ssh3

package module
v0.1.7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 29, 2024 License: Apache-2.0 Imports: 30 Imported by: 0

README

SSH3: faster and rich secure shell using HTTP/3

SSH3 is a complete revisit of the SSH protocol, mapping its semantics on top of the HTTP mechanisms. In a nutshell, SSH3 uses QUIC+TLS1.3 for secure channel establishment and the HTTP Authorization mechanisms for user authentication. Among others, SSH3 allows the following improvements:

  • Significantly faster session establishment
  • New HTTP authentication methods such as OAuth 2.0 and OpenID Connect in addition to classical SSH authentication
  • Robustness to port scanning attacks: your SSH3 server can be made invisible to other Internet users
  • UDP port forwarding in addition to classical TCP port forwarding
  • All the features allowed by the modern QUIC protocol: including connection migration (soon) and multipath connections

[!TIP] Quickly want to get started ? Checkout how to install SSH3. You will learn to setup an SSH3 server and use the SSH3 client.

SSH3 stands for the concatenation of SSH and H3.

⚡ SSH3 is faster

Faster for session establishment, not throughput ! SSH3 offers a significantly faster session establishment than SSHv2. Establishing a new session with SSHv2 can take 5 to 7 network round-trip times, which can easily be noticed by the user. SSH3 only needs 3 round-trip times. The keystroke latency in a running session is unchanged.

SSH3 (top) VS SSHv2 (bottom) session establishement with a 100ms ping towards the server.

🔒 SSH3 security

While SSHv2 defines its own protocols for user authentication and secure channel establishment, SSH3 relies on the robust and time-tested mechanisms of TLS 1.3, QUIC and HTTP. These protocols are already extensively used to secure security-critical applications on the Internet such as e-commerce and Internet banking.

SSH3 already implements the common password-based and public-key (RSA and EdDSA/ed25519) authentication methods. It also supports new authentication methods such as OAuth 2.0 and allows logging in to your servers using your Google/Microsoft/Github accounts.

🧪 SSH3 is still experimental

While SSH3 shows promise for faster session establishment, it is still at an early proof-of-concept stage. As with any new complex protocol, expert cryptographic review over an extended timeframe is required before reasonable security conclusions can be made.

We are developing SSH3 as an open source project to facilitate community feedback and analysis. However, we cannot yet endorse its appropriateness for production systems without further peer review. Please collaborate with us if you have relevant expertise!

🥷 Do not deploy the SSH3 server on your production servers for now

Given the current prototype state, we advise testing SSH3 in sandboxed environments or private networks. Be aware that making experimental servers directly Internet-accessible could introduce risk before thorough security vetting.

While hiding servers behind secret paths has potential benefits, it does not negate the need for rigorous vulnerability analysis before entering production. We are excited by SSH3's future possibilities but encourage additional scrutiny first.

🥷 Your SSH3 public server can be hidden

Using SSH3, you can avoid the usual stress of scanning and dictionary attacks against your SSH server. Similarly to your secret Google Drive documents, your SSH3 server can be hidden behind a secret link and only answer to authentication attempts that made an HTTP request to this specific link, like the following:

ssh3-server -bind 192.0.2.0:443 -url-path <my-long-secret>

By replacing <my-long-secret> by, let's say, the random value M3MzkxYWMxMjYxMjc5YzJkODZiMTAyMjU, your SSH3 server will only answer to SSH3 connection attempts made to the URL https://192.0.2.0:443/M3MzkxYWMxMjYxMjc5YzJkODZiMTAyMjU and it will respond a 404 Not Found to other requests. Attackers and crawlers on the Internet can therefore not detect the presence of your SSH3 server. They will only see a simple web server answering 404 status codes to every request.

💐 SSH3 is already feature-rich

SSH3 provides new feature that could not be provided by the SSHv2 protocol.

