build(deps): bump github.com/pkg/sftp from 1.13.7 to 1.13.9 (#53)

Bumps [github.com/pkg/sftp](https://github.com/pkg/sftp) from 1.13.7 to 1.13.9.
- [Release notes](https://github.com/pkg/sftp/releases)
- [Commits](https://github.com/pkg/sftp/compare/v1.13.7...v1.13.9)

---
updated-dependencies:
- dependency-name: github.com/pkg/sftp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/dependabot.yml

@@ -10,3 +10,11 @@ updates:
   - nwtgck
   assignees:
   - nwtgck
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
+    timezone: Asia/Tokyo
+  open-pull-requests-limit: 99
+  reviewers: [ nwtgck ]
+  assignees: [ nwtgck ]

.github/workflows/ci.yml

@@ -3,12 +3,11 @@ name: CI
 on: [push]
 
 jobs:
-  build_multi_platform:
+  test:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
-      - name: Set up Go 1.x
+      - uses: actions/setup-go@v5
-        uses: actions/setup-go@v2
         with:
           go-version: "1.20"
       - name: Build for multi-platform
@@ -29,3 +28,5 @@ jobs:
               # Build
               CGO_ENABLED=0 go build -o "${BUILD_PATH}/handy-sshd${EXTENSION}" main/main.go
           done
+      - name: Test
+        run: go test -v ./...

.github/workflows/release.yml

@@ -9,17 +9,17 @@ jobs:
   goreleaser:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
           go-version: "1.20"
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v5
         with:
-          version: v1.3.1
+          version: v1.19.2
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GH_PAT }}

CHANGELOG.md

@@ -5,8 +5,57 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 
 ## [Unreleased]
 
+## [0.4.3] - 2024-05-27
+### Changed
+* Update dependencies
+
+### Fixed
+* Wait non-nil process when pty open failed
+
+## [0.4.2] - 2024-04-05
+### Changed
+* Update dependencies
+
+## [0.4.1] - 2023-09-13
+### Changed
+* Update dependencies
+
+## [0.4.0] - 2023-08-11
+### Added
+* Add `-u` short flag for `--user`
+* Support "cancel-tcpip-forward" and "cancel-streamlocal-forward@openssh.com"
+
+### Changed
+* Add more examples to help message
+
+## [0.3.0] - 2023-08-11
+### Added
+* Support Unix domain socket local port forwarding
+* Support Unix domain socket remote port forwarding
+
+### Fixed
+* Handle multiple global requests simultaneously
+
+## [0.2.1] - 2023-08-09
+### Changed
+* Update dependencies
+
+## [0.2.0] - 2023-08-09
+### Added
+* Add permissions
+
+### Changed
+* Require one user at least
+
 ## 0.1.0 - 2023-08-08
 ### Added
 * Initial release
 
-[Unreleased]: https://github.com/nwtgck/handy-sshd/compare/v0.1.0...HEAD
+[Unreleased]: https://github.com/nwtgck/handy-sshd/compare/v0.4.2...HEAD
+[0.4.3]: https://github.com/nwtgck/handy-sshd/compare/v0.4.2...v0.4.3
+[0.4.2]: https://github.com/nwtgck/handy-sshd/compare/v0.4.1...v0.4.2
+[0.4.1]: https://github.com/nwtgck/handy-sshd/compare/v0.4.0...v0.4.1
+[0.4.0]: https://github.com/nwtgck/handy-sshd/compare/v0.3.0...v0.4.0
+[0.3.0]: https://github.com/nwtgck/handy-sshd/compare/v0.2.1...v0.3.0
+[0.2.1]: https://github.com/nwtgck/handy-sshd/compare/v0.2.0...v0.2.1
+[0.2.0]: https://github.com/nwtgck/handy-sshd/compare/v0.1.0...v0.2.0

README.md

@@ -1,24 +1,115 @@
 # handy-sshd
+[![CI](https://github.com/nwtgck/handy-sshd/actions/workflows/ci.yml/badge.svg)](https://github.com/nwtgck/handy-sshd/actions/workflows/ci.yml)
+
 Portable SSH Server
 
+## Install on Ubuntu/Debian
+
+```bash
+wget https://github.com/nwtgck/handy-sshd/releases/download/v0.4.2/handy-sshd-0.4.2-linux-amd64.deb
+sudo dpkg -i handy-sshd-0.4.2-linux-amd64.deb 
+```
+
+## Install on Mac
+
+```bash
+brew install nwtgck/handy-sshd/handy-sshd
+```
+
+Get more executables in [the releases](https://github.com/nwtgck/handy-sshd/releases).
+
 ## Examples
 
 ```bash
-# Listen on 2222 and accept user name "john" with password "mypassword"
+# Listen on 2222 and accept user name "john" with password "mypass"
-handy-sshd -p 2222 --user "john:mypassword"
+handy-sshd -p 2222 -u john:mypass
 ```
 
 ```bash
 # Listen on 2222 and accept user name "john" without password
-handy-sshd -p 2222 --user "john:"
+handy-sshd -p 2222 -u john:
 ```
 
 ```bash
 # Listen on 2222 and accept users "john" and "alice" without password
-handy-sshd -p 2222 --user "john:" --user "alice:"
+handy-sshd -p 2222 -u john: -u alice:
 ```
 
 ```bash
 # Listen on unix domain socket
-handy-sshd --unix-socket /tmp/my-unix-socket --user "john:"
+handy-sshd --unix-socket /tmp/my-unix-socket -u john:
+```
+
+## Features
+An SSH client can use
+* Shell/Interactive shell
+* Local port forwarding (ssh -L)
+* Remote port forwarding (ssh -R)
+* [SOCKS proxy](https://wikipedia.org/wiki/SOCKS) (dynamic port forwarding)
+* SFTP
+* [SSHFS](https://wikipedia.org/wiki/SSHFS)
+* Unix domain socket (local/remote port forwarding)
+
+All features are enabled by default. You can allow only some of them using permission flags.
+
+## Permissions
+There are several permissions:
+* --allow-direct-streamlocal
+* --allow-direct-tcpip
+* --allow-execute
+* --allow-sftp
+* --allow-streamlocal-forward
+* --allow-tcpip-forward
+
+**All permissions are allowed when nothing is specified.** The log shows "allowed: " and "NOT allowed: " permissions as follows:
+
+```console
+$ handy-sshd -u "john:"
+2023/08/11 11:40:44 INFO listening on :2222...
+2023/08/11 11:40:44 INFO allowed: "tcpip-forward", "direct-tcpip", "execute", "sftp", "streamlocal-forward", "direct-streamlocal"
+2023/08/11 11:40:44 INFO NOT allowed: none
+```
+
+For example, specifying `--allow-direct-tcpip` and `--allow-execute` allows only them:
+
+```console
+$ handy-sshd -u "john:" --allow-direct-tcpip --allow-execute
+2023/08/11 11:41:03 INFO listening on :2222...
+2023/08/11 11:41:03 INFO allowed: "direct-tcpip", "execute"
+2023/08/11 11:41:03 INFO NOT allowed: "tcpip-forward", "sftp", "streamlocal-forward", "direct-streamlocal"
+```
+
+## --help
+
+```
+Portable SSH server
+
+Usage:
+  handy-sshd [flags]
+
+Examples:
+# Listen on 2222 and accept user name "john" with password "mypass"
+handy-sshd -u john:mypass
+
+# Listen on 22 and accept the user without password
+handy-sshd -p 22 -u john:
+
+Permissions:
+All permissions are allowed by default.
+For example, specifying --allow-direct-tcpip and --allow-execute allows only them.
+
+Flags:
+      --allow-direct-streamlocal    client can use Unix domain socket local forwarding (ssh -L)
+      --allow-direct-tcpip          client can use local forwarding (ssh -L) and SOCKS proxy (ssh -D)
+      --allow-execute               client can use shell/interactive shell
+      --allow-sftp                  client can use SFTP and SSHFS
+      --allow-streamlocal-forward   client can use Unix domain socket remote forwarding (ssh -R)
+      --allow-tcpip-forward         client can use remote forwarding (ssh -R)
+  -h, --help                        help for handy-sshd
+      --host string                 SSH server host to listen (e.g. 127.0.0.1)
+  -p, --port uint16                 port to listen (default 2222)
+      --shell string                Shell
+      --unix-socket string          Unix domain socket to listen
+  -u, --user stringArray            SSH user name (e.g. "john:mypass")
+  -v, --version                     show version
 ```

