diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d1fa37d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+go.mod
+go.sum
+_examples/ssh-combo/ssh_host_rsa_key
+_examples/ssh-combo/ssh-combo.exe
+_examples/ssh-combo/ssh_host_rsa_key.pub
diff --git a/_examples/ssh-combo/authorized_keys b/_examples/ssh-combo/authorized_keys
new file mode 100644
index 0000000..1efa623
--- /dev/null
+++ b/_examples/ssh-combo/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEApau/I6sau5qYTeB7Zl8ZMNv3wydh+pJJeMUouIuQnQ3zKUvx9oNmQ8KuibkMTm/29VZsC5aYEpiQZQJdii9TQ+ldm3HSrGfeBkfhRulSAnWfsZorz8TNoj4+LtLLBb/xAkkJ251yKTvQNBnoY8eq89NRlk9v5QtzQJjZXpSfdJSr63t+CwFbf8h7PhlkprG6xPucwFdV7TL3R5muCEUPVWiJIUBgfbrgwe+ouC9Qe9QxboWVj8ufZHqYSZHjyLKbCGumdQyCocCkFauOvRKSSnobRkHNvI6bnO0M8w/hhZn3EEkqeAVvYIwRhX7v6NpfvuO11VZQg+K5qD/vosxE/Q== koka
\ No newline at end of file
diff --git a/_examples/ssh-combo/main.go b/_examples/ssh-combo/main.go
new file mode 100644
index 0000000..80e045a
--- /dev/null
+++ b/_examples/ssh-combo/main.go
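Review bot: The `go.mod` and `go.sum` entries in the new .gitignore have no effect, because both files are already tracked at the repository root and this same commit modifies them; Git only ignores untracked paths. Together with the root go.mod hunk further down, which adds `github.com/pkg/sftp` and `github.com/runletapp/go-console` as requirements of the library module, it reads as if the example was meant to be its own module. Since the go tool skips directories whose name starts with `_`, a later `go mod tidy` at the root would presumably drop those two requires again, while in the meantime every consumer of `github.com/gliderlabs/ssh` has to resolve them; giving `_examples/ssh-combo` its own `go.mod` (with a `replace` directive pointing at the parent directory) keeps the example's dependencies out of the library and makes the two ignore entries unnecessary. Ignoring `ssh_host_rsa_key` and its `.pub` is right, since main.go generates that key on first run.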
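Review bot: This committed key is not inert sample data: main.go embeds the file via `//go:embed authorized_keys` and, when none of the on-disk authorized_keys files yields a key, accepts it as the only allowed login and writes it into the working directory. Every build of the example therefore trusts the holder of the matching private key by default, which is a credential baked into the artifact rather than a configuration choice. Ship this file empty (the embed still compiles) or make the fallback log a message asking the operator to supply their own `authorized_keys`, so that an unconfigured server accepts nobody.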
@@ -0,0 +1,389 @@ +package main + +import ( + "bytes" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "embed" //no lint + "encoding/pem" + "fmt" + "io" + "io/ioutil" + "log" + "os" + "os/exec" + "path" + "path/filepath" + "syscall" + + "github.com/gliderlabs/ssh" + "github.com/pkg/sftp" + "github.com/runletapp/go-console" + gossh "golang.org/x/crypto/ssh" +) + +const ( + sshHostKey = "ssh_host_rsa_key" // OpenSSH for Windows + administratorsAuthorizedKeys = "administrators_authorized_keys" // OpenSSH for Windows + authorizedKeys = "authorized_keys" // stored from embed +) + +var ( + //go:embed authorized_keys + authorized_keys []byte + + //go:embed winpty/* + winpty_deps embed.FS + + key ssh.Signer + allowed []ssh.PublicKey +) + +func SessionRequestCallback(s ssh.Session, requestType string) bool { + log.Println(s.RemoteAddr(), requestType) + return true +} + +func SftpHandler(s ssh.Session) { + debugStream := ioutil.Discard + serverOptions := []sftp.ServerOption{ + sftp.WithDebug(debugStream), + } + server, err := sftp.NewServer( + s, + serverOptions..., + ) + if err != nil { + log.Printf("sftp server init error: %s\n", err) + return + } + if err := server.Serve(); err == io.EOF { + server.Close() + fmt.Println("sftp client exited session.") + } else if err != nil { + fmt.Println("sftp server completed with error:", err) + } +} + +func main() { + log.Println(UnloadEmbeddedDeps()) + cwd, err := os.Getwd() + if err != nil { + log.Fatal(err) + return + } + pri := filepath.Join(cwd, sshHostKey) + pub := filepath.Join(cwd, sshHostKey+".pub") + pemBytes, err := ioutil.ReadFile(pri) + if err != nil { + key, err = generateSigner(pri, pub) + } else { + key, err = gossh.ParsePrivateKey(pemBytes) + } + if err != nil { + log.Fatal(err) + return + } + + for _, akf := range []string{ + filepath.Join(os.ExpandEnv("ProgramData"), administratorsAuthorizedKeys), + filepath.Join(os.ExpandEnv("UserProfile"), ".ssh", authorizedKeys), + filepath.Join(cwd, authorizedKeys), + } { + kk 
:= toAllowed(ioutil.ReadFile(akf)) + allowed = append(allowed, kk...) + } + + if len(allowed) == 0 { + //no files + allowed = toAllowed(authorized_keys, nil) + if len(allowed) > 0 { + ioutil.WriteFile(filepath.Join(cwd, authorizedKeys), authorized_keys, 0644) + } + } + + ForwardedTCPHandler := &ssh.ForwardedTCPHandler{} + + sshd := ssh.Server{ + Addr: ":2222", + ChannelHandlers: map[string]ssh.ChannelHandler{ + "session": ssh.DefaultSessionHandler, + "direct-tcpip": ssh.DirectTCPIPHandler, // ssh -L + }, + RequestHandlers: map[string]ssh.RequestHandler{ + "tcpip-forward": ForwardedTCPHandler.HandleSSHRequest, + "cancel-tcpip-forward": ForwardedTCPHandler.HandleSSHRequest, + }, + LocalPortForwardingCallback: ssh.LocalPortForwardingCallback(func(ctx ssh.Context, dhost string, dport uint32) bool { + log.Println("accepted forward", dhost, dport) // ssh -L x:dhost:dport + return true + }), + ReversePortForwardingCallback: ssh.ReversePortForwardingCallback(func(ctx ssh.Context, host string, port uint32) bool { + log.Println("attempt to bind", host, port, "granted") // ssh -R port:x:x + return true + }), + SubsystemHandlers: map[string]ssh.SubsystemHandler{ + "sftp": SftpHandler, + }, + SessionRequestCallback: SessionRequestCallback, + } + + sshd.AddHostKey(key) + if len(sshd.HostSigners) < 1 { + log.Fatal("host key was not properly added") + return + } + + publicKeyOption := ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) bool { + for _, k := range allowed { + if ssh.KeysEqual(key, k) { + return true + } + } + return false + }) + sshd.SetOption(publicKeyOption) + + ssh.Handle(func(s ssh.Session) { + io.WriteString(s, fmt.Sprintf("user: %s\n", s.User())) + if s.PublicKey() != nil { + authorizedKey := gossh.MarshalAuthorizedKey(s.PublicKey()) + io.WriteString(s, fmt.Sprintf("used public key:\n%s", authorizedKey)) + } + cmdPTY(s) + }) + + log.Println("starting ssh server on", sshd.Addr) + log.Fatal(sshd.ListenAndServe()) +} + +func generateSigner(pri, pub string) 
(ssh.Signer, error) { + key, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return nil, err + } + Bytes := x509.MarshalPKCS1PrivateKey(key) + data := pem.EncodeToMemory(&pem.Block{ + Type: "RSA PRIVATE KEY", + Bytes: Bytes, + }) + ioutil.WriteFile(pri, data, 0644) + + Bytes, err = x509.MarshalPKIXPublicKey(&key.PublicKey) + if err == nil { + data := pem.EncodeToMemory(&pem.Block{ + Type: "RSA PUBLIC KEY", + Bytes: Bytes, + }) + + ioutil.WriteFile(pub, data, 0644) + } + + return gossh.NewSignerFromKey(key) +} + +func powerShell(s ssh.Session) { // reqs <-chan *gossh.Request + const CREATE_NEW_CONSOLE = 0x00000010 + defer s.Close() + args := []string{"powershell.exe", "-NoProfile", "-NoLogo"} + if len(s.Command()) > 0 { + args = append(args, "-command") + args = append(args, s.Command()...) + } + cmd := exec.Command(args[0], args[1:]...) + cmd.SysProcAttr = &syscall.SysProcAttr{ + CreationFlags: 0 + + // syscall.STARTF_USESTDHANDLES + + // CREATE_NEW_CONSOLE + + 0, + } + + stdout, err := cmd.StdoutPipe() + if err != nil { + fmt.Fprint(s, "unable to open stdout pipe", err) + return + } + + cmd.Stderr = cmd.Stdout + stdin, err := cmd.StdinPipe() + if err != nil { + fmt.Fprint(s, "unable to open stdin pipe", err) + return + } + + err = cmd.Start() + if err != nil { + fmt.Fprint(s, "could not start", args, err) + return + } + log.Println(args) + + // go gossh.DiscardRequests(reqs) + go func() { + + buf := make([]byte, 128) + + for { + + n, err := stdout.Read(buf) + if err != nil { + if err != io.EOF { + log.Printf("stdout.Read %s", err) + } + return + } + + _, err = s.Write(buf[:n]) + if err != nil { + log.Printf("s.Write %s", err) + return + } + } + }() + + go func() { + buf := make([]byte, 128) + defer s.Close() + + for { + n, err := s.Read(buf) + if err != nil { + if err != io.EOF { + log.Printf("s.Read %s", err) + } + return + } + + _, err = stdin.Write(buf[:n]) + if err != nil { + if err != io.EOF { + log.Printf("stdin.Write %s", err) + } + return + } 
+ + } + }() + + done := s.Context().Done() + go func() { + defer s.Close() + <-done + log.Println(s.RemoteAddr(), "done") + if cmd != nil && cmd.Process != nil { + cmd.Process.Kill() + } + }() + err = cmd.Wait() + if err != nil { + log.Println(args[0], err) + } +} + +func cmdPTY(s ssh.Session) { + ptyReq, winCh, isPty := s.Pty() + if !isPty { + powerShell(s) + } else { + f, err := console.New(ptyReq.Window.Width, ptyReq.Window.Width) + + if err != nil { + fmt.Fprint(s, "unable to create console", err) + return + } + defer f.Close() + + f.SetENV([]string{"TERM=" + ptyReq.Term}) + args := []string{"cmd.exe"} + if len(s.Command()) > 0 { + args = append(args, "/c") + args = append(args, s.Command()...) + } + err = f.Start(args) + if err != nil { + fmt.Fprint(s, "unable to start", args, err) + return + } + log.Println(args) + + done := s.Context().Done() + go func() { + <-done + log.Println(s.RemoteAddr(), "done") + + if f != nil { + f.Close() + } + }() + + go func() { + for win := range winCh { + f.SetSize(win.Width, win.Height) + } + }() + + defer s.Close() + go func() { + io.Copy(f, s) // stdin + }() + io.Copy(s, f) // stdout + + if _, err := f.Wait(); err != nil { + log.Println(args[0], err) + } + } +} + +func toAllowed(bs []byte, err error) (allowed []ssh.PublicKey) { + if err != nil { + return + } + for _, b := range bytes.Split(bs, []byte("\n")) { + k, _, _, _, err := ssh.ParseAuthorizedKey(b) + if err == nil { + allowed = append(allowed, k) + } + } + return +} + +// github.com/runletapp/go-console +// console_windows.go +func UnloadEmbeddedDeps() (string, error) { + + executableName, err := os.Executable() + if err != nil { + return "", err + } + executableName = filepath.Base(executableName) + + dllDir := filepath.Join(os.TempDir(), fmt.Sprintf("%s_winpty", executableName)) + + if err := os.MkdirAll(dllDir, 0755); err != nil { + return "", err + } + + files := []string{"winpty.dll", "winpty-agent.exe"} + for _, file := range files { + filenameEmbedded := 
fmt.Sprintf("winpty/%s", file)
+ filenameDisk := path.Join(dllDir, file)
+
+ _, statErr := os.Stat(filenameDisk)
+ if statErr == nil {
+ // file is already there, skip it
+ continue
+ }
+
+ data, err := winpty_deps.ReadFile(filenameEmbedded)
+ if err != nil {
+ return "", err
+ }
+
+ if err := ioutil.WriteFile(path.Join(dllDir, file), data, 0644); err != nil {
+ return "", err
+ }
+ }
+
+ return dllDir, nil
+}
diff --git a/_examples/ssh-combo/winpty/winpty-agent.exe b/_examples/ssh-combo/winpty/winpty-agent.exe
new file mode 100644
index 0000000..7b46062
Binary files /dev/null and b/_examples/ssh-combo/winpty/winpty-agent.exe differ
diff --git a/_examples/ssh-combo/winpty/winpty.dll b/_examples/ssh-combo/winpty/winpty.dll
new file mode 100644
index 0000000..30b3bb4
Binary files /dev/null and b/_examples/ssh-combo/winpty/winpty.dll differ
diff --git a/go.mod b/go.mod
index 3810ec8..df370c8 100644
--- a/go.mod
+++ b/go.mod
@@ -1,9 +1,11 @@
 module github.com/gliderlabs/ssh
-go 1.12
+go 1.16
 require (
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
- golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d
+ github.com/pkg/sftp v1.13.6
+ github.com/runletapp/go-console v0.0.0-20211204140000-27323a28410a
+ golang.org/x/crypto v0.1.0
 golang.org/x/term v0.5.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 2baaea8..36cece3 100644
--- a/go.sum
+++ b/go.sum
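Review bot: `generateSigner` persists the freshly generated host private key with `ioutil.WriteFile(pri, data, 0644)` and drops the error, so the key file is created readable by every local account (where the mode is honoured) and a failed write is silent while the server keeps running on a key it never saved; write it as `if err := ioutil.WriteFile(pri, data, 0600); err != nil { return nil, err }` and leave only the `.pub` at `0644`. In `main`, `os.ExpandEnv("ProgramData")` and `os.ExpandEnv("UserProfile")` return the strings unchanged because ExpandEnv substitutes only `$VAR`/`${VAR}` references, so the two system authorized_keys paths become relative paths under the working directory and are never read; `os.Getenv` is what is meant. `LocalPortForwardingCallback`, `ReversePortForwardingCallback` and `SessionRequestCallback` all return true unconditionally, so any authenticated key holder can open arbitrary tunnels through the host; acceptable for a demo, but worth a comment stating that the example deliberately grants everything. In `cmdPTY`, `console.New(ptyReq.Window.Width, ptyReq.Window.Width)` passes the width twice; the second argument presumably should be `ptyReq.Window.Height`. In `UnloadEmbeddedDeps`, an existing file is skipped after a bare `os.Stat` without checking that it matches the embedded copy, and `path.Join` is used for a Windows filesystem path where `filepath.Join` is the portable choice; comparing the on-disk bytes with the `winpty_deps.ReadFile` output before skipping would keep a stale or foreign DLL in the shared temp directory from being loaded.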
@@ -1,15 +1,61 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= +github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI= +github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/iamacarpet/go-winpty v1.0.2 h1:jwPVTYrjAHZx6Mcm6K5i9G4opMp5TblEHH5EQCl/Gzw= +github.com/iamacarpet/go-winpty v1.0.2/go.mod h1:/GHKJicG/EVRQIK1IQikMYBakBkhj/3hTjLgdzYsmpI= +github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8= +github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= +github.com/pkg/sftp v1.13.6 h1:JFZT4XbOU7l77xGSpOdW+pwIMqP044IyjXX6FGyEKFo= +github.com/pkg/sftp v1.13.6/go.mod h1:tz1ryNURKu77RL+GuCzmoJYxQczL3wLNNpPWagdg4Qk= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/runletapp/go-console v0.0.0-20211204140000-27323a28410a h1:1hh8CSomjZSJPk7AgHV8o33Su13bZby81PrC6pIvJqQ= +github.com/runletapp/go-console v0.0.0-20211204140000-27323a28410a/go.mod h1:9Y3jw1valnPKqsYSsBWxQNAuxqNSBuwd2ZEeElxgNUI= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +golang.org/x/crypto 
v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d h1:3qF+Z8Hkrw9sOhrFHti9TlB1Hkac1x+DNRkv0XQiFjo= golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= +golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys 
v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=