Brand new features
  • UDP port forwarding: you can now access your QUIC, DNS, RTP or any UDP-based server that are only reachable from your SSH3 host. UDP packets are forwarded using QUIC datagrams.
  • X.509 certificates: you can now use your classical HTTPS certificates to authenticate your SSH3 server. This mechanism is more secure than the classical SSHv2 host key mechanism. Certificates can be obtained easily using LetsEncrypt for instance.
  • Hiding your server behind a secret link.
  • Keyless secure user authentication using OpenID Connect. You can connect to your SSH3 server using the SSO of your company or your Google/Github account, and you don't need to copy the public keys of your users anymore.
Famous OpenSSH features implemented

This SSH3 implementation already provides many of the popular features of OpenSSH, so if you are used to OpenSSH, the process of adopting SSH3 will be smooth. Here is a list of some OpenSSH features that SSH3 also implements:

  • Parses ~/.ssh/authorized_keys on the server
  • Certificate-based server authentication
  • known_hosts mechanism when X.509 certificates are not used.
  • Automatically using the ssh-agent for public key authentication
  • SSH agent forwarding to use your local keys on your remote server
  • Direct TCP port forwarding (reverse port forwarding will be implemented in the future)
  • Proxy jump (see the -proxy-jump parameter). If A is an SSH3 client and B and C are both SSH3 servers, you can connect from A to C using B as a gateway/proxy. The proxy uses UDP forwarding to forward the QUIC packets from A to C, so B cannot decrypt the traffic A<->C SSH3 traffic.
  • Parses ~/.ssh/config on the client and handles the Hostname, User, Port and IdentityFile config options (the other options are currently ignored). Also parses a new UDPProxyJump that behaves similarly to OpenSSH's ProxyJump.

🙏 Community support

Help us progress SSH3 responsibly! We welcome capable security researchers to review our codebase and provide feedback. Please also connect us with relevant standards bodies to potentially advance SSH3 through the formal IETF/IRTF processes over time.

With collaborative assistance, we hope to iteratively improve SSH3 towards safe production readiness. But we cannot credibly make definitive security claims without evidence of extensive expert cryptographic review and adoption by respected security authorities. Let's work together to realize SSH3's possibilities!

Installing SSH3

You can either download the last release binaries, install it using go install or generate these binaries yourself by compiling the code from source.

[!TIP] SSH3 is still experimental and is the fruit of a research work. If you are afraid of deploying publicly a new SSH3 server, you can use the secret path feature of SSH3 to hide it behing a secret URL.

Installing ssh3 and ssh3-server using Go install
go install github.com/francoismichel/ssh3/cmd/...@latest
Compiling SSH3 from source

You need a recent Golang version to do this. Downloading the source code and compiling the binaries can be done with the following steps:

git clone https://github.com/francoismichel/ssh3    # clone the repo
cd ssh3
go build -o ssh3 cmd/ssh3/main.go                        # build the client
CGO_ENABLED=1 go build -o ssh3-server cmd/ssh3-server/main.go   # build the server, requires having gcc installed

If you have root/sudo privileges and you want to make ssh3 accessible to all you users, you can then directly copy the binaries to /usr/bin:

cp ssh3 /usr/bin/ && cp ssh3-server /usr/bin

Otherwise, you can simply add the executables to your PATH environment variable by adding the following line at the end of your .bashrc or equivalent:

export PATH=$PATH:/path/to/the/ssh3/directory
Deploying an SSH3 server

Before connecting to your host, you need to deploy an SSH3 server on it. There is currently no SSH3 daemon, so right now, you will have to run the ssh3-server executable in background using screen or a similar utility.

