Involved Source Filesbuffer.gocerts.gochannel.gocipher.goclient.goclient_auth.gocommon.goconnection.go Package ssh implements an SSH client and server.
SSH is a transport security protocol, an authentication protocol and a
family of application protocols. The most typical application level
protocol is a remote shell and this is specifically implemented. However,
the multiplexed nature of SSH is exposed to users that wish to support
others.
References:
[PROTOCOL]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL?rev=HEAD
[PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
[SSH-PARAMETERS]: http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
This package does not fall under the stability promise of the Go language itself,
so its API may be changed when pressing needs arise.handshake.gokex.gokeys.gomac.gomessages.gomux.goserver.gosession.gossh_gss.gostreamlocal.gotcpip.gotransport.go
Code Examples
package main
import (
"crypto/rand"
"crypto/rsa"
"fmt"
"log"
"golang.org/x/crypto/ssh"
)
func main() {
// Sign a certificate with a specific algorithm.
privateKey, err := rsa.GenerateKey(rand.Reader, 3072)
if err != nil {
log.Fatal("unable to generate RSA key: ", err)
}
publicKey, err := ssh.NewPublicKey(&privateKey.PublicKey)
if err != nil {
log.Fatal("unable to get RSA public key: ", err)
}
caKey, err := rsa.GenerateKey(rand.Reader, 3072)
if err != nil {
log.Fatal("unable to generate CA key: ", err)
}
signer, err := ssh.NewSignerFromKey(caKey)
if err != nil {
log.Fatal("unable to generate signer from key: ", err)
}
mas, err := ssh.NewSignerWithAlgorithms(signer.(ssh.AlgorithmSigner), []string{ssh.KeyAlgoRSASHA256})
if err != nil {
log.Fatal("unable to create signer with algoritms: ", err)
}
certificate := ssh.Certificate{
Key: publicKey,
CertType: ssh.UserCert,
}
if err := certificate.SignCert(rand.Reader, mas); err != nil {
log.Fatal("unable to sign certificate: ", err)
}
// Save the public key to a file and check that rsa-sha-256 is used for
// signing:
// ssh-keygen -L -f <path to the file>
fmt.Println(string(ssh.MarshalAuthorizedKey(&certificate)))
}
package main
import (
"bufio"
"log"
"os"
"path/filepath"
"strings"
"golang.org/x/crypto/ssh"
)
func main() {
// Every client must provide a host key check. Here is a
// simple-minded parse of OpenSSH's known_hosts file
host := "hostname"
file, err := os.Open(filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts"))
if err != nil {
log.Fatal(err)
}
defer file.Close()
scanner := bufio.NewScanner(file)
var hostKey ssh.PublicKey
for scanner.Scan() {
fields := strings.Split(scanner.Text(), " ")
if len(fields) != 3 {
continue
}
if strings.Contains(fields[0], host) {
var err error
hostKey, _, _, _, err = ssh.ParseAuthorizedKey(scanner.Bytes())
if err != nil {
log.Fatalf("error parsing %q: %v", fields[2], err)
}
break
}
}
if hostKey == nil {
log.Fatalf("no hostkey for %s", host)
}
config := ssh.ClientConfig{
User: os.Getenv("USER"),
HostKeyCallback: ssh.FixedHostKey(hostKey),
}
_, err = ssh.Dial("tcp", host+":22", &config)
log.Println(err)
}
package main
import (
"fmt"
"log"
"net/http"
"golang.org/x/crypto/ssh"
)
func main() {
var hostKey ssh.PublicKey
config := &ssh.ClientConfig{
User: "username",
Auth: []ssh.AuthMethod{
ssh.Password("password"),
},
HostKeyCallback: ssh.FixedHostKey(hostKey),
}
// Dial your ssh server.
conn, err := ssh.Dial("tcp", "localhost:22", config)
if err != nil {
log.Fatal("unable to connect: ", err)
}
defer conn.Close()
// Request the remote side to open port 8080 on all interfaces.
l, err := conn.Listen("tcp", "0.0.0.0:8080")
if err != nil {
log.Fatal("unable to register tcp forward: ", err)
}
defer l.Close()
// Serve HTTP with your SSH server acting as a reverse proxy.
http.Serve(l, http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
fmt.Fprintf(resp, "Hello world!\n")
}))
}
package main
import (
"bytes"
"fmt"
"log"
"golang.org/x/crypto/ssh"
)
func main() {
var hostKey ssh.PublicKey
// An SSH client is represented with a ClientConn.
//
// To authenticate with the remote server you must pass at least one
// implementation of AuthMethod via the Auth field in ClientConfig,
// and provide a HostKeyCallback.
config := &ssh.ClientConfig{
User: "username",
Auth: []ssh.AuthMethod{
ssh.Password("yourpassword"),
},
HostKeyCallback: ssh.FixedHostKey(hostKey),
}
client, err := ssh.Dial("tcp", "yourserver.com:22", config)
if err != nil {
log.Fatal("Failed to dial: ", err)
}
defer client.Close()
// Each ClientConn can support multiple interactive sessions,
// represented by a Session.
session, err := client.NewSession()
if err != nil {
log.Fatal("Failed to create session: ", err)
}
defer session.Close()
// Once a Session is created, you can execute a single command on
// the remote side using the Run method.
var b bytes.Buffer
session.Stdout = &b
if err := session.Run("/usr/bin/whoami"); err != nil {
log.Fatal("Failed to run: " + err.Error())
}
fmt.Println(b.String())
}
package main
import (
"fmt"
"log"
"net"
"os"
"golang.org/x/crypto/ssh"
"golang.org/x/crypto/ssh/terminal"
)
func main() {
// Public key authentication is done by comparing
// the public key of a received connection
// with the entries in the authorized_keys file.
authorizedKeysBytes, err := os.ReadFile("authorized_keys")
if err != nil {
log.Fatalf("Failed to load authorized_keys, err: %v", err)
}
authorizedKeysMap := map[string]bool{}
for len(authorizedKeysBytes) > 0 {
pubKey, _, _, rest, err := ssh.ParseAuthorizedKey(authorizedKeysBytes)
if err != nil {
log.Fatal(err)
}
authorizedKeysMap[string(pubKey.Marshal())] = true
authorizedKeysBytes = rest
}
// An SSH server is represented by a ServerConfig, which holds
// certificate details and handles authentication of ServerConns.
config := &ssh.ServerConfig{
// Remove to disable password auth.
PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
// Should use constant-time compare (or better, salt+hash) in
// a production setting.
if c.User() == "testuser" && string(pass) == "tiger" {
return nil, nil
}
return nil, fmt.Errorf("password rejected for %q", c.User())
},
// Remove to disable public key auth.
PublicKeyCallback: func(c ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
if authorizedKeysMap[string(pubKey.Marshal())] {
return &ssh.Permissions{
// Record the public key used for authentication.
Extensions: map[string]string{
"pubkey-fp": ssh.FingerprintSHA256(pubKey),
},
}, nil
}
return nil, fmt.Errorf("unknown public key for %q", c.User())
},
}
privateBytes, err := os.ReadFile("id_rsa")
if err != nil {
log.Fatal("Failed to load private key: ", err)
}
private, err := ssh.ParsePrivateKey(privateBytes)
if err != nil {
log.Fatal("Failed to parse private key: ", err)
}
config.AddHostKey(private)
// Once a ServerConfig has been configured, connections can be
// accepted.
listener, err := net.Listen("tcp", "0.0.0.0:2022")
if err != nil {
log.Fatal("failed to listen for connection: ", err)
}
nConn, err := listener.Accept()
if err != nil {
log.Fatal("failed to accept incoming connection: ", err)
}
// Before use, a handshake must be performed on the incoming
// net.Conn.
conn, chans, reqs, err := ssh.NewServerConn(nConn, config)
if err != nil {
log.Fatal("failed to handshake: ", err)
}
log.Printf("logged in with key %s", conn.Permissions.Extensions["pubkey-fp"])
// The incoming Request channel must be serviced.
go ssh.DiscardRequests(reqs)
// Service the incoming Channel channel.
for newChannel := range chans {
// Channels have a type, depending on the application level
// protocol intended. In the case of a shell, the type is
// "session" and ServerShell may be used to present a simple
// terminal interface.
if newChannel.ChannelType() != "session" {
newChannel.Reject(ssh.UnknownChannelType, "unknown channel type")
continue
}
channel, requests, err := newChannel.Accept()
if err != nil {
log.Fatalf("Could not accept channel: %v", err)
}
// Sessions have out-of-band requests such as "shell",
// "pty-req" and "env". Here we handle only the
// "shell" request.
go func(in <-chan *ssh.Request) {
for req := range in {
req.Reply(req.Type == "shell", nil)
}
}(requests)
term := terminal.NewTerminal(channel, "> ")
go func() {
defer channel.Close()
for {
line, err := term.ReadLine()
if err != nil {
break
}
fmt.Println(line)
}
}()
}
}
package main
import (
"log"
"os"
"golang.org/x/crypto/ssh"
)
func main() {
var hostKey ssh.PublicKey
// A public key may be used to authenticate against the remote
// server by using an unencrypted PEM-encoded private key file.
//
// If you have an encrypted private key, the crypto/x509 package
// can be used to decrypt it.
key, err := os.ReadFile("/home/user/.ssh/id_rsa")
if err != nil {
log.Fatalf("unable to read private key: %v", err)
}
// Create the Signer for this private key.
signer, err := ssh.ParsePrivateKey(key)
if err != nil {
log.Fatalf("unable to parse private key: %v", err)
}
config := &ssh.ClientConfig{
User: "user",
Auth: []ssh.AuthMethod{
// Use the PublicKeys method for remote authentication.
ssh.PublicKeys(signer),
},
HostKeyCallback: ssh.FixedHostKey(hostKey),
}
// Connect to the remote server and perform the SSH handshake.
client, err := ssh.Dial("tcp", "host.com:22", config)
if err != nil {
log.Fatalf("unable to connect: %v", err)
}
defer client.Close()
}
package main
import (
"fmt"
"log"
"os"
"golang.org/x/crypto/ssh"
)
func main() {
// Minimal ServerConfig supporting only password authentication.
config := &ssh.ServerConfig{
PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
// Should use constant-time compare (or better, salt+hash) in
// a production setting.
if c.User() == "testuser" && string(pass) == "tiger" {
return nil, nil
}
return nil, fmt.Errorf("password rejected for %q", c.User())
},
}
privateBytes, err := os.ReadFile("id_rsa")
if err != nil {
log.Fatal("Failed to load private key: ", err)
}
private, err := ssh.ParsePrivateKey(privateBytes)
if err != nil {
log.Fatal("Failed to parse private key: ", err)
}
// Restrict host key algorithms to disable ssh-rsa.
signer, err := ssh.NewSignerWithAlgorithms(private.(ssh.AlgorithmSigner), []string{ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512})
if err != nil {
log.Fatal("Failed to create private key with restricted algorithms: ", err)
}
config.AddHostKey(signer)
}
package main
import (
"log"
"golang.org/x/crypto/ssh"
)
func main() {
var hostKey ssh.PublicKey
// Create client config
config := &ssh.ClientConfig{
User: "username",
Auth: []ssh.AuthMethod{
ssh.Password("password"),
},
HostKeyCallback: ssh.FixedHostKey(hostKey),
}
// Connect to ssh server
conn, err := ssh.Dial("tcp", "localhost:22", config)
if err != nil {
log.Fatal("unable to connect: ", err)
}
defer conn.Close()
// Create a session
session, err := conn.NewSession()
if err != nil {
log.Fatal("unable to create session: ", err)
}
defer session.Close()
// Set up terminal modes
modes := ssh.TerminalModes{
ssh.ECHO: 0, // disable echoing
ssh.TTY_OP_ISPEED: 14400, // input speed = 14.4kbaud
ssh.TTY_OP_OSPEED: 14400, // output speed = 14.4kbaud
}
// Request pseudo terminal
if err := session.RequestPty("xterm", 40, 80, modes); err != nil {
log.Fatal("request for pseudo terminal failed: ", err)
}
// Start remote shell
if err := session.Shell(); err != nil {
log.Fatal("failed to start shell: ", err)
}
}
Package-Level Type Names (total 36)
/* sort by: | */
An AlgorithmSigner is a Signer that also supports specifying an algorithm to
use for signing.
