1
// Copyright 2011 The Go Authors. All rights reserved.
2
// Use of this source code is governed by a BSD-style
3
// license that can be found in the LICENSE file.
20
type ServerConfig struct {
23
// Rand provides the source of entropy for key exchange. If Rand is
24
// nil, the cryptographic random reader in package crypto/rand will
28
// NoClientAuth is true if clients are allowed to connect without
32
// PasswordCallback, if non-nil, is called when a user attempts to
33
// authenticate using a password. It may be called concurrently from
34
// several goroutines.
35
PasswordCallback func(conn *ServerConn, user, password string) bool
37
// PublicKeyCallback, if non-nil, is called when a client attempts public
38
// key authentication. It must return true if the given public key is
39
// valid for the given user.
40
PublicKeyCallback func(conn *ServerConn, user, algo string, pubkey []byte) bool
42
// KeyboardInteractiveCallback, if non-nil, is called when
43
// keyboard-interactive authentication is selected (RFC
44
// 4256). The client object's Challenge function should be
45
// used to query the user. The callback may offer multiple
46
// Challenge rounds. To avoid information leaks, the client
47
// should be presented a challenge even if the user is
49
KeyboardInteractiveCallback func(conn *ServerConn, user string, client ClientKeyboardInteractive) bool
51
// Cryptographic-related configuration.
55
func (c *ServerConfig) rand() io.Reader {
62
// AddHostKey adds a private key as a host key. If an existing host
63
// key exists with the same algorithm, it is overwritten.
64
func (s *ServerConfig) AddHostKey(key Signer) {
65
for i, k := range s.hostKeys {
66
if k.PublicKey().PublicKeyAlgo() == key.PublicKey().PublicKeyAlgo() {
72
s.hostKeys = append(s.hostKeys, key)
75
// SetRSAPrivateKey sets the private key for a Server. A Server must have a
76
// private key configured in order to accept connections. The private key must
77
// be in the form of a PEM encoded, PKCS#1, RSA private key. The file "id_rsa"
78
// typically contains such a key.
79
func (s *ServerConfig) SetRSAPrivateKey(pemBytes []byte) error {
80
priv, err := ParsePrivateKey(pemBytes)
88
// cachedPubKey contains the results of querying whether a public key is
89
// acceptable for a user. The cache only applies to a single ServerConn.
90
type cachedPubKey struct {
96
const maxCachedPubKeys = 16
98
// A ServerConn represents an incoming connection.
99
type ServerConn struct {
103
channels map[uint32]*serverChan
106
// lock protects err and channels.
110
// cachedPubKeys contains the cache results of tests for public keys.
111
// Since SSH clients will query whether a public key is acceptable
112
// before attempting to authenticate with it, we end up with duplicate
113
// queries for public key validity.
114
cachedPubKeys []cachedPubKey
116
// User holds the successfully authenticated user name.
117
// It is empty if no authentication is used. It is populated before
118
// any authentication callback is called and not assigned to after that.
121
// ClientVersion is the client's version, populated after
122
// Handshake is called. It should not be modified.
129
// Server returns a new SSH server connection
130
// using c as the underlying transport.
131
func Server(c net.Conn, config *ServerConfig) *ServerConn {
133
transport: newTransport(c, config.rand(), false /* not client */),
134
channels: make(map[uint32]*serverChan),
139
// signAndMarshal signs the data with the appropriate algorithm,
140
// and serializes the result in SSH wire format.
141
func signAndMarshal(k Signer, rand io.Reader, data []byte) ([]byte, error) {
142
sig, err := k.Sign(rand, data)
147
return serializeSignature(k.PublicKey().PrivateKeyAlgo(), sig), nil
150
// Close closes the connection.
151
func (s *ServerConn) Close() error { return s.transport.Close() }
153
// LocalAddr returns the local network address.
154
func (c *ServerConn) LocalAddr() net.Addr { return c.transport.LocalAddr() }
156
// RemoteAddr returns the remote network address.
157
func (c *ServerConn) RemoteAddr() net.Addr { return c.transport.RemoteAddr() }
159
// Handshake performs an SSH transport and client authentication on the given ServerConn.
