You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

278 lines
8.3 KiB

  1. // Copyright 2011 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. package ssh
  5. import (
  6. "bytes"
  7. "errors"
  8. "fmt"
  9. "net"
  10. "os"
  11. "sync"
  12. "time"
  13. )
  14. // Client implements a traditional SSH client that supports shells,
  15. // subprocesses, TCP port/streamlocal forwarding and tunneled dialing.
  16. type Client struct {
  17. Conn
  18. handleForwardsOnce sync.Once // guards calling (*Client).handleForwards
  19. forwards forwardList // forwarded tcpip connections from the remote side
  20. mu sync.Mutex
  21. channelHandlers map[string]chan NewChannel
  22. }
  23. // HandleChannelOpen returns a channel on which NewChannel requests
  24. // for the given type are sent. If the type already is being handled,
  25. // nil is returned. The channel is closed when the connection is closed.
  26. func (c *Client) HandleChannelOpen(channelType string) <-chan NewChannel {
  27. c.mu.Lock()
  28. defer c.mu.Unlock()
  29. if c.channelHandlers == nil {
  30. // The SSH channel has been closed.
  31. c := make(chan NewChannel)
  32. close(c)
  33. return c
  34. }
  35. ch := c.channelHandlers[channelType]
  36. if ch != nil {
  37. return nil
  38. }
  39. ch = make(chan NewChannel, chanSize)
  40. c.channelHandlers[channelType] = ch
  41. return ch
  42. }
  43. // NewClient creates a Client on top of the given connection.
  44. func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client {
  45. conn := &Client{
  46. Conn: c,
  47. channelHandlers: make(map[string]chan NewChannel, 1),
  48. }
  49. go conn.handleGlobalRequests(reqs)
  50. go conn.handleChannelOpens(chans)
  51. go func() {
  52. conn.Wait()
  53. conn.forwards.closeAll()
  54. }()
  55. return conn
  56. }
  57. // NewClientConn establishes an authenticated SSH connection using c
  58. // as the underlying transport. The Request and NewChannel channels
  59. // must be serviced or the connection will hang.
  60. func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error) {
  61. fullConf := *config
  62. fullConf.SetDefaults()
  63. if fullConf.HostKeyCallback == nil {
  64. c.Close()
  65. return nil, nil, nil, errors.New("ssh: must specify HostKeyCallback")
  66. }
  67. conn := &connection{
  68. sshConn: sshConn{conn: c},
  69. }
  70. if err := conn.clientHandshake(addr, &fullConf); err != nil {
  71. c.Close()
  72. return nil, nil, nil, fmt.Errorf("ssh: handshake failed: %v", err)
  73. }
  74. conn.mux = newMux(conn.transport)
  75. return conn, conn.mux.incomingChannels, conn.mux.incomingRequests, nil
  76. }
  77. // clientHandshake performs the client side key exchange. See RFC 4253 Section
  78. // 7.
  79. func (c *connection) clientHandshake(dialAddress string, config *ClientConfig) error {
  80. if config.ClientVersion != "" {
  81. c.clientVersion = []byte(config.ClientVersion)
  82. } else {
  83. c.clientVersion = []byte(packageVersion)
  84. }
  85. var err error
  86. c.serverVersion, err = exchangeVersions(c.sshConn.conn, c.clientVersion)
  87. if err != nil {
  88. return err
  89. }
  90. c.transport = newClientTransport(
  91. newTransport(c.sshConn.conn, config.Rand, true /* is client */),
  92. c.clientVersion, c.serverVersion, config, dialAddress, c.sshConn.RemoteAddr())
  93. if err := c.transport.waitSession(); err != nil {
  94. return err
  95. }
  96. c.sessionID = c.transport.getSessionID()
  97. return c.clientAuthenticate(config)
  98. }
  99. // verifyHostKeySignature verifies the host key obtained in the key
  100. // exchange.
  101. func verifyHostKeySignature(hostKey PublicKey, result *kexResult) error {
  102. sig, rest, ok := parseSignatureBody(result.Signature)
  103. if len(rest) > 0 || !ok {
  104. return errors.New("ssh: signature parse error")
  105. }
  106. return hostKey.Verify(result.H, sig)
  107. }
  108. // NewSession opens a new Session for this client. (A session is a remote
  109. // execution of a program.)
  110. func (c *Client) NewSession() (*Session, error) {
  111. ch, in, err := c.OpenChannel("session", nil)
  112. if err != nil {
  113. return nil, err
  114. }
  115. return newSession(ch, in)
  116. }
  117. func (c *Client) handleGlobalRequests(incoming <-chan *Request) {
  118. for r := range incoming {
  119. // This handles keepalive messages and matches
  120. // the behaviour of OpenSSH.
  121. r.Reply(false, nil)
  122. }
  123. }
  124. // handleChannelOpens channel open messages from the remote side.
