sshportal/main.go

package main // import "moul.io/sshportal"

import (
	"fmt"
	"log"
	"math"
	"math/rand"
	"net"
	"os"
	"path"
	"time"

	"github.com/jinzhu/gorm"
	_ "github.com/jinzhu/gorm/dialects/mysql"
	_ "github.com/jinzhu/gorm/dialects/sqlite"
	"github.com/moul/ssh"
	"github.com/urfave/cli"
	gossh "golang.org/x/crypto/ssh"
)

var (
	// Version should be updated by hand at each release
	Version = "1.9.0+dev"
	// GitTag will be overwritten automatically by the build system
	GitTag string
	// GitSha will be overwritten automatically by the build system
	GitSha string
	// GitBranch will be overwritten automatically by the build system
	GitBranch string
)

func main() {
	rand.Seed(time.Now().UnixNano())

	app := cli.NewApp()
	app.Name = path.Base(os.Args[0])
	app.Author = "Manfred Touron"
	app.Version = Version + " (" + GitSha + ")"
	app.Email = "https://moul.io/sshportal"
	app.Commands = []cli.Command{
		{
			Name:  "server",
			Usage: "Start sshportal server",
			Action: func(c *cli.Context) error {
				if err := ensureLogDirectory(c.String("logs-location")); err != nil {
					return err
				}
				cfg, err := parseServeConfig(c)
				if err != nil {
					return err
				}
				return server(cfg)
			},
			Flags: []cli.Flag{
				cli.StringFlag{
					Name:   "bind-address, b",
					EnvVar: "SSHPORTAL_BIND",
					Value:  ":2222",
					Usage:  "SSH server bind address",
				},
				cli.StringFlag{
					Name:   "db-driver",
					EnvVar: "SSHPORTAL_DB_DRIVER",
					Value:  "sqlite3",
					Usage:  "GORM driver (sqlite3)",
				},
				cli.StringFlag{
					Name:   "db-conn",
					EnvVar: "SSHPORTAL_DATABASE_URL",
					Value:  "./sshportal.db",
					Usage:  "GORM connection string",
				},
				cli.BoolFlag{
					Name:   "debug, D",
					EnvVar: "SSHPORTAL_DEBUG",
					Usage:  "Display debug information",
				},
				cli.StringFlag{
					Name:   "aes-key",
					EnvVar: "SSHPORTAL_AES_KEY",
					Usage:  "Encrypt sensitive data in database (length: 16, 24 or 32)",
				},
				cli.StringFlag{
					Name:   "logs-location",
					EnvVar: "SSHPORTAL_LOGS_LOCATION",
					Value:  "./log",
					Usage:  "Store user session files",
				},
				cli.DurationFlag{
					Name:  "idle-timeout",
					Value: 0,
					Usage: "Duration before an inactive connection is timed out (0 to disable)",
				},
			},
		}, {
			Name:   "healthcheck",
			Action: func(c *cli.Context) error { return healthcheck(c.String("addr"), c.Bool("wait"), c.Bool("quiet")) },
			Flags: []cli.Flag{
				cli.StringFlag{
					Name:  "addr, a",
					Value: "localhost:2222",
					Usage: "sshportal server address",
				},
				cli.BoolFlag{
					Name:  "wait, w",
					Usage: "Loop indefinitely until sshportal is ready",
				},
				cli.BoolFlag{
					Name:  "quiet, q",
					Usage: "Do not print errors, if any",
				},
			},
		}, {
			Name:   "_test_server",
			Hidden: true,
			Action: testServer,
		},
	}
	if err := app.Run(os.Args); err != nil {
		log.Fatalf("error: %v", err)
	}
}

var defaultChannelHandler ssh.ChannelHandler

func server(c *configServe) (err error) {
	var db = (*gorm.DB)(nil)

