Involved Source Files
Package agent implements the ssh-agent protocol, and provides both
a client and a server. The client can talk to a standard ssh-agent
that uses UNIX sockets, and one could implement an alternative
ssh-agent process using the sample server.
References:
[PROTOCOL.agent]: https://tools.ietf.org/html/draft-miller-ssh-agent-00
forward.gokeyring.goserver.go
Code Examples
package main
import (
"golang.org/x/crypto/ssh"
"golang.org/x/crypto/ssh/agent"
"log"
"net"
"os"
)
func main() {
// ssh-agent(1) provides a UNIX socket at $SSH_AUTH_SOCK.
socket := os.Getenv("SSH_AUTH_SOCK")
conn, err := net.Dial("unix", socket)
if err != nil {
log.Fatalf("Failed to open SSH_AUTH_SOCK: %v", err)
}
agentClient := agent.NewClient(conn)
config := &ssh.ClientConfig{
User: "gopher",
Auth: []ssh.AuthMethod{
// Use a callback rather than PublicKeys so we only consult the
// agent once the remote server wants it.
ssh.PublicKeysCallback(agentClient.Signers),
},
HostKeyCallback: ssh.InsecureIgnoreHostKey(),
}
sshc, err := ssh.Dial("tcp", "localhost:22", config)
if err != nil {
log.Fatal(err)
}
// Use sshc...
sshc.Close()
}
Package-Level Type Names (total 34, in which 6 are exported)
/* sort exporteds by: | */
AddedKey describes an SSH key to be added to an Agent.
Certificate, if not nil, is communicated to the agent and will be
stored with the key.
Comment is an optional, free-form string.
ConfirmBeforeUse, if true, requests that the agent confirm with the
user before each use of this key.
ConstraintExtensions are the experimental or private-use constraints
defined by users.
LifetimeSecs, if not zero, is the number of seconds that the
agent will store the key for.
PrivateKey must be a *rsa.PrivateKey, *dsa.PrivateKey,
ed25519.PrivateKey or *ecdsa.PrivateKey, which will be inserted into the
agent.
func parseDSACert(req []byte) (*AddedKey, error)
func parseDSAKey(req []byte) (*AddedKey, error)
func parseECDSACert(req []byte) (*AddedKey, error)
func parseECDSAKey(req []byte) (*AddedKey, error)
func parseEd25519Cert(req []byte) (*AddedKey, error)
func parseEd25519Key(req []byte) (*AddedKey, error)
func parseRSACert(req []byte) (*AddedKey, error)
func parseRSAKey(req []byte) (*AddedKey, error)
func Agent.Add(key AddedKey) error
func ExtendedAgent.Add(key AddedKey) error
func setConstraints(key *AddedKey, constraintBytes []byte) error
Agent represents the capabilities of an ssh-agent.
Add adds a private key to the agent.
List returns the identities known to the agent.
Lock locks the agent. Sign and Remove will fail, and List will empty an empty list.
Remove removes all identities with the given public key.
RemoveAll removes all identities.
Sign has the agent sign the data using a protocol 2 key as defined
in [PROTOCOL.agent] section 2.6.2.
Signers returns signers for all the known keys.
Unlock undoes the effect of Lock
ExtendedAgent(interface)
*client
*keyring
func NewKeyring() Agent
func github.com/xanzy/ssh-agent.New() (Agent, net.Conn, error)
func ForwardToAgent(client *ssh.Client, keyring Agent) error
func ServeAgent(agent Agent, c io.ReadWriter) error
ConstraintExtension describes an optional constraint defined by users.
ExtensionDetails contains the actual content of the extended
constraint.
ExtensionName consist of a UTF-8 string suffixed by the
implementation domain following the naming scheme defined
in Section 4.2 of [RFC4251], e.g. "foo@example.com".
func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse bool, extensions []ConstraintExtension, err error)
Add adds a private key to the agent.
Extension processes a custom extension request. Standard-compliant agents are not
required to support any extensions, but this method allows agents to implement
vendor-specific methods or add experimental features. See [PROTOCOL.agent] section 4.7.
If agent extensions are unsupported entirely this method MUST return an
ErrExtensionUnsupported error. Similarly, if just the specific extensionType in
the request is unsupported by the agent then ErrExtensionUnsupported MUST be
returned.
In the case of success, since [PROTOCOL.agent] section 4.7 specifies that the contents
of the response are unspecified (including the type of the message), the complete
response will be returned as a []byte slice, including the "type" byte of the message.
List returns the identities known to the agent.
Lock locks the agent. Sign and Remove will fail, and List will empty an empty list.
Remove removes all identities with the given public key.
RemoveAll removes all identities.
Sign has the agent sign the data using a protocol 2 key as defined
in [PROTOCOL.agent] section 2.6.2.