An AlgorithmSigner can't advertise the algorithms it supports, unless it also
implements MultiAlgorithmSigner, so it should be prepared to be invoked with
every algorithm supported by the public key format. PublicKey returns the associated PublicKey. Sign returns a signature for the given data. This method will hash the
data appropriately first. The signature algorithm is expected to match
the key format returned by the PublicKey.Type method (and not to be any
alternative algorithm supported by the key format). SignWithAlgorithm is like Signer.Sign, but allows specifying a desired
signing algorithm. Callers may pass an empty string for the algorithm in
which case the AlgorithmSigner will use a default algorithm. This default
doesn't currently control any behavior in this package.MultiAlgorithmSigner(interface)
AlgorithmSigner : Signer
func NewSignerWithAlgorithms(signer AlgorithmSigner, algorithms []string) (MultiAlgorithmSigner, error)
BannerCallback is the function type used for treat the banner sent by
the server. A BannerCallback receives the message sent by the remote server.
func BannerDisplayStderr() BannerCallback
CertChecker does the work of verifying a certificate. Its methods
can be plugged into ClientConfig.HostKeyCallback and
ServerConfig.PublicKeyCallback. For the CertChecker to work,
minimally, the IsAuthority callback should be set. Clock is used for verifying time stamps. If nil, time.Now
is used. HostKeyFallback is called when CertChecker.CheckHostKey encounters a
public key that is not a certificate. It must implement host key
validation or else, if nil, all such keys are rejected. IsHostAuthority should report whether the key is recognized as
an authority for this host. This allows for certificates to be
signed by other keys, and for those other keys to only be valid
signers for particular hostnames. This must be set if this
CertChecker will be checking host certificates. IsRevoked is called for each certificate so that revocation checking
can be implemented. It should return true if the given certificate
is revoked and false otherwise. If nil, no certificates are
considered to have been revoked. IsUserAuthority should return true if the key is recognized as an
authority for the given user certificate. This allows for
certificates to be signed by other certificates. This must be set
if this CertChecker will be checking user certificates. SupportedCriticalOptions lists the CriticalOptions that the
server application layer understands. These are only used
for user certificates. UserKeyFallback is called when CertChecker.Authenticate encounters a
public key that is not a certificate. It must implement validation
of user keys or else, if nil, all such keys are rejected. Authenticate checks a user certificate. Authenticate can be used as
a value for ServerConfig.PublicKeyCallback. CheckCert checks CriticalOptions, ValidPrincipals, revocation, timestamp and
the signature of the certificate. CheckHostKey checks a host key certificate. This method can be
plugged into ClientConfig.HostKeyCallback.
An Certificate represents an OpenSSH certificate as defined in
[PROTOCOL.certkeys]?rev=1.8. The Certificate type implements the
PublicKey interface, so it can be unmarshaled using
ParsePublicKey.CertTypeuint32KeyPublicKeyKeyIdstringNonce[]bytePermissionsPermissions CriticalOptions indicate restrictions to the default
permissions, and are typically used in conjunction with
user certificates. The standard for SSH certificates
defines "force-command" (only allow the given command to
execute) and "source-address" (only allow connections from
the given address). The SSH package currently only enforces
the "source-address" critical option. It is up to server
implementations to enforce other critical options, such as
"force-command", by checking them after the SSH handshake
is successful. In general, SSH servers should reject
connections that specify critical options that are unknown
or not supported. Extensions are extra functionality that the server may
offer on authenticated connections. Lack of support for an
extension does not preclude authenticating a user. Common
extensions are "permit-agent-forwarding",
"permit-X11-forwarding". The Go SSH library currently does
not act on any extension, and it is up to server
implementations to honor them. Extensions can be used to
pass data from the authentication callbacks to the server
application layer.Reserved[]byteSerialuint64Signature*SignatureSignatureKeyPublicKeyValidAfteruint64ValidBeforeuint64ValidPrincipals[]string Marshal serializes c into OpenSSH's wire format. It is part of the
PublicKey interface. SignCert signs the certificate with an authority, setting the Nonce,
SignatureKey, and Signature fields. If the authority implements the
MultiAlgorithmSigner interface the first algorithm in the list is used. This
is useful if you want to sign with a specific algorithm. Type returns the certificate algorithm name. It is part of the PublicKey interface. Verify verifies a signature against the certificate's public
key. It is part of the PublicKey interface.
*Certificate : PublicKey
func NewCertSigner(cert *Certificate, signer Signer) (Signer, error)
func (*CertChecker).CheckCert(principal string, cert *Certificate) error
A Channel is an ordered, reliable, flow-controlled, duplex stream
that is multiplexed over an SSH connection. Close signals end of channel use. No data may be sent after this
call. CloseWrite signals the end of sending in-band
data. Requests may still be sent, and the other side may
still send data Read reads up to len(data) bytes from the channel. SendRequest sends a channel request. If wantReply is true,
it will wait for a reply and return the result as a
boolean, otherwise the return value will be false. Channel
requests are out-of-band messages so they may be sent even
if the data stream is closed or blocked by flow control.
If the channel is closed before a reply is returned, io.EOF
is returned. Stderr returns an io.ReadWriter that writes to this channel
with the extended data type set to stderr. Stderr may
safely be read and written from a different goroutine than
Read and Write respectively. Write writes len(data) bytes to the channel.
Channel : internal/bisect.Writer
Channel : io.Closer
Channel : io.ReadCloser
Channel : io.Reader
Channel : io.ReadWriteCloser
Channel : io.ReadWriter
Channel : io.WriteCloser
Channel : io.Writer
func Conn.OpenChannel(name string, data []byte) (Channel, <-chan *Request, error)
func NewChannel.Accept() (Channel, <-chan *Request, error)
Client implements a traditional SSH client that supports shells,
subprocesses, TCP port/streamlocal forwarding and tunneled dialing.ConnConn ClientVersion returns the client's version string as hashed
into the session ID. Close closes the underlying network connection Dial initiates a connection to the addr from the remote host.
The resulting connection has a zero LocalAddr() and RemoteAddr(). DialTCP connects to the remote address raddr on the network net,
which must be "tcp", "tcp4", or "tcp6". If laddr is not nil, it is used
as the local address for the connection. HandleChannelOpen returns a channel on which NewChannel requests
for the given type are sent. If the type already is being handled,
nil is returned. The channel is closed when the connection is closed. Listen requests the remote peer open a listening socket on
addr. Incoming connections will be available by calling Accept on
the returned net.Listener. The listener must be serviced, or the
SSH connection may hang.