cmd/root.go

@@ -13,7 +13,7 @@ import (
 	"strings"
 )
 
-var flag struct {
+type flagType struct {
 	//dnsServer    string
 	showsVersion  bool
 	sshHost       string
@@ -21,6 +21,18 @@ var flag struct {
 	sshUnixSocket string
 	sshShell      string
 	sshUsers      []string
+
+	allowTcpipForward       bool
+	allowDirectTcpip        bool
+	allowExecute            bool
+	allowSftp               bool
+	allowStreamlocalForward bool
+	allowDirectStreamlocal  bool
+}
+
+type permissionFlagType = struct {
+	name    string
+	flagPtr *bool
 }
 
 type sshUser struct {
@@ -30,29 +42,85 @@ type sshUser struct {
 
 func init() {
 	cobra.OnInitialize()
-	RootCmd.PersistentFlags().BoolVarP(&flag.showsVersion, "version", "v", false, "show version")
-	RootCmd.PersistentFlags().StringVarP(&flag.sshHost, "host", "", "", "SSH server host (e.g. 127.0.0.1)")
-	RootCmd.PersistentFlags().Uint16VarP(&flag.sshPort, "port", "p", 2222, "SSH server port")
-	// NOTE: long name 'unix-socket' is from curl (ref: https://curl.se/docs/manpage.html)
-	RootCmd.PersistentFlags().StringVarP(&flag.sshUnixSocket, "unix-socket", "", "", "Unix-domain socket")
-	RootCmd.PersistentFlags().StringVarP(&flag.sshShell, "shell", "", "", "Shell")
-	//RootCmd.PersistentFlags().StringVar(&flag.dnsServer, "dns-server", "", "DNS server (e.g. 1.1.1.1:53)")
-	RootCmd.PersistentFlags().StringArrayVarP(&flag.sshUsers, "user", "", nil, `SSH user name (e.g. "john:mypassword")`)
 }
 
-var RootCmd = &cobra.Command{
+func RootCmd() *cobra.Command {
+	var flag flagType
+	allPermissionFlags := []permissionFlagType{
+		{name: "tcpip-forward", flagPtr: &flag.allowTcpipForward},
+		{name: "direct-tcpip", flagPtr: &flag.allowDirectTcpip},
+		{name: "execute", flagPtr: &flag.allowExecute},
+		{name: "sftp", flagPtr: &flag.allowSftp},
+		{name: "streamlocal-forward", flagPtr: &flag.allowStreamlocalForward},
+		{name: "direct-streamlocal", flagPtr: &flag.allowDirectStreamlocal},
+	}
+	rootCmd := cobra.Command{
 		Use:          os.Args[0],
 		Short:        "handy-sshd",
 		Long:         "Portable SSH server",
 		SilenceUsage: true,
+		Example: `# Listen on 2222 and accept user name "john" with password "mypass"
+handy-sshd -u john:mypass
+
+# Listen on 22 and accept the user without password
+handy-sshd -p 22 -u john:
+
+Permissions:
+All permissions are allowed by default.
+For example, specifying --allow-direct-tcpip and --allow-execute allows only them.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			return rootRunEWithExtra(cmd, args, &flag, allPermissionFlags)
+		},
+	}
+
+	rootCmd.PersistentFlags().BoolVarP(&flag.showsVersion, "version", "v", false, "show version")
+	rootCmd.PersistentFlags().StringVarP(&flag.sshHost, "host", "", "", "SSH server host to listen (e.g. 127.0.0.1)")
+	rootCmd.PersistentFlags().Uint16VarP(&flag.sshPort, "port", "p", 2222, "port to listen")
+	// NOTE: long name 'unix-socket' is from curl (ref: https://curl.se/docs/manpage.html)
+	rootCmd.PersistentFlags().StringVarP(&flag.sshUnixSocket, "unix-socket", "", "", "Unix domain socket to listen")
+	rootCmd.PersistentFlags().StringVarP(&flag.sshShell, "shell", "", "", "Shell")
+	//rootCmd.PersistentFlags().StringVar(&flag.dnsServer, "dns-server", "", "DNS server (e.g. 1.1.1.1:53)")
+	rootCmd.PersistentFlags().StringArrayVarP(&flag.sshUsers, "user", "u", nil, `SSH user name (e.g. "john:mypass")`)
+
+	// Permission flags
+	rootCmd.PersistentFlags().BoolVarP(&flag.allowTcpipForward, "allow-tcpip-forward", "", false, "client can use remote forwarding (ssh -R)")
+	rootCmd.PersistentFlags().BoolVarP(&flag.allowDirectTcpip, "allow-direct-tcpip", "", false, "client can use local forwarding (ssh -L) and SOCKS proxy (ssh -D)")
+	rootCmd.PersistentFlags().BoolVarP(&flag.allowExecute, "allow-execute", "", false, "client can use shell/interactive shell")
+	rootCmd.PersistentFlags().BoolVarP(&flag.allowSftp, "allow-sftp", "", false, "client can use SFTP and SSHFS")
+	rootCmd.PersistentFlags().BoolVarP(&flag.allowStreamlocalForward, "allow-streamlocal-forward", "", false, "client can use Unix domain socket remote forwarding (ssh -R)")
+	rootCmd.PersistentFlags().BoolVarP(&flag.allowDirectStreamlocal, "allow-direct-streamlocal", "", false, "client can use Unix domain socket local forwarding (ssh -L)")
+
+	return &rootCmd
+}
+
+func rootRunEWithExtra(cmd *cobra.Command, args []string, flag *flagType, allPermissionFlags []permissionFlagType) error {
 	if flag.showsVersion {
-			fmt.Println(version.Version)
+		fmt.Fprintln(cmd.OutOrStdout(), version.Version)
 		return nil
 	}
 	logger := slog.Default()
+
+	// Allow all permissions if all permission is not set
+	{
+		allPermissionFalse := true
+		for _, permissionFlag := range allPermissionFlags {
+			allPermissionFalse = allPermissionFalse && !*permissionFlag.flagPtr
+		}
+		if allPermissionFalse {
+			for _, permissionFlag := range allPermissionFlags {
+				*permissionFlag.flagPtr = true
+			}
+		}
+	}
+
 	sshServer := &handy_sshd.Server{
 		Logger:                  logger,
+		AllowTcpipForward:       flag.allowTcpipForward,
+		AllowDirectTcpip:        flag.allowDirectTcpip,
+		AllowExecute:            flag.allowExecute,
+		AllowSftp:               flag.allowSftp,
+		AllowStreamlocalForward: flag.allowStreamlocalForward,
+		AllowDirectStreamlocal:  flag.allowDirectStreamlocal,
 	}
 	var sshUsers []sshUser
 	for _, u := range flag.sshUsers {
@@ -62,7 +130,11 @@ var RootCmd = &cobra.Command{
 		}
 		sshUsers = append(sshUsers, sshUser{name: splits[0], password: splits[1]})
 	}
-
+	if len(sshUsers) == 0 {
+		return fmt.Errorf(`No user specified
+e.g. --user "john:mypass"
+e.g. --user "john:"`)
+	}
 	// (base: https://gist.github.com/jpillora/b480fde82bff51a06238)
 	sshConfig := &ssh.ServerConfig{
 		//Define a function to run when a client attempts a password login
@@ -109,6 +181,9 @@ var RootCmd = &cobra.Command{
 		logger.Info(fmt.Sprintf("listening on %s...", flag.sshUnixSocket))
 	}
 	defer ln.Close()
+
+	showPermissions(logger, allPermissionFlags)
+
 	for {
 		conn, err := ln.Accept()
 		if err != nil {
@@ -121,9 +196,28 @@ var RootCmd = &cobra.Command{
 			conn.Close()
 			continue
 		}
-			logger.Info("new SSH connection", "client_version", string(sshConn.ClientVersion()))
+		logger.Info("new SSH connection", "remote_address", sshConn.RemoteAddr(), "client_version", string(sshConn.ClientVersion()))
 		go sshServer.HandleGlobalRequests(sshConn, reqs)
 		go sshServer.HandleChannels(flag.sshShell, chans)
 	}
-	},
+}
+
+func showPermissions(logger *slog.Logger, allPermissionFlags []permissionFlagType) {
+	var allowedList []string
+	var notAllowedList []string
+	for _, permissionFlag := range allPermissionFlags {
+		if *permissionFlag.flagPtr {
+			allowedList = append(allowedList, `"`+permissionFlag.name+`"`)
+		} else {
+			notAllowedList = append(notAllowedList, `"`+permissionFlag.name+`"`)
+		}
+	}
+	showList := func(l []string) string {
+		if len(l) == 0 {
+			return "none"
+		}
+		return strings.Join(l, ", ")
+	}
+	logger.Info(fmt.Sprintf("allowed: %s", showList(allowedList)))
+	logger.Info(fmt.Sprintf("NOT allowed: %s", showList(notAllowedList)))
 }

