Skip to main content

ChannelServer

tailscale::ssh

Struct ChannelServer 

Source 
pub struct ChannelServer<H> { /* private fields */ }
Expand description

Implementation of russh::server::Handler which provides per-channel session handlers using a parametric ChannelHandler.

Primary motivation is to support custom console or TUI sessions over tailnet SSH connections.

§Authentication and authorization

Incoming connections are gated by the control-pushed Tailscale SSH policy: auth_none resolves the source IP to a known tailnet peer and evaluates the policy via Device::authorize_ssh (fail-closed — an unknown peer, an absent policy, or a non-matching policy all reject). The ssh policy block’s accept/reject rules, principal matching, and SSH-user mapping are honored. A rule that demands session recording (non-empty recorders) or holdAndDelegate is enforced fail-closed: since this fork has no recorder transport / delegate round-trip yet, such a session is refused rather than silently accepted un-recorded (see auth_none). Building those transports is deferred.

Trait Implementations§

Source§

impl<H> Handler for ChannelServer<H>
where H: ChannelHandler + Send, H::Error: Send,

Source§

type Error = Box<dyn Error + Send + Sync>

Source§

async fn auth_none(&mut self, user: &str) -> Result<Auth, Self::Error>

Check authentication using the “none” method. Read more
Source§

async fn channel_open_session( &mut self, channel: Channel<Msg>, session: &mut Session, ) -> Result<bool, Self::Error>

Called when a new session channel is created. Return value indicates whether the channel request should be granted.
Source§

async fn channel_close( &mut self, channel: ChannelId, session: &mut Session, ) -> Result<(), Self::Error>

Called when the client closes a channel.
Source§

async fn signal( &mut self, channel: ChannelId, signal: Sig, session: &mut Session, ) -> Result<(), Self::Error>

The client is sending a signal (usually to pass to the currently running process).
Source§

async fn data( &mut self, channel: ChannelId, data: &[u8], session: &mut Session, ) -> Result<(), Self::Error>

Called when a data packet is received. A response can be written to the response argument.
Source§

async fn channel_eof( &mut self, channel: ChannelId, session: &mut Session, ) -> Result<(), Self::Error>

Called when the client sends EOF to a channel.
Source§

async fn window_change_request( &mut self, channel: ChannelId, col_width: u32, row_height: u32, _: u32, _: u32, session: &mut Session, ) -> Result<(), Self::Error>

The client’s pseudo-terminal window size has changed. Read more
Source§

async fn pty_request( &mut self, channel: ChannelId, _: &str, col_width: u32, row_height: u32, _: u32, _: u32, _: &[(Pty, u32)], session: &mut Session, ) -> Result<(), Self::Error>

The client requests a pseudo-terminal with the given specifications. Read more
Source§

fn auth_password( &mut self, user: &str, password: &str, ) -> impl Future<Output = Result<Auth, Self::Error>> + Send

Check authentication using the “password” method. Read more
Source§

fn auth_publickey_offered( &mut self, user: &str, public_key: &PublicKey, ) -> impl Future<Output = Result<Auth, Self::Error>> + Send

Pre-authentication callback for public key authentication. This method is called when a client is: Read more
Source§

fn auth_publickey( &mut self, user: &str, public_key: &PublicKey, ) -> impl Future<Output = Result<Auth, Self::Error>> + Send

Check authentication using the “publickey” method. This method is called after the signature has been verified and key ownership has been confirmed. Read more
Source§

fn auth_openssh_certificate( &mut self, user: &str, certificate: &Certificate, ) -> impl Future<Output = Result<Auth, Self::Error>> + Send

Check authentication using an OpenSSH certificate. This method is called after the signature has been verified and key ownership has been confirmed. Read more
Source§

fn auth_keyboard_interactive<'a>( &'a mut self, user: &str, submethods: &str, response: Option<Response<'a>>, ) -> impl Future<Output = Result<Auth, Self::Error>> + Send

Check authentication using the “keyboard-interactive” method. Read more
Source§

fn auth_succeeded( &mut self, session: &mut Session, ) -> impl Future<Output = Result<(), Self::Error>> + Send

Called when authentication succeeds for a session.
Source§

fn authentication_banner( &mut self, ) -> impl Future<Output = Result<Option<String>, Self::Error>> + Send