N must be "tcp", "tcp4", "tcp6", or "unix". ListenTCP requests the remote peer open a listening socket
on laddr. Incoming connections will be available by calling
Accept on the returned net.Listener. ListenUnix is similar to ListenTCP but uses a Unix domain socket. LocalAddr returns the local address for this connection. NewSession opens a new Session for this client. (A session is a remote
execution of a program.) OpenChannel tries to open an channel. If the request is
rejected, it returns *OpenChannelError. On success it returns
the SSH Channel and a Go channel for incoming, out-of-band
requests. The Go channel must be serviced, or the
connection will hang. RemoteAddr returns the remote address for this connection. SendRequest sends a global request, and returns the
reply. If wantReply is true, it returns the response status
and payload. See also RFC 4254, section 4. ServerVersion returns the server's version string as hashed
into the session ID. SessionID returns the session hash, also denoted by H. User returns the user ID for this connection. Wait blocks until the connection has shut down, and returns the
error causing the shutdown.
Client : Conn
Client : ConnMetadata
Client : io.Closer
func Dial(network, addr string, config *ClientConfig) (*Client, error)
func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client
func github.com/limanmys/render-engine/internal/bridge.InitShellWithCert(username, certificate, host, port string) (*Client, error)
func github.com/limanmys/render-engine/internal/bridge.InitShellWithPassword(username, password, host, port string) (*Client, error)
func github.com/limanmys/render-engine/internal/bridge.OpenSFTPConnection(conn *Client) *sftp.Client
func github.com/pkg/sftp.NewClient(conn *Client, opts ...sftp.ClientOption) (*sftp.Client, error)
A ClientConfig structure is used to configure a Client. It must not be
modified after having been passed to an SSH function. Auth contains possible authentication methods to use with the
server. Only the first instance of a particular RFC 4252 method will
be used during authentication. BannerCallback is called during the SSH dance to display a custom
server's message. The client configuration can supply this callback to
handle it as wished. The function BannerDisplayStderr can be used for
simplistic display on Stderr. ClientVersion contains the version identification string that will
be used for the connection. If empty, a reasonable default is used. Config contains configuration that is shared between clients and
servers. The allowed cipher algorithms. If unspecified then a sensible default is
used. Unsupported values are silently ignored. The allowed key exchanges algorithms. If unspecified then a default set
of algorithms is used. Unsupported values are silently ignored. The allowed MAC algorithms. If unspecified then a sensible default is
used. Unsupported values are silently ignored. Rand provides the source of entropy for cryptographic
primitives. If Rand is nil, the cryptographic random reader
in package crypto/rand will be used. The maximum number of bytes sent or received after which a
new key is negotiated. It must be at least 256. If
unspecified, a size suitable for the chosen cipher is used. HostKeyAlgorithms lists the public key algorithms that the client will
accept from the server for host key authentication, in order of
preference. If empty, a reasonable default is used. Any
string returned from a PublicKey.Type method may be used, or
any of the CertAlgo and KeyAlgo constants. HostKeyCallback is called during the cryptographic
handshake to validate the server's host key. The client
configuration must supply this callback for the connection
to succeed. The functions InsecureIgnoreHostKey or
FixedHostKey can be used for simplistic host key checks. Timeout is the maximum amount of time for the TCP connection to establish.
A Timeout of zero means no timeout. User contains the username to authenticate as. SetDefaults sets sensible values for unset fields in config. This is
exported for testing: Configs passed to SSH functions are copied and have
default values set automatically.
func Dial(network, addr string, config *ClientConfig) (*Client, error)
func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error)
Config contains configuration data common to both ServerConfig and
ClientConfig. The allowed cipher algorithms. If unspecified then a sensible default is
used. Unsupported values are silently ignored. The allowed key exchanges algorithms. If unspecified then a default set
of algorithms is used. Unsupported values are silently ignored. The allowed MAC algorithms. If unspecified then a sensible default is
used. Unsupported values are silently ignored. Rand provides the source of entropy for cryptographic
primitives. If Rand is nil, the cryptographic random reader
in package crypto/rand will be used. The maximum number of bytes sent or received after which a
new key is negotiated. It must be at least 256. If
unspecified, a size suitable for the chosen cipher is used. SetDefaults sets sensible values for unset fields in config. This is
exported for testing: Configs passed to SSH functions are copied and have
default values set automatically.
Conn represents an SSH connection for both server and client roles.
Conn is the basis for implementing an application layer, such
as ClientConn, which implements the traditional shell access for
clients. ClientVersion returns the client's version string as hashed
into the session ID. Close closes the underlying network connection LocalAddr returns the local address for this connection. OpenChannel tries to open an channel. If the request is
rejected, it returns *OpenChannelError. On success it returns
the SSH Channel and a Go channel for incoming, out-of-band
requests. The Go channel must be serviced, or the
connection will hang. RemoteAddr returns the remote address for this connection. SendRequest sends a global request, and returns the
reply. If wantReply is true, it returns the response status
and payload. See also RFC 4254, section 4. ServerVersion returns the server's version string as hashed
into the session ID. SessionID returns the session hash, also denoted by H. User returns the user ID for this connection. Wait blocks until the connection has shut down, and returns the
error causing the shutdown.ClientServerConn
Conn : ConnMetadata
Conn : io.Closer
func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error)
func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client
ConnMetadata holds metadata for the connection. ClientVersion returns the client's version string as hashed
into the session ID. LocalAddr returns the local address for this connection. RemoteAddr returns the remote address for this connection. ServerVersion returns the server's version string as hashed
into the session ID. SessionID returns the session hash, also denoted by H. User returns the user ID for this connection.ClientConn(interface)ServerConn
func (*CertChecker).Authenticate(conn ConnMetadata, pubKey PublicKey) (*Permissions, error)
CryptoPublicKey, if implemented by a PublicKey,
returns the underlying crypto.PublicKey form of the key.( CryptoPublicKey) CryptoPublicKey() crypto.PublicKey
An ExitError reports unsuccessful completion of a remote command.WaitmsgWaitmsg(*ExitError) Error() string ExitStatus returns the exit status of the remote command. Lang returns the language tag. See RFC 3066 Msg returns the exit message given by the remote command Signal returns the exit signal of the remote command if
it was terminated violently.( ExitError) String() string
*ExitError : error
ExitError : fmt.Stringer
ExitError : github.com/ChrisTrenkamp/goxpath/tree.Result
ExitMissingError is returned if a session is torn down cleanly, but
the server sends no confirmation of the exit status.(*ExitMissingError) Error() string
*ExitMissingError : error
GSSAPIClient provides the API to plug-in GSSAPI authentication for client logins. Whenever possible, it should be possible for
DeleteSecContext() calls to be successfully processed even
if other calls cannot succeed, thereby enabling context-related
resources to be released.
