package
1.5.0
Repository: https://github.com/resin-io/sshproxy.git
Documentation: pkg.go.dev

# README

sshproxy/resin

A "resin-ready" binary, requiring minimal configuration.

Configuration is possible via commandline flags, environment variables and config files.

Config files should be named sshproxy.<ext> and exist in the sshproxy work dir. The following config file formats are supported:

There are a total of 9 configuration options. With the exception of dir they can all be set via commandline, environment or config file.

| Name | Commandline | Environment | Config |
| --- | --- | --- | --- |
| API Host | --apihost -H | RESIN_API_HOST | apihost |
| API Port | --apiport -P | RESIN_API_PORT | apiport |
| API Key | --apikey -K | SSHPROXY_API_KEY | apikey |
| Dir | --dir -d | SSHPROXY_DIR | |
| Port | --port -p | SSHPROXY_PORT | port |
| Shell | --shell -s | SSHPROXY_SHELL | shell |
| Shell Uid | --shell-uid -u | SSHPROXY_SHELL_UID | shell-uid |
| Shell Gid | --shell-gid -g | SSHPROXY_SHELL_GID | shell-gid |
| Auth Failed Banner | --auth-failed-banner -b | SSHPROXY_AUTH_FAILED_BANNER | auth-failed-banner |
| Max Auth Tries | --max-auth-tries -m | SSHPROXY_MAX_AUTH_TRIES | max-auth-tries |
| Allow Env | --allow-env -E | SSHPROXY_ALLOW_ENV | allow-env |
| Sentry DSN | --sentry-dsn -S | SSHPROXY_SENTRY_DSN | sentry-dsn |

Usage of sshproxy:
  -E, --allow-env                   Pass environment from client to shell (default: false) (warning: security implications)
  -H, --apihost string              Resin API Host (default "api.resin.io")
  -K, --apikey string               Resin API Key (required)
  -P, --apiport string              Resin API Port (default "443")
  -b, --auth-failed-banner string   Path to template displayed after failed authentication
  -d, --dir string                  Work dir, holds ssh keys and sshproxy config (default "/etc/sshproxy")
  -m, --max-auth-tries int          Maximum number of authentication attempts per connection (default 0; unlimited)
  -p, --port int                    Port the ssh service will listen on (default 22)
  -S, --sentry-dsn string           Sentry DSN for error reporting
  -s, --shell string                Path to shell to execute post-authentication (default "shell.sh")
  -g, --shell-gid int               Group to run shell as (default: current gid)
  -u, --shell-uid int               User to run shell as (default: current uid)
      --version                     Display version and exit

Auth Failed Banner/Template

The 'auth failed banner' is a template rendered and displayed to the user after failed authentication. It should be a Go template, which has two available properties: .user and .fingerprints.
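
An added example, not sshproxy's own code, of a banner template that uses the two properties and of rendering it with Go's text/template. It assumes .user is a string and .fingerprints a list of strings passed in a map; bannerTmpl, printable and renderBanner are hypothetical names, and stripping control characters from the client-supplied user name is this example's choice, not documented sshproxy behaviour.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
	"unicode"
)

// Constructed banner template using only the two properties the README names.
const bannerTmpl = `Authentication failed for user "{{.user}}".
{{if .fingerprints}}Keys offered but not accepted:
{{range .fingerprints}}  {{.}}
{{end}}{{else}}No public key was offered.
{{end}}`

// printable drops control characters (e.g. terminal escape sequences) from a
// client-supplied value before it is echoed back in the banner.
func printable(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1
		}
		return r
	}, s)
}

// renderBanner executes the template against a map (assumed data shape).
// missingkey=error makes a misspelled property fail instead of printing "<no value>".
func renderBanner(text, user string, fingerprints []string) (string, error) {
	t, err := template.New("banner").Option("missingkey=error").Parse(text)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	data := map[string]interface{}{"user": printable(user), "fingerprints": fingerprints}
	if err := t.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	banner, err := renderBanner(bannerTmpl, "resin", []string{"SHA256:EXAMPLE-FINGERPRINT-1"})
	if err != nil {
		panic(err)
	}
	fmt.Print(banner)
}
```

Validating the template this way before pointing --auth-failed-banner at it catches a misspelled property before unauthenticated clients see it.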

Example Usage

% go get github.com/resin-io/sshproxy/resin
% export SSHPROXY_DIR=$(mktemp -d /tmp/sshproxy.XXXXXXXX)
% echo -e '#!/usr/bin/env bash\nenv' > ${SSHPROXY_DIR}/shell.sh && chmod +x ${SSHPROXY_DIR}/shell.sh
% SSHPROXY_PORT=2222 \
  SSHPROXY_API_KEY=... \
  go run ${GOPATH}/src/github.com/resin-io/sshproxy/resin/main.go
...
% ssh -o 'StrictHostKeyChecking=no' \
      -o 'UserKnownHostsFile=/dev/null' \
    resin@localhost -p2222 -- some command
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
SSH_USER=resin
PWD=...
LANG=en_GB.UTF-8
SHLVL=1
SSH_ORIGINAL_COMMAND=some command
LC_CTYPE=en_GB.UTF-8
_=/usr/bin/env

Building

The Makefile in the project root contains all necessary rules for linting, testing and building sshproxy packages. Building via a Docker image can be achieved with, for example:

docker run --rm -v $PWD:/go/src/github.com/resin-io/sshproxy golang make -C /go/src/github.com/resin-io/sshproxy lint test release