in pkg/sshd/ssh.go [121:198]
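// NewSSHTransport builds an SSH server that authenticates clients either with a
// user certificate signed by the optional root CA key, or with a plain public
// key listed in $HOME/.ssh/authorized_keys, and starts listening on s.Address.
//
// Parameters:
//   signer: host key presented to clients (added via AddHostKey).
//   name, domain: not referenced by this constructor; kept for callers.
//   root: authorized_keys-formatted public key used as the user CA. "" disables
//         certificate authentication. A value that fails to parse is logged and
//         treated like "" — the server keeps running with authorized_keys only.
//
// Returns the listening *Server, or the net.Listen error. The authorized_keys
// file is read once here; changes to it require a new Server.
func NewSSHTransport(signer gossh.Signer, name, domain, root string) (*Server, error) {
	// Trust anchor for user certificates; nil means certificate auth is off.
	var caKey gossh.PublicKey
	if root != "" {
		parsed, _, _, _, err := gossh.ParseAuthorizedKey([]byte(root))
		if err != nil {
			// NOTE(review): a configured-but-invalid CA is only logged, so the
			// server silently degrades to authorized_keys-only auth. Include the
			// parse error so an operator can tell misconfiguration apart from
			// "no CA configured".
			log.Println("No root CA key", err)
		} else {
			caKey = parsed
		}
	}

	// Pick an interactive shell. Later candidates override earlier ones, so the
	// effective preference is /bin/sh, then /bin/bash, then /busybox/sh (the
	// busybox path covers distroless debug images).
	shell := ""
	for _, candidate := range []string{"/busybox/sh", "/bin/bash", "/bin/sh"} {
		if _, err := os.Stat(candidate); err == nil {
			shell = candidate
		}
	}

	s := &Server{
		signer:       signer,
		serverConfig: &gossh.ServerConfig{},
		Port:         15022,
		Shell:        shell,
		// Checker for client *user* certificates: only certificates signed by
		// caKey are accepted as authorities. The remaining checks (validity
		// period, principals vs conn.User(), critical options) are left to
		// CertChecker.Authenticate — see the x/crypto/ssh documentation.
		CertChecker: &gossh.CertChecker{
			IsUserAuthority: func(auth gossh.PublicKey) bool {
				return caKey != nil && KeysEqual(auth, caKey)
			},
		},
	}

	// Static allow-list of plain public keys. A missing or unreadable file is
	// not an error: the server then accepts certificates only (or nothing at
	// all if caKey is nil). If HOME is unset this resolves to
	// /.ssh/authorized_keys.
	if authorized, err := ioutil.ReadFile(os.Getenv("HOME") + "/.ssh/authorized_keys"); err == nil {
		s.AddAuthorizedFile(authorized)
	}

	if s.Address == "" {
		s.Address = ":15022"
	}
	s.forwardHandler = &ForwardedTCPHandler{}

	s.serverConfig.PublicKeyCallback = func(conn gossh.ConnMetadata, key gossh.PublicKey) (*gossh.Permissions, error) {
		// 1. Certificate path, only when a CA is configured. A failed
		//    certificate check deliberately falls through to the static list
		//    rather than rejecting outright, so a bad or expired certificate is
		//    not fatal on its own — the presented key must then match an
		//    authorized_keys entry instead.
		if caKey != nil {
			if perms, err := s.CertChecker.Authenticate(conn, key); err == nil {
				return perms, nil
			}
		}
		// 2. Static allow-list. Record the fingerprint of the key that
		//    authenticated so later handlers and logs can attribute the
		//    session to a specific key.
		for _, allowed := range s.AuthorizedKeys {
			if KeysEqual(key, allowed) {
				return &gossh.Permissions{
					Extensions: map[string]string{
						"pubkey-fp": gossh.FingerprintSHA256(key),
					},
				}, nil
			}
		}
		return nil, errors.New("SSH connection: no key found")
	}
	s.serverConfig.AddHostKey(signer)

	// Once a ServerConfig has been configured, connections can be accepted.
	var err error
	s.Listener, err = net.Listen("tcp", s.Address)
	if err != nil {
		log.Println("Failed to listend on ", s.Address, err)
		return nil, err
	}
	log.Println("SSHD listening on ", s.Address)
	return s, nil
}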