In addition to deleting established security contexts,
gss_delete_sec_context must also be able to delete "half-built"
security contexts resulting from an incomplete sequence of
InitSecContext()/AcceptSecContext() calls.
See RFC 2743 section 2.2.3. GetMIC generates a cryptographic MIC for the SSH2 message, and places
the MIC in a token for transfer to the ssh server.
The contents of the MIC field are obtained by calling GSS_GetMIC()
over the following, using the GSS-API context that was just
established:
string session identifier
byte SSH_MSG_USERAUTH_REQUEST
string user name
string service
string "gssapi-with-mic"
See RFC 2743 section 2.3.1 and RFC 4462 3.5. InitSecContext initiates the establishment of a security context for GSS-API between the
ssh client and ssh server. Initially the token parameter should be specified as nil.
The routine may return a outputToken which should be transferred to
the ssh server, where the ssh server will present it to
AcceptSecContext. If no token need be sent, InitSecContext will indicate this by setting
needContinue to false. To complete the context
establishment, one or more reply tokens may be required from the ssh
server;if so, InitSecContext will return a needContinue which is true.
In this case, InitSecContext should be called again when the
reply token is received from the ssh server, passing the reply
token to InitSecContext via the token parameters.
See RFC 2743 section 2.2.1 and RFC 4462 section 3.4.
func GSSAPIWithMICAuthMethod(gssAPIClient GSSAPIClient, target string) AuthMethod
GSSAPIServer provides the API to plug in GSSAPI authentication for server logins. AcceptSecContext allows a remotely initiated security context between the application
and a remote peer to be established by the ssh client. The routine may return a
outputToken which should be transferred to the ssh client,
where the ssh client will present it to InitSecContext.
If no token need be sent, AcceptSecContext will indicate this
by setting the needContinue to false. To
complete the context establishment, one or more reply tokens may be
required from the ssh client. if so, AcceptSecContext
will return a needContinue which is true, in which case it
should be called again when the reply token is received from the ssh
client, passing the token to AcceptSecContext via the
token parameters.
The srcName return value is the authenticated username.
See RFC 2743 section 2.2.2 and RFC 4462 section 3.4. Whenever possible, it should be possible for
DeleteSecContext() calls to be successfully processed even
if other calls cannot succeed, thereby enabling context-related
resources to be released.
In addition to deleting established security contexts,
gss_delete_sec_context must also be able to delete "half-built"
security contexts resulting from an incomplete sequence of
InitSecContext()/AcceptSecContext() calls.
See RFC 2743 section 2.2.3. VerifyMIC verifies that a cryptographic MIC, contained in the token parameter,
fits the supplied message is received from the ssh client.
See RFC 2743 section 2.3.2.
AllowLogin, must be set, is called when gssapi-with-mic
authentication is selected (RFC 4462 section 3). The srcName is from the
results of the GSS-API authentication. The format is username@DOMAIN.
GSSAPI just guarantees to the server who the user is, but not if they can log in, and with what permissions.
This callback is called after the user identity is established with GSSAPI to decide if the user can login with
which permissions. If the user is allowed to login, it should return a nil error. Server must be set. It's the implementation
of the GSSAPIServer interface. See GSSAPIServer interface for details.
HostKeyCallback is the function type used for verifying server
keys. A HostKeyCallback must return nil if the host key is OK, or
an error to reject it. It receives the hostname as passed to Dial
or NewClientConn. The remote address is the RemoteAddr of the
net.Conn underlying the SSH connection.
func FixedHostKey(key PublicKey) HostKeyCallback
func InsecureIgnoreHostKey() HostKeyCallback
KeyboardInteractiveChallenge should print questions, optionally
disabling echoing (e.g. for passwords), and return all the answers.
Challenge may be called multiple times in a single session. After
successful authentication, the server may send a challenge with no
questions, for which the name and instruction messages should be
printed. RFC 4256 section 3.3 details how the UI should behave for
both CLI and GUI environments.
KeyboardInteractiveChallenge : AuthMethod
func KeyboardInteractive(challenge KeyboardInteractiveChallenge) AuthMethod
MultiAlgorithmSigner is an AlgorithmSigner that also reports the algorithms
supported by that signer. Algorithms returns the available algorithms in preference order. The list
must not be empty, and it must not include certificate types. PublicKey returns the associated PublicKey. Sign returns a signature for the given data. This method will hash the
data appropriately first. The signature algorithm is expected to match
the key format returned by the PublicKey.Type method (and not to be any
alternative algorithm supported by the key format). SignWithAlgorithm is like Signer.Sign, but allows specifying a desired
signing algorithm. Callers may pass an empty string for the algorithm in
which case the AlgorithmSigner will use a default algorithm. This default
doesn't currently control any behavior in this package.
MultiAlgorithmSigner : AlgorithmSigner
MultiAlgorithmSigner : Signer
func NewSignerWithAlgorithms(signer AlgorithmSigner, algorithms []string) (MultiAlgorithmSigner, error)
NewChannel represents an incoming request to a channel. It must either be
accepted for use by calling Accept, or rejected by calling Reject. Accept accepts the channel creation request. It returns the Channel
and a Go channel containing SSH requests. The Go channel must be
serviced otherwise the Channel will hang. ChannelType returns the type of the channel, as supplied by the
client. ExtraData returns the arbitrary payload for this channel, as supplied
by the client. This data is specific to the channel type. Reject rejects the channel creation request. After calling
this, no other methods on the Channel may be called.
func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error)
func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error)
func (*Client).HandleChannelOpen(channelType string) <-chan NewChannel
func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client
A PassphraseMissingError indicates that parsing this private key requires a
passphrase. Use ParsePrivateKeyWithPassphrase. PublicKey will be set if the private key format includes an unencrypted
public key along with the encrypted private key.(*PassphraseMissingError) Error() string
*PassphraseMissingError : error
The Permissions type holds fine-grained permissions that are
specific to a user or a specific authentication method for a user.