[!NOTE] As SSH3 runs on top of HTTP/3, a server needs an X.509 certificate and its corresponding private key. Public certificates can be generated automatically for your public domain name through Let's Encrypt using the -generate-public-cert command-line argument on the server. If you do not want to generate a certificate signed by a real certificate authority or if you don't have any public domain name, you can generate a self-signed one using the -generate-selfsigned-cert command-line argument. Self-signed certificates provide you with similar security guarantees to SSHv2's host keys mechanism, with the same security issue: you may be vulnerable to machine-in-the-middle attacks during your first connection to your server. Using real certificates signed by public certificate authorities such as Let's Encrypt avoids this issue.

Here is the usage of the ssh3-server executable:

Usage of ./ssh3-server:
  -bind string
        the address:port pair to listen to, e.g. 0.0.0.0:443 (default "[::]:443")
  -cert string
        the filename of the server certificate (or fullchain) (default "./cert.pem")
  -key string
        the filename of the certificate private key (default "./priv.key")
  -enable-password-login
        if set, enable password authentication (disabled by default)
  -generate-public-cert value
        Automatically produce and use a valid public certificate usingLet's Encrypt for the provided domain name. The flag can be used several times to generate several certificates.If certificates have already been generated previously using this flag, they will simply be reused without being regenerated. The public certificates are automatically renewed as long as the server is running. Automatically-generated IP public certificates are not available yet.
  -generate-selfsigned-cert
        if set, generates a self-self-signed cerificate and key that will be stored at the paths indicated by the -cert and -key args (they must not already exist)
  -url-path string
        the secret URL path on which the ssh3 server listens (default "/ssh3-term")
  -v    verbose mode, if set
  -version
        if set, displays the software version on standard output and exit

The following command starts a public SSH3 server on port 443 with a valid Let's Encrypt public certificate for domain my-domain.example.org and answers to new sessions requests querying the /ssh3 URL path:

ssh3-server -generate-public-cert my-domain.example.org -url-path /ssh3

If you don't have a public domain name (i.e. only an IP address), you can either use an existing certificate for your IP address using the -cert and -key arguments or generate a self-signed certificate using the -generate-selfsigned-cert argument.

If you have existing certificates and keys, you can run the server as follows to use them=

ssh3-server -cert /path/to/cert/or/fullchain -key /path/to/cert/private/key -url-path /ssh3

[!NOTE] Similarly to OpenSSH, the server must be run with root priviledges to log in as other users.

Authorized keys and authorized identities

By default, the SSH3 server will look for identities in the ~/.ssh/authorized_keys and ~/.ssh3/authorized_identities files for each user. ~/.ssh3/authorized_identities allows new identities such as OpenID Connect (oidc) discussed below. Popular key types such as rsa, ed25519 and keys in the OpenSSH format can be used.

Using the SSH3 client

Once you have an SSH3 server running, you can connect to it using the SSH3 client similarly to what you did with your classical SSHv2 tool.

Here is the usage of the ssh3 executable:

Usage of ssh3:
  -pubkey-for-agent string
        if set, use an agent key whose public key matches the one in the specified path
  -privkey string
        private key file
  -use-password
        if set, do classical password authentication
  -forward-agent
        if set, forwards ssh agent to be used with sshv2 connections on the remote host
  -forward-tcp string
        if set, take a localport/remoteip@remoteport forwarding localhost@localport towards remoteip@remoteport
  -forward-udp string
        if set, take a localport/remoteip@remoteport forwarding localhost@localport towards remoteip@remoteport
  -proxy-jump string
    	if set, performs a proxy jump using the specified remote host as proxy
  -insecure
        if set, skip server certificate verification
  -keylog string
        Write QUIC TLS keys and master secret in the specified keylog file: only for debugging purpose
  -use-oidc string
        if set, force the use of OpenID Connect with the specified issuer url as parameter
  -oidc-config string
        OpenID Connect json config file containing the "client_id" and "client_secret" fields needed for most identity providers
  -do-pkce
        if set, perform PKCE challenge-response with oidc
  -v    if set, enable verbose mode
Private-key authentication

