First commit

Author: wzshiming

Dockerfile

@@ -0,0 +1,10 @@
+FROM golang:alpine AS builder
+WORKDIR /go/src/github.com/wzshiming/sshproxy/
+COPY . .
+ENV CGO_ENABLED=0
+RUN go install ./cmd/sshproxy
+
+FROM alpine
+EXPOSE 8080
+COPY --from=builder /go/bin/sshproxy /usr/local/bin/
+ENTRYPOINT [ "/usr/local/bin/sshproxy" ]

client.go

@@ -0,0 +1,235 @@
+package sshproxy
+
+import (
+	"context"
+	"io/ioutil"
+	"net"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+
+	"golang.org/x/crypto/ssh"
+)
+
+// NewDialer returns a new Dialer that dials through the provided
+// proxy server's network and address.
+func NewDialer(addr string) (*Dialer, error) {
+	host, config, err := clientConfig(addr)
+	if err != nil {
+		return nil, err
+	}
+	return &Dialer{
+		host:   host,
+		config: config,
+	}, nil
+}
+
+func clientConfig(addr string) (host string, config *ssh.ClientConfig, err error) {
+	ur, err := url.Parse(addr)
+	if err != nil {
+		return "", nil, err
+	}
+
+	user := ""
+	pwd := ""
+	isPwd := false
+	if ur.User != nil {
+		user = ur.User.Username()
+		pwd, isPwd = ur.User.Password()
+	}
+
+	config = &ssh.ClientConfig{
+		User:            user,
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+
+	if isPwd {
+		config.Auth = append(config.Auth, ssh.Password(pwd))
+	}
+
+	identityFiles := ur.Query()["identity_file"]
+	for _, ident := range identityFiles {
+		if ident == "" {
+			continue
+		}
+		if strings.HasPrefix(ident, "~") {
+			home, err := os.UserHomeDir()
+			if err == nil {
+				ident = filepath.Join(home, ident[1:])
+			}
+		}
+
+		file, err := ioutil.ReadFile(ident)
+		if err != nil {
+			return "", nil, err
+		}
+		signer, err := ssh.ParsePrivateKey(file)
+		if err != nil {
+			return "", nil, err
+		}
+		config.Auth = append(config.Auth, ssh.PublicKeys(signer))
+	}
+
+	host = ur.Hostname()
+	port := ur.Port()
+	if port == "" {
+		port = "22"
+	}
+	host = net.JoinHostPort(host, port)
+	return host, config, nil
+}
+
+type Dialer struct {
+	mut       sync.Mutex
+	localAddr net.Addr
+	// ProxyDial specifies the optional dial function for
+	// establishing the transport connection.
+	ProxyDial func(context.Context, string, string) (net.Conn, error)
+	sshCli    *ssh.Client
+	host      string
+	config    *ssh.ClientConfig
+}
+
+func (c *Dialer) reset() {
+	c.mut.Lock()
+	defer c.mut.Unlock()
+	if c.sshCli == nil {
+		return
+	}
+	c.sshCli.Close()
+	c.sshCli = nil
+}
+
+func (d *Dialer) proxyDial(ctx context.Context, network, address string) (net.Conn, error) {
+	proxyDial := d.ProxyDial
+	if proxyDial == nil {
+		var dialer net.Dialer
+		proxyDial = dialer.DialContext
+	}
+	return proxyDial(ctx, network, address)
+}
+
+func (c *Dialer) getCli(ctx context.Context) (*ssh.Client, error) {
+	c.mut.Lock()
+	defer c.mut.Unlock()
+	cli := c.sshCli
+	if cli != nil {
+		return cli, nil
+	}
+	conn, err := c.proxyDial(ctx, "tcp", c.host)
+	if err != nil {
+		return nil, err
+	}
+
+	con, chans, reqs, err := ssh.NewClientConn(conn, c.host, c.config)
+	if err != nil {
+		return nil, err
+	}
+	cli = ssh.NewClient(con, chans, reqs)
+	c.sshCli = cli
+	return cli, nil
+}
+
+func (c *Dialer) CommandDialContext(ctx context.Context, name string, args ...string) (net.Conn, error) {
+	cmd := make([]string, 0, len(args)+1)
+	cmd = append(cmd, name)
+	for _, arg := range args {
+		cmd = append(cmd, strconv.Quote(arg))
+	}
+	return c.commandDialContext(ctx, strings.Join(cmd, " "), 1)
+}
+
+func (c *Dialer) commandDialContext(ctx context.Context, cmd string, retry int) (net.Conn, error) {
+	cli, err := c.getCli(ctx)
+	if err != nil {
+		return nil, err
+	}
+	sess, err := cli.NewSession()
+	if err != nil {
+		return nil, err
+	}
+	conn1, conn2 := net.Pipe()
+	sess.Stdin = conn1
+	sess.Stdout = conn1
+	sess.Stderr = os.Stderr
+	err = sess.Start(cmd)
+	if err != nil {
+		if retry != 0 {
+			c.reset()
+			return c.commandDialContext(ctx, cmd, retry-1)
+		}
+		return nil, err
+	}
+	ctx, cancel := context.WithCancel(ctx)
+	go func() {
+		sess.Wait()
+		cancel()
+	}()
+	go func() {
+		<-ctx.Done()
+
+		// openssh does not support the signal
+		// command and will not signal remote processes. This may
+		// be resolved in openssh 7.9 or higher. Please subscribe
+		// to https://github.com/golang/go/issues/16597.
+		sess.Signal(ssh.SIGKILL)
+		sess.Close()
+		conn1.Close()
+	}()
+	conn2 = connWithCloser(conn2, func() error {
+		cancel()
+		return nil
+	})
+	conn2 = connWithAddr(conn2, c.localAddr, newNetAddr("ssh-cmd", cmd))
+	return conn2, nil
+}
+
+func (c *Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	return c.dialContext(ctx, network, address, 1)
+}
+
+func (c *Dialer) dialContext(ctx context.Context, network, address string, retry int) (net.Conn, error) {
+	cli, err := c.getCli(ctx)
+	if err != nil {
+		return nil, err
+	}
+	conn, err := cli.Dial(network, address)
+	if err != nil {
+		if retry != 0 {
+			c.reset()
+			return c.dialContext(ctx, network, address, retry-1)
+		}
+		return nil, err
+	}
+	return conn, nil
+}
+
+func (c *Dialer) Listen(ctx context.Context, network, address string) (net.Listener, error) {
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		return nil, err
+	}
+	if host == "" {
+		address = net.JoinHostPort("0.0.0.0", port)
+	}
+	return c.listen(ctx, network, address, 1)
+}
+
+func (c *Dialer) listen(ctx context.Context, network, address string, retry int) (net.Listener, error) {
+	cli, err := c.getCli(ctx)
+	if err != nil {
+		return nil, err
+	}
+	listener, err := cli.Listen(network, address)
+	if err != nil {
+		if retry != 0 {
+			c.reset()
+			return c.listen(ctx, network, address, retry-1)
+		}
+		return nil, err
+	}
+	return listener, nil
+}

