GSSAPI middleware for crypto/ssh

The github.com/bodgit/sshkrb5 package implements the GSSAPIClient & GSSAPIServer interfaces in golang.org/x/crypto/ssh.

On non-Windows platforms GSSAPI is supported through either github.com/jcmturner/gokrb5 or github.com/openshift/gssapi. On Windows, SSPI is supported using github.com/alexbrainman/sspi.

It has been tested successfully against OpenSSH.

Sample client:

package main

import (
	"net"
	"os"
	"os/user"

	"github.com/bodgit/sshkrb5"
	"golang.org/x/crypto/ssh"
)

func main() {
	hostname := os.Args[1]

	u, err := user.Current()
	if err != nil {
		panic(err)
	}

	gssapi, err := sshkrb5.NewClient()
	if err != nil {
		panic(err)
	}
	defer gssapi.Close()

	config := &ssh.ClientConfig{
		User: u.Username,
		Auth: []ssh.AuthMethod{
			ssh.GSSAPIWithMICAuthMethod(gssapi, hostname),
		},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

	client, err := ssh.Dial("tcp", net.JoinHostPort(hostname, "22"), config)
	if err != nil {
		panic(err)
	}
	defer client.Close()

	session, err := client.NewSession()
	if err != nil {
		panic(err)
	}
	defer session.Close()

	b, err := session.Output("whoami")
	if err != nil {
		panic(err)
	}
	os.Stdout.Write(b)
}

Sample server:

package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net"

	"github.com/bodgit/sshkrb5"
	"golang.org/x/crypto/ssh"
)

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	buf := new(bytes.Buffer)
	if err := pem.Encode(buf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}); err != nil {
		panic(err)
	}

	private, err := ssh.ParsePrivateKey(buf.Bytes())
	if err != nil {
		panic(err)
	}

	gssapi, err := sshkrb5.NewServer()
	if err != nil {
		panic(err)
	}
	defer gssapi.Close()

	config := &ssh.ServerConfig{
		GSSAPIWithMICConfig: &ssh.GSSAPIWithMICConfig{
			AllowLogin: func(c ssh.ConnMetadata, name string) (*ssh.Permissions, error) {
				return nil, nil
			},
			Server: gssapi,
		},
	}

	config.AddHostKey(private)

	listener, err := net.Listen("tcp", "0.0.0.0:22")
	if err != nil {
		panic(err)
	}
	defer listener.Close()

	go func() {
		for {
			conn, err := listener.Accept()
			if err != nil {
				continue
			}

			_, chans, reqs, err := ssh.NewServerConn(conn, config)
			if err != nil {
				continue
			}

			go ssh.DiscardRequests(reqs)
			go handleChannels(chans)
		}
	}()
}

func handleChannels(chans <-chan ssh.NewChannel) {
	for newChannel := range chans {
		go handleChannel(newChannel)
	}
}

func handleChannel(newChannel ssh.NewChannel) {
	if t := newChannel.ChannelType(); t != "session" {
		_ = newChannel.Reject(ssh.UnknownChannelType, fmt.Sprintf("unknown channel type: %s", t))

		return
	}

	_, requests, err := newChannel.Accept()
	if err != nil {
		return
	}

	go ssh.DiscardRequests(requests)
}

Name	Name	Last commit message	Last commit date
Latest commit dependabot[bot] chore(deps): Bump golang.org/x/crypto from 0.26.0 to 0.31.0 (#106 ) Dec 14, 2024 a9af65b · Dec 14, 2024 History 156 Commits
.github	.github	chore(deps): Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#104	Dec 12, 2024
testdata	testdata	ci: Downgrade Docker (#99 )	Jul 29, 2024
.gitignore	.gitignore	feat: Implement ssh.GSSAPIServer interface (#48 )	Sep 19, 2023
.golangci.yaml	.golangci.yaml	chore(deps): Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#104	Dec 12, 2024
.pre-commit-config.yaml	.pre-commit-config.yaml	chore(deps): Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#104	Dec 12, 2024
.release-please-manifest.json	.release-please-manifest.json	chore(main): release 1.2.0 (#67 )	Sep 20, 2023
CHANGELOG.md	CHANGELOG.md	chore(main): release 1.2.0 (#67 )	Sep 20, 2023
LICENSE	LICENSE	chore(deps): Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#104	Dec 12, 2024
README.md	README.md	chore(deps): Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#104	Dec 12, 2024
apcera.go	apcera.go	style: Remove variable declarations and naked returns (#70 )	Sep 27, 2023
apcera_test.go	apcera_test.go	feat: Implement ssh.GSSAPIServer interface (#48 )	Sep 19, 2023
export_test.go	export_test.go	feat: Implement ssh.GSSAPIServer interface (#48 )	Sep 19, 2023
go.mod	go.mod	chore(deps): Bump golang.org/x/crypto from 0.26.0 to 0.31.0 (#106 )	Dec 14, 2024
go.sum	go.sum	chore(deps): Bump golang.org/x/crypto from 0.26.0 to 0.31.0 (#106 )	Dec 14, 2024
gokrb5.go	gokrb5.go	style: Lint fixes (#87 )	Feb 28, 2024
gokrb5_test.go	gokrb5_test.go	style: Remove variable declarations and naked returns (#70 )	Sep 27, 2023
options.go	options.go	feat: Add function options to NewClient (#66 )	Sep 20, 2023
options_posix.go	options_posix.go	feat: Implement ssh.GSSAPIServer interface (#48 )	Sep 19, 2023
options_windows.go	options_windows.go	feat: Add function options to NewClient (#66 )	Sep 20, 2023
release-please-config.json	release-please-config.json	feat: Add function options to NewClient (#66 )	Sep 20, 2023
sshkrb5.go	sshkrb5.go	style: Remove variable declarations and naked returns (#70 )	Sep 27, 2023
sshkrb5_test.go	sshkrb5_test.go	style: Remove variable declarations and naked returns (#70 )	Sep 27, 2023
sspi.go	sspi.go	feat: Add function options to NewClient (#66 )	Sep 20, 2023
sspi_test.go	sspi_test.go	feat: Implement ssh.GSSAPIServer interface (#48 )	Sep 19, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

GSSAPI middleware for crypto/ssh

About

Releases 3

Contributors 3

Languages

License

bodgit/sshkrb5

Folders and files

Latest commit

History

Repository files navigation

GSSAPI middleware for crypto/ssh

About

Topics

Resources

License

Stars

Watchers

Forks

Releases 3

Contributors 3

Languages