	// try to setup the local DB
	if db, err = gorm.Open(c.dbDriver, c.dbURL); err != nil {
		return
	}
	defer func() {
		origErr := err
		err = db.Close()
		if origErr != nil {
			err = origErr
		}
	}()
	if err = db.DB().Ping(); err != nil {
		return
	}
	db.LogMode(c.debug)
	if err = dbInit(db); err != nil {
		return
	}

	// create TCP listening socket
	ln, err := net.Listen("tcp", c.bindAddr)
	if err != nil {
		return err
	}

	// configure server
	srv := &ssh.Server{
		Addr:    c.bindAddr,
		Handler: shellHandler, // ssh.Server.Handler is the handler for the DefaultSessionHandler
		Version: fmt.Sprintf("sshportal-%s", Version),
	}

	// configure channel handler
	defaultSessionHandler := srv.GetChannelHandler("session")
	defaultDirectTcpipHandler := srv.GetChannelHandler("direct-tcpip")
	defaultChannelHandler = func(srv *ssh.Server, conn *gossh.ServerConn, newChan gossh.NewChannel, ctx ssh.Context) {
		switch newChan.ChannelType() {
		case "session":
			go defaultSessionHandler(srv, conn, newChan, ctx)
		case "direct-tcpip":
			go defaultDirectTcpipHandler(srv, conn, newChan, ctx)
		default:
			if err := newChan.Reject(gossh.UnknownChannelType, "unsupported channel type"); err != nil {
				log.Printf("failed to reject chan: %v", err)
			}
		}
	}
	srv.SetChannelHandler("session", nil)
	srv.SetChannelHandler("direct-tcpip", nil)
	srv.SetChannelHandler("default", channelHandler)

	if c.idleTimeout != 0 {
		srv.IdleTimeout = c.idleTimeout
		// gliderlabs/ssh requires MaxTimeout to be non-zero if we want to use IdleTimeout.
		// So, set it to the max value, because we don't want a max timeout.
		srv.MaxTimeout = math.MaxInt64
	}

	for _, opt := range []ssh.Option{
		// custom PublicKeyAuth handler
		ssh.PublicKeyAuth(publicKeyAuthHandler(db, c)),
		ssh.PasswordAuth(passwordAuthHandler(db, c)),
		// retrieve sshportal SSH private key from database
		privateKeyFromDB(db, c.aesKey),
	} {
		if err := srv.SetOption(opt); err != nil {
			return err
		}
	}

	log.Printf("info: SSH Server accepting connections on %s, idle-timout=%v", c.bindAddr, c.idleTimeout)
	return srv.Serve(ln)
}
chore: use moul.io/sshportal canonical url 2018-11-16 22:36:14 +08:00			`package main // import "moul.io/sshportal"`
POC 2017-09-30 19:12:43 +08:00
			`import (`
			`"fmt"`
			`"log"`
add timeout and flag 2018-11-16 02:38:18 +08:00			`"math"`
Set random seed properly 2017-11-14 08:29:25 +08:00			`"math/rand"`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00			`"net"`
POC 2017-09-30 19:12:43 +08:00			`"os"`
			`"path"`
Set random seed properly 2017-11-14 08:29:25 +08:00			`"time"`
POC 2017-09-30 19:12:43 +08:00
Add database 2017-10-30 23:48:14 +08:00			`"github.com/jinzhu/gorm"`
Add --debug options + mysql driver 2017-10-31 00:12:04 +08:00			`_ "github.com/jinzhu/gorm/dialects/mysql"`
Add database 2017-10-30 23:48:14 +08:00			`_ "github.com/jinzhu/gorm/dialects/sqlite"`
build: switch to go modules 2018-11-16 17:24:18 +08:00			`"github.com/moul/ssh"`
POC 2017-09-30 19:12:43 +08:00			`"github.com/urfave/cli"`
build: switch to go modules 2018-11-16 17:24:18 +08:00			`gossh "golang.org/x/crypto/ssh"`
POC 2017-09-30 19:12:43 +08:00			`)`

Use dynamic version 2017-11-14 07:38:23 +08:00			`var (`
Lint code + fix tests 2017-12-04 01:18:17 +08:00			`// Version should be updated by hand at each release`
Post-release version bump 2018-11-18 22:48:42 +08:00			`Version = "1.9.0+dev"`
Lint code + fix tests 2017-12-04 01:18:17 +08:00			`// GitTag will be overwritten automatically by the build system`
			`GitTag string`
			`// GitSha will be overwritten automatically by the build system`
			`GitSha string`
			`// GitBranch will be overwritten automatically by the build system`
			`GitBranch string`
Use dynamic version 2017-11-14 07:38:23 +08:00			`)`
Add 'version' command 2017-11-02 05:09:08 +08:00
POC 2017-09-30 19:12:43 +08:00			`func main() {`
Set random seed properly 2017-11-14 08:29:25 +08:00			`rand.Seed(time.Now().UnixNano())`

POC 2017-09-30 19:12:43 +08:00			`app := cli.NewApp()`
			`app.Name = path.Base(os.Args[0])`
			`app.Author = "Manfred Touron"`
Lint code + fix tests 2017-12-04 01:18:17 +08:00			`app.Version = Version + " (" + GitSha + ")"`
chore: use moul.io/sshportal canonical url 2018-11-16 22:36:14 +08:00			`app.Email = "https://moul.io/sshportal"`
Use `sshportal server` instead of `sshportal` to start a new server 2017-12-31 23:31:25 +08:00			`app.Commands = []cli.Command{`
			`{`
main: remove globalContext, and move some functions outside of the main 2018-01-07 02:46:00 +08:00			`Name: "server",`
			`Usage: "Start sshportal server",`
			`Action: func(c *cli.Context) error {`
			`if err := ensureLogDirectory(c.String("logs-location")); err != nil {`
			`return err`
			`}`
			`cfg, err := parseServeConfig(c)`
			`if err != nil {`
			`return err`
			`}`
			`return server(cfg)`
			`},`
Use `sshportal server` instead of `sshportal` to start a new server 2017-12-31 23:31:25 +08:00			`Flags: []cli.Flag{`
			`cli.StringFlag{`
			`Name: "bind-address, b",`
			`EnvVar: "SSHPORTAL_BIND",`
			`Value: ":2222",`
			`Usage: "SSH server bind address",`
			`},`
			`cli.StringFlag{`
Add ability to set DB driver and DB credentials from environment variables 2018-11-19 19:49:31 +08:00			`Name: "db-driver",`
			`EnvVar: "SSHPORTAL_DB_DRIVER",`
			`Value: "sqlite3",`
			`Usage: "GORM driver (sqlite3)",`
Use `sshportal server` instead of `sshportal` to start a new server 2017-12-31 23:31:25 +08:00			`},`
			`cli.StringFlag{`
Add ability to set DB driver and DB credentials from environment variables 2018-11-19 19:49:31 +08:00			`Name: "db-conn",`
			`EnvVar: "SSHPORTAL_DATABASE_URL",`
			`Value: "./sshportal.db",`
			`Usage: "GORM connection string",`
Use `sshportal server` instead of `sshportal` to start a new server 2017-12-31 23:31:25 +08:00			`},`