160
func (s *ServerConn) Handshake() error {
162
s.serverVersion = []byte(packageVersion)
163
s.ClientVersion, err = exchangeVersions(s.transport.Conn, s.serverVersion)
167
if err := s.clientInitHandshake(nil, nil); err != nil {
172
if packet, err = s.transport.readPacket(); err != nil {
175
var serviceRequest serviceRequestMsg
176
if err := unmarshal(&serviceRequest, packet, msgServiceRequest); err != nil {
179
if serviceRequest.Service != serviceUserAuth {
180
return errors.New("ssh: requested service '" + serviceRequest.Service + "' before authenticating")
182
serviceAccept := serviceAcceptMsg{
183
Service: serviceUserAuth,
185
if err := s.transport.writePacket(marshal(msgServiceAccept, serviceAccept)); err != nil {
189
if err := s.authenticate(); err != nil {
195
func (s *ServerConn) clientInitHandshake(clientKexInit *kexInitMsg, clientKexInitPacket []byte) (err error) {
196
serverKexInit := kexInitMsg{
197
KexAlgos: s.config.Crypto.kexes(),
198
CiphersClientServer: s.config.Crypto.ciphers(),
199
CiphersServerClient: s.config.Crypto.ciphers(),
200
MACsClientServer: s.config.Crypto.macs(),
201
MACsServerClient: s.config.Crypto.macs(),
202
CompressionClientServer: supportedCompressions,
203
CompressionServerClient: supportedCompressions,
205
for _, k := range s.config.hostKeys {
206
serverKexInit.ServerHostKeyAlgos = append(
207
serverKexInit.ServerHostKeyAlgos, k.PublicKey().PublicKeyAlgo())
210
serverKexInitPacket := marshal(msgKexInit, serverKexInit)
211
if err = s.transport.writePacket(serverKexInitPacket); err != nil {
215
if clientKexInitPacket == nil {
216
clientKexInit = new(kexInitMsg)
217
if clientKexInitPacket, err = s.transport.readPacket(); err != nil {
220
if err = unmarshal(clientKexInit, clientKexInitPacket, msgKexInit); err != nil {
225
algs := findAgreedAlgorithms(clientKexInit, &serverKexInit)
227
return errors.New("ssh: no common algorithms")
230
if clientKexInit.FirstKexFollows && algs.kex != clientKexInit.KexAlgos[0] {
231
// The client sent a Kex message for the wrong algorithm,
232
// which we have to ignore.
233
if _, err = s.transport.readPacket(); err != nil {
239
for _, k := range s.config.hostKeys {
240
if algs.hostKey == k.PublicKey().PublicKeyAlgo() {
245
kex, ok := kexAlgoMap[algs.kex]
247
return fmt.Errorf("ssh: unexpected key exchange algorithm %v", algs.kex)
250
magics := handshakeMagics{
251
serverVersion: s.serverVersion,
252
clientVersion: s.ClientVersion,
253
serverKexInit: marshal(msgKexInit, serverKexInit),
254
clientKexInit: clientKexInitPacket,
256
result, err := kex.Server(s.transport, s.config.rand(), &magics, hostKey)
261
if err = s.transport.prepareKeyChange(algs, result); err != nil {
265
if err = s.transport.writePacket([]byte{msgNewKeys}); err != nil {
268
if packet, err := s.transport.readPacket(); err != nil {
270
} else if packet[0] != msgNewKeys {
271
return UnexpectedMessageError{msgNewKeys, packet[0]}
277
func isAcceptableAlgo(algo string) bool {
279
case KeyAlgoRSA, KeyAlgoDSA, KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
280
CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01:
286
// testPubKey returns true if the given public key is acceptable for the user.