Called when authentication starts but before it is successful. Return value is an authentication banner, usually a warning message shown to the client.
Source§

fn channel_open_x11( &mut self, channel: Channel<Msg>, originator_address: &str, originator_port: u32, session: &mut Session, ) -> impl Future<Output = Result<bool, Self::Error>> + Send

Called when a new X11 channel is created. Return value indicates whether the channel request should be granted.
Source§

fn channel_open_direct_tcpip( &mut self, channel: Channel<Msg>, host_to_connect: &str, port_to_connect: u32, originator_address: &str, originator_port: u32, session: &mut Session, ) -> impl Future<Output = Result<bool, Self::Error>> + Send

Called when a new direct TCP/IP (“local TCP forwarding”) channel is opened. Return value indicates whether the channel request should be granted.
Source§

fn channel_open_forwarded_tcpip( &mut self, channel: Channel<Msg>, host_to_connect: &str, port_to_connect: u32, originator_address: &str, originator_port: u32, session: &mut Session, ) -> impl Future<Output = Result<bool, Self::Error>> + Send

Called when a new remote forwarded TCP connection comes in. Read more
Source§

fn channel_open_direct_streamlocal( &mut self, channel: Channel<Msg>, socket_path: &str, session: &mut Session, ) -> impl Future<Output = Result<bool, Self::Error>> + Send

Called when a new direct-streamlocal (“local UNIX socket forwarding”) channel is created. Return value indicates whether the channel request should be granted.
Source§

fn channel_open_confirmation( &mut self, id: ChannelId, max_packet_size: u32, window_size: u32, session: &mut Session, ) -> impl Future<Output = Result<(), Self::Error>> + Send

Called when the client confirmed our request to open a channel. A channel can only be written to after receiving this message (this library panics otherwise).
Source§

fn extended_data( &mut self, channel: ChannelId, code: u32, data: &[u8], session: &mut Session, ) -> impl Future<Output = Result<(), Self::Error>> + Send

Called when an extended data packet is received. Code 1 means that this packet comes from stderr, other codes are not defined (see RFC4254).
Source§

fn window_adjusted( &mut self, channel: ChannelId, new_size: u32, session: &mut Session, ) -> impl Future<Output = Result<(), Self::Error>> + Send

Called when the network window is adjusted, meaning that we can send more bytes.
Source§

fn adjust_window(&mut self, channel: ChannelId, current: u32) -> u32

Called when this server adjusts the network window. Return the next target window.
Source§

fn x11_request( &mut self, channel: ChannelId, single_connection: bool, x11_auth_protocol: &str, x11_auth_cookie: &str, x11_screen_number: u32, session: &mut Session, ) -> impl Future<Output = Result<(), Self::Error>> + Send

The client requests an X11 connection. Read more
Source§

fn env_request( &mut self, channel: ChannelId, variable_name: &str, variable_value: &str, session: &mut Session, ) -> impl Future<Output = Result<(), Self::Error>> + Send

The client wants to set the given environment variable. Check these carefully, as it is dangerous to allow any variable environment to be set. Read more
Source§

fn shell_request( &mut self, channel: ChannelId, session: &mut Session, ) -> impl Future<Output = Result<(), Self::Error>> + Send

The client requests a shell. Read more
Source§

fn exec_request( &mut self, channel: ChannelId, data: &[u8], session: &mut Session, ) -> impl Future<Output = Result<(), Self::Error>> + Send

The client sends a command to execute, to be passed to a shell. Make sure to check the command before doing so. Read more
Source§

fn subsystem_request( &mut self, channel: ChannelId, name: &str, session: &mut Session, ) -> impl Future<Output = Result<(), Self::Error>> + Send

The client asks to start the subsystem with the given name (such as sftp). Read more
Source§

fn agent_request( &mut self, channel: ChannelId, session: &mut Session, ) -> impl Future<Output = Result<bool, Self::Error>> + Send

The client requests OpenSSH agent forwarding Read more
Source§

fn tcpip_forward( &mut self, address: &str, port: &mut u32, session: &mut Session, ) -> impl Future<Output = Result<bool, Self::Error>> + Send