cmd/root_test.go

@@ -0,0 +1,327 @@
+package cmd
+
+import (
+	"bytes"
+	"context"
+	"github.com/nwtgck/handy-sshd/version"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/crypto/ssh"
+	"net"
+	"strconv"
+	"testing"
+)
+
+func TestVersion(t *testing.T) {
+	rootCmd := RootCmd()
+	rootCmd.SetArgs([]string{"--version"})
+	var stdoutBuf bytes.Buffer
+	rootCmd.SetOut(&stdoutBuf)
+	assert.NoError(t, rootCmd.Execute())
+	assert.Equal(t, version.Version+"\n", stdoutBuf.String())
+}
+
+func TestZeroUsers(t *testing.T) {
+	rootCmd := RootCmd()
+	rootCmd.SetArgs([]string{})
+	var stderrBuf bytes.Buffer
+	rootCmd.SetErr(&stderrBuf)
+	assert.Error(t, rootCmd.Execute())
+	assert.Equal(t, `Error: No user specified
+e.g. --user "john:mypass"
+e.g. --user "john:"
+`, stderrBuf.String())
+}
+
+func TestAllPermissionsAllowed(t *testing.T) {
+	rootCmd := RootCmd()
+	port := getAvailableTcpPort()
+	rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypass"})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		var stderrBuf bytes.Buffer
+		rootCmd.SetErr(&stderrBuf)
+		rootCmd.ExecuteContext(ctx)
+	}()
+	waitTCPServer(port)
+	sshClientConfig := &ssh.ClientConfig{
+		User:            "john",
+		Auth:            []ssh.AuthMethod{ssh.Password("mypass")},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
+
+	client, err := ssh.Dial("tcp", address, sshClientConfig)
+	assert.NoError(t, err)
+	defer client.Close()
+	assert.NoError(t, err)
+	assertRemotePortForwarding(t, client)
+	assertLocalPortForwarding(t, client)
+	assertExec(t, client)
+	assertPtyTerminal(t, client)
+	assertSftp(t, client)
+	assertUnixRemotePortForwarding(t, client)
+	assertUnixLocalPortForwarding(t, client)
+}
+
+func TestEmptyPassword(t *testing.T) {
+	rootCmd := RootCmd()
+	port := getAvailableTcpPort()
+	rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:"})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		var stderrBuf bytes.Buffer
+		rootCmd.SetErr(&stderrBuf)
+		rootCmd.ExecuteContext(ctx)
+	}()
+	waitTCPServer(port)
+	sshClientConfig := &ssh.ClientConfig{
+		User:            "john",
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
+
+	client, err := ssh.Dial("tcp", address, sshClientConfig)
+	assert.NoError(t, err)
+	defer client.Close()
+}
+
+func TestMultipleUsers(t *testing.T) {
+	rootCmd := RootCmd()
+	port := getAvailableTcpPort()
+	rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypass1", "--user", "alex:mypass2"})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		var stderrBuf bytes.Buffer
+		rootCmd.SetErr(&stderrBuf)
+		rootCmd.ExecuteContext(ctx)
+	}()
+	waitTCPServer(port)
+	address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
+
+	for _, user := range []struct {
+		name     string
+		password string
+	}{{name: "john", password: "mypass1"}, {name: "alex", password: "mypass2"}} {
+		sshClientConfig := &ssh.ClientConfig{
+			User: user.name,
+			Auth: []ssh.AuthMethod{ssh.Password(user.password)},
+			HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+				return nil
+			},
+		}
+		client, err := ssh.Dial("tcp", address, sshClientConfig)
+		assert.NoError(t, err)
+		defer client.Close()
+	}
+}
+
+func TestWrongPassword(t *testing.T) {
+	rootCmd := RootCmd()
+	port := getAvailableTcpPort()
+	rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypass"})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		var stderrBuf bytes.Buffer
+		rootCmd.SetErr(&stderrBuf)
+		rootCmd.ExecuteContext(ctx)
+	}()
+	waitTCPServer(port)
+	sshClientConfig := &ssh.ClientConfig{
+		User:            "john",
+		Auth:            []ssh.AuthMethod{ssh.Password("mywrongpassword")},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
+	_, err := ssh.Dial("tcp", address, sshClientConfig)
+	assert.Error(t, err)
+	assert.Equal(t, `ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain`, err.Error())
+}
+
+func TestAllowExecute(t *testing.T) {
+	rootCmd := RootCmd()
+	port := getAvailableTcpPort()
+	rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypass", "--allow-execute"})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		var stderrBuf bytes.Buffer
+		rootCmd.SetErr(&stderrBuf)
+		rootCmd.ExecuteContext(ctx)
+	}()
+	waitTCPServer(port)
+	sshClientConfig := &ssh.ClientConfig{
+		User:            "john",
+		Auth:            []ssh.AuthMethod{ssh.Password("mypass")},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
+	client, err := ssh.Dial("tcp", address, sshClientConfig)
+	assert.NoError(t, err)
+	defer client.Close()
+	assert.NoError(t, err)
+	assertNoRemotePortForwarding(t, client)
+	assertNoLocalPortForwarding(t, client)
+	assertExec(t, client)
+	assertPtyTerminal(t, client)
+	assertNoSftp(t, client)
+	assertNoUnixRemotePortForwarding(t, client)
+	assertNoUnixLocalPortForwarding(t, client)
+}
+
+func TestAllowTcpipForward(t *testing.T) {
+	rootCmd := RootCmd()
+	port := getAvailableTcpPort()
+	rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypass", "--allow-tcpip-forward"})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		var stderrBuf bytes.Buffer
+		rootCmd.SetErr(&stderrBuf)
+		rootCmd.ExecuteContext(ctx)
+	}()
+	waitTCPServer(port)
+	sshClientConfig := &ssh.ClientConfig{
+		User:            "john",
+		Auth:            []ssh.AuthMethod{ssh.Password("mypass")},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
+	client, err := ssh.Dial("tcp", address, sshClientConfig)
+	assert.NoError(t, err)
+	defer client.Close()
+	assert.NoError(t, err)
+	assertRemotePortForwarding(t, client)
+	assertNoLocalPortForwarding(t, client)
+	assertNoExec(t, client)
+	assertNoPtyTerminal(t, client)
+	assertNoSftp(t, client)
+	assertNoUnixRemotePortForwarding(t, client)
+	assertNoUnixLocalPortForwarding(t, client)
+}
+
+func TestAllowStreamlocalForward(t *testing.T) {
+	rootCmd := RootCmd()
+	port := getAvailableTcpPort()
+	rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypass", "--allow-streamlocal-forward"})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		var stderrBuf bytes.Buffer
+		rootCmd.SetErr(&stderrBuf)
+		rootCmd.ExecuteContext(ctx)
+	}()
+	waitTCPServer(port)
+	sshClientConfig := &ssh.ClientConfig{
+		User:            "john",
+		Auth:            []ssh.AuthMethod{ssh.Password("mypass")},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
+	client, err := ssh.Dial("tcp", address, sshClientConfig)
+	assert.NoError(t, err)
+	defer client.Close()
+	assert.NoError(t, err)
+	assertNoRemotePortForwarding(t, client)
+	assertNoLocalPortForwarding(t, client)
+	assertNoExec(t, client)
+	assertNoPtyTerminal(t, client)
+	assertNoSftp(t, client)
+	assertUnixRemotePortForwarding(t, client)
+	assertNoUnixLocalPortForwarding(t, client)
+}
+
+func TestAllowDirectTcpip(t *testing.T) {
+	rootCmd := RootCmd()
+	port := getAvailableTcpPort()
+	rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypass", "--allow-direct-tcpip"})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		var stderrBuf bytes.Buffer
+		rootCmd.SetErr(&stderrBuf)
+		rootCmd.ExecuteContext(ctx)
+	}()
+	waitTCPServer(port)
+	sshClientConfig := &ssh.ClientConfig{
+		User:            "john",
+		Auth:            []ssh.AuthMethod{ssh.Password("mypass")},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
+	client, err := ssh.Dial("tcp", address, sshClientConfig)
+	assert.NoError(t, err)
+	defer client.Close()
+	assert.NoError(t, err)
+	assertNoRemotePortForwarding(t, client)
+	assertLocalPortForwarding(t, client)
+	assertNoExec(t, client)
+	assertNoPtyTerminal(t, client)
+	assertNoSftp(t, client)
+	assertNoUnixRemotePortForwarding(t, client)
+	assertNoUnixLocalPortForwarding(t, client)
+}
+
+func TestAllowDirectStreamlocal(t *testing.T) {
+	rootCmd := RootCmd()
+	port := getAvailableTcpPort()
+	rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypass", "--allow-direct-streamlocal"})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		var stderrBuf bytes.Buffer
+		rootCmd.SetErr(&stderrBuf)
+		rootCmd.ExecuteContext(ctx)
+	}()
+	waitTCPServer(port)
+	sshClientConfig := &ssh.ClientConfig{
+		User:            "john",
+		Auth:            []ssh.AuthMethod{ssh.Password("mypass")},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
+	client, err := ssh.Dial("tcp", address, sshClientConfig)
+	assert.NoError(t, err)
+	defer client.Close()
+	assert.NoError(t, err)
+	assertNoRemotePortForwarding(t, client)
+	assertNoLocalPortForwarding(t, client)
+	assertNoExec(t, client)
+	assertNoPtyTerminal(t, client)
+	assertNoSftp(t, client)
+	assertNoUnixRemotePortForwarding(t, client)
+	assertUnixLocalPortForwarding(t, client)
+}
+
+func TestAllowSftp(t *testing.T) {
+	rootCmd := RootCmd()
+	port := getAvailableTcpPort()
+	rootCmd.SetArgs([]string{"--port", strconv.Itoa(port), "--user", "john:mypass", "--allow-sftp"})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		var stderrBuf bytes.Buffer
+		rootCmd.SetErr(&stderrBuf)
+		rootCmd.ExecuteContext(ctx)
+	}()
+	waitTCPServer(port)
+	sshClientConfig := &ssh.ClientConfig{
+		User:            "john",
+		Auth:            []ssh.AuthMethod{ssh.Password("mypass")},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	address := net.JoinHostPort("127.0.0.1", strconv.Itoa(port))
+	client, err := ssh.Dial("tcp", address, sshClientConfig)
+	assert.NoError(t, err)
+	defer client.Close()
+	assert.NoError(t, err)
+	assertNoRemotePortForwarding(t, client)
+	assertNoLocalPortForwarding(t, client)
+	assertNoExec(t, client)
+	assertNoPtyTerminal(t, client)
+	assertNoUnixRemotePortForwarding(t, client)
+	assertSftp(t, client)
+}

cmd/test_util_test.go

@@ -0,0 +1,283 @@
+package cmd
+
+import (
+	"bytes"
+	"github.com/google/uuid"
+	"github.com/pkg/sftp"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/crypto/ssh"
+	"io"
+	"net"
+	"os"
+	"os/exec"
+	"path"
+	"strconv"
+	"testing"
+	"time"
+)
+
+func getAvailableTcpPort() int {
+	ln, err := net.Listen("tcp", ":0")
+	if err != nil {
+		panic(err)
+	}
+	defer ln.Close()
+	return ln.Addr().(*net.TCPAddr).Port
+}
+
+func waitTCPServer(port int) {
+	for {
+		conn, err := net.Dial("tcp", net.JoinHostPort("127.0.0.1", strconv.Itoa(port)))
+		if err == nil {
+			conn.Close()
+			break
+		}
+	}
+}
+
+func assertExec(t *testing.T, client *ssh.Client) {
+	session, err := client.NewSession()
+	assert.NoError(t, err)
+	defer session.Close()
+	whoamiBytes, err := session.Output("whoami")
+	assert.NoError(t, err)
+	expectedWhoamiBytes, err := exec.Command("whoami").Output()
+	assert.NoError(t, err)
+	assert.Equal(t, string(expectedWhoamiBytes), string(whoamiBytes))
+}
+
+func assertNoExec(t *testing.T, client *ssh.Client) {
+	session, err := client.NewSession()
+	assert.NoError(t, err)
+	defer session.Close()
+	_, err = session.Output("whoami")
+	assert.Error(t, err)
+	assert.Equal(t, "ssh: command whoami failed", err.Error())
+}
+
+func assertPtyTerminal(t *testing.T, client *ssh.Client) {
+	session, err := client.NewSession()
+	assert.NoError(t, err)
+	defer session.Close()
+
+	err = session.RequestPty("xterm", 100, 200, ssh.TerminalModes{})
+	assert.NoError(t, err)
+	stdin, err := session.StdinPipe()
+	assert.NoError(t, err)
+	_, err = stdin.Write([]byte("echo helloworldviapty\r"))
+	assert.NoError(t, err)
+	stdout, err := session.StdoutPipe()
+	assert.NoError(t, err)
+	stdoutBytesChan := make(chan []byte)
+	go func() {
+		var buff bytes.Buffer
+		_, err := io.Copy(&buff, stdout)
+		assert.NoError(t, err)
+		stdoutBytesChan <- buff.Bytes()
+	}()
+	err = session.Shell()
+	assert.NoError(t, err)
+	time.Sleep(1 * time.Second)
+	session.Close()
+	stdoutBytes := <-stdoutBytesChan
+	assert.Contains(t, string(stdoutBytes), "helloworldviapty")
+}
+
+func assertNoPtyTerminal(t *testing.T, client *ssh.Client) {
+	session, err := client.NewSession()
+	assert.NoError(t, err)
+	defer session.Close()
+	err = session.RequestPty("xterm", 100, 200, ssh.TerminalModes{})
+	assert.Error(t, err)
+	assert.Equal(t, "ssh: pty-req failed", err.Error())
+}
+
+func assertLocalPortForwarding(t *testing.T, client *ssh.Client) {
+	var remoteTcpPort int
+	acceptedConnChan := make(chan net.Conn)
+	{
+		ln, err := net.Listen("tcp", ":0")
+		assert.NoError(t, err)
+		remoteTcpPort = ln.Addr().(*net.TCPAddr).Port
+		go func() {
+			conn, err := ln.Accept()
+			assert.NoError(t, err)
+			acceptedConnChan <- conn
+		}()
+	}
+	raddr := &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: remoteTcpPort}
+	conn, err := client.DialTCP("tcp", nil, raddr)
+	assert.NoError(t, err)
+	defer conn.Close()
+	acceptedConn := <-acceptedConnChan
+	defer acceptedConn.Close()
+	{
+		localToRemote := [3]byte{1, 2, 3}
+		_, err = conn.Write(localToRemote[:])
+		assert.NoError(t, err)
+		var buf [len(localToRemote)]byte
+		_, err = io.ReadFull(acceptedConn, buf[:])
+		assert.NoError(t, err)
+		assert.Equal(t, buf, localToRemote)
+	}
+	{
+		remoteToLocal := [4]byte{10, 20, 30, 40}
+		_, err = acceptedConn.Write(remoteToLocal[:])
+		assert.NoError(t, err)
+		var buf [len(remoteToLocal)]byte
+		_, err = io.ReadFull(conn, buf[:])
+		assert.NoError(t, err)
+		assert.Equal(t, buf, remoteToLocal)
+	}
+}
+
+func assertNoLocalPortForwarding(t *testing.T, client *ssh.Client) {
+	raddr := &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 1234}
+	_, err := client.DialTCP("tcp", nil, raddr)
+	assert.Error(t, err)
+	assert.Equal(t, "ssh: rejected: administratively prohibited (direct-tcpip not allowed)", err.Error())
+}
+
+func assertUnixLocalPortForwarding(t *testing.T, client *ssh.Client) {
+	remoteUnixSocket := path.Join(os.TempDir(), "test-unix-socket-"+uuid.New().String())
+	acceptedConnChan := make(chan net.Conn)
+	{
+		ln, err := net.Listen("unix", remoteUnixSocket)
+		assert.NoError(t, err)
+		defer os.Remove(remoteUnixSocket)
+		go func() {
+			conn, err := ln.Accept()
+			assert.NoError(t, err)
+			acceptedConnChan <- conn
+		}()
+	}
+	conn, err := client.Dial("unix", remoteUnixSocket)
+	assert.NoError(t, err)
+	defer conn.Close()
+	acceptedConn := <-acceptedConnChan
+	defer acceptedConn.Close()
+	{
+		localToRemote := [3]byte{1, 2, 3}
+		_, err = conn.Write(localToRemote[:])
+		assert.NoError(t, err)
+		var buf [len(localToRemote)]byte
+		_, err = io.ReadFull(acceptedConn, buf[:])
+		assert.NoError(t, err)
+		assert.Equal(t, buf, localToRemote)
+	}
+	{
+		remoteToLocal := [4]byte{10, 20, 30, 40}
+		_, err = acceptedConn.Write(remoteToLocal[:])
+		assert.NoError(t, err)
+		var buf [len(remoteToLocal)]byte
+		_, err = io.ReadFull(conn, buf[:])
+		assert.NoError(t, err)
+		assert.Equal(t, buf, remoteToLocal)
+	}
+}
+
+func assertNoUnixLocalPortForwarding(t *testing.T, client *ssh.Client) {
+	remoteUnixSocket := path.Join(os.TempDir(), "test-unix-socket-"+uuid.New().String())
+	_, err := client.Dial("unix", remoteUnixSocket)
+	assert.Error(t, err)
+	assert.Equal(t, "ssh: rejected: administratively prohibited (direct-streamlocal (Unix domain socket) not allowed)", err.Error())
+}
+
+func assertRemotePortForwarding(t *testing.T, client *ssh.Client) {
+	remotePort := getAvailableTcpPort()
+	ln, err := client.Listen("tcp", net.JoinHostPort("127.0.0.1", strconv.Itoa(remotePort)))
+	assert.NoError(t, err)
+	defer ln.Close()
+	acceptedConnChan := make(chan net.Conn)
+	go func() {
+		conn, err := ln.Accept()
+		assert.NoError(t, err)
+		acceptedConnChan <- conn
+	}()
+	conn, err := net.Dial("tcp", net.JoinHostPort("127.0.0.1", strconv.Itoa(remotePort)))
+	assert.NoError(t, err)
+	defer conn.Close()
+	acceptedConn := <-acceptedConnChan
+	defer acceptedConn.Close()
+	{
+		localToRemote := [3]byte{1, 2, 3}
+		_, err = conn.Write(localToRemote[:])
+		assert.NoError(t, err)
+		var buf [len(localToRemote)]byte
+		_, err = io.ReadFull(acceptedConn, buf[:])
+		assert.NoError(t, err)
+		assert.Equal(t, buf, localToRemote)
+	}
+	{
+		remoteToLocal := [4]byte{10, 20, 30, 40}
+		_, err = acceptedConn.Write(remoteToLocal[:])
+		assert.NoError(t, err)
+		var buf [len(remoteToLocal)]byte
+		_, err = io.ReadFull(conn, buf[:])
+		assert.NoError(t, err)
+		assert.Equal(t, buf, remoteToLocal)
+	}
+}
+
+func assertNoRemotePortForwarding(t *testing.T, client *ssh.Client) {
+	_, err := client.Listen("tcp", "127.0.0.1:5678")
+	assert.Error(t, err)
+	assert.Equal(t, "ssh: tcpip-forward request denied by peer", err.Error())
+}
+
+func assertUnixRemotePortForwarding(t *testing.T, client *ssh.Client) {
+	remoteUnixSocket := path.Join(os.TempDir(), "test-unix-socket-"+uuid.New().String())
+	ln, err := client.ListenUnix(remoteUnixSocket)
+	assert.NoError(t, err)
+	defer os.Remove(remoteUnixSocket)
+	defer ln.Close()
+	acceptedConnChan := make(chan net.Conn)
+	go func() {
+		conn, err := ln.Accept()
+		assert.NoError(t, err)
+		acceptedConnChan <- conn
+	}()
+	conn, err := net.Dial("unix", remoteUnixSocket)
+	assert.NoError(t, err)
+	defer conn.Close()
+	acceptedConn := <-acceptedConnChan
+	defer acceptedConn.Close()
+	{
+		localToRemote := [3]byte{1, 2, 3}
+		_, err = conn.Write(localToRemote[:])
+		assert.NoError(t, err)
+		var buf [len(localToRemote)]byte
+		_, err = io.ReadFull(acceptedConn, buf[:])
+		assert.NoError(t, err)
+		assert.Equal(t, buf, localToRemote)
+	}
+	{
+		remoteToLocal := [4]byte{10, 20, 30, 40}
+		_, err = acceptedConn.Write(remoteToLocal[:])
+		assert.NoError(t, err)
+		var buf [len(remoteToLocal)]byte
+		_, err = io.ReadFull(conn, buf[:])
+		assert.NoError(t, err)
+		assert.Equal(t, buf, remoteToLocal)
+	}
+}
+
+func assertNoUnixRemotePortForwarding(t *testing.T, client *ssh.Client) {
+	remoteUnixSocket := path.Join(os.TempDir(), "test-unix-socket-"+uuid.New().String())
+	_, err := client.ListenUnix(remoteUnixSocket)
+	assert.Error(t, err)
+	assert.Equal(t, "ssh: streamlocal-forward@openssh.com request denied by peer", err.Error())
+}
+
+func assertSftp(t *testing.T, client *ssh.Client) {
+	sftpClient, err := sftp.NewClient(client)
+	assert.NoError(t, err)
+	_, err = sftpClient.Getwd()
+	assert.NoError(t, err)
+}
+
+func assertNoSftp(t *testing.T, client *ssh.Client) {
+	_, err := sftp.NewClient(client)
+	assert.Error(t, err)
+	assert.Equal(t, "ssh: subsystem request failed", err.Error())
+}

