[WIP] Add SSH tunneling settings for SSH.

This commit is contained in:
Virtually Nick 2023-02-18 08:46:11 -05:00
parent 4df9687832
commit 8394ef0ed6
5 changed files with 275 additions and 7 deletions

View File

@ -22,6 +22,7 @@
#include "argv.h" #include "argv.h"
#include "client.h" #include "client.h"
#include "common-ssh/sftp.h" #include "common-ssh/sftp.h"
#include "common-ssh/tunnel.h"
#include "ssh.h" #include "ssh.h"
#include "terminal/terminal.h" #include "terminal/terminal.h"
#include "user.h" #include "user.h"
@ -101,6 +102,9 @@ int guac_ssh_client_free_handler(guac_client* client) {
if (ssh_client->recording != NULL) if (ssh_client->recording != NULL)
guac_recording_free(ssh_client->recording); guac_recording_free(ssh_client->recording);
if (ssh_client->ssh_tunnel != NULL)
guac_common_ssh_tunnel_cleanup(ssh_client->ssh_tunnel);
/* Free interactive SSH session */ /* Free interactive SSH session */
if (ssh_client->session != NULL) if (ssh_client->session != NULL)
guac_common_ssh_destroy_session(ssh_client->session); guac_common_ssh_destroy_session(ssh_client->session);

View File

@ -22,6 +22,7 @@
#include "argv.h" #include "argv.h"
#include "client.h" #include "client.h"
#include "common/defaults.h" #include "common/defaults.h"
#include "common-ssh/ssh-constants.h"
#include "settings.h" #include "settings.h"
#include "terminal/terminal.h" #include "terminal/terminal.h"
@ -47,6 +48,15 @@ const char* GUAC_SSH_CLIENT_ARGS[] = {
"sftp-disable-upload", "sftp-disable-upload",
"private-key", "private-key",
"passphrase", "passphrase",
"ssh-tunnel",
"ssh-tunnel-host",
"ssh-tunnel-port",
"ssh-tunnel-host-key",
"ssh-tunnel-username",
"ssh-tunnel-password",
"ssh-tunnel-private-key",
"ssh-tunnel-passphrase",
"ssh-tunnel-alive-interval",
#ifdef ENABLE_SSH_AGENT #ifdef ENABLE_SSH_AGENT
"enable-agent", "enable-agent",
#endif #endif
@ -148,6 +158,55 @@ enum SSH_ARGS_IDX {
*/ */
IDX_PASSPHRASE, IDX_PASSPHRASE,
/**
* True if SSH tunneling should be enabled. If false or not set, SSH
* tunneling will not be used.
*/
IDX_SSH_TUNNEL,
/**
* The hostname or IP address of the SSH server to use for tunneling.
*/
IDX_SSH_TUNNEL_HOST,
/**
* The TCP port of the SSH server to use for tunneling.
*/
IDX_SSH_TUNNEL_PORT,
/**
* If host key checking should be done, the public key of the SSH host
* to be used for tunneling.
*/
IDX_SSH_TUNNEL_HOST_KEY,
/**
* The username for authenticating to the SSH hsot for tunneling.
*/
IDX_SSH_TUNNEL_USERNAME,
/**
* The password to use to authenticate to the SSH host for tunneling.
*/
IDX_SSH_TUNNEL_PASSWORD,
/**
* The private key to use to authenticate to the SSH host for tunneling,
* as an alternative to password-based authentication.
*/
IDX_SSH_TUNNEL_PRIVATE_KEY,
/**
* The passphrase to use to decrypt the private key.
*/
IDX_SSH_TUNNEL_PASSPHRASE,
/**
* The interval at which keepalive packets should be sent to the SSH
* tunneling server, or zero if keepalive should be disabled.
*/
IDX_SSH_TUNNEL_ALIVE_INTERVAL,
#ifdef ENABLE_SSH_AGENT #ifdef ENABLE_SSH_AGENT
/** /**
* Whether SSH agent forwarding support should be enabled. * Whether SSH agent forwarding support should be enabled.
@ -418,6 +477,49 @@ guac_ssh_settings* guac_ssh_parse_args(guac_user* user,
guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv, guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SFTP_DISABLE_UPLOAD, false); IDX_SFTP_DISABLE_UPLOAD, false);
/* Parse SSH tunneling. */
settings->ssh_tunnel =
guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SSH_TUNNEL, false);
/* Only parse remaining tunneling settings if it has been enabled. */
if (settings->ssh_tunnel) {
settings->ssh_tunnel_host =
guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SSH_TUNNEL_HOST, NULL);
settings->ssh_tunnel_port =
guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SSH_TUNNEL_PORT, GUAC_COMMON_SSH_DEFAULT_PORT);
settings->ssh_tunnel_host_key =
guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SSH_TUNNEL_HOST_KEY, NULL);
settings->ssh_tunnel_username =
guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SSH_TUNNEL_USERNAME, NULL);
settings->ssh_tunnel_password =
guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SSH_TUNNEL_PASSWORD, NULL);
settings->ssh_tunnel_private_key =
guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SSH_TUNNEL_PRIVATE_KEY, NULL);
settings->ssh_tunnel_passphrase =
guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SSH_TUNNEL_PASSPHRASE, NULL);
settings->ssh_tunnel_alive_interval =
guac_user_parse_args_int(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SSH_TUNNEL_ALIVE_INTERVAL,
GUAC_COMMON_SSH_DEFAULT_ALIVE_INTERVAL);
}
#ifdef ENABLE_SSH_AGENT #ifdef ENABLE_SSH_AGENT
settings->enable_agent = settings->enable_agent =
guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv, guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv,
@ -427,7 +529,7 @@ guac_ssh_settings* guac_ssh_parse_args(guac_user* user,
/* Read port */ /* Read port */
settings->port = settings->port =
guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv, guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_PORT, GUAC_SSH_DEFAULT_PORT); IDX_PORT, GUAC_COMMON_SSH_DEFAULT_PORT);
/* Read-only mode */ /* Read-only mode */
settings->read_only = settings->read_only =
@ -578,6 +680,15 @@ void guac_ssh_settings_free(guac_ssh_settings* settings) {
/* Free SFTP settings */ /* Free SFTP settings */
free(settings->sftp_root_directory); free(settings->sftp_root_directory);
/* Free tunnel settings */
free(settings->ssh_tunnel_host);
free(settings->ssh_tunnel_host_key);
free(settings->ssh_tunnel_port);
free(settings->ssh_tunnel_username);
free(settings->ssh_tunnel_password);
free(settings->ssh_tunnel_private_key);
free(settings->ssh_tunnel_passphrase);
/* Free typescript settings */ /* Free typescript settings */
free(settings->typescript_name); free(settings->typescript_name);
free(settings->typescript_path); free(settings->typescript_path);