			`cli.BoolFlag{`
Add ability to set DB driver and DB credentials from environment variables 2018-11-19 19:49:31 +08:00			`Name: "debug, D",`
			`EnvVar: "SSHPORTAL_DEBUG",`
			`Usage: "Display debug information",`
Use `sshportal server` instead of `sshportal` to start a new server 2017-12-31 23:31:25 +08:00			`},`
			`cli.StringFlag{`
Add ability to set DB driver and DB credentials from environment variables 2018-11-19 19:49:31 +08:00			`Name: "aes-key",`
			`EnvVar: "SSHPORTAL_AES_KEY",`
			`Usage: "Encrypt sensitive data in database (length: 16, 24 or 32)",`
Use `sshportal server` instead of `sshportal` to start a new server 2017-12-31 23:31:25 +08:00			`},`
add audit feature. 2018-01-02 23:31:34 +08:00			`cli.StringFlag{`
Add ability to set DB driver and DB credentials from environment variables 2018-11-19 19:49:31 +08:00			`Name: "logs-location",`
			`EnvVar: "SSHPORTAL_LOGS_LOCATION",`
			`Value: "./log",`
			`Usage: "Store user session files",`
add audit feature. 2018-01-02 23:31:34 +08:00			`},`
add timeout and flag 2018-11-16 02:38:18 +08:00			`cli.DurationFlag{`
			`Name: "idle-timeout",`
			`Value: 0,`
			`Usage: "Duration before an inactive connection is timed out (0 to disable)",`
			`},`
Use `sshportal server` instead of `sshportal` to start a new server 2017-12-31 23:31:25 +08:00			`},`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00			`}, {`
			`Name: "healthcheck",`
main: remove globalContext, and move some functions outside of the main 2018-01-07 02:46:00 +08:00			`Action: func(c *cli.Context) error { return healthcheck(c.String("addr"), c.Bool("wait"), c.Bool("quiet")) },`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00			`Flags: []cli.Flag{`
			`cli.StringFlag{`
			`Name: "addr, a",`
			`Value: "localhost:2222",`
Add healthcheck --wait and --quiet options 2018-01-01 17:54:58 +08:00			`Usage: "sshportal server address",`
			`},`
			`cli.BoolFlag{`
			`Name: "wait, w",`
			`Usage: "Loop indefinitely until sshportal is ready",`
			`},`
			`cli.BoolFlag{`
			`Name: "quiet, q",`
			`Usage: "Do not print errors, if any",`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00			`},`
			`},`
Add '_test_server' hidden handler 2018-01-02 17:57:18 +08:00			`}, {`
			`Name: "_test_server",`
			`Hidden: true,`
			`Action: testServer,`
Add option to encrypt sensitive data 2017-11-24 21:29:41 +08:00			`},`
POC 2017-09-30 19:12:43 +08:00			`}`
Return a better message when running without the demo mode 2017-11-02 17:32:35 +08:00			`if err := app.Run(os.Args); err != nil {`
			`log.Fatalf("error: %v", err)`
			`}`
POC 2017-09-30 19:12:43 +08:00			`}`