You can connect to your SSH3 server at my-server.example.org listening on /my-secret-path using the private key located in ~/.ssh/id_rsa with the following command:

  ssh3 -privkey ~/.ssh/id_rsa username@my-server.example.org/my-secret-path
Agent-based private key authentication

The SSH3 client works with the OpenSSH agent and uses the classical SSH_AUTH_SOCK environment variable to communicate with this agent. Similarly to OpenSSH, SSH3 will list the keys provided by the SSH agent and connect using the first key listen by the agent by default. If you want to specify a specific key to use with the agent, you can either specify the private key directly with the -privkey argument like above, or specify the corresponding public key using the -pubkey-for-agent argument. This allows you to authenticate in situations where only the agent has a direct access to the private key but you only have access to the public key.

Password-based authentication

While discouraged, you can connect to your server using passwords (if explicitly enabled on the ssh3-server) with the following command:

  ssh3 -use-password username@my-server.example.org/my-secret-path
Config-based session establishment

ssh3 parses your OpenSSH config. Currently, it only handles the Hostname; User, Port and IdentityFile OpenSSH options. It also adds new option only used by SSH3, such as URLPath or UDPProxyJump. URLPath allows you to omit the secret URL path in your SSH3 command. UDPProxyJump allows you to perform SSH3 (#proxy-jump)[Proxy Jump] and has the same meaning as the -proxy-jump command-line argument. Let's say you have the following lines in your OpenSSH config located in ~/.ssh/config :

IgnoreUnknown URLPath
Host my-server
  HostName 192.0.2.0
  User username
  IdentityFile ~/.ssh/id_rsa
  URLPath /my-secret-path

Similarly to what OpenSSH does, the following ssh3 command will connect you to the SSH3 server running on 192.0.2.0 on UDP port 443 using public key authentication with the private key located in .ssh/id_rsa :

  ssh3 my-server/my-secret-path

If you do not want a config-based utilization of SSH3, you can read the sections below to see how to use the CLI parameters of ssh3.

OpenID Connect authentication (still experimental)

This feature allows you to connect using an external identity provider such as the one of your company or any other provider that implements the OpenID Connect standard, such as Google Identity, Github or Microsoft Entra. The authentication flow is illustrated in the GIF below.

Secure connection without private key using a Google account.

The way it connects to your identity provider is configured in a file named ~/.ssh3/oidc_config.json. Below is an example config.json file for use with a Google account. This configuration file is an array and can contain several identity providers configurations.

[
    {
        "issuer_url": "https://accounts.google.com",
        "client_id": "<your_client_id>",
        "client_secret": "<your_client_secret>"
    }
]

This might change in the future, but currently, to make this feature work with your Google account, you will need to setup a new experimental application in your Google Cloud console and add your email as authorized users. This will provide you with a client_id and a client_secret that you can then set in your ~/.ssh3/oidc_config.json. On the server side, you just have to add the following line in your ~/.ssh3/authorized_identities:

oidc <client_id> https://accounts.google.com <email>

We currently consider removing the need of setting the client_id in the authorized_identities file in the future.

Proxy jump

It is often the case that some SSH hosts can only be accessed through a gateway. SSH3 allows you to perform a Proxy Jump similarly to what is proposed by OpenSSH. You can connect from A to C using B as a gateway/proxy. B and C must both be running a valid SSH3 server. This works by establishing UDP port forwarding on B to forward QUIC packets from A to C. The connection from A to C is therefore fully end-to-end and B cannot decrypt or alter the SSH3 traffic between A and C.

Documentation

Index

Constants

View Source 
const PROTOCOL_EXPERIMENTAL_SPEC_VERSION string = "alpha-00"
View Source 
const PROTOCOL_MAJOR int = 3

EXPERIMENTAL_SPEC_VERSION specifies which version of the protocol this software is implementing. The protocol version string format is: 

major + "." + minor[ + "_" + additional-version-information].