View File

@ -26,12 +26,6 @@
#include <stdbool.h> #include <stdbool.h>
/**
* The port to connect to when initiating any SSH connection, if no other port
* is specified.
*/
#define GUAC_SSH_DEFAULT_PORT "22"
/** /**
* The filename to use for the typescript, if not specified. * The filename to use for the typescript, if not specified.
*/ */
@ -178,6 +172,68 @@ typedef struct guac_ssh_settings {
*/ */
bool sftp_disable_upload; bool sftp_disable_upload;
/**
* Whether to enable tunneling of this connection through the specified
* SSH server. If set to "true", guacd will attempt to connect to the SSH
* server and tunnel all of the traffic through the SSH connection. If
* set to "false" or not set, SSH tunneling will not be used.
*/
bool ssh_tunnel;
/**
* The hostname or address of the host through which traffic should be
* tunneled over SSH. If tunneling is enabled, this is required, or the
* connection will be aborted.
*/
char* ssh_tunnel_host;
/**
* The port on which to connect to the SSH server to tunnel traffic, if
* SSH tunneling is enabled. If not specified, this will default to 22, the
* normal SSH port.
*/
char* ssh_tunnel_port;
/**
* The public key of the SSH host through which this connection will be
* tunneled. If unset, no host key checking will be done and the connection
* will be attempted regardless of the identity of the remote host.
*/
char* ssh_tunnel_host_key;
/**
* The username to use when connecting to the SSH host to tunnel traffic.
* This is required if SSH tunneling is enabled.
*/
char* ssh_tunnel_username;
/**
* The password to use when connecting to the SSH host to tunnel traffic,
* if password authentication is used.
*/
char* ssh_tunnel_password;
/**
* The private key to use to authenticate to the SSH server to tunnel traffic,
* if key-based authentication is used.
*/
char* ssh_tunnel_private_key;
/**
* The passphrase of the private key to use to decrypt the private key when
* using key-based authentication, if the key is encrypted.
*/
char* ssh_tunnel_passphrase;
/**
* The interval at which keepalive messages will be sent to the SSH server
* over which the connection is being tunneled. The default is 0, meaning
* that keepalive messages will be disabled. The minimum value is 2 to avoid
* busy loop scenarios, and a value of 1 is automatically increased to 2 by
* the underlying libssh2 implementation.
*/
int ssh_tunnel_alive_interval;
#ifdef ENABLE_SSH_AGENT #ifdef ENABLE_SSH_AGENT
/** /**
* Whether the SSH agent is enabled. * Whether the SSH agent is enabled.