The Permissions value for a successful authentication attempt is
available in ServerConn, so it can be used to pass information from
the user-authentication phase to the application layer. CriticalOptions indicate restrictions to the default
permissions, and are typically used in conjunction with
user certificates. The standard for SSH certificates
defines "force-command" (only allow the given command to
execute) and "source-address" (only allow connections from
the given address). The SSH package currently only enforces
the "source-address" critical option. It is up to server
implementations to enforce other critical options, such as
"force-command", by checking them after the SSH handshake
is successful. In general, SSH servers should reject
connections that specify critical options that are unknown
or not supported. Extensions are extra functionality that the server may
offer on authenticated connections. Lack of support for an
extension does not preclude authenticating a user. Common
extensions are "permit-agent-forwarding",
"permit-X11-forwarding". The Go SSH library currently does
not act on any extension, and it is up to server
implementations to honor them. Extensions can be used to
pass data from the authentication callbacks to the server
application layer.
func (*CertChecker).Authenticate(conn ConnMetadata, pubKey PublicKey) (*Permissions, error)
ServerAuthError represents server authentication errors and is
sometimes returned by NewServerConn. It appends any authentication
errors that may occur, and is returned if all of the authentication
methods provided by the user failed to authenticate. Errors contains authentication errors returned by the authentication
callback methods. The first entry is typically ErrNoAuth.( ServerAuthError) Error() string
ServerAuthError : error
ServerConfig holds server specific configuration data. AuthLogCallback, if non-nil, is called to log all authentication
attempts. BannerCallback, if present, is called and the return string is sent to
the client after key exchange completed but before authentication. Config contains configuration shared between client and server. The allowed cipher algorithms. If unspecified then a sensible default is
used. Unsupported values are silently ignored. The allowed key exchanges algorithms. If unspecified then a default set
of algorithms is used. Unsupported values are silently ignored. The allowed MAC algorithms. If unspecified then a sensible default is
used. Unsupported values are silently ignored. Rand provides the source of entropy for cryptographic
primitives. If Rand is nil, the cryptographic random reader
in package crypto/rand will be used. The maximum number of bytes sent or received after which a
new key is negotiated. It must be at least 256. If
unspecified, a size suitable for the chosen cipher is used. GSSAPIWithMICConfig includes gssapi server and callback, which if both non-nil, is used
when gssapi-with-mic authentication is selected (RFC 4462 section 3). KeyboardInteractiveCallback, if non-nil, is called when
keyboard-interactive authentication is selected (RFC
4256). The client object's Challenge function should be
used to query the user. The callback may offer multiple
Challenge rounds. To avoid information leaks, the client
should be presented a challenge even if the user is
unknown. MaxAuthTries specifies the maximum number of authentication attempts
permitted per connection. If set to a negative number, the number of
attempts are unlimited. If set to zero, the number of attempts are limited
to 6. NoClientAuth is true if clients are allowed to connect without
authenticating.
To determine NoClientAuth at runtime, set NoClientAuth to true
and the optional NoClientAuthCallback to a non-nil value. NoClientAuthCallback, if non-nil, is called when a user
attempts to authenticate with auth method "none".
NoClientAuth must also be set to true for this be used, or
this func is unused. PasswordCallback, if non-nil, is called when a user
attempts to authenticate using a password. PublicKeyCallback, if non-nil, is called when a client
offers a public key for authentication. It must return a nil error
if the given public key can be used to authenticate the
given user. For example, see CertChecker.Authenticate. A
call to this function does not guarantee that the key
offered is in fact used to authenticate. To record any data
depending on the public key, store it inside a
Permissions.Extensions entry. ServerVersion is the version identification string to announce in
the public handshake.
If empty, a reasonable default is used.
Note that RFC 4253 section 4.2 requires that this string start with
"SSH-2.0-". AddHostKey adds a private key as a host key. If an existing host
key exists with the same public key format, it is replaced. Each server
config must have at least one host key. SetDefaults sets sensible values for unset fields in config. This is
exported for testing: Configs passed to SSH functions are copied and have
default values set automatically.
func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error)
ServerConn is an authenticated SSH connection, as seen from the
serverConnConn If the succeeding authentication callback returned a
non-nil Permissions pointer, it is stored here. ClientVersion returns the client's version string as hashed
into the session ID. Close closes the underlying network connection LocalAddr returns the local address for this connection. OpenChannel tries to open an channel. If the request is
rejected, it returns *OpenChannelError. On success it returns
the SSH Channel and a Go channel for incoming, out-of-band
requests. The Go channel must be serviced, or the
connection will hang. RemoteAddr returns the remote address for this connection. SendRequest sends a global request, and returns the
reply. If wantReply is true, it returns the response status
and payload. See also RFC 4254, section 4. ServerVersion returns the server's version string as hashed
into the session ID. SessionID returns the session hash, also denoted by H. User returns the user ID for this connection. Wait blocks until the connection has shut down, and returns the
error causing the shutdown.
ServerConn : Conn
ServerConn : ConnMetadata
ServerConn : io.Closer
func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error)
A Session represents a connection to a remote command or shell.Stderrio.Writer Stdin specifies the remote process's standard input.
If Stdin is nil, the remote process reads from an empty
bytes.Buffer. Stdout and Stderr specify the remote process's standard
output and error.
If either is nil, Run connects the corresponding file
descriptor to an instance of io.Discard. There is a
fixed amount of buffering that is shared for the two streams.
If either blocks it may eventually cause the remote
command to block.(*Session) Close() error CombinedOutput runs cmd on the remote host and returns its combined
standard output and standard error. Output runs cmd on the remote host and returns its standard output. RequestPty requests the association of a pty with the session on the remote host. RequestSubsystem requests the association of a subsystem with the session on the remote host.
A subsystem is a predefined command that runs in the background when the ssh session is initiated Run runs cmd on the remote host. Typically, the remote
server passes cmd to the shell for interpretation.