It currently implements a first early version with no specification (alpha). Once IETF drafts get published, we plan on having versions such as 3.0_draft-michel-ssh3-XX when implementing the IETF specification from draft-michel-ssh3-XX.

View Source 
const PROTOCOL_MINOR int = 0
View Source 
const SOFTWARE_IMPLEMENTATION_NAME string = "francoismichel/ssh3"
View Source 
const SOFTWARE_MAJOR int = 0
View Source 
const SOFTWARE_MINOR int = 1
View Source 
const SOFTWARE_PATCH int = 7
View Source 
const SOFTWARE_RC int = 0
View Source 
const SSH_FRAME_TYPE = 0xaf3627e6

Variables

View Source 
var AVAILABLE_CLIENT_VERSIONS []Version = []Version{
	ThisVersion(),
	NewVersion("SSH", NewProtocolVersion(3, 0, ""), NewSoftwareVersion(0, 1, 5, SOFTWARE_IMPLEMENTATION_NAME)),
	NewVersion("SSH", NewProtocolVersion(3, 0, ""), NewSoftwareVersion(0, 1, 4, SOFTWARE_IMPLEMENTATION_NAME)),
	NewVersion("SSH", NewProtocolVersion(3, 0, ""), NewSoftwareVersion(0, 1, 3, SOFTWARE_IMPLEMENTATION_NAME)),
}

Functions

func AppendKnownHost 

func AppendKnownHost(filename string, host string, cert *x509.Certificate) error

func GetConfigForHost 

func GetConfigForHost(host string, config *ssh_config.Config) (hostname string, port int, user string, urlPath string, authMethodsToTry []interface{}, err error)

func GetCurrentSoftwareVersion 

func GetCurrentSoftwareVersion() string

GetCurrentSoftwareVersion() returns the current software version to be displayed to the user For version string to be communicated between endpoints, use GetCurrentVersionString() instead.

func GetCurrentVersionString 

func GetCurrentVersionString() string

GetCurrentVersionString() returns the version string to be exchanged between two endpoints for version negotiation

func IsVersionSupported 

func IsVersionSupported(other Version) bool

Tells if the this version (a.k.a. the version returned by ThisVersion()) is compatible with `other`.

Types

type AgentAuthMethod 

type AgentAuthMethod struct {
	// contains filtered or unexported fields
}

func NewAgentAuthMethod 

func NewAgentAuthMethod(pubkey ssh.PublicKey) *AgentAuthMethod

func (*AgentAuthMethod) IntoIdentity 

func (m *AgentAuthMethod) IntoIdentity(agent agent.ExtendedAgent) Identity

A prerequisite of calling this methiod is that the provided pubkey is explicitly listed by the agent This can be verified beforehand by calling agent.List()

type AuthenticatedHandlerFunc 

type AuthenticatedHandlerFunc func(authenticatedUserName string, newConv *Conversation, w http.ResponseWriter, r *http.Request)

type Channel 

type Channel interface {
	ChannelID() util.ChannelID
	ConversationID() ConversationID
	ConversationStreamID() uint64
	NextMessage() (ssh3.Message, error)
	ReceiveDatagram(ctx context.Context) ([]byte, error)
	SendDatagram(datagram []byte) error
	SendRequest(r *ssh3.ChannelRequestMessage) error
	CancelRead()
	Close()
	MaxPacketSize() uint64
	WriteData(dataBuf []byte, dataType ssh3.SSHDataType) (int, error)
	ChannelType() string
	// contains filtered or unexported methods
}

func NewChannel 

func NewChannel(conversationStreamID uint64, conversationID ConversationID, channelID uint64, channelType string, maxPacketSize uint64, recv quic.ReceiveStream,
	send io.WriteCloser, datagramSender util.SSH3DatagramSenderFunc, channelCloseListener channelCloseListener, sendHeader bool, confirmSent bool,
	confirmReceived bool, datagramsQueueSize uint64, additonalHeaderBytes []byte) Channel