287
func (s *ServerConn) testPubKey(user, algo string, pubKey []byte) bool {
288
if s.config.PublicKeyCallback == nil || !isAcceptableAlgo(algo) {
292
for _, c := range s.cachedPubKeys {
293
if c.user == user && c.algo == algo && bytes.Equal(c.pubKey, pubKey) {
298
result := s.config.PublicKeyCallback(s, user, algo, pubKey)
299
if len(s.cachedPubKeys) < maxCachedPubKeys {
303
pubKey: make([]byte, len(pubKey)),
306
copy(c.pubKey, pubKey)
307
s.cachedPubKeys = append(s.cachedPubKeys, c)
313
func (s *ServerConn) authenticate() error {
314
var userAuthReq userAuthRequestMsg
320
if packet, err = s.transport.readPacket(); err != nil {
323
if err = unmarshal(&userAuthReq, packet, msgUserAuthRequest); err != nil {
327
if userAuthReq.Service != serviceSSH {
328
return errors.New("ssh: client attempted to negotiate for unknown service: " + userAuthReq.Service)
331
switch userAuthReq.Method {
333
if s.config.NoClientAuth {
337
if s.config.PasswordCallback == nil {
340
payload := userAuthReq.Payload
341
if len(payload) < 1 || payload[0] != 0 {
342
return ParseError{msgUserAuthRequest}
344
payload = payload[1:]
345
password, payload, ok := parseString(payload)
346
if !ok || len(payload) > 0 {
347
return ParseError{msgUserAuthRequest}
350
s.User = userAuthReq.User
351
if s.config.PasswordCallback(s, userAuthReq.User, string(password)) {
354
case "keyboard-interactive":
355
if s.config.KeyboardInteractiveCallback == nil {
359
s.User = userAuthReq.User
360
if s.config.KeyboardInteractiveCallback(s, s.User, &sshClientKeyboardInteractive{s}) {
364
if s.config.PublicKeyCallback == nil {
367
payload := userAuthReq.Payload
368
if len(payload) < 1 {
369
return ParseError{msgUserAuthRequest}
371
isQuery := payload[0] == 0
372
payload = payload[1:]
373
algoBytes, payload, ok := parseString(payload)
375
return ParseError{msgUserAuthRequest}
377
algo := string(algoBytes)
379
pubKey, payload, ok := parseString(payload)
381
return ParseError{msgUserAuthRequest}
384
// The client can query if the given public key
386
if len(payload) > 0 {
387
return ParseError{msgUserAuthRequest}
389
if s.testPubKey(userAuthReq.User, algo, pubKey) {
390
okMsg := userAuthPubKeyOkMsg{
392
PubKey: string(pubKey),
394
if err = s.transport.writePacket(marshal(msgUserAuthPubKeyOk, okMsg)); err != nil {
397
continue userAuthLoop
400
sig, payload, ok := parseSignature(payload)
401
if !ok || len(payload) > 0 {
402
return ParseError{msgUserAuthRequest}
404
// Ensure the public key algo and signature algo
405
// are supported. Compare the private key
406
// algorithm name that corresponds to algo with
407
// sig.Format. This is usually the same, but
408
// for certs, the names differ.
409
if !isAcceptableAlgo(algo) || !isAcceptableAlgo(sig.Format) || pubAlgoToPrivAlgo(algo) != sig.Format {
412
signedData := buildDataSignedForAuth(s.transport.sessionID, userAuthReq, algoBytes, pubKey)
413
key, _, ok := ParsePublicKey(pubKey)
415
return ParseError{msgUserAuthRequest}
418
if !key.Verify(signedData, sig.Blob) {
419
return ParseError{msgUserAuthRequest}
421
// TODO(jmpittman): Implement full validation for certificates.
422
s.User = userAuthReq.User
423
if s.testPubKey(userAuthReq.User, algo, pubKey) {
429
var failureMsg userAuthFailureMsg
430
if s.config.PasswordCallback != nil {
431
failureMsg.Methods = append(failureMsg.Methods, "password")
433
if s.config.PublicKeyCallback != nil {
434
failureMsg.Methods = append(failureMsg.Methods, "publickey")
436
if s.config.KeyboardInteractiveCallback != nil {
437
failureMsg.Methods = append(failureMsg.Methods, "keyboard-interactive")
440
if len(failureMsg.Methods) == 0 {
441
return errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
444
if err = s.transport.writePacket(marshal(msgUserAuthFailure, failureMsg)); err != nil {
449
packet = []byte{msgUserAuthSuccess}
450
if err = s.transport.writePacket(packet); err != nil {
457
// sshClientKeyboardInteractive implements a ClientKeyboardInteractive by
458
// asking the client on the other side of a ServerConn.