A Session only accepts one call to Run, Start, Shell, Output,
or CombinedOutput.
The returned error is nil if the command runs, has no problems
copying stdin, stdout, and stderr, and exits with a zero exit
status.
If the remote server does not send an exit status, an error of type
*ExitMissingError is returned. If the command completes
unsuccessfully or is interrupted by a signal, the error is of type
*ExitError. Other error types may be returned for I/O problems. SendRequest sends an out-of-band channel request on the SSH channel
underlying the session. Setenv sets an environment variable that will be applied to any
command executed by Shell or Run. Shell starts a login shell on the remote host. A Session only
accepts one call to Run, Start, Shell, Output, or CombinedOutput. Signal sends the given signal to the remote process.
sig is one of the SIG* constants. Start runs cmd on the remote host. Typically, the remote
server passes cmd to the shell for interpretation.
A Session only accepts one call to Run, Start or Shell. StderrPipe returns a pipe that will be connected to the
remote command's standard error when the command starts.
There is a fixed amount of buffering that is shared between
stdout and stderr streams. If the StderrPipe reader is
not serviced fast enough it may eventually cause the
remote command to block. StdinPipe returns a pipe that will be connected to the
remote command's standard input when the command starts. StdoutPipe returns a pipe that will be connected to the
remote command's standard output when the command starts.
There is a fixed amount of buffering that is shared between
stdout and stderr streams. If the StdoutPipe reader is
not serviced fast enough it may eventually cause the
remote command to block. Wait waits for the remote command to exit.
The returned error is nil if the command runs, has no problems
copying stdin, stdout, and stderr, and exits with a zero exit
status.
If the remote server does not send an exit status, an error of type
*ExitMissingError is returned. If the command completes
unsuccessfully or is interrupted by a signal, the error is of type
*ExitError. Other error types may be returned for I/O problems. WindowChange informs the remote host about a terminal window dimension change to h rows and w columns.
*Session : io.Closer
func (*Client).NewSession() (*Session, error)
Waitmsg stores the information about an exited remote command
as reported by Wait. ExitStatus returns the exit status of the remote command. Lang returns the language tag. See RFC 3066 Msg returns the exit message given by the remote command Signal returns the exit signal of the remote command if
it was terminated violently.( Waitmsg) String() string
Waitmsg : fmt.Stringer
Waitmsg : github.com/ChrisTrenkamp/goxpath/tree.Result
Package-Level Functions (total 35)
BannerDisplayStderr returns a function that can be used for
ClientConfig.BannerCallback to display banners on os.Stderr.
Dial starts a client connection to the given SSH server. It is a
convenience function that connects to the given network address,
initiates the SSH handshake, and then sets up a Client. For access
to incoming channels and requests, use net.Dial with NewClientConn
instead.
DiscardRequests consumes and rejects all requests from the
passed-in channel.
FingerprintLegacyMD5 returns the user presentation of the key's
fingerprint as described by RFC 4716 section 4.
FingerprintSHA256 returns the user presentation of the key's
fingerprint as unpadded base64 encoded sha256 hash.
This format was introduced from OpenSSH 6.8.
https://www.openssh.com/txt/release-6.8
https://tools.ietf.org/html/rfc4648#section-3.2 (unpadded base64 encoding)
FixedHostKey returns a function for use in
ClientConfig.HostKeyCallback to accept only a specific host key.
GSSAPIWithMICAuthMethod is an AuthMethod with "gssapi-with-mic" authentication.
See RFC 4462 section 3
gssAPIClient is implementation of the GSSAPIClient interface, see the definition of the interface for details.
target is the server host you want to log in to.
InsecureIgnoreHostKey returns a function that can be used for
ClientConfig.HostKeyCallback to accept any host key. It should
not be used for production code.
KeyboardInteractive returns an AuthMethod using a prompt/response
sequence controlled by the server.
Marshal serializes the message in msg to SSH wire format. The msg
argument should be a struct or pointer to struct. If the first
member has the "sshtype" tag set to a number in decimal, that
number is prepended to the result. If the last of member has the
"ssh" tag set to "rest", its contents are appended to the output.
MarshalAuthorizedKey serializes key for inclusion in an OpenSSH
authorized_keys file. The return value ends with newline.
MarshalPrivateKey returns a PEM block with the private key serialized in the
OpenSSH format.
MarshalPrivateKeyWithPassphrase returns a PEM block holding the encrypted
private key serialized in the OpenSSH format.
NewCertSigner returns a Signer that signs with the given Certificate, whose
private key is held by signer. It returns an error if the public key in cert
doesn't match the key used by signer.
NewClient creates a Client on top of the given connection.
NewClientConn establishes an authenticated SSH connection using c
as the underlying transport. The Request and NewChannel channels
must be serviced or the connection will hang.
NewPublicKey takes an *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey,
or ed25519.PublicKey returns a corresponding PublicKey instance.
ECDSA keys must use P-256, P-384 or P-521.
NewServerConn starts a new SSH server with c as the underlying
transport. It starts with a handshake and, if the handshake is
unsuccessful, it closes the connection and returns an error. The
Request and NewChannel channels must be serviced, or the connection
will hang.
The returned error may be of type *ServerAuthError for
authentication errors.
NewSignerFromKey takes an *rsa.PrivateKey, *dsa.PrivateKey,
*ecdsa.PrivateKey or any other crypto.Signer and returns a
corresponding Signer instance. ECDSA keys must use P-256, P-384 or
P-521. DSA keys must use parameter size L1024N160.
NewSignerFromSigner takes any crypto.Signer implementation and
returns a corresponding Signer interface. This can be used, for
example, with keys kept in hardware modules.
NewSignerWithAlgorithms returns a signer restricted to the specified
algorithms. The algorithms must be set in preference order. The list must not
be empty, and it must not include certificate types. An error is returned if
the specified algorithms are incompatible with the public key type.
ParseAuthorizedKey parses a public key from an authorized_keys
file used in OpenSSH according to the sshd(8) manual page.
ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as
specified by the OpenSSL DSA man page.
ParseKnownHosts parses an entry in the format of the known_hosts file.