type ChannelDataHandler 

type ChannelDataHandler func(channel Channel, dataType ssh3.SSHDataType, data string)

type ChannelInfo 

type ChannelInfo struct {
	MaxPacketSize        uint64
	ConversationStreamID uint64
	ConversationID       ConversationID
	ChannelID            uint64
	ChannelType          string
}

type ChannelOpenFailure 

type ChannelOpenFailure struct {
	ReasonCode uint64
	ErrorMsg   string
}

func (ChannelOpenFailure) Error 

func (e ChannelOpenFailure) Error() string

type ControlStreamID 

type ControlStreamID = uint64

type Conversation 

type Conversation struct {
	// contains filtered or unexported fields
}

func NewClientConversation 

func NewClientConversation(maxPacketsize uint64, defaultDatagramsQueueSize uint64, tls *tls.ConnectionState) (*Conversation, error)

func NewServerConversation 

func NewServerConversation(ctx context.Context, controlStream http3.Stream, qconn quic.Connection, messageSender util.DatagramSender, maxPacketsize uint64, peerVersion Version) (*Conversation, error)

func (*Conversation) AcceptChannel 

func (c *Conversation) AcceptChannel(ctx context.Context) (Channel, error)

func (*Conversation) AddDatagram 

func (c *Conversation) AddDatagram(ctx context.Context, datagram []byte) error

blocks until the datagram is added the first field must be the channel ID

func (*Conversation) Close 

func (c *Conversation) Close()

func (*Conversation) Context 

func (c *Conversation) Context() context.Context

func (*Conversation) ConversationID 

func (c *Conversation) ConversationID() ConversationID

func (*Conversation) EstablishClientConversation 

func (c *Conversation) EstablishClientConversation(req *http.Request, roundTripper *http3.RoundTripper, supportedVersions []Version) error

func (*Conversation) OpenChannel 

func (c *Conversation) OpenChannel(channelType string, maxPacketSize uint64, datagramsQueueSize uint64) (Channel, error)

func (*Conversation) OpenTCPForwardingChannel 

func (c *Conversation) OpenTCPForwardingChannel(maxPacketSize uint64, datagramsQueueSize uint64, localAddr *net.TCPAddr, remoteAddr *net.TCPAddr) (Channel, error)

func (*Conversation) OpenUDPForwardingChannel 

func (c *Conversation) OpenUDPForwardingChannel(maxPacketSize uint64, datagramsQueueSize uint64, localAddr *net.UDPAddr, remoteAddr *net.UDPAddr) (Channel, error)

type ConversationID 

type ConversationID [32]byte

func GenerateConversationID 

func GenerateConversationID(tls *tls.ConnectionState) (convID ConversationID, err error)

func (ConversationID) String 

func (cid ConversationID) String() string

type ExecReqHandler 

type ExecReqHandler func(channel Channel, request ssh3.ExecRequest, wantReply bool)

type ExitSignalReqHandler 

type ExitSignalReqHandler func(channel Channel, request ssh3.ExitSignalRequest, wantReply bool)

type ExitStatusReqHandler 

type ExitStatusReqHandler func(channel Channel, request ssh3.ExitStatusRequest, wantReply bool)

type Identity 

type Identity interface {
	SetAuthorizationHeader(req *http.Request, username string, conversation *Conversation) error
	// provides an authentication name that can be used as a hint for the server in the url query params
	AuthHint() string
	fmt.Stringer
}

a generic way to generate SSH3 identities to populate the HTTP Authorization header

type InvalidKnownHost 

type InvalidKnownHost struct {
	// contains filtered or unexported fields
}

func (InvalidKnownHost) Error 

func (e InvalidKnownHost) Error() string

type InvalidProtocolVersion 

type InvalidProtocolVersion struct {
	// contains filtered or unexported fields
}

