This is still under heavy WIP.
Caddy SSH is an extensible, modular SSH server built as Caddy app. The project aims to provide an ssh server with safe, modern, and secure defaults.
You start by looking for the binaries in the GitHub Releases page. Download the executable then place it somewhere in your PATH.
The other way is to build the project using xcaddy with the command:
xcaddy build --with github.com/mohammed90/caddy-ssh[@<version>]
where [@<version>]
is optional and <version>
may be replaced by the desired version.
Note: The password is test
. Once satisfied with the design and implementation, the packages will be extracted outside of internal
.
Shell
{
"apps": {
"ssh": {
"grace_period": "2s",
"servers": {
"srv0": {
"address": "tcp/0.0.0.0:2000-2012",
"pty": {
"pty": "allow"
},
"configs": [
{
"config": {
"loader": "provided",
"no_client_auth": false,
"authentication": {
"username_password": {
"providers": {
"static": {
"accounts": [
{
"name": "user1",
"password": "JDJhJDE0JDcxOENoL2duS3FuR2VPRUpLa2lVM085Mk40T1JkcHBvQW4ycHU2c0FkMm1qLkhKejhzWG9t"
}
]
}
}
}
}
}
}
],
"actors": [
{
"match": [
{
"user": {
"users": [
"user1"
]
}
}
],
"act": {
"action": "shell",
"shell": "zsh"
}
}
]
}
}
}
}
}
Custom config based on remote address: allow local users, except root, to login without authentication
{
"apps": {
"ssh": {
"grace_period": "2s",
"servers": {
"srv0": {
"address": "tcp/0.0.0.0:2000-2012",
"pty": {
"pty": "allow"
},
"configs": [
{
"match": [
{
"remote_ip": {
"ranges": [
"192.168.0.0/16"
]
}
}
],
"config": {
"loader": "provided",
"no_client_auth": true
}
},
{
"config": {
"loader": "provided",
"authentication": {
"deny_users": ["root"],
"public_key": {
"providers": {
"os": {}
}
}
}
}
}
],
"actors": [
{
"act": {
"action": "shell",
"shell": "bash"
}
}
]
}
}
}
}
}
Jump server
As a jump server, the jump server establishes a local forwarding channel to upstream, per the documentation of the -J
option, so we need to enable this in the config.
Reference:
-J destination Connect to the target host by first making a ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive. Note that configuration directives supplied on the command-line generally apply to the destination host and not any specified jump hosts. