mirror of
https://github.com/moul/sshportal.git
synced 2025-01-23 16:15:47 +08:00
6068e6e48e
Co-authored-by: Jordan Craven <jordan.craven@wearepop.com>
158 lines
3.9 KiB
Go
158 lines
3.9 KiB
Go
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"log"
|
|
"math"
|
|
"net"
|
|
"os"
|
|
"time"
|
|
|
|
"gorm.io/driver/mysql"
|
|
"gorm.io/driver/postgres"
|
|
"gorm.io/driver/sqlite"
|
|
"gorm.io/gorm"
|
|
"gorm.io/gorm/logger"
|
|
|
|
"github.com/gliderlabs/ssh"
|
|
"github.com/urfave/cli"
|
|
gossh "golang.org/x/crypto/ssh"
|
|
"moul.io/sshportal/pkg/bastion"
|
|
)
|
|
|
|
type serverConfig struct {
|
|
aesKey string
|
|
dbDriver, dbURL string
|
|
logsLocation string
|
|
bindAddr string
|
|
debug, demo bool
|
|
idleTimeout time.Duration
|
|
aclCheckCmd string
|
|
}
|
|
|
|
func parseServerConfig(c *cli.Context) (*serverConfig, error) {
|
|
ret := &serverConfig{
|
|
aesKey: c.String("aes-key"),
|
|
dbDriver: c.String("db-driver"),
|
|
dbURL: c.String("db-conn"),
|
|
bindAddr: c.String("bind-address"),
|
|
debug: c.Bool("debug"),
|
|
demo: c.Bool("demo"),
|
|
logsLocation: c.String("logs-location"),
|
|
idleTimeout: c.Duration("idle-timeout"),
|
|
aclCheckCmd: c.String("acl-check-cmd"),
|
|
}
|
|
switch len(ret.aesKey) {
|
|
case 0, 16, 24, 32:
|
|
default:
|
|
return nil, fmt.Errorf("invalid aes key size, should be 16 or 24, 32")
|
|
}
|
|
return ret, nil
|
|
}
|
|
|
|
func ensureLogDirectory(location string) error {
|
|
// check for the logdir existence
|
|
logsLocation, err := os.Stat(location)
|
|
if err != nil {
|
|
if os.IsNotExist(err) {
|
|
return os.MkdirAll(location, os.ModeDir|os.FileMode(0750))
|
|
}
|
|
return err
|
|
}
|
|
if !logsLocation.IsDir() {
|
|
return fmt.Errorf("log directory cannot be created")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func dbConnect(c *serverConfig, config gorm.Option) (*gorm.DB, error) {
|
|
var dbOpen func(string) gorm.Dialector
|
|
if c.dbDriver == "sqlite3" {
|
|
dbOpen = sqlite.Open
|
|
}
|
|
if c.dbDriver == "postgres" {
|
|
dbOpen = postgres.Open
|
|
}
|
|
|
|
if c.dbDriver == "mysql" {
|
|
dbOpen = mysql.Open
|
|
}
|
|
return gorm.Open(dbOpen(c.dbURL), config)
|
|
}
|
|
|
|
func server(c *serverConfig) (err error) {
|
|
// configure db logging
|
|
|
|
db, err := dbConnect(c, &gorm.Config{
|
|
Logger: logger.Default.LogMode(logger.Silent),
|
|
})
|
|
sqlDB, err := db.DB()
|
|
|
|
defer func() {
|
|
origErr := err
|
|
err = sqlDB.Close()
|
|
if origErr != nil {
|
|
err = origErr
|
|
}
|
|
}()
|
|
|
|
if err = sqlDB.Ping(); err != nil {
|
|
return
|
|
}
|
|
|
|
if err = bastion.DBInit(db); err != nil {
|
|
return
|
|
}
|
|
|
|
// create TCP listening socket
|
|
ln, err := net.Listen("tcp", c.bindAddr)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// configure server
|
|
srv := &ssh.Server{
|
|
Addr: c.bindAddr,
|
|
Handler: func(s ssh.Session) { bastion.ShellHandler(s, GitTag, GitSha, GitTag) }, // ssh.Server.Handler is the handler for the DefaultSessionHandler
|
|
Version: fmt.Sprintf("sshportal-%s", GitTag),
|
|
ChannelHandlers: map[string]ssh.ChannelHandler{
|
|
"default": bastion.ChannelHandler,
|
|
},
|
|
}
|
|
|
|
// configure channel handler
|
|
bastion.DefaultChannelHandler = func(srv *ssh.Server, conn *gossh.ServerConn, newChan gossh.NewChannel, ctx ssh.Context) {
|
|
switch newChan.ChannelType() {
|
|
case "session":
|
|
go ssh.DefaultSessionHandler(srv, conn, newChan, ctx)
|
|
case "direct-tcpip":
|
|
go ssh.DirectTCPIPHandler(srv, conn, newChan, ctx)
|
|
default:
|
|
if err := newChan.Reject(gossh.UnknownChannelType, "unsupported channel type"); err != nil {
|
|
log.Printf("failed to reject chan: %v", err)
|
|
}
|
|
}
|
|
}
|
|
|
|
if c.idleTimeout != 0 {
|
|
srv.IdleTimeout = c.idleTimeout
|
|
// gliderlabs/ssh requires MaxTimeout to be non-zero if we want to use IdleTimeout.
|
|
// So, set it to the max value, because we don't want a max timeout.
|
|
srv.MaxTimeout = math.MaxInt64
|
|
}
|
|
|
|
for _, opt := range []ssh.Option{
|
|
// custom PublicKeyAuth handler
|
|
ssh.PublicKeyAuth(bastion.PublicKeyAuthHandler(db, c.logsLocation, c.aclCheckCmd, c.aesKey, c.dbDriver, c.dbURL, c.bindAddr, c.demo)),
|
|
ssh.PasswordAuth(bastion.PasswordAuthHandler(db, c.logsLocation, c.aclCheckCmd, c.aesKey, c.dbDriver, c.dbURL, c.bindAddr, c.demo)),
|
|
// retrieve sshportal SSH private key from database
|
|
bastion.PrivateKeyFromDB(db, c.aesKey),
|
|
} {
|
|
if err := srv.SetOption(opt); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
log.Printf("info: SSH Server accepting connections on %s, idle-timout=%v", c.bindAddr, c.idleTimeout)
|
|
return srv.Serve(ln)
|
|
}
|