View File

@ -37,6 +37,7 @@
#include <guacamole/client.h> #include <guacamole/client.h>
#include <guacamole/recording.h> #include <guacamole/recording.h>
#include <guacamole/socket.h> #include <guacamole/socket.h>
#include <guacamole/string.h>
#include <guacamole/timestamp.h> #include <guacamole/timestamp.h>
#include <guacamole/wol.h> #include <guacamole/wol.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -226,6 +227,96 @@ void* ssh_client_thread(void* data) {
return NULL; return NULL;
} }
if (settings->ssh_tunnel) {
/* Allocate memory for the SSH tunnel data. */
ssh_client->ssh_tunnel = malloc(sizeof(guac_ssh_tunnel));
guac_client_log(client, GUAC_LOG_DEBUG,
"SSH tunneling is enabled, connecting via SSH.");
/* Associate the guac_client object with the tunnel. */
ssh_client->ssh_tunnel->client = client;
/* Abort if tunnel username is missing */
if (settings->ssh_tunnel_username == NULL) {
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
"An SSH tunnel-specific username is required if "
"SSH tunneling is enabled.");
return NULL;
}
ssh_client->ssh_tunnel->user =
guac_common_ssh_create_user(settings->ssh_tunnel_username);
/* Import SSH tunnel private key, if given */
if (settings->ssh_tunnel_private_key != NULL) {
guac_client_log(client, GUAC_LOG_DEBUG,
"Authenticating SSH tunnel with private key.");
/* Abort if SSH tunnel private key cannot be read */
if (guac_common_ssh_user_import_key(ssh_client->ssh_tunnel->user,
settings->ssh_tunnel_private_key,
settings->ssh_tunnel_passphrase)) {
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
"SSH tunnel private key unreadable.");
return NULL;
}
}
/* Otherwise, use specified SSH tunnel password */
else {
guac_client_log(client, GUAC_LOG_DEBUG,
"Authenticating SSH tunnel with password.");
guac_common_ssh_user_set_password(ssh_client->ssh_tunnel->user,
settings->ssh_tunnel_password);
}
/* Attempt SSH tunnel connection */
ssh_client->ssh_tunnel->session =
guac_common_ssh_create_session(client, settings->ssh_tunnel_host,
settings->ssh_tunnel_port, ssh_client->ssh_tunnel->user,
settings->ssh_tunnel_alive_interval,
settings->ssh_tunnel_host_key, NULL);
/* Fail if SSH tunnel connection does not succeed */
if (ssh_client->ssh_tunnel->session == NULL) {
/* Already aborted within guac_common_ssh_create_session() */
return NULL;
}
guac_client_log(client, GUAC_LOG_DEBUG,
"SSH session created for tunneling, initializing the tunnel.");
/* Initialize the tunnel or fail. */
if (guac_common_ssh_tunnel_init(ssh_client->ssh_tunnel,
settings->hostname, strtol(settings->port, NULL, 10))) {
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
"Unable to initialize SSH tunnel, aborting connection.");
return NULL;
}
/* If tunnel socket is not returned, bail out. */
if (ssh_client->ssh_tunnel->socket_path == NULL) {
guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
"Unable to obtain socket for SSH tunnel, aborting.");
return NULL;
}
/* Overwrite the hostname with the path to the socket and zero out port. */
settings->hostname = guac_strdup(ssh_client->ssh_tunnel->socket_path);
settings->port = 0;
guac_client_log(client, GUAC_LOG_DEBUG,
"SSH tunnel connection succeeded.");
}
char ssh_ttymodes[GUAC_SSH_TTYMODES_SIZE(1)]; char ssh_ttymodes[GUAC_SSH_TTYMODES_SIZE(1)];
/* Set up screen recording, if requested */ /* Set up screen recording, if requested */

View File

@ -25,6 +25,7 @@
#include "common/clipboard.h" #include "common/clipboard.h"
#include "common-ssh/sftp.h" #include "common-ssh/sftp.h"
#include "common-ssh/ssh.h" #include "common-ssh/ssh.h"
#include "common-ssh/tunnel.h"
#include "common-ssh/user.h" #include "common-ssh/user.h"
#include "settings.h" #include "settings.h"
#include "terminal/terminal.h" #include "terminal/terminal.h"
@ -60,6 +61,11 @@ typedef struct guac_ssh_client {
*/ */
pthread_t client_thread; pthread_t client_thread;
/**
* If SSH tunneling is enabled, this is the object that tracks the tunnel.
*/
guac_ssh_tunnel* ssh_tunnel;
/** /**
* The user and credentials to use for all SSH sessions. * The user and credentials to use for all SSH sessions.
*/ */