func (InvalidProtocolVersion) Error 

func (e InvalidProtocolVersion) Error() string

type InvalidSSHVersion 

type InvalidSSHVersion struct {
	// contains filtered or unexported fields
}

func (InvalidSSHVersion) Error 

func (e InvalidSSHVersion) Error() string

type InvalidSoftwareVersion 

type InvalidSoftwareVersion struct {
	// contains filtered or unexported fields
}

func (InvalidSoftwareVersion) Error 

func (e InvalidSoftwareVersion) Error() string

type KnownHosts 

type KnownHosts map[string][]*x509.Certificate

func ParseKnownHosts 

func ParseKnownHosts(filename string) (knownHosts KnownHosts, invalidLines []int, err error)

func (KnownHosts) Knows 

func (kh KnownHosts) Knows(hostname string) bool

type MessageOnNonConfirmedChannel 

type MessageOnNonConfirmedChannel struct {
	// contains filtered or unexported fields
}

func (MessageOnNonConfirmedChannel) Error 

func (e MessageOnNonConfirmedChannel) Error() string

type OidcAuthMethod 

type OidcAuthMethod struct {
	// contains filtered or unexported fields
}

func NewOidcAuthMethod 

func NewOidcAuthMethod(doPKCE bool, config *auth.OIDCConfig) *OidcAuthMethod

func (*OidcAuthMethod) DoPKCE 

func (m *OidcAuthMethod) DoPKCE() bool

func (*OidcAuthMethod) IntoIdentity 

func (m *OidcAuthMethod) IntoIdentity(bearerToken string) Identity

func (*OidcAuthMethod) OIDCConfig 

func (m *OidcAuthMethod) OIDCConfig() *auth.OIDCConfig

type PasswordAuthMethod 

type PasswordAuthMethod struct{}

func NewPasswordAuthMethod 

func NewPasswordAuthMethod() *PasswordAuthMethod

func (*PasswordAuthMethod) IntoIdentity 

func (m *PasswordAuthMethod) IntoIdentity(password string) Identity

type PrivkeyFileAuthMethod 

type PrivkeyFileAuthMethod struct {
	// contains filtered or unexported fields
}

func NewPrivkeyFileAuthMethod 

func NewPrivkeyFileAuthMethod(filename string) *PrivkeyFileAuthMethod

func (*PrivkeyFileAuthMethod) Filename 

func (m *PrivkeyFileAuthMethod) Filename() string

func (*PrivkeyFileAuthMethod) IntoIdentityPassphrase 

func (m *PrivkeyFileAuthMethod) IntoIdentityPassphrase(passphrase string) (Identity, error)

IntoIdentityPassphrase returns a passphrase-protected private key stored on the provided path. It supports the same keys as ssh.ParsePrivateKey If the passphrase is wrong, it returns an x509.IncorrectPasswordError.

func (*PrivkeyFileAuthMethod) IntoIdentityWithoutPassphrase 

func (m *PrivkeyFileAuthMethod) IntoIdentityWithoutPassphrase() (Identity, error)

IntoIdentityWithoutPassphrase returns an SSH3 identity stored on the provided path. It supports the same keys as ssh.ParsePrivateKey If the private key is encrypted, it returns an ssh.PassphraseMissingError.

type ProtocolVersion 

type ProtocolVersion struct {
	Major                   int
	Minor                   int
	ExperimentalSpecVersion string
}

func NewProtocolVersion 

func NewProtocolVersion(major int, minor int, experimentalspecversion string) ProtocolVersion

func ParseProtocolVersion 

func ParseProtocolVersion(versionString string) (ProtocolVersion, error)

func (ProtocolVersion) String 

func (v ProtocolVersion) String() string

type PtyReqHandler 

type PtyReqHandler func(channel Channel, request ssh3.PtyRequest, wantReply bool)

