diff --git a/README.md b/README.md
index 327c3c5..39df25b 100644
--- a/README.md
+++ b/README.md
@@ -21,25 +21,37 @@ Get more executables in [the releases](https://github.com/nwtgck/handy-sshd/rele
 ## Examples
 ```bash
-# Listen on 2222 and accept user name "john" with password "mypassword"
-handy-sshd -p 2222 --user "john:mypassword"
+# Listen on 2222 and accept user name "john" with password "mypass"
+handy-sshd -p 2222 -u john:mypass
 ```
 ```bash
 # Listen on 2222 and accept user name "john" without password
-handy-sshd -p 2222 --user "john:"
+handy-sshd -p 2222 -u john:
 ```
 ```bash
 # Listen on 2222 and accept users "john" and "alice" without password
-handy-sshd -p 2222 --user "john:" --user "alice:"
+handy-sshd -p 2222 -u john: -u alice:
 ```
 ```bash
 # Listen on unix domain socket
-handy-sshd --unix-socket /tmp/my-unix-socket --user "john:"
+handy-sshd --unix-socket /tmp/my-unix-socket -u john:
 ```
+## Features
+An SSH client can use
+* Shell/Interactive shell
+* Local port forwarding (ssh -L)
+* Remote port forwarding (ssh -R)
+* [SOCKS proxy](https://wikipedia.org/wiki/SOCKS) (dynamic port forwarding)
+* SFTP
+* [SSHFS](https://wikipedia.org/wiki/SSHFS)
+* Unix domain socket (local/remote port forwarding)
+
+All features are enabled by default. You can allow only some of them using permission flags.
+
 ## Permissions
 There are several permissions:
 * --allow-direct-streamlocal
@@ -52,7 +64,7 @@ There are several permissions:
 **All permissions are allowed when nothing is specified.** The log shows "allowed: " and "NOT allowed: " permissions as follows:
 ```console
-$ handy-sshd --user "john:"
+$ handy-sshd -u "john:"
 2023/08/11 11:40:44 INFO listening on :2222...
 2023/08/11 11:40:44 INFO allowed: "tcpip-forward", "direct-tcpip", "execute", "sftp", "streamlocal-forward", "direct-streamlocal"
 2023/08/11 11:40:44 INFO NOT allowed: none
@@ -61,7 +73,7 @@ $ handy-sshd --user "john:"
 For example, specifying `--allow-direct-tcpip` and `--allow-execute` allows only them:
 ```console
-$ handy-sshd --user "john:" --allow-direct-tcpip --allow-execute
+$ handy-sshd -u "john:" --allow-direct-tcpip --allow-execute
 2023/08/11 11:41:03 INFO listening on :2222...
 2023/08/11 11:41:03 INFO allowed: "direct-tcpip", "execute"
 2023/08/11 11:41:03 INFO NOT allowed: "tcpip-forward", "sftp", "streamlocal-forward", "direct-streamlocal"
@@ -75,18 +87,29 @@ Portable SSH server
 Usage:
 handy-sshd [flags]
+Examples:
+# Listen on 2222 and accept user name "john" with password "mypass"
+handy-sshd -u john:mypass
+
+# Listen on 22 and accept the user without password
+handy-sshd -p 22 -u john:
+
+Permissions:
+All permissions are allowed by default.
+For example, specifying --allow-direct-tcpip and --allow-execute allows only them.
+
 Flags:
- --allow-direct-streamlocal client can use Unix domain socket local forwarding
- --allow-direct-tcpip client can use local forwarding and SOCKS proxy
+ --allow-direct-streamlocal client can use Unix domain socket local forwarding (ssh -L)
+ --allow-direct-tcpip client can use local forwarding (ssh -L) and SOCKS proxy (ssh -D)
 --allow-execute client can use shell/interactive shell
 --allow-sftp client can use SFTP and SSHFS
- --allow-streamlocal-forward client can use Unix domain socket remote forwarding
- --allow-tcpip-forward client can use remote forwarding
+ --allow-streamlocal-forward client can use Unix domain socket remote forwarding (ssh -R)
+ --allow-tcpip-forward client can use remote forwarding (ssh -R)
 -h, --help help for handy-sshd
- --host string SSH server host (e.g. 127.0.0.1)
- -p, --port uint16 SSH server port (default 2222)
+ --host string SSH server host to listen (e.g. 127.0.0.1)
+ -p, --port uint16 port to listen (default 2222)
 --shell string Shell
- --unix-socket string Unix domain socket
- --user stringArray SSH user name (e.g. "john:mypassword")
+ --unix-socket string Unix domain socket to listen
+ -u, --user stringArray SSH user name (e.g. "john:mypassword")
 -v, --version show version
 ```
diff --git a/cmd/root.go b/cmd/root.go
index a2d6b66..d35ef24 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -59,27 +59,36 @@ func RootCmd() *cobra.Command {
 Short: "handy-sshd",
 Long: "Portable SSH server",
 SilenceUsage: true,
+ Example: `# Listen on 2222 and accept user name "john" with password "mypass"
+handy-sshd -u john:mypass
+
+# Listen on 22 and accept the user without password
+handy-sshd -p 22 -u john:
+
+Permissions:
+All permissions are allowed by default.
+For example, specifying --allow-direct-tcpip and --allow-execute allows only them.`,
 RunE: func(cmd *cobra.Command, args []string) error {
 return rootRunEWithExtra(cmd, args, &flag, allPermissionFlags)
 },
 }
 rootCmd.PersistentFlags().BoolVarP(&flag.showsVersion, "version", "v", false, "show version")
- rootCmd.PersistentFlags().StringVarP(&flag.sshHost, "host", "", "", "SSH server host (e.g. 127.0.0.1)")
- rootCmd.PersistentFlags().Uint16VarP(&flag.sshPort, "port", "p", 2222, "SSH server port")
+ rootCmd.PersistentFlags().StringVarP(&flag.sshHost, "host", "", "", "SSH server host to listen (e.g. 127.0.0.1)")
+ rootCmd.PersistentFlags().Uint16VarP(&flag.sshPort, "port", "p", 2222, "port to listen")
 // NOTE: long name 'unix-socket' is from curl (ref: https://curl.se/docs/manpage.html)
- rootCmd.PersistentFlags().StringVarP(&flag.sshUnixSocket, "unix-socket", "", "", "Unix domain socket")
+ rootCmd.PersistentFlags().StringVarP(&flag.sshUnixSocket, "unix-socket", "", "", "Unix domain socket to listen")
 rootCmd.PersistentFlags().StringVarP(&flag.sshShell, "shell", "", "", "Shell")
 //rootCmd.PersistentFlags().StringVar(&flag.dnsServer, "dns-server", "", "DNS server (e.g. 1.1.1.1:53)")
- rootCmd.PersistentFlags().StringArrayVarP(&flag.sshUsers, "user", "", nil, `SSH user name (e.g. "john:mypassword")`)
+ rootCmd.PersistentFlags().StringArrayVarP(&flag.sshUsers, "user", "u", nil, `SSH user name (e.g. 
"john:mypassword")`)
 // Permission flags
- rootCmd.PersistentFlags().BoolVarP(&flag.allowTcpipForward, "allow-tcpip-forward", "", false, "client can use remote forwarding")
- rootCmd.PersistentFlags().BoolVarP(&flag.allowDirectTcpip, "allow-direct-tcpip", "", false, "client can use local forwarding and SOCKS proxy")
+ rootCmd.PersistentFlags().BoolVarP(&flag.allowTcpipForward, "allow-tcpip-forward", "", false, "client can use remote forwarding (ssh -R)")
+ rootCmd.PersistentFlags().BoolVarP(&flag.allowDirectTcpip, "allow-direct-tcpip", "", false, "client can use local forwarding (ssh -L) and SOCKS proxy (ssh -D)")
 rootCmd.PersistentFlags().BoolVarP(&flag.allowExecute, "allow-execute", "", false, "client can use shell/interactive shell")
 rootCmd.PersistentFlags().BoolVarP(&flag.allowSftp, "allow-sftp", "", false, "client can use SFTP and SSHFS")
- rootCmd.PersistentFlags().BoolVarP(&flag.allowStreamlocalForward, "allow-streamlocal-forward", "", false, "client can use Unix domain socket remote forwarding")
- rootCmd.PersistentFlags().BoolVarP(&flag.allowDirectStreamlocal, "allow-direct-streamlocal", "", false, "client can use Unix domain socket local forwarding")
+ rootCmd.PersistentFlags().BoolVarP(&flag.allowStreamlocalForward, "allow-streamlocal-forward", "", false, "client can use Unix domain socket remote forwarding (ssh -R)")
+ rootCmd.PersistentFlags().BoolVarP(&flag.allowDirectStreamlocal, "allow-direct-streamlocal", "", false, "client can use Unix domain socket local forwarding (ssh -L)")
 return &rootCmd
 }
diff --git a/server.go b/server.go
index 7e1dedd..015dea9 100644
--- a/server.go
+++ b/server.go
@@ -123,7 +123,7 @@ func (s *Server) handleSession(shell string, newChannel ssh.NewChannel) {
 case "subsystem":
 s.handleSessionSubSystem(req, connection)
 default:
- s.Logger.Info("unknown request", "req_type", req.Type)
+ s.Logger.Info("unsupported request", "req_type", req.Type)
 }
 }
 }
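Review bot: The help string on the `--user`/`-u` flag (the `StringArrayVarP` line in the middle of the hunk) does not mention that a password supplied as `user:password` is visible to other local users in the process list and normally ends up in shell history, while the new `Example` text and the README now promote exactly that form (`-u john:mypass`); extending it to `SSH user name (e.g. "john:mypassword"); a password given on the command line may be visible in process listings and shell history` gives operators the caveat where they will read it. The second `Example` entry, `# Listen on 22 and accept the user without password`, is vaguer than the README's phrasing and reads better as `# Listen on 22 and accept user name "john" without password`. The reworded help strings `"SSH server host to listen (e.g. 127.0.0.1)"`, `"port to listen"` and `"Unix domain socket to listen"` are missing a preposition — `... to listen on` — and the same text is repeated verbatim in the README usage block, so both copies would need the fix. RootCmd's body begins outside the hunk.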
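Review bot: The `default` branch that the renamed log line sits in only records the unsupported request type; if the loop does not answer requests elsewhere, a request sent with want-reply set never gets a response, and the client side may wait on it indefinitely. A one-line `if req.WantReply { req.Reply(false, nil) }` ahead of the `s.Logger.Info` call would make the rejection explicit to the client as well as to the log. I cannot see the rest of the request loop from this hunk, so the reply may already be sent before the `switch`; handleSession begins outside the hunk.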