459
type sshClientKeyboardInteractive struct {
463
func (c *sshClientKeyboardInteractive) Challenge(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
464
if len(questions) != len(echos) {
465
return nil, errors.New("ssh: echos and questions must have equal length")
469
for i := range questions {
470
prompts = appendString(prompts, questions[i])
471
prompts = appendBool(prompts, echos[i])
474
if err := c.transport.writePacket(marshal(msgUserAuthInfoRequest, userAuthInfoRequestMsg{
475
Instruction: instruction,
476
NumPrompts: uint32(len(questions)),
482
packet, err := c.transport.readPacket()
486
if packet[0] != msgUserAuthInfoResponse {
487
return nil, UnexpectedMessageError{msgUserAuthInfoResponse, packet[0]}
491
n, packet, ok := parseUint32(packet)
492
if !ok || int(n) != len(questions) {
493
return nil, &ParseError{msgUserAuthInfoResponse}
496
for i := uint32(0); i < n; i++ {
497
ans, rest, ok := parseString(packet)
499
return nil, &ParseError{msgUserAuthInfoResponse}
502
answers = append(answers, string(ans))
505
if len(packet) != 0 {
506
return nil, errors.New("ssh: junk at end of message")
512
const defaultWindowSize = 32768
514
// Accept reads and processes messages on a ServerConn. It must be called
515
// in order to demultiplex messages to any resulting Channels.
516
func (s *ServerConn) Accept() (Channel, error) {
517
// TODO(dfc) s.lock is not held here so visibility of s.err is not guaranteed.
523
packet, err := s.transport.readPacket()
530
// TODO(dfc) s.lock protects s.channels but isn't being held here.
531
for _, c := range s.channels {
542
// malformed data packet
543
return nil, ParseError{msgChannelData}
545
remoteId := binary.BigEndian.Uint32(packet[1:5])
547
c, ok := s.channels[remoteId]
552
if length := binary.BigEndian.Uint32(packet[5:9]); length > 0 {
554
c.handleData(packet[:length])
558
decoded, err := decode(packet)
562
switch msg := decoded.(type) {
563
case *channelOpenMsg:
564
if msg.MaxPacketSize < minPacketLength || msg.MaxPacketSize > 1<<31 {
565
return nil, errors.New("ssh: invalid MaxPacketSize from peer")
569
packetConn: s.transport,
570
remoteId: msg.PeersId,
571
remoteWin: window{Cond: newCond()},
572
maxPacket: msg.MaxPacketSize,
574
chanType: msg.ChanType,
575
extraData: msg.TypeSpecificData,
576
myWindow: defaultWindowSize,
579
pendingData: make([]byte, defaultWindowSize),
581
c.remoteWin.add(msg.PeersWindow)
583
c.localId = s.nextChanId
585
s.channels[c.localId] = c
589
case *channelRequestMsg:
591
c, ok := s.channels[msg.PeersId]
599
case *windowAdjustMsg:
601
c, ok := s.channels[msg.PeersId]
611
c, ok := s.channels[msg.PeersId]
619
case *channelCloseMsg:
621
c, ok := s.channels[msg.PeersId]
629
case *globalRequestMsg:
631
if err := s.transport.writePacket([]byte{msgRequestFailure}); err != nil {
638
if err := s.clientInitHandshake(msg, packet); err != nil {
646
// Unknown message. Ignore.
654
// A Listener implements a network listener (net.Listener) for SSH connections.
655
type Listener struct {
656
listener net.Listener
660
// Addr returns the listener's network address.
661
func (l *Listener) Addr() net.Addr {
662
return l.listener.Addr()
665
// Close closes the listener.
666
func (l *Listener) Close() error {
667
return l.listener.Close()
670
// Accept waits for and returns the next incoming SSH connection.
671
// The receiver should call Handshake() in another goroutine
672
// to avoid blocking the accepter.
673
func (l *Listener) Accept() (*ServerConn, error) {
674
c, err := l.listener.Accept()
678
return Server(c, l.config), nil
681
// Listen creates an SSH listener accepting connections on
682
// the given network address using net.Listen.
683
func Listen(network, addr string, config *ServerConfig) (*Listener, error) {
684
l, err := net.Listen(network, addr)