKey    = flag.String("k", "~/.ssh/id_rsa", "private host key path")
+	AuthHook   = flag.String("a", "", "authentication hook. empty=allow all")
+	DebugMode  = flag.Bool("d", false, "debug mode")
+	UseEnv     = flag.Bool("e", false, "pass environment to handler")
+)
+
+func Debug(v ...interface{}) {
+	if *DebugMode {
+		log.Println(v...)
+	}
+}
diff --git a/internal/handlers.go b/internal/handlers.go
@@ -1,4 +1,4 @@
-package main
+package internal
 
 import (
 	"bytes"
@@ -57,8 +57,8 @@ func handlerCmd(handler string, appendArgs ...string) (*exec.Cmd, error) {
 	return exec.Command(execPath, append(args, appendArgs...)...), nil
 }
 
-func handleAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
-	if *authHook == "" {
+func HandleAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+	if *AuthHook == "" {
 		// allow all
 		return &ssh.Permissions{
 			Extensions: map[string]string{
@@ -67,8 +67,8 @@ func handleAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, err
 		}, nil
 	}
 
-	keydata := string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key)))
-	cmd, err := handlerCmd(*authHook, conn.User(), keydata)
+	pubKey := string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key)))
+	cmd, err := handlerCmd(*AuthHook, conn.User(), pubKey)
 	if err != nil {
 		return nil, err
 	}
@@ -87,11 +87,11 @@ func handleAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, err
 			},
 		}, nil
 	}
-	debug("authentication hook status:", status.Status)
+	Debug("authentication hook status:", status.Status)
 	return nil, fmt.Errorf("authentication failed")
 }
 
-func handleChannel(conn *ssh.ServerConn, newChan ssh.NewChannel) {
+func HandleChannel(conn *ssh.ServerConn, newChan ssh.NewChannel) {
 	ch, reqs, err := newChan.Accept()
 	if err != nil {
 		log.Println("newChan.Accept failed:", err)
@@ -100,7 +100,7 @@ func handleChannel(conn *ssh.ServerConn, newChan ssh.NewChannel) {
 
 	// Setup stdout/stderr
 	var stdout, stderr io.Writer
-	if *debugMode {
+	if *DebugMode {
 		stdout = io.MultiWriter(ch, os.Stdout)
 		stderr = io.MultiWriter(ch.Stderr(), os.Stdout)
 	} else {
@@ -115,7 +115,7 @@ func handleChannel(conn *ssh.ServerConn, newChan ssh.NewChannel) {
 	}
 
 	// Load default environment
-	if *useEnv {
+	if *UseEnv {
 		handler.Env = os.Environ()
 	}
 	if conn.Permissions != nil {
@@ -192,6 +192,8 @@ func (h *sshHandler) handleEnv(req *ssh.Request) {
 	req.Reply(true, nil)
 }
 
+// handleExec when executed a command e.g.
+// ssh user@localhost -p 2222 'echo Hello'
 func (h *sshHandler) handleExec(req *ssh.Request) {
 	h.Lock()
 	defer h.Unlock()
@@ -200,14 +202,14 @@ func (h *sshHandler) handleExec(req *ssh.Request) {
 	ssh.Unmarshal(req.Payload, &payload)
 	cmdargs, err := shlex.Split(payload.Value)
 	if err != nil {
-		debug("failed exec split:", err)
+		Debug("failed exec split:", err)
 		h.channel.Close()
 		return
 	}
 
 	cmd, err := handlerCmd(flag.Arg(0), cmdargs...)
 	if err != nil {
-		debug("failed handler init:", err)
+		Debug("failed handler init:", err)
 		h.channel.Close()
 		return
 	}
@@ -234,6 +236,8 @@ func (h *sshHandler) handleExec(req *ssh.Request) {
 	h.Exit(cmd.Run())
 }
 
+// handlePty when executed a command e.g.
+// ssh user@localhost -p 2222
 func (h *sshHandler) handlePty(req *ssh.Request) {
 	h.Lock()
 	defer h.Unlock()
@@ -246,9 +250,10 @@ func (h *sshHandler) handlePty(req *ssh.Request) {
 
 	width, height, okSize := parsePtyRequest(req.Payload)
 
-	cmd, err := handlerCmd(flag.Arg(0))
+	scriptName := flag.Arg(0)
+	cmd, err := handlerCmd(scriptName)
 	if err != nil {
-		debug("failed handler init:", err)
+		Debug("failed handler init:", err)
 		h.channel.Close()
 		return
 	}
diff --git a/internal/keys.go b/internal/keys.go
diff --git a/internal/pty.go b/internal/pty.go

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`#!/bin/bash`
	`2`	`+# check that the user's pubkey is authorized`
`2`	`3`	`grep "$2" "/home/$1/.ssh/authorized_keys" > /dev/null 2>&1`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+#!/bin/bash`
	`2`	`+echo "Forward ssh ${USER}@localhost..."`
	`3`	`+ssh "${USER}@localhost"`