go.mod

@@ -3,19 +3,26 @@ module github.com/nwtgck/handy-sshd
 go 1.20
 
 require (
-	github.com/creack/pty v1.1.18
+	github.com/creack/pty v1.1.21
+	github.com/google/uuid v1.6.0
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/pkg/errors v0.9.1
-	github.com/pkg/sftp v1.13.5
+	github.com/pkg/sftp v1.13.9
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.9.1
-	golang.org/x/crypto v0.12.0
+	github.com/stretchr/testify v1.10.0
-	golang.org/x/exp v0.0.0-20230807204917-050eac23e9de
+	golang.org/x/crypto v0.33.0
+	golang.org/x/exp v0.0.0-20240525044651-4c93da0ed11d
 )
 
 require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
-	github.com/stretchr/testify v1.8.4 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,46 +1,120 @@
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
+github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/sftp v1.13.5 h1:a3RLUqkyjYRtBTZJZ1VRrKbN3zhuPLlUc3sphVz81go=
+github.com/pkg/sftp v1.13.9 h1:4NGkvGudBL7GteO3m6qnaQ4pC0Kvf0onSVc9gR3EWBw=
-github.com/pkg/sftp v1.13.5/go.mod h1:wHDZ0IZX6JcBYRK1TH9bcVq8G7TLpVHYIGJRFnmPfxg=
+github.com/pkg/sftp v1.13.9/go.mod h1:OBN7bVXdstkFFN/gdnHPUb5TE8eb8G1Rp9wCItqjkkA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-golang.org/x/exp v0.0.0-20230807204917-050eac23e9de h1:l5Za6utMv/HsBWWqzt4S8X17j+kt1uVETUX5UFhn2rE=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/exp v0.0.0-20230807204917-050eac23e9de/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/exp v0.0.0-20240525044651-4c93da0ed11d h1:N0hmiNbwsSNwHBAvR3QB5w25pUwH4tK0Y/RltD1j1h4=
+golang.org/x/exp v0.0.0-20240525044651-4c93da0ed11d/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

main/main.go

@@ -1,14 +1,12 @@
 package main
 
 import (
-	"fmt"
 	"github.com/nwtgck/handy-sshd/cmd"
 	"os"
 )
 
 func main() {
-	if err := cmd.RootCmd.Execute(); err != nil {
+	if err := cmd.RootCmd().Execute(); err != nil {
-		_, _ = fmt.Fprintf(os.Stderr, err.Error())
 		os.Exit(-1)
 	}
 }

pty_related_unix.go

@@ -31,10 +31,12 @@ func (s *Server) createPty(shell string, connection ssh.Channel) (*os.File, erro
 			Status: 0,
 		}))
 		connection.Close()
+		if sh.Process != nil {
 			_, err := sh.Process.Wait()
 			if err != nil {
 				s.Logger.Info("failed to exit shell", err)
 			}
+		}
 		s.Logger.Info("session closed")
 	}
 

server.go

@@ -15,6 +15,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"github.com/mattn/go-shellwords"
+	"github.com/nwtgck/handy-sshd/sync_generics"
 	"github.com/pkg/sftp"
 	"golang.org/x/crypto/ssh"
 	"golang.org/x/exp/slog"
@@ -28,6 +29,16 @@ import (
 
 type Server struct {
 	Logger                *slog.Logger
+	bindAddressToListener sync_generics.Map[string, net.Listener]
+
+	// Permissions
+	AllowTcpipForward       bool
+	AllowDirectTcpip        bool
+	AllowExecute            bool // this should not be split into "allow-exec" and "allow-pty-req" for now because "pty-req" can be used not for shell execution.
+	AllowSftp               bool
+	AllowStreamlocalForward bool
+	AllowDirectStreamlocal  bool
+
 	// TODO: DNS server ?
 }
 