The known_hosts format is documented in the sshd(8) manual page. This
function will parse a single entry from in. On successful return, marker
will contain the optional marker value (i.e. "cert-authority" or "revoked")
or else be empty, hosts will contain the hosts that this entry matches,
pubKey will contain the public key and comment will contain any trailing
comment at the end of the line. See the sshd(8) manual page for the various
forms that a host string can take.
The unparsed remainder of the input will be returned in rest. This function
can be called repeatedly to parse multiple entries.
If no entries were found in the input then err will be io.EOF. Otherwise a
non-nil err value indicates a parse error.
ParsePrivateKey returns a Signer from a PEM encoded private key. It supports
the same keys as ParseRawPrivateKey. If the private key is encrypted, it
will return a PassphraseMissingError.
ParsePrivateKeyWithPassphrase returns a Signer from a PEM encoded private
key and passphrase. It supports the same keys as
ParseRawPrivateKeyWithPassphrase.
ParsePublicKey parses an SSH public key formatted for use in
the SSH wire protocol according to RFC 4253, section 6.6.
ParseRawPrivateKey returns a private key from a PEM encoded private key. It supports
RSA, DSA, ECDSA, and Ed25519 private keys in PKCS#1, PKCS#8, OpenSSL, and OpenSSH
formats. If the private key is encrypted, it will return a PassphraseMissingError.
ParseRawPrivateKeyWithPassphrase returns a private key decrypted with
passphrase from a PEM encoded private key. If the passphrase is wrong, it
will return x509.IncorrectPasswordError.
Password returns an AuthMethod using the given password.
PasswordCallback returns an AuthMethod that uses a callback for
fetching a password.
PublicKeys returns an AuthMethod that uses the given key
pairs.
PublicKeysCallback returns an AuthMethod that runs the given
function to obtain a list of key pairs.
RetryableAuthMethod is a decorator for other auth methods enabling them to
be retried up to maxTries before considering that AuthMethod itself failed.
If maxTries is <= 0, will retry indefinitely
This is useful for interactive clients using challenge/response type
authentication (e.g. Keyboard-Interactive, Password, etc) where the user
could mistype their response resulting in the server issuing a
SSH_MSG_USERAUTH_FAILURE (rfc4252 #8 [password] and rfc4256 #3.4
[keyboard-interactive]); Without this decorator, the non-retryable
AuthMethod would be removed from future consideration, and never tried again
(and so the user would never be able to retry their entry).
Unmarshal parses data in SSH wire format into a structure. The out
argument should be a pointer to struct. If the first member of the
struct has the "sshtype" tag set to a '|'-separated set of numbers
in decimal, the packet must start with one of those numbers. In
case of error, Unmarshal returns a ParseError or
UnexpectedMessageError.
Package-Level Variables (only one)
ErrNoAuth is the error value returned if no
authentication method has been passed yet. This happens as a normal
part of the authentication loop, since the client first tries
'none' authentication to discover available methods.
It is returned in ServerAuthError.Errors from NewServerConn.
Package-Level Constants (total 102)
Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
Unlike key algorithm names, these are not passed to AlgorithmSigner nor
returned by MultiAlgorithmSigner and don't appear in the Signature.Format
field.
Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
Unlike key algorithm names, these are not passed to AlgorithmSigner nor
returned by MultiAlgorithmSigner and don't appear in the Signature.Format
field.
Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
Unlike key algorithm names, these are not passed to AlgorithmSigner nor
returned by MultiAlgorithmSigner and don't appear in the Signature.Format
field.
Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
Unlike key algorithm names, these are not passed to AlgorithmSigner nor
returned by MultiAlgorithmSigner and don't appear in the Signature.Format
field.
Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
Unlike key algorithm names, these are not passed to AlgorithmSigner nor
returned by MultiAlgorithmSigner and don't appear in the Signature.Format
field.
CertAlgoRSASHA256v01 and CertAlgoRSASHA512v01 can't appear as a
Certificate.Type (or PublicKey.Type), but only in
ClientConfig.HostKeyAlgorithms.
Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
Unlike key algorithm names, these are not passed to AlgorithmSigner nor
returned by MultiAlgorithmSigner and don't appear in the Signature.Format
field.
Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
Unlike key algorithm names, these are not passed to AlgorithmSigner nor
returned by MultiAlgorithmSigner and don't appear in the Signature.Format
field.
Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
Unlike key algorithm names, these are not passed to AlgorithmSigner nor
returned by MultiAlgorithmSigner and don't appear in the Signature.Format
field.
Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
Unlike key algorithm names, these are not passed to AlgorithmSigner nor
returned by MultiAlgorithmSigner and don't appear in the Signature.Format
field.
Deprecated: use CertAlgoRSASHA256v01.
Deprecated: use CertAlgoRSASHA512v01.
Deprecated: use CertAlgoRSAv01.
CertTimeInfinity can be used for OpenSSHCertV01.ValidBefore to indicate that
a certificate does not expire.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
Certificate types distinguish between host and user
certificates. The values can be set in the CertType field of
Certificate.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
Public key algorithms names. These values can appear in PublicKey.Type,
ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
arguments.
Public key algorithms names. These values can appear in PublicKey.Type,
ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
arguments.
Public key algorithms names. These values can appear in PublicKey.Type,
ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
arguments.
Public key algorithms names. These values can appear in PublicKey.Type,
ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
arguments.
Public key algorithms names. These values can appear in PublicKey.Type,
ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
arguments.
Public key algorithms names. These values can appear in PublicKey.Type,
ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
arguments.
KeyAlgoRSASHA256 and KeyAlgoRSASHA512 are only public key algorithms, not
public key formats, so they can't appear as a PublicKey.Type. The
corresponding PublicKey.Type is KeyAlgoRSA. See RFC 8332, Section 2.
Public key algorithms names. These values can appear in PublicKey.Type,
ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
arguments.
Public key algorithms names. These values can appear in PublicKey.Type,
ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
arguments.
Public key algorithms names. These values can appear in PublicKey.Type,
ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
arguments.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
Certificate types distinguish between host and user
certificates. The values can be set in the CertType field of
Certificate.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
POSIX terminal mode flags as listed in RFC 4254 Section 8.
The pages are generated with Goldsv0.6.7. (GOOS=linux GOARCH=amd64)
Golds is a Go 101 project developed by Tapir Liu.
PR and bug reports are welcome and can be submitted to the issue list.
Please follow @Go100and1 (reachable from the left QR code) to get the latest news of Golds.
