obfssh/obfsshd/server.go

package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"flag"
	"fmt"
	"io/ioutil"
	"net"
	"os"
	"os/signal"
	"syscall"

	"github.com/fangdingjun/go-log"
	"github.com/fangdingjun/obfssh"
	"golang.org/x/crypto/ssh"
)

func main() {

	var configfile string
	var logfile string
	var logFileCount int
	var logFileSize int64
	var loglevel string

	flag.StringVar(&configfile, "c", "config.yaml", "configure file")
	flag.StringVar(&logfile, "log_file", "", "log file, default stdout")
	flag.IntVar(&logFileCount, "log_count", 10, "max count of log to keep")
	flag.Int64Var(&logFileSize, "log_size", 10, "max log file size MB")
	flag.StringVar(&loglevel, "log_level", "INFO", "log level, values:\nOFF, FATAL, PANIC, ERROR, WARN, INFO, DEBUG")

	flag.Parse()

	if logfile != "" {
		log.Default.Out = &log.FixedSizeFileWriter{
			MaxCount: logFileCount,
			Name:     logfile,
			MaxSize:  logFileSize * 1024 * 1024,
		}
	}

	if loglevel != "" {
		lv, err := log.ParseLevel(loglevel)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		log.Default.Level = lv
	}

	conf, err := loadConfig(configfile)
	if err != nil {
		log.Fatal(err)
	}

	sconf := &obfssh.Conf{}

	config := &ssh.ServerConfig{
		PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
			if u, err := conf.getUser(c.User()); err == nil {
				if u.Password != "" && c.User() == u.Username && string(pass) == u.Password {
					return nil, nil
				}
			}
			return nil, fmt.Errorf("password reject for user %s", c.User())
		},

		PublicKeyCallback: func(c ssh.ConnMetadata, k ssh.PublicKey) (*ssh.Permissions, error) {
			checker := &ssh.CertChecker{
				IsUserAuthority: func(k ssh.PublicKey) bool {
					if u, err := conf.getUser(c.User()); err == nil {
						for _, pk := range u.publicKeys {
							if k.Type() == pk.Type() &&
								bytes.Compare(k.Marshal(), pk.Marshal()) == 0 {
								return true
							}
						}
					}
					return false
				},
			}
			checker.UserKeyFallback = func(c1 ssh.ConnMetadata, k1 ssh.PublicKey) (*ssh.Permissions, error) {
				log.Debug("user key fallback")
				if checker.IsUserAuthority(k1) {
					return nil, nil
				}
				return nil, errors.New("public not acceptable")
			}
			return checker.Authenticate(c, k)
		},

		// auth log
		AuthLogCallback: func(c ssh.ConnMetadata, method string, err error) {
			if err != nil {
				log.Debugf("%s", err.Error())
				log.Errorf("%s auth failed for %s from %s", method, c.User(), c.RemoteAddr())
			} else {
				log.Printf("Accepted %s for user %s from %s", method, c.User(), c.RemoteAddr())
			}
		},
	}

	privateBytes, err := ioutil.ReadFile(conf.HostKey)
	if err != nil {
		log.Fatal(err)
	}

	private, err := ssh.ParsePrivateKey(privateBytes)
	if err != nil {
		log.Fatal(err)
	}

	config.AddHostKey(private)
	for _, lst := range conf.Listen {
		go func(lst listen) {
			var l net.Listener
			var err error

			l, err = net.Listen("tcp", fmt.Sprintf(":%d", lst.Port))
			if err != nil {
				log.Fatal(err)
			}
			defer l.Close()

			if lst.Key != "" && lst.Cert != "" {
				cert, err := tls.LoadX509KeyPair(lst.Cert, lst.Key)
				if err != nil {
					log.Fatal(err)
				}
				l = tls.NewListener(&protoListener{l}, &tls.Config{
					Certificates: []tls.Certificate{cert},
				})
			}

			for {
				c, err := l.Accept()
				if err != nil {
					fmt.Println(err)
					return
				}

				log.Infof("accept tcp connection from %s", c.RemoteAddr())

				go func(c net.Conn) {
					defer c.Close()
					sc, err := obfssh.NewServer(c, config, sconf)
					if err != nil {
						c.Close()
						log.Errorf("%s", err.Error())
						return
					}
					sc.Run()
				}(c)
			}
		}(lst)
	}

	ch := make(chan os.Signal, 2)
	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
	select {
	case s := <-ch:
		log.Printf("received signal %s, exit.", s)
	}

}
first version 8 years ago			`package main`

			`import (`
			`"bytes"`
remove obfsucation, use tls instead 7 years ago			`"crypto/tls"`
use CertChecker for public key auth 6 years ago			`"errors"`
first version 8 years ago			`"flag"`
			`"fmt"`
			`"io/ioutil"`
			`"net"`
change log library 7 years ago			`"os"`
add signal handler 6 years ago			`"os/signal"`
			`"syscall"`
change log library 7 years ago
			`"github.com/fangdingjun/go-log"`
			`"github.com/fangdingjun/obfssh"`
			`"golang.org/x/crypto/ssh"`
first version 8 years ago			`)`