SignWithFlags signs like Sign, but allows for additional flags to be sent/received
Signers returns signers for all the known keys.
Unlock undoes the effect of Lock
*client
*keyring
T : Agent
func NewClient(rw io.ReadWriter) ExtendedAgent
Key represents a protocol 2 public key as defined in
[PROTOCOL.agent], section 2.5.2.
Blob[]byteCommentstringFormatstring
Marshal returns key blob to satisfy the ssh.PublicKey interface.
String returns the storage form of an agent key with the format, base64
encoded serialized key, and the comment if it is not empty.
Type returns the public key type.
Verify satisfies the ssh.PublicKey interface.
*T : golang.org/x/crypto/ssh.PublicKey
*T : expvar.Var
*T : fmt.Stringer
*T : context.stringer
*T : runtime.stringer
func Agent.List() ([]*Key, error)
func ExtendedAgent.List() ([]*Key, error)
func parseKey(in []byte) (out *Key, rest []byte, err error)
func marshalKey(k *Key) []byte
client is a client for an ssh-agent process.
conn is typically a *net.UnixConn
mu is used to prevent concurrent access to the agent
Add adds a private key to the agent. If a certificate is given,
that certificate is added instead as public key.
Calls an extension method. It is up to the agent implementation as to whether or not
any particular extension is supported and may always return an error. Because the
type of the response is up to the implementation, this returns the bytes of the
response and does not attempt any type of unmarshalling.
List returns the identities known to the agent.
(*T) Lock(passphrase []byte) error(*T) Remove(key ssh.PublicKey) error(*T) RemoveAll() error
Sign has the agent sign the data using a protocol 2 key as defined
in [PROTOCOL.agent] section 2.6.2.
(*T) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFlags) (*ssh.Signature, error)
Signers provides a callback for client authentication.
(*T) Unlock(passphrase []byte) error
call sends an RPC to the agent. On success, the reply is
unmarshaled into reply and replyType is set to the first byte of
the reply, which contains the type of the message.
callRaw sends an RPC to the agent. On success, the raw
bytes of the response are returned; no unmarshalling is
performed on the response.
(*T) insertCert(s interface{}, cert *ssh.Certificate, comment string, constraints []byte) error
Insert adds a private key to the agent.
(*T) simpleCall(req []byte) error
*T : Agent
*T : ExtendedAgent
keys[]privKeylockedboolmusync.Mutexpassphrase[]byte
Insert adds a private key to the keyring. If a certificate
is given, that certificate is added as public key. Note that
any constraints given are ignored.
The keyring does not support any extensions
List returns the identities known to the agent.
Lock locks the agent. Sign and Remove will fail, and List will return an empty list.
Remove removes all identities with the given public key.
RemoveAll removes all identities.
Sign returns a signature for the data.
(*T) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFlags) (*ssh.Signature, error)
Signers returns signers for all the known keys.
Unlock undoes the effect of Lock
expireKeysLocked removes expired keys from the keyring. If a key was added
with a lifetimesecs contraint and seconds >= lifetimesecs seconds have
ellapsed, it is removed. The caller *must* be holding the keyring mutex.
removeLocked does the actual key removal. The caller must already be holding the
keyring mutex.
*T : Agent
*T : ExtendedAgent
Package-Level Functions (total 22, in which 6 are exported)
ForwardToAgent routes authentication requests to the given keyring.
ForwardToRemote routes authentication requests to the ssh-agent
process serving on the given unix socket.
NewClient returns an Agent that talks to an ssh-agent process over
the given connection.
NewKeyring returns an Agent that holds keys in memory. It is safe
for concurrent use by multiple goroutines.
RequestAgentForwarding sets up agent forwarding for the session.
ForwardToAgent or ForwardToRemote should be called to route
the authentication requests.
ServeAgent serves the agent protocol on the given connection. It
returns when an I/O error occurs.
Package-Level Variables (total 2, in which 1 are exported)
ErrExtensionUnsupported indicates that an extension defined in
[PROTOCOL.agent] section 4.7 is unsupported by the agent. Specifically this
error indicates that the agent returned a standard SSH_AGENT_FAILURE message
as the result of a SSH_AGENTC_EXTENSION request. Note that the protocol
specification (and therefore this error) does not distinguish between a
specific extension being unsupported and extensions being unsupported entirely.
maxAgentResponseBytes is the maximum agent reply size that is accepted. This
is a sanity check, not a limit in the spec.
The pages are generated with Goldsv0.3.2-preview. (GOOS=darwin GOARCH=amd64)
Golds is a Go 101 project developed by Tapir Liu.
PR and bug reports are welcome and can be submitted to the issue list.
Please follow @Go100and1 (reachable from the left QR code) to get the latest news of Golds.