build: switch to go modules 2018-11-16 17:24:18 +08:00			`var defaultChannelHandler ssh.ChannelHandler`

main: remove globalContext, and move some functions outside of the main 2018-01-07 02:46:00 +08:00			`func server(c *configServe) (err error) {`
			`var db = (*gorm.DB)(nil)`

			`// try to setup the local DB`
			`if db, err = gorm.Open(c.dbDriver, c.dbURL); err != nil {`
			`return`
Add database 2017-10-30 23:48:14 +08:00			`}`
Lint code + fix tests 2017-12-04 01:18:17 +08:00			`defer func() {`
main: remove globalContext, and move some functions outside of the main 2018-01-07 02:46:00 +08:00			`origErr := err`
			`err = db.Close()`
			`if origErr != nil {`
			`err = origErr`
Lint code + fix tests 2017-12-04 01:18:17 +08:00			`}`
			`}()`
Use a database migration system 2017-11-19 08:18:17 +08:00			`if err = db.DB().Ping(); err != nil {`
main: remove globalContext, and move some functions outside of the main 2018-01-07 02:46:00 +08:00			`return`
Add --debug options + mysql driver 2017-10-31 00:12:04 +08:00			`}`
main: remove globalContext, and move some functions outside of the main 2018-01-07 02:46:00 +08:00			`db.LogMode(c.debug)`
Refactor sshportal: create a custom bastion session handler 2017-12-28 05:43:21 +08:00			`if err = dbInit(db); err != nil {`
main: remove globalContext, and move some functions outside of the main 2018-01-07 02:46:00 +08:00			`return`
add log directory creation if it does not exist. 2018-01-04 20:41:14 +08:00			`}`
Small fixes 2018-01-05 18:02:13 +08:00
Refactor bastion handler to forward every requests properly 2017-12-31 17:38:33 +08:00			`// create TCP listening socket`
main: remove globalContext, and move some functions outside of the main 2018-01-07 02:46:00 +08:00			`ln, err := net.Listen("tcp", c.bindAddr)`
Refactor sshportal: create a custom bastion session handler 2017-12-28 05:43:21 +08:00			`if err != nil {`
			`return err`
			`}`
Refactor bastion handler to forward every requests properly 2017-12-31 17:38:33 +08:00
			`// configure server`
			`srv := &ssh.Server{`
build: switch to go modules 2018-11-16 17:24:18 +08:00			`Addr: c.bindAddr,`
			`Handler: shellHandler, // ssh.Server.Handler is the handler for the DefaultSessionHandler`
			`Version: fmt.Sprintf("sshportal-%s", Version),`
Refactor bastion handler to forward every requests properly 2017-12-31 17:38:33 +08:00			`}`
build: switch to go modules 2018-11-16 17:24:18 +08:00
			`// configure channel handler`
			`defaultSessionHandler := srv.GetChannelHandler("session")`
			`defaultDirectTcpipHandler := srv.GetChannelHandler("direct-tcpip")`
			`defaultChannelHandler = func(srv ssh.Server, conn gossh.ServerConn, newChan gossh.NewChannel, ctx ssh.Context) {`
			`switch newChan.ChannelType() {`
			`case "session":`
			`go defaultSessionHandler(srv, conn, newChan, ctx)`
			`case "direct-tcpip":`
			`go defaultDirectTcpipHandler(srv, conn, newChan, ctx)`
			`default:`
build: switch to golangci-lint 2018-11-16 22:44:29 +08:00			`if err := newChan.Reject(gossh.UnknownChannelType, "unsupported channel type"); err != nil {`
			`log.Printf("failed to reject chan: %v", err)`
			`}`
build: switch to go modules 2018-11-16 17:24:18 +08:00			`}`
			`}`
			`srv.SetChannelHandler("session", nil)`
			`srv.SetChannelHandler("direct-tcpip", nil)`
			`srv.SetChannelHandler("default", channelHandler)`

add timeout and flag 2018-11-16 02:38:18 +08:00			`if c.idleTimeout != 0 {`
			`srv.IdleTimeout = c.idleTimeout`
			`// gliderlabs/ssh requires MaxTimeout to be non-zero if we want to use IdleTimeout.`
			`// So, set it to the max value, because we don't want a max timeout.`
			`srv.MaxTimeout = math.MaxInt64`
			`}`
main: remove globalContext, and move some functions outside of the main 2018-01-07 02:46:00 +08:00
			`for _, opt := range []ssh.Option{`
			`// custom PublicKeyAuth handler`
			`ssh.PublicKeyAuth(publicKeyAuthHandler(db, c)),`
			`ssh.PasswordAuth(passwordAuthHandler(db, c)),`
			`// retrieve sshportal SSH private key from database`
			`privateKeyFromDB(db, c.aesKey),`
			`} {`
Refactor sshportal: create a custom bastion session handler 2017-12-28 05:43:21 +08:00			`if err := srv.SetOption(opt); err != nil {`
			`return err`
			`}`
			`}`

add logging 2018-11-16 02:56:10 +08:00			`log.Printf("info: SSH Server accepting connections on %s, idle-timout=%v", c.bindAddr, c.idleTimeout)`
Refactor sshportal: create a custom bastion session handler 2017-12-28 05:43:21 +08:00			`return srv.Serve(ln)`
POC 2017-09-30 19:12:43 +08:00			`}`