add ssh tunnel

2021-12-19 17:24:51 +08:00
parent 10bcc59370
commit 34d6e393a1
12 changed files with 561 additions and 50 deletions
--- a/pkg/listener/ssh/listener.go
+++ b/pkg/listener/ssh/listener.go
@ -0,0 +1,136 @@
+package ssh
+
+import (
+	"fmt"
+	"net"
+
+	ssh_util "github.com/go-gost/gost/pkg/internal/util/ssh"
+	"github.com/go-gost/gost/pkg/listener"
+	"github.com/go-gost/gost/pkg/logger"
+	md "github.com/go-gost/gost/pkg/metadata"
+	"github.com/go-gost/gost/pkg/registry"
+	"golang.org/x/crypto/ssh"
+)
+
+func init() {
+	registry.RegisterListener("ssh", NewListener)
+}
+
+type sshListener struct {
+	addr string
+	net.Listener
+	config  *ssh.ServerConfig
+	cqueue  chan net.Conn
+	errChan chan error
+	logger  logger.Logger
+	md      metadata
+}
+
+func NewListener(opts ...listener.Option) listener.Listener {
+	options := &listener.Options{}
+	for _, opt := range opts {
+		opt(options)
+	}
+	return &sshListener{
+		addr:   options.Addr,
+		logger: options.Logger,
+	}
+}
+
+func (l *sshListener) Init(md md.Metadata) (err error) {
+	if err = l.parseMetadata(md); err != nil {
+		return
+	}
+
+	ln, err := net.Listen("tcp", l.addr)
+	if err != nil {
+		return err
+	}
+
+	l.Listener = ln
+
+	config := &ssh.ServerConfig{
+		PasswordCallback:  ssh_util.PasswordCallback(l.md.authenticator),
+		PublicKeyCallback: ssh_util.PublicKeyCallback(l.md.authorizedKeys),
+	}
+
+	config.AddHostKey(l.md.signer)
+
+	if l.md.authenticator == nil && len(l.md.authorizedKeys) == 0 {
+		config.NoClientAuth = true
+	}
+
+	l.config = config
+	l.cqueue = make(chan net.Conn, l.md.backlog)
+	l.errChan = make(chan error, 1)
+
+	go l.listenLoop()
+
+	return
+}
+
+func (l *sshListener) Accept() (conn net.Conn, err error) {
+	var ok bool
+	select {
+	case conn = <-l.cqueue:
+	case err, ok = <-l.errChan:
+		if !ok {
+			err = listener.ErrClosed
+		}
+	}
+	return
+}
+
+func (l *sshListener) listenLoop() {
+	for {
+		conn, err := l.Listener.Accept()
+		if err != nil {
+			l.logger.Error("accept:", err)
+			l.errChan <- err
+			close(l.errChan)
+			return
+		}
+		go l.serveConn(conn)
+	}
+}
+
+func (l *sshListener) serveConn(conn net.Conn) {
+	sc, chans, reqs, err := ssh.NewServerConn(conn, l.config)
+	if err != nil {
+		l.logger.Error(err)
+		conn.Close()
+		return
+	}
+	defer sc.Close()
+
+	go ssh.DiscardRequests(reqs)
+	go func() {
+		for newChannel := range chans {
+			// Check the type of channel
+			t := newChannel.ChannelType()
+			switch t {
+			case ssh_util.GostSSHTunnelRequest:
+				channel, requests, err := newChannel.Accept()
+				if err != nil {
+					l.logger.Warnf("could not accept channel: %s", err.Error())
+					continue
+				}
+
+				go ssh.DiscardRequests(requests)
+				cc := ssh_util.NewConn(conn, channel)
+				select {
+				case l.cqueue <- cc:
+				default:
+					cc.Close()
+					l.logger.Warnf("connection queue is full, client %s discarded", conn.RemoteAddr())
+				}
+
+			default:
+				l.logger.Warnf("unsupported channel type: %s", t)
+				newChannel.Reject(ssh.UnknownChannelType, fmt.Sprintf("unsupported channel type: %s", t))
+			}
+		}
+	}()
+
+	sc.Wait()
+}
--- a/pkg/listener/ssh/metadata.go
+++ b/pkg/listener/ssh/metadata.go
@ -0,0 +1,87 @@
+package ssh
+
+import (
+	"io/ioutil"
+	"strings"
+
+	"github.com/go-gost/gost/pkg/auth"
+	tls_util "github.com/go-gost/gost/pkg/common/util/tls"
+	ssh_util "github.com/go-gost/gost/pkg/internal/util/ssh"
+	md "github.com/go-gost/gost/pkg/metadata"
+	"golang.org/x/crypto/ssh"
+)
+
+const (
+	defaultBacklog = 128
+)
+
+type metadata struct {
+	authenticator  auth.Authenticator
+	signer         ssh.Signer
+	authorizedKeys map[string]bool
+	backlog        int
+}
+
+func (l *sshListener) parseMetadata(md md.Metadata) (err error) {
+	const (
+		users          = "users"
+		authorizedKeys = "authorizedKeys"
+		privateKeyFile = "privateKeyFile"
+		passphrase     = "passphrase"
+		backlog        = "backlog"
+	)
+
+	if v, _ := md.Get(users).([]interface{}); len(v) > 0 {
+		authenticator := auth.NewLocalAuthenticator(nil)
+		for _, auth := range v {
+			if s, _ := auth.(string); s != "" {
+				ss := strings.SplitN(s, ":", 2)
+				if len(ss) == 1 {
+					authenticator.Add(ss[0], "")
+				} else {
+					authenticator.Add(ss[0], ss[1])
+				}
+			}
+		}
+		l.md.authenticator = authenticator
+	}
+
+	if key := md.GetString(privateKeyFile); key != "" {
+		data, err := ioutil.ReadFile(key)
+		if err != nil {
+			return err
+		}
+
+		pp := md.GetString(passphrase)
+		if pp == "" {
+			l.md.signer, err = ssh.ParsePrivateKey(data)
+		} else {
+			l.md.signer, err = ssh.ParsePrivateKeyWithPassphrase(data, []byte(pp))
+		}
+		if err != nil {
+			return err
+		}
+	}
+	if l.md.signer == nil {
+		signer, err := ssh.NewSignerFromKey(tls_util.DefaultConfig.Clone().Certificates[0].PrivateKey)
+		if err != nil {
+			return err
+		}
+		l.md.signer = signer
+	}
+
+	if name := md.GetString(authorizedKeys); name != "" {
+		m, err := ssh_util.ParseAuthorizedKeysFile(name)
+		if err != nil {
+			return err
+		}
+		l.md.authorizedKeys = m
+	}
+
+	l.md.backlog = md.GetInt(backlog)
+	if l.md.backlog <= 0 {
+		l.md.backlog = defaultBacklog
+	}
+
+	return
+}