Go语言实现SSH服务器：不允许sftp、不允许代理转发、不允许x11转发、不允许执行任何命令，允许服务器60000端口转发到本地10000端口
以下是一个简单的Go语言实现SSH服务器的示例代码,实现了不允许sftp,不允许代理转发,不允许x11转发,不允许执行任何命令的功能,同时允许服务器60000端口转发到本地10000端口。
注意:此示例代码仅供参考,实际应用中需要根据具体需求进行修改和完善。
package main
import (
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"net"
	"os"
	"os/exec"
	"strings"

	"golang.org/x/crypto/ssh"
)
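// main runs an SSH server that offers client-initiated port forwarding and an
// interactive shell to clients that authenticate with a public key listed in
// an authorized_keys file.
//
// Configuration is read from the environment (names constructed here):
//
//	SSH_HOST_KEY         path of the host private key   (default "ssh_server_key")
//	SSH_AUTHORIZED_KEYS  path of the authorized_keys file (default "authorized_keys")
//	SSH_LISTEN_ADDR      listen address                  (default ":22")
//
// The process exits if the key files cannot be loaded or the listener cannot
// be opened. Individual client connections are handled by handleSSHConn in
// their own goroutine.
func main() {
	hostKeyPath := envOr("SSH_HOST_KEY", "ssh_server_key")
	authorizedKeysPath := envOr("SSH_AUTHORIZED_KEYS", "authorized_keys")
	listenAddr := envOr("SSH_LISTEN_ADDR", ":22")

	// Every client has to prove possession of a listed key. The previous
	// NoClientAuth + keyboard-interactive "return nil, nil" setup accepted any
	// client without credentials.
	authorized, err := loadAuthorizedKeys(authorizedKeysPath)
	if err != nil {
		log.Fatalf("Failed to load authorized keys: %v", err)
	}
	sshConfig := &ssh.ServerConfig{
		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
			if !authorized[string(key.Marshal())] {
				return nil, fmt.Errorf("public key %s not authorized for user %q", ssh.FingerprintSHA256(key), conn.User())
			}
			return &ssh.Permissions{}, nil
		},
		// MaxAuthTries is left at the library default; a value of 0 selects
		// that default rather than disabling the limit.
	}

	// Load (not generate) the host private key; the file must already exist.
	privateKey, err := ioutil.ReadFile(hostKeyPath)
	if err != nil {
		log.Fatalf("Failed to load private key: %v", err)
	}
	sshPrivateKey, err := ssh.ParsePrivateKey(privateKey)
	if err != nil {
		log.Fatalf("Failed to parse private key: %v", err)
	}
	sshConfig.AddHostKey(sshPrivateKey)

	listener, err := net.Listen("tcp", listenAddr)
	if err != nil {
		log.Fatalf("Failed to listen on %s: %v", listenAddr, err)
	}
	log.Printf("SSH server started on %s", listenAddr)

	for {
		tcpConn, err := listener.Accept()
		if err != nil {
			// A timed-out accept is transient and must not take the server
			// down; any other listener error is still fatal, as before.
			if ne, ok := err.(net.Error); ok && ne.Timeout() {
				log.Printf("Accept failed, retrying: %v", err)
				continue
			}
			log.Fatalf("Failed to accept SSH connection: %v", err)
		}
		go handleSSHConn(tcpConn, sshConfig)
	}
}

// envOr returns the value of the environment variable name, or def when the
// variable is unset or empty.
func envOr(name, def string) string {
	if v := os.Getenv(name); v != "" {
		return v
	}
	return def
}

// loadAuthorizedKeys reads an OpenSSH authorized_keys file and returns the
// keys it contains as a set keyed by their wire encoding (PublicKey.Marshal).
// Blank lines and '#' comment lines are skipped. An unparsable line is an
// error, and so is a file that yields no keys, so a misconfigured file fails
// closed instead of silently locking everyone in or out.
func loadAuthorizedKeys(path string) (map[string]bool, error) {
	data, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, err
	}
	keys := make(map[string]bool)
	for i, line := range strings.Split(string(data), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		pub, _, _, _, err := ssh.ParseAuthorizedKey([]byte(line))
		if err != nil {
			return nil, fmt.Errorf("%s line %d: %w", path, i+1, err)
		}
		keys[string(pub.Marshal())] = true
	}
	if len(keys) == 0 {
		return nil, fmt.Errorf("%s contains no keys", path)
	}
	return keys, nil
}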
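// handleSSHConn completes the SSH handshake on tcpConn and services the
// resulting connection until the client goes away.
//
// Channel policy:
//   - "session" channels are accepted and handed to handleShellChannel. The
//     session open payload carries no data by protocol, so exec, sftp
//     (subsystem), X11 and agent forwarding cannot be detected here: they are
//     requests on the accepted channel and must be refused by the consumer of
//     the request stream.
//   - "direct-tcpip" channels are accepted only for the documented tunnel (a
//     loopback destination on port 60000); the actual connection is made by
//     handleDirectTcpipChannel. Any other destination is rejected rather than
//     being silently redirected.
//   - every other channel type is rejected.
//
// Global requests are discarded, so "tcpip-forward" (ssh -R style remote
// forwarding) is not offered. NOTE(review): the requirement text may in fact
// describe that remote-forwarding form; confirm which one is wanted.
//
// A failed handshake is logged and the TCP connection closed; it never
// terminates the server, since any scanner could trigger it.
func handleSSHConn(tcpConn net.Conn, sshConfig *ssh.ServerConfig) {
	sshConn, chans, reqs, err := ssh.NewServerConn(tcpConn, sshConfig)
	if err != nil {
		log.Printf("SSH handshake from %v failed: %v", tcpConn.RemoteAddr(), err)
		tcpConn.Close()
		return
	}
	defer sshConn.Close()
	log.Printf("SSH connection from %v (%v) user %q", sshConn.RemoteAddr(), sshConn.ClientVersion(), sshConn.User())

	go ssh.DiscardRequests(reqs)

	// Wire layout of a "direct-tcpip" open request (RFC 4254 section 7.2).
	type directTCPIPOpen struct {
		DestAddr string
		DestPort uint32
		OrigAddr string
		OrigPort uint32
	}
	// Port the client must ask for; handleDirectTcpipChannel maps it to
	// localhost:10000.
	const forwardRequestPort = 60000

	for newChannel := range chans {
		switch newChannel.ChannelType() {
		case "session":
			channel, requests, err := newChannel.Accept()
			if err != nil {
				log.Printf("Failed to accept session channel: %v", err)
				continue
			}
			log.Println("Session channel opened")
			go handleShellChannel(channel, requests)

		case "direct-tcpip":
			var open directTCPIPOpen
			if err := ssh.Unmarshal(newChannel.ExtraData(), &open); err != nil {
				newChannel.Reject(ssh.ConnectionFailed, "Malformed direct-tcpip request")
				continue
			}
			if !isLoopbackHost(open.DestAddr) || open.DestPort != forwardRequestPort {
				log.Printf("Rejected direct-tcpip to %s:%d from %v", open.DestAddr, open.DestPort, sshConn.RemoteAddr())
				newChannel.Reject(ssh.Prohibited, "Only forwarding to port 60000 is allowed")
				continue
			}
			channel, requests, err := newChannel.Accept()
			if err != nil {
				log.Printf("Failed to accept direct-tcpip channel: %v", err)
				continue
			}
			// Clients do not normally send requests on a direct-tcpip channel,
			// but an unread request stream would stall the connection.
			go ssh.DiscardRequests(requests)
			log.Println("Direct-tcpip channel opened")
			go handleDirectTcpipChannel(channel)

		default:
			newChannel.Reject(ssh.UnknownChannelType, "Unknown channel type")
		}
	}
}

// isLoopbackHost reports whether host names this machine: "localhost"
// (case-insensitive) or a loopback IP literal (127.0.0.0/8 or ::1). Anything
// that does not parse as an IP is reported as false.
func isLoopbackHost(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	return net.ParseIP(host).IsLoopback()
}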
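// handleShellChannel services one accepted "session" channel. It answers the
// per-session requests, which is the only place the sftp/exec/X11/agent
// restrictions can be enforced (those features are requests on a session,
// not channel types):
//
//   - "exec", "subsystem" (sftp), "x11-req", "auth-agent-req@openssh.com" and
//     anything else unknown are refused;
//   - "pty-req", "env" and "window-change" are acknowledged without effect;
//   - the first "shell" request starts /bin/sh -i with its stdio wired to the
//     channel.
//
// Note that the shell is a full interactive /bin/sh for the authenticated
// user: refusing "exec" only blocks the `ssh host cmd` form, it does not stop
// that user from running commands. Drop the "shell" case if the server is
// meant to offer forwarding only.
//
// The channel is closed on return. When the shell exits its status is sent as
// an "exit-status" request; if the client closes the channel first the shell
// is killed. Failures are logged per session and never terminate the server.
func handleShellChannel(channel ssh.Channel, requests <-chan *ssh.Request) {
	defer channel.Close()

	cmd := awaitShellRequest(channel, requests)
	if cmd == nil {
		return
	}

	// Keep refusing requests while the shell runs; the request stream closes
	// when the client closes the channel, which takes the shell down with it.
	go func() {
		for req := range requests {
			req.Reply(false, nil)
		}
		_ = cmd.Process.Kill() // error is expected if the shell already exited
	}()

	var status uint32
	if err := cmd.Wait(); err != nil {
		status = 1
		if ee, ok := err.(*exec.ExitError); ok && ee.ExitCode() >= 0 {
			status = uint32(ee.ExitCode())
		}
		log.Printf("Shell exited: %v", err)
	}
	channel.SendRequest("exit-status", false, ssh.Marshal(struct{ Status uint32 }{status}))
}

// awaitShellRequest answers session requests until the client asks for a
// shell and returns the started process. It returns nil when the request
// stream closes without a shell request or when the shell cannot be started
// (that request is then answered with failure).
func awaitShellRequest(channel ssh.Channel, requests <-chan *ssh.Request) *exec.Cmd {
	for req := range requests {
		switch req.Type {
		case "shell":
			cmd := exec.Command("/bin/sh", "-i")
			cmd.Stdout = channel
			cmd.Stderr = channel
			// Stdin goes through an explicit pipe so that cmd.Wait returns as
			// soon as the shell exits instead of waiting for the client's next
			// read to complete on the channel.
			stdin, err := cmd.StdinPipe()
			if err != nil {
				log.Printf("Failed to create shell stdin: %v", err)
				req.Reply(false, nil)
				return nil
			}
			if err := cmd.Start(); err != nil {
				log.Printf("Failed to start shell: %v", err)
				req.Reply(false, nil)
				return nil
			}
			go func() {
				// Ends when the channel is closed; the copy error is not
				// actionable here.
				_, _ = io.Copy(stdin, channel)
				stdin.Close()
			}()
			req.Reply(true, nil)
			return cmd
		case "pty-req", "env", "window-change":
			// Acknowledged so interactive clients proceed; no pty is allocated,
			// the shell talks to the channel through pipes.
			req.Reply(true, nil)
		default:
			log.Printf("Refused session request %q", req.Type)
			req.Reply(false, nil)
		}
	}
	return nil
}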
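// handleDirectTcpipChannel bridges an accepted "direct-tcpip" channel to the
// fixed local target localhost:10000 and returns only once both directions
// have finished copying. The original returned immediately after starting
// the copies, which closed the channel and leaked the local connection.
//
// Each direction is half-closed when its copy ends so the peer sees EOF
// instead of an abrupt reset; both ends are closed on return. A dial failure
// is logged and closes the channel; it does not terminate the server.
func handleDirectTcpipChannel(channel ssh.Channel) {
	defer channel.Close()

	localConn, err := net.Dial("tcp", "localhost:10000")
	if err != nil {
		log.Printf("Failed to dial local port: %v", err)
		return
	}
	defer localConn.Close()

	done := make(chan struct{}, 2)
	go func() {
		// target -> client; copy errors are the normal way a tunnel ends
		_, _ = io.Copy(channel, localConn)
		channel.CloseWrite()
		done <- struct{}{}
	}()
	go func() {
		// client -> target
		_, _ = io.Copy(localConn, channel)
		if tc, ok := localConn.(*net.TCPConn); ok {
			tc.CloseWrite()
		}
		done <- struct{}{}
	}()
	<-done
	<-done
}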