			`func main() {`

			`var configfile string`
change log library 7 years ago			`var logfile string`
			`var logFileCount int`
			`var logFileSize int64`
			`var loglevel string`
first version 8 years ago
			`flag.StringVar(&configfile, "c", "config.yaml", "configure file")`
change log library 7 years ago			`flag.StringVar(&logfile, "log_file", "", "log file, default stdout")`
			`flag.IntVar(&logFileCount, "log_count", 10, "max count of log to keep")`
			`flag.Int64Var(&logFileSize, "log_size", 10, "max log file size MB")`
			`flag.StringVar(&loglevel, "log_level", "INFO", "log level, values:\nOFF, FATAL, PANIC, ERROR, WARN, INFO, DEBUG")`

first version 8 years ago			`flag.Parse()`

change log library 7 years ago			`if logfile != "" {`
log library updated 6 years ago			`log.Default.Out = &log.FixedSizeFileWriter{`
change log library 7 years ago			`MaxCount: logFileCount,`
			`Name: logfile,`
			`MaxSize: logFileSize * 1024 * 1024,`
			`}`
			`}`

			`if loglevel != "" {`
			`lv, err := log.ParseLevel(loglevel)`
			`if err != nil {`
			`fmt.Fprintln(os.Stderr, err)`
			`os.Exit(1)`
			`}`
			`log.Default.Level = lv`
			`}`

first version 8 years ago			`conf, err := loadConfig(configfile)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

remove obfsucation, use tls instead 7 years ago			`sconf := &obfssh.Conf{}`
add more commandline options client add keepalive, timeout options all add disable obfs after handshake option 8 years ago
first version 8 years ago			`config := &ssh.ServerConfig{`
			`PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {`
			`if u, err := conf.getUser(c.User()); err == nil {`
			`if u.Password != "" && c.User() == u.Username && string(pass) == u.Password {`
			`return nil, nil`
			`}`
			`}`
			`return nil, fmt.Errorf("password reject for user %s", c.User())`
			`},`

			`PublicKeyCallback: func(c ssh.ConnMetadata, k ssh.PublicKey) (*ssh.Permissions, error) {`
use CertChecker for public key auth 6 years ago			`checker := &ssh.CertChecker{`
			`IsUserAuthority: func(k ssh.PublicKey) bool {`
			`if u, err := conf.getUser(c.User()); err == nil {`
			`for _, pk := range u.publicKeys {`
			`if k.Type() == pk.Type() &&`
			`bytes.Compare(k.Marshal(), pk.Marshal()) == 0 {`
			`return true`
			`}`
			`}`
first version 8 years ago			`}`
use CertChecker for public key auth 6 years ago			`return false`
			`},`
			`}`
			`checker.UserKeyFallback = func(c1 ssh.ConnMetadata, k1 ssh.PublicKey) (*ssh.Permissions, error) {`
			`log.Debug("user key fallback")`
			`if checker.IsUserAuthority(k1) {`
			`return nil, nil`
first version 8 years ago			`}`
use CertChecker for public key auth 6 years ago			`return nil, errors.New("public not acceptable")`
first version 8 years ago			`}`
use CertChecker for public key auth 6 years ago			`return checker.Authenticate(c, k)`
first version 8 years ago			`},`

			`// auth log`
			`AuthLogCallback: func(c ssh.ConnMetadata, method string, err error) {`
			`if err != nil {`
use CertChecker for public key auth 6 years ago			`log.Debugf("%s", err.Error())`
change log level for server 6 years ago			`log.Errorf("%s auth failed for %s from %s", method, c.User(), c.RemoteAddr())`
first version 8 years ago			`} else {`
change log level for server 6 years ago			`log.Printf("Accepted %s for user %s from %s", method, c.User(), c.RemoteAddr())`
first version 8 years ago			`}`
			`},`
			`}`

			`privateBytes, err := ioutil.ReadFile(conf.HostKey)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

			`private, err := ssh.ParsePrivateKey(privateBytes)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

			`config.AddHostKey(private)`
remove obfsucation, use tls instead 7 years ago			`for _, lst := range conf.Listen {`
			`go func(lst listen) {`
			`var l net.Listener`
			`var err error`
add proxy proto support 6 years ago
			`l, err = net.Listen("tcp", fmt.Sprintf(":%d", lst.Port))`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
			`defer l.Close()`

			`if lst.Key != "" && lst.Cert != "" {`
remove obfsucation, use tls instead 7 years ago			`cert, err := tls.LoadX509KeyPair(lst.Cert, lst.Key)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
add proxy proto support 6 years ago			`l = tls.NewListener(&protoListener{l}, &tls.Config{`
remove obfsucation, use tls instead 7 years ago			`Certificates: []tls.Certificate{cert},`
			`})`
			`}`

			`for {`
			`c, err := l.Accept()`
			`if err != nil {`
			`fmt.Println(err)`
			`return`
			`}`

change log level for server 6 years ago			`log.Infof("accept tcp connection from %s", c.RemoteAddr())`
remove obfsucation, use tls instead 7 years ago
			`go func(c net.Conn) {`
			`defer c.Close()`
			`sc, err := obfssh.NewServer(c, config, sconf)`
			`if err != nil {`
			`c.Close()`
change log library 7 years ago			`log.Errorf("%s", err.Error())`
remove obfsucation, use tls instead 7 years ago			`return`
			`}`
			`sc.Run()`
			`}(c)`
first version 8 years ago			`}`
remove obfsucation, use tls instead 7 years ago			`}(lst)`
first version 8 years ago			`}`
add signal handler 6 years ago
			`ch := make(chan os.Signal, 2)`
			`signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)`
			`select {`
			`case s := <-ch:`
			`log.Printf("received signal %s, exit.", s)`
			`}`
first version 8 years ago
			`}`