Initial work on private aliases (antoniomika#291)

* Initial work on private aliases

* Ensure the current user is allowed to access the alias

* Print the self ssh fingerprint

* Add pubkeyfingerprint to alias log line

* Start conn with self allowed for tcp aliases

* Cleanup

.github/workflows/build.yml

@@ -30,7 +30,7 @@ jobs:
  - name: Set up Go
  uses: actions/setup-go@v3
  with:
- go-version: 1.21.3
+ go-version: 1.21.6
  - name: Checkout repo
  uses: actions/checkout@v3
  - name: Lint the codebase

.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
  - name: Set up Go
  uses: actions/setup-go@v2
  with:
- go-version: 1.21.3
+ go-version: 1.21.6
  - name: Run GoReleaser
  uses: goreleaser/goreleaser-action@v2
  with:

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.21.3-alpine as builder
+FROM --platform=$BUILDPLATFORM golang:1.21.6-alpine as builder
 LABEL maintainer="Antonio Mika <[email protected]>"
 
 ENV CGO_ENABLED 0

README.md

@@ -413,6 +413,9 @@ Flags:
  --strip-http-path Strip the http path from the forward (default true)
  --tcp-address string The address to listen for TCP connections
  --tcp-aliases Enable the use of TCP aliasing
+ --tcp-aliases-allowed-users any Enable setting allowed users to access tcp aliases.
+ Can provide tcp-aliases-allowed-users in the ssh command set to a comma separated list of ssh fingerprints that can access an alias.
+ Provide any for all.
  --tcp-load-balancer Enable the TCP load balancer (multiple clients can bind the same port)
  --time-format string The time format to use for both HTTP and general log messages (default "2006/01/02 - 15:04:05")
  --verify-dns Verify DNS information for hosts and ensure it matches a connecting users sha256 key fingerprint (default true)

cmd/sish.go

@@ -126,6 +126,7 @@ func init() {
  rootCmd.PersistentFlags().BoolP("bind-wildcards", "", false, "Allow binding wildcards when accepting an HTTP listener")
  rootCmd.PersistentFlags().BoolP("load-templates", "", true, "Load HTML templates. This is required for admin/service consoles")
  rootCmd.PersistentFlags().BoolP("rewrite-host-header", "", true, "Force rewrite the host header if the user provides host-header=host.com")
+ rootCmd.PersistentFlags().BoolP("tcp-aliases-allowed-users", "", false, "Enable setting allowed users to access tcp aliases.\nCan provide tcp-aliases-allowed-users in the ssh command set to a comma separated list of ssh fingerprints that can access an alias.\nProvide `any` for all.")
 
  rootCmd.PersistentFlags().IntP("http-port-override", "", 0, "The port to use for http command output. This does not affect ports used for connecting, it's for cosmetic use only")
  rootCmd.PersistentFlags().IntP("https-port-override", "", 0, "The port to use for https command output. This does not affect ports used for connecting, it's for cosmetic use only")

config.example.yml

@@ -90,6 +90,7 @@ ssh-address: localhost:2222
 strip-http-path: true
 tcp-address: ""
 tcp-aliases: false
+tcp-aliases-allowed-users: false
 tcp-load-balancer: false
 time-format: 2006/01/02 - 15:04:05
 verify-dns: true

go.mod

@@ -5,76 +5,73 @@ go 1.21
 require (
  github.com/ScaleFT/sshkeys v1.2.0
  github.com/antoniomika/syncmap v1.0.0
- github.com/caddyserver/certmagic v0.19.2
- github.com/fsnotify/fsnotify v1.6.0
+ github.com/caddyserver/certmagic v0.20.0
+ github.com/fsnotify/fsnotify v1.7.0
  github.com/gin-gonic/gin v1.9.1
- github.com/gorilla/websocket v1.5.0
+ github.com/gorilla/websocket v1.5.1
  github.com/jpillora/ipfilter v1.2.9
  github.com/logrusorgru/aurora v2.0.3+incompatible
  github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a
  github.com/pires/go-proxyproto v0.7.0
  github.com/radovskyb/watcher v1.0.7
  github.com/sirupsen/logrus v1.9.3
- github.com/spf13/cobra v1.7.0
- github.com/spf13/viper v1.17.0
+ github.com/spf13/cobra v1.8.0
+ github.com/spf13/viper v1.18.2
  github.com/vulcand/oxy v1.4.2
- golang.org/x/crypto v0.14.0
+ golang.org/x/crypto v0.18.0
  gopkg.in/natefinch/lumberjack.v2 v2.2.1
 )
 