type ReceivedDatagramOnNonDatagramChannel 

type ReceivedDatagramOnNonDatagramChannel struct {
	// contains filtered or unexported fields
}

func (ReceivedDatagramOnNonDatagramChannel) Error 

func (e ReceivedDatagramOnNonDatagramChannel) Error() string

type SentDatagramOnNonDatagramChannel 

type SentDatagramOnNonDatagramChannel struct {
	// contains filtered or unexported fields
}

func (SentDatagramOnNonDatagramChannel) Error 

func (e SentDatagramOnNonDatagramChannel) Error() string

type Server 

type Server struct {
	// contains filtered or unexported fields
}

func NewServer 

func NewServer(maxPacketSize uint64, defaultDatagramQueueSize uint64, h3Server *http3.Server, conversationHandler ServerConversationHandler) *Server

func (*Server) GetHTTPHandlerFunc 

func (s *Server) GetHTTPHandlerFunc(ctx context.Context) AuthenticatedHandlerFunc

type ServerConversationHandler 

type ServerConversationHandler func(authenticatedUsername string, conversation *Conversation) error

type ShellReqHandler 

type ShellReqHandler func(channel Channel, request ssh3.ShellRequest, wantReply bool)

type SignalReqHandler 

type SignalReqHandler func(channel Channel, request ssh3.SignalRequest, wantReply bool)

type SoftwareVersion 

type SoftwareVersion struct {
	ImplementationName string
	Major              int
	Minor              int
	Patch              int
}

func NewSoftwareVersion 

func NewSoftwareVersion(major int, minor int, patch int, implementationName string) SoftwareVersion

func ParseSoftwareVersion 

func ParseSoftwareVersion(implementationName string, versionString string) (SoftwareVersion, error)

func (SoftwareVersion) String 

func (v SoftwareVersion) String() string

type StreamByteReader 

type StreamByteReader struct {
	http3.Stream
}

func (*StreamByteReader) ReadByte 

func (r *StreamByteReader) ReadByte() (byte, error)

type SubsystemReqHandler 

type SubsystemReqHandler func(channel Channel, request ssh3.SubsystemRequest, wantReply bool)

type TCPForwardingChannelImpl 

type TCPForwardingChannelImpl struct {
	RemoteAddr *net.TCPAddr
	Channel
}

type UDPForwardingChannelImpl 

type UDPForwardingChannelImpl struct {
	RemoteAddr *net.UDPAddr
	Channel
}

type UnauthenticatedBearerFunc 

type UnauthenticatedBearerFunc func(unauthenticatedBearerString string, base64ConversationID string, w http.ResponseWriter, r *http.Request)

type UnsupportedSSHVersion 

type UnsupportedSSHVersion struct {
	// contains filtered or unexported fields
}

func (UnsupportedSSHVersion) Error 

func (e UnsupportedSSHVersion) Error() string

type Version 

type Version struct {
	// contains filtered or unexported fields
}

func NewVersion 

func NewVersion(protocolName string, protocolVersion ProtocolVersion, softwareVersion SoftwareVersion) Version

func ParseVersionString 

func ParseVersionString(versionString string) (version Version, err error)

func ThisVersion 

func ThisVersion() Version

func (Version) GetProtocolVersion 

func (v Version) GetProtocolVersion() ProtocolVersion

func (Version) GetSoftwareVersion 

func (v Version) GetSoftwareVersion() SoftwareVersion

func (Version) GetVersionString 

func (v Version) GetVersionString() string

GetVersionString() returns the version string to be exchanged between two endpoints for version negotiation

type WindowChangeReqHandler 

type WindowChangeReqHandler func(channel Channel, request ssh3.WindowChangeRequest, wantReply bool)

type X11ReqHandler 

type X11ReqHandler func(channel Channel, request ssh3.X11Request, wantReply bool)

Source Files

View all Source files

Directories

Path Synopsis
winsize
cmd
ssh3
ssh3-server
unix_util

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.