  125. func (c *Client) handleChannelOpens(in <-chan NewChannel) {
  126. for ch := range in {
  127. c.mu.Lock()
  128. handler := c.channelHandlers[ch.ChannelType()]
  129. c.mu.Unlock()
  130. if handler != nil {
  131. handler <- ch
  132. } else {
  133. ch.Reject(UnknownChannelType, fmt.Sprintf("unknown channel type: %v", ch.ChannelType()))
  134. }
  135. }
  136. c.mu.Lock()
  137. for _, ch := range c.channelHandlers {
  138. close(ch)
  139. }
  140. c.channelHandlers = nil
  141. c.mu.Unlock()
  142. }
  143. // Dial starts a client connection to the given SSH server. It is a
  144. // convenience function that connects to the given network address,
  145. // initiates the SSH handshake, and then sets up a Client. For access
  146. // to incoming channels and requests, use net.Dial with NewClientConn
  147. // instead.
  148. func Dial(network, addr string, config *ClientConfig) (*Client, error) {
  149. conn, err := net.DialTimeout(network, addr, config.Timeout)
  150. if err != nil {
  151. return nil, err
  152. }
  153. c, chans, reqs, err := NewClientConn(conn, addr, config)
  154. if err != nil {
  155. return nil, err
  156. }
  157. return NewClient(c, chans, reqs), nil
  158. }
  159. // HostKeyCallback is the function type used for verifying server
  160. // keys. A HostKeyCallback must return nil if the host key is OK, or
  161. // an error to reject it. It receives the hostname as passed to Dial
  162. // or NewClientConn. The remote address is the RemoteAddr of the
  163. // net.Conn underlying the SSH connection.
  164. type HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
  165. // BannerCallback is the function type used for treat the banner sent by
  166. // the server. A BannerCallback receives the message sent by the remote server.
  167. type BannerCallback func(message string) error
  168. // A ClientConfig structure is used to configure a Client. It must not be
  169. // modified after having been passed to an SSH function.
  170. type ClientConfig struct {
  171. // Config contains configuration that is shared between clients and
  172. // servers.
  173. Config
  174. // User contains the username to authenticate as.
  175. User string
  176. // Auth contains possible authentication methods to use with the
  177. // server. Only the first instance of a particular RFC 4252 method will
  178. // be used during authentication.
  179. Auth []AuthMethod
  180. // HostKeyCallback is called during the cryptographic
  181. // handshake to validate the server's host key. The client
  182. // configuration must supply this callback for the connection
  183. // to succeed. The functions InsecureIgnoreHostKey or
  184. // FixedHostKey can be used for simplistic host key checks.
  185. HostKeyCallback HostKeyCallback
  186. // BannerCallback is called during the SSH dance to display a custom
  187. // server's message. The client configuration can supply this callback to
  188. // handle it as wished. The function BannerDisplayStderr can be used for
  189. // simplistic display on Stderr.
  190. BannerCallback BannerCallback
  191. // ClientVersion contains the version identification string that will
  192. // be used for the connection. If empty, a reasonable default is used.
  193. ClientVersion string
  194. // HostKeyAlgorithms lists the key types that the client will
  195. // accept from the server as host key, in order of
  196. // preference. If empty, a reasonable default is used. Any
  197. // string returned from PublicKey.Type method may be used, or
  198. // any of the CertAlgoXxxx and KeyAlgoXxxx constants.
  199. HostKeyAlgorithms []string
  200. // Timeout is the maximum amount of time for the TCP connection to establish.
  201. //
  202. // A Timeout of zero means no timeout.
  203. Timeout time.Duration
  204. }
  205. // InsecureIgnoreHostKey returns a function that can be used for
  206. // ClientConfig.HostKeyCallback to accept any host key. It should
  207. // not be used for production code.
  208. func InsecureIgnoreHostKey() HostKeyCallback {
  209. return func(hostname string, remote net.Addr, key PublicKey) error {
  210. return nil
  211. }
  212. }
  213. type fixedHostKey struct {
  214. key PublicKey
  215. }
  216. func (f *fixedHostKey) check(hostname string, remote net.Addr, key PublicKey) error {
  217. if f.key == nil {
  218. return fmt.Errorf("ssh: required host key was nil")
  219. }
  220. if !bytes.Equal(key.Marshal(), f.key.Marshal()) {
  221. return fmt.Errorf("ssh: host key mismatch")
  222. }
  223. return nil
  224. }
  225. // FixedHostKey returns a function for use in
  226. // ClientConfig.HostKeyCallback to accept only a specific host key.
  227. func FixedHostKey(key PublicKey) HostKeyCallback {
  228. hk := &fixedHostKey{key}
  229. return hk.check
  230. }
  231. // BannerDisplayStderr returns a function that can be used for
  232. // ClientConfig.BannerCallback to display banners on os.Stderr.
  233. func BannerDisplayStderr() BannerCallback {
  234. return func(banner string) error {
  235. _, err := os.Stderr.WriteString(banner)
  236. return err
  237. }
  238. }