 require (
  github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
  github.com/bytedance/sonic v1.10.2 // indirect
  github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d // indirect
- github.com/chenzhuoyu/iasm v0.9.0 // indirect
+ github.com/chenzhuoyu/iasm v0.9.1 // indirect
  github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a // indirect
  github.com/gabriel-vasile/mimetype v1.4.3 // indirect
  github.com/gin-contrib/sse v0.1.0 // indirect
  github.com/go-playground/locales v0.14.1 // indirect
  github.com/go-playground/universal-translator v0.18.1 // indirect
- github.com/go-playground/validator/v10 v10.15.5 // indirect
+ github.com/go-playground/validator/v10 v10.17.0 // indirect
  github.com/goccy/go-json v0.10.2 // indirect
  github.com/hashicorp/hcl v1.0.0 // indirect
  github.com/inconshreveable/mousetrap v1.1.0 // indirect
  github.com/json-iterator/go v1.1.12 // indirect
- github.com/klauspost/cpuid/v2 v2.2.5 // indirect
+ github.com/klauspost/cpuid/v2 v2.2.6 // indirect
  github.com/leodido/go-urn v1.2.4 // indirect
  github.com/libdns/libdns v0.2.1 // indirect
  github.com/magiconair/properties v1.8.7 // indirect
  github.com/mailgun/timetools v0.0.0-20170619190023-f3a7b8ffff47 // indirect
- github.com/mattn/go-isatty v0.0.19 // indirect
+ github.com/mattn/go-isatty v0.0.20 // indirect
  github.com/mholt/acmez v1.2.0 // indirect
- github.com/miekg/dns v1.1.56 // indirect
+ github.com/miekg/dns v1.1.58 // indirect
  github.com/mitchellh/mapstructure v1.5.0 // indirect
  github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
  github.com/modern-go/reflect2 v1.0.2 // indirect
- github.com/pelletier/go-toml v1.9.5 // indirect
- github.com/pelletier/go-toml/v2 v2.1.0 // indirect
- github.com/phuslu/iploc v1.0.20230929 // indirect
- github.com/sagikazarmark/locafero v0.3.0 // indirect
+ github.com/pelletier/go-toml/v2 v2.1.1 // indirect
+ github.com/phuslu/iploc v1.0.20231229 // indirect
+ github.com/sagikazarmark/locafero v0.4.0 // indirect
  github.com/sagikazarmark/slog-shim v0.1.0 // indirect
  github.com/segmentio/fasthash v1.0.3 // indirect
  github.com/sourcegraph/conc v0.3.0 // indirect
- github.com/spf13/afero v1.10.0 // indirect
- github.com/spf13/cast v1.5.1 // indirect
- github.com/spf13/jwalterweatherman v1.1.0 // indirect
+ github.com/spf13/afero v1.11.0 // indirect
+ github.com/spf13/cast v1.6.0 // indirect
  github.com/spf13/pflag v1.0.5 // indirect
  github.com/subosito/gotenv v1.6.0 // indirect
  github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
  github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
- github.com/ugorji/go/codec v1.2.11 // indirect
+ github.com/ugorji/go/codec v1.2.12 // indirect
  github.com/zeebo/blake3 v0.2.3 // indirect
- go.uber.org/atomic v1.11.0 // indirect
  go.uber.org/multierr v1.11.0 // indirect
  go.uber.org/zap v1.26.0 // indirect
- golang.org/x/arch v0.5.0 // indirect
- golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
- golang.org/x/mod v0.13.0 // indirect
- golang.org/x/net v0.17.0 // indirect
- golang.org/x/sys v0.13.0 // indirect
- golang.org/x/text v0.13.0 // indirect
- golang.org/x/tools v0.14.0 // indirect
- google.golang.org/protobuf v1.31.0 // indirect
+ golang.org/x/arch v0.7.0 // indirect
+ golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
+ golang.org/x/mod v0.14.0 // indirect
+ golang.org/x/net v0.20.0 // indirect
+ golang.org/x/sys v0.16.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
+ golang.org/x/tools v0.17.0 // indirect
+ google.golang.org/protobuf v1.32.0 // indirect
  gopkg.in/ini.v1 v1.67.0 // indirect
  gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22 // indirect
  gopkg.in/yaml.v2 v2.4.0 // indirect