Used for reverse-forwarding ports, see RFC4254. If port is 0, you should set it to the allocated port number.
Source§

fn cancel_tcpip_forward( &mut self, address: &str, port: u32, session: &mut Session, ) -> impl Future<Output = Result<bool, Self::Error>> + Send

Used to stop the reverse-forwarding of a port, see RFC4254.
Source§

fn streamlocal_forward( &mut self, socket_path: &str, session: &mut Session, ) -> impl Future<Output = Result<bool, Self::Error>> + Send

Source§

fn cancel_streamlocal_forward( &mut self, socket_path: &str, session: &mut Session, ) -> impl Future<Output = Result<bool, Self::Error>> + Send

Source§

fn lookup_dh_gex_group( &mut self, gex_params: &GexParams, ) -> impl Future<Output = Result<Option<DhGroup>, Self::Error>> + Send

Override when enabling the diffie-hellman-group-exchange-* key exchange methods. Read more
Source§

impl<H> TailnetServer for ChannelServer<H>

Source§

fn new_client(dev: Arc<Device>, addr: SocketAddr) -> Self

Construct a new handler.

Auto Trait Implementations§

§

impl<H> !RefUnwindSafe for ChannelServer<H>

§

impl<H> !UnwindSafe for ChannelServer<H>

§

impl<H> Freeze for ChannelServer<H>

§

impl<H> Send for ChannelServer<H>

§

impl<H> Sync for ChannelServer<H>

§

impl<H> Unpin for ChannelServer<H>

§

impl<H> UnsafeUnpin for ChannelServer<H>

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> Downcast for T
where T: Any,

Source§

fn into_any(self: Box<T>) -> Box<dyn Any>

Converts Box<dyn Trait> (where Trait: Downcast) to Box<dyn Any>, which can then be downcast into Box<dyn ConcreteType> where ConcreteType implements Trait.
Source§

fn into_any_rc(self: Rc<T>) -> Rc<dyn Any>

Converts Rc<Trait> (where Trait: Downcast) to Rc<Any>, which can then be further downcast into Rc<ConcreteType> where ConcreteType implements Trait.
Source§

fn as_any(&self) -> &(dyn Any + 'static)

Converts &Trait (where Trait: Downcast) to &Any. This is needed since Rust cannot generate &Any’s vtable from &Trait’s.
Source§

fn as_any_mut(&mut self) -> &mut (dyn Any + 'static)

Converts &mut Trait (where Trait: Downcast) to &Any. This is needed since Rust cannot generate &mut Any’s vtable from &mut Trait’s.
Source§

impl<T> DowncastSend for T
where T: Any + Send,

Source§

fn into_any_send(self: Box<T>) -> Box<dyn Any + Send>

Converts Box<Trait> (where Trait: DowncastSend) to Box<dyn Any + Send>, which can then be downcast into Box<ConcreteType> where ConcreteType implements Trait.
Source§

impl<T> DowncastSync for T
where T: Any + Send + Sync,

Source§

fn into_any_sync(self: Box<T>) -> Box<dyn Any + Send + Sync>

Converts Box<Trait> (where Trait: DowncastSync) to Box<dyn Any + Send + Sync>, which can then be downcast into Box<ConcreteType> where ConcreteType implements Trait.
Source§

fn into_any_arc(self: Arc<T>) -> Arc<dyn Any + Send + Sync>

Converts Arc<Trait> (where Trait: DowncastSync) to Arc<Any>, which can then be downcast into Arc<ConcreteType> where ConcreteType implements Trait.
Source§

impl<A, T> DynMessage<A> for T
where A: Actor + Message<T>, T: Send + 'static,

Source§

fn handle_dyn<'a>( self: Box<T>, state: &'a mut A, actor_ref: ActorRef<A>, tx: Option<Sender<Result<Box<dyn Any + Send>, SendError<Box<dyn Any + Send>, Box<dyn Any + Send>>>>>, stop: &'a mut bool, ) -> Pin<Box<dyn Future<Output = Result<(), Box<dyn ReplyError>>> + Send + 'a>>

Handles the dyn message with the provided actor state, ref, and reply sender.
Source§

fn as_any(self: Box<T>) -> Box<dyn Any>

Casts the type to a Box<dyn Any>.
Source§

impl<T> ErasedDestructor for T
where T: 'static,

Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<A, B, T> HttpServerConnExec<A, B> for T
where B: Body,

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more