@@ -47,7 +58,17 @@ func (s *Server) handleChannel(shell string, newChannel ssh.NewChannel) {
 	case "session":
 		s.handleSession(shell, newChannel)
 	case "direct-tcpip":
+		if !s.AllowDirectTcpip {
+			newChannel.Reject(ssh.Prohibited, "direct-tcpip not allowed")
+			break
+		}
 		s.handleDirectTcpip(newChannel)
+	case "direct-streamlocal@openssh.com":
+		if !s.AllowDirectStreamlocal {
+			newChannel.Reject(ssh.Prohibited, "direct-streamlocal (Unix domain socket) not allowed")
+			break
+		}
+		s.handleDirectStreamlocal(newChannel)
 	default:
 		newChannel.Reject(ssh.UnknownChannelType, fmt.Sprintf("unknown channel type: %s", newChannel.ChannelType()))
 	}
@@ -67,6 +88,11 @@ func (s *Server) handleSession(shell string, newChannel ssh.NewChannel) {
 	for req := range requests {
 		switch req.Type {
 		case "exec":
+			if !s.AllowExecute {
+				s.Logger.Info("execution not allowed (exec)")
+				req.Reply(false, nil)
+				break
+			}
 			s.handleExecRequest(req, connection)
 		case "shell":
 			// We only accept the default shell
@@ -75,6 +101,11 @@ func (s *Server) handleSession(shell string, newChannel ssh.NewChannel) {
 				req.Reply(true, nil)
 			}
 		case "pty-req":
+			if !s.AllowExecute {
+				s.Logger.Info("execution not allowed (pty-req)")
+				req.Reply(false, nil)
+				break
+			}
 			termLen := req.Payload[3]
 			w, h := parseDims(req.Payload[termLen+4:])
 			shf, err = s.createPty(shell, connection)
@@ -93,6 +124,8 @@ func (s *Server) handleSession(shell string, newChannel ssh.NewChannel) {
 			}
 		case "subsystem":
 			s.handleSessionSubSystem(req, connection)
+		default:
+			s.Logger.Info("unsupported request", "req_type", req.Type)
 		}
 	}
 }
@@ -140,9 +173,17 @@ func (s *Server) handleExecRequest(req *ssh.Request, connection ssh.Channel) {
 
 func (s *Server) handleSessionSubSystem(req *ssh.Request, connection ssh.Channel) {
 	// https://github.com/pkg/sftp/blob/42e9800606febe03f9cdf1d1283719af4a5e6456/examples/go-sftp-server/main.go#L111
-	ok := string(req.Payload[4:]) == "sftp"
+	if string(req.Payload[4:]) != "sftp" {
-	req.Reply(ok, nil)
+		req.Reply(false, nil)
+		return
+	}
+	if !s.AllowSftp {
+		s.Logger.Info("sftp not allowed")
+		req.Reply(false, nil)
+		return
+	}
 
+	req.Reply(true, nil)
 	serverOptions := []sftp.ServerOption{
 		sftp.WithDebug(os.Stderr),
 	}
@@ -168,7 +209,7 @@ func (s *Server) handleDirectTcpip(newChannel ssh.NewChannel) {
 		SourcePort uint32
 	}
 	if err := ssh.Unmarshal(newChannel.ExtraData(), &msg); err != nil {
-		s.Logger.Info("failed to parse message", "err", err)
+		s.Logger.Info("failed to parse direct-tcpip message", "err", err)
 		return
 	}
 	channel, reqs, err := newChannel.Accept()
@@ -198,6 +239,44 @@ func (s *Server) handleDirectTcpip(newChannel ssh.NewChannel) {
 	return
 }
 
+// client side: https://github.com/golang/crypto/blob/b4ddeeda5bc71549846db71ba23e83ecb26f36ed/ssh/streamlocal.go#L52
+func (s *Server) handleDirectStreamlocal(newChannel ssh.NewChannel) {
+	// https://github.com/openssh/openssh-portable/blob/f9f18006678d2eac8b0c5a5dddf17ab7c50d1e9f/PROTOCOL#L237
+	var msg struct {
+		SocketPath string
+		Reserved0  string
+		Reserved1  uint32
+	}
+	if err := ssh.Unmarshal(newChannel.ExtraData(), &msg); err != nil {
+		s.Logger.Info("failed to parse direct-streamlocal message", "err", err)
+		return
+	}
+	channel, reqs, err := newChannel.Accept()
+	if err != nil {
+		s.Logger.Info("failed to accept", "err", err)
+		return
+	}
+	go ssh.DiscardRequests(reqs)
+	conn, err := net.Dial("unix", msg.SocketPath)
+	if err != nil {
+		s.Logger.Info("failed to dial", "err", err)
+		channel.Close()
+		return
+	}
+	var closeOnce sync.Once
+	closer := func() {
+		channel.Close()
+		conn.Close()
+	}
+	go func() {
+		io.Copy(channel, conn)
+		closeOnce.Do(closer)
+	}()
+	io.Copy(conn, channel)
+	closeOnce.Do(closer)
+	return
+}
+
 // =======================
 
 // parseDims extracts terminal dimensions (width x height) from the provided buffer.
@@ -232,7 +311,31 @@ func (s *Server) HandleGlobalRequests(sshConn *ssh.ServerConn, reqs <-chan *ssh.
 	for req := range reqs {
 		switch req.Type {
 		case "tcpip-forward":
+			if !s.AllowTcpipForward {
+				s.Logger.Info("tcpip-forward not allowed")
+				req.Reply(false, nil)
+				break
+			}
+			go func() {
 				s.handleTcpipForward(sshConn, req)
+			}()
+		case "cancel-tcpip-forward":
+			go func() {
+				s.cancelTcpipForward(req)
+			}()
+		case "streamlocal-forward@openssh.com":
+			if !s.AllowStreamlocalForward {
+				s.Logger.Info("streamlocal-forward not allowed")
+				req.Reply(false, nil)
+				break
+			}
+			go func() {
+				s.handleStreamlocalForward(sshConn, req)
+			}()
+		case "cancel-streamlocal-forward@openssh.com":
+			go func() {
+				s.cancelStreamlocalForward(req)
+			}()
 		default:
 			// discard
 			if req.WantReply {
@@ -253,11 +356,14 @@ func (s *Server) handleTcpipForward(sshConn *ssh.ServerConn, req *ssh.Request) {
 		req.Reply(false, nil)
 		return
 	}
-	ln, err := net.Listen("tcp", net.JoinHostPort(msg.Addr, strconv.Itoa(int(msg.Port))))
+	address := net.JoinHostPort(msg.Addr, strconv.Itoa(int(msg.Port)))
+	ln, err := net.Listen("tcp", address)
 	if err != nil {
 		req.Reply(false, nil)
 		return
 	}
+	s.bindAddressToListener.Store(address, ln)
+	req.Reply(true, nil)
 	go func() {
 		sshConn.Wait()
 		ln.Close()
@@ -266,6 +372,7 @@ func (s *Server) handleTcpipForward(sshConn *ssh.ServerConn, req *ssh.Request) {
 	for {
 		conn, err := ln.Accept()
 		if err != nil {
+			s.Logger.Info("failed to accept", "err", err)
 			return
 		}
 		var replyMsg struct {
@@ -276,6 +383,14 @@ func (s *Server) handleTcpipForward(sshConn *ssh.ServerConn, req *ssh.Request) {
 		}
 		replyMsg.Addr = msg.Addr
 		replyMsg.Port = msg.Port
+		originatorAddr, originatorPortStr, err := net.SplitHostPort(conn.RemoteAddr().String())
+		if err == nil {
+			originatorPort, _ := strconv.Atoi(originatorPortStr)
+			replyMsg.OriginatorAddr = originatorAddr
+			replyMsg.OriginatorPort = uint32(originatorPort)
+		} else {
+			s.Logger.Error("failed to split remote address", "remote_address", conn.RemoteAddr())
+		}
 