cmd/sshproxy/main.go

@@ -0,0 +1,78 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"os"
+
+	_ "github.com/wzshiming/sshproxy"
+
+	"github.com/wzshiming/sshd"
+	"golang.org/x/crypto/ssh"
+)
+
+var address string
+var username string
+var password string
+var authorized string
+var hostkey string
+
+func init() {
+	flag.StringVar(&address, "a", ":22", "listen on the address")
+	flag.StringVar(&username, "u", "", "username")
+	flag.StringVar(&password, "p", "", "password")
+	flag.StringVar(&authorized, "f", "", "authorized file")
+	flag.StringVar(&hostkey, "h", "", "hostkey file")
+	flag.Parse()
+}
+
+func main() {
+	logger := log.New(os.Stderr, "[ssh proxy] ", log.LstdFlags)
+	svc := sshd.NewServer()
+	svc.Logger = logger
+	if hostkey != "" {
+		key, err := sshd.GetHostkey(hostkey)
+		if err != nil {
+			logger.Println(err)
+			return
+		}
+		svc.ServerConfig.AddHostKey(key)
+	} else {
+		key, err := sshd.RandomHostkey()
+		if err != nil {
+			logger.Println(err)
+			return
+		}
+		svc.ServerConfig.AddHostKey(key)
+	}
+	if username != "" {
+		svc.ServerConfig.PasswordCallback = func(conn ssh.ConnMetadata, pwd []byte) (*ssh.Permissions, error) {
+			if conn.User() == username && password == string(pwd) {
+				return nil, nil
+			}
+			return nil, fmt.Errorf("denied")
+		}
+	}
+	if authorized != "" {
+		keys, err := sshd.GetAuthorizedFile(authorized)
+		if err != nil {
+			logger.Println(err)
+			return
+		}
+		svc.ServerConfig.PublicKeyCallback = func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+			k := string(key.Marshal())
+			if _, ok := keys[k]; ok {
+				return nil, nil
+			}
+			return nil, fmt.Errorf("denied")
+		}
+	}
+	if username == "" && authorized == "" {
+		svc.ServerConfig.NoClientAuth = true
+	}
+	err := svc.ListenAndServe("tcp", address)
+	if err != nil {
+		logger.Println(err)
+	}
+}

go.mod

@@ -0,0 +1,10 @@
+module github.com/wzshiming/sshproxy
+
+go 1.17
+
+require (
+	github.com/wzshiming/sshd v0.1.0
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
+)
+
+require golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect

go.sum

@@ -0,0 +1,13 @@
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
+github.com/wzshiming/sshd v0.1.0 h1:qwayh3xmWl9rKnrPQKjKDfuIO8idFdMOYno8y1WVgcc=
+github.com/wzshiming/sshd v0.1.0/go.mod h1:1sQ9cDYmq9xyRQbGh8OB9186sJXLRW8qlPkiADMn5iU=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

server.go

@@ -0,0 +1,9 @@
+package sshproxy
+
+import (
+	_ "github.com/wzshiming/sshd/directtcp"
+
+	"github.com/wzshiming/sshd"
+)
+
+type Server = sshd.Server