 		go func() {
 			channel, reqs, err := sshConn.OpenChannel("forwarded-tcpip", ssh.Marshal(&replyMsg))
@@ -298,3 +413,105 @@ func (s *Server) handleTcpipForward(sshConn *ssh.ServerConn, req *ssh.Request) {
 		}()
 	}
 }
+
+// https://datatracker.ietf.org/doc/html/rfc4254#section-7.1
+func (s *Server) cancelTcpipForward(req *ssh.Request) {
+	var msg struct {
+		Addr string
+		Port uint32
+	}
+	if err := ssh.Unmarshal(req.Payload, &msg); err != nil {
+		req.Reply(false, nil)
+		return
+	}
+	address := net.JoinHostPort(msg.Addr, strconv.Itoa(int(msg.Port)))
+	ln, loaded := s.bindAddressToListener.LoadAndDelete(address)
+	if !loaded {
+		req.Reply(false, nil)
+		s.Logger.Info("failed to find listener", "address", address)
+	}
+	if err := ln.Close(); err != nil {
+		req.Reply(false, nil)
+		s.Logger.Info("failed to close", "err", err)
+	}
+	req.Reply(true, nil)
+}
+
+// client side: https://github.com/golang/crypto/blob/b4ddeeda5bc71549846db71ba23e83ecb26f36ed/ssh/streamlocal.go#L34
+func (s *Server) handleStreamlocalForward(sshConn *ssh.ServerConn, req *ssh.Request) {
+	// https://github.com/openssh/openssh-portable/blob/f9f18006678d2eac8b0c5a5dddf17ab7c50d1e9f/PROTOCOL#L272
+	var msg struct {
+		SocketPath string
+	}
+	if err := ssh.Unmarshal(req.Payload, &msg); err != nil {
+		req.Reply(false, nil)
+		return
+	}
+	ln, err := net.Listen("unix", msg.SocketPath)
+	if err != nil {
+		req.Reply(false, nil)
+		return
+	}
+	s.bindAddressToListener.Store(msg.SocketPath, ln)
+	req.Reply(true, nil)
+	go func() {
+		sshConn.Wait()
+		ln.Close()
+		s.Logger.Info("connection closed", "address", ln.Addr().String())
+	}()
+	for {
+		conn, err := ln.Accept()
+		if err != nil {
+			s.Logger.Info("failed to accept", "err", err)
+			return
+		}
+		// https://github.com/openssh/openssh-portable/blob/f9f18006678d2eac8b0c5a5dddf17ab7c50d1e9f/PROTOCOL#L255
+		var replyMsg struct {
+			SocketPath string
+			Reserved   string
+		}
+		replyMsg.SocketPath = msg.SocketPath
+
+		go func() {
+			channel, reqs, err := sshConn.OpenChannel("forwarded-streamlocal@openssh.com", ssh.Marshal(&replyMsg))
+			if err != nil {
+				req.Reply(false, nil)
+				conn.Close()
+				return
+			}
+			go ssh.DiscardRequests(reqs)
+			go func() {
+				io.Copy(channel, conn)
+				conn.Close()
+				channel.Close()
+			}()
+			go func() {
+				io.Copy(conn, channel)
+				conn.Close()
+				channel.Close()
+			}()
+		}()
+	}
+}
+
+func (s *Server) cancelStreamlocalForward(req *ssh.Request) {
+	// https://github.com/openssh/openssh-portable/blob/f9f18006678d2eac8b0c5a5dddf17ab7c50d1e9f/PROTOCOL#L280
+	var msg struct {
+		SocketPath string
+	}
+	if err := ssh.Unmarshal(req.Payload, &msg); err != nil {
+		req.Reply(false, nil)
+		return
+	}
+	ln, loaded := s.bindAddressToListener.LoadAndDelete(msg.SocketPath)
+	if !loaded {
+		s.Logger.Info("failed to find listener", "address", msg.SocketPath)
+		req.Reply(false, nil)
+		return
+	}
+	if err := ln.Close(); err != nil {
+		req.Reply(false, nil)
+		s.Logger.Info("failed to close", "err", err)
+	}
+	req.Reply(true, nil)
+}

sync_generics/map.go

@@ -0,0 +1,62 @@
+package sync_generics
+
+import "sync"
+
+type Map[K any, V any] struct {
+	inner sync.Map
+}
+
+func (m *Map[K, V]) CompareAndDelete(key K, old V) (deleted bool) {
+	deleted = m.inner.CompareAndDelete(key, old)
+	return
+}
+
+func (m *Map[K, V]) CompareAndSwap(key K, old V, new V) bool {
+	return m.inner.CompareAndSwap(key, old, new)
+}
+
+func (m *Map[K, V]) Delete(key K) {
+	m.inner.Delete(key)
+}
+
+func (m *Map[K, V]) Load(key K) (value V, ok bool) {
+	_value, ok := m.inner.Load(key)
+	value = nilSafeTypeAssertion[V](_value)
+	return
+}
+
+func (m *Map[K, V]) LoadAndDelete(key K) (value V, loaded bool) {
+	_value, loaded := m.inner.LoadAndDelete(key)
+	value = nilSafeTypeAssertion[V](_value)
+	return
+}
+
+func (m *Map[K, V]) LoadOrStore(key K, value V) (actual V, loaded bool) {
+	_actual, loaded := m.inner.LoadOrStore(key, value)
+	actual = nilSafeTypeAssertion[V](_actual)
+	return
+}
+
+func (m *Map[K, V]) Range(f func(key K, value V) bool) {
+	m.inner.Range(func(key, value any) bool {
+		return f(nilSafeTypeAssertion[K](key), nilSafeTypeAssertion[V](value))
+	})
+}
+
+func (m *Map[K, V]) Store(key K, value V) {
+	m.inner.Store(key, value)
+}
+
+func (m *Map[K, V]) Swap(key K, value V) (previous V, loaded bool) {
+	_previous, loaded := m.inner.Swap(key, value)
+	previous = nilSafeTypeAssertion[V](_previous)
+	return
+}
+
+func nilSafeTypeAssertion[T any](value any) T {
+	var zero T
+	if value == nil {
+		return zero
+	}
+	return value.(T)
+}

version/version.go

@@ -1,3 +1,3 @@
 package version
 
-const Version = "0.1.0"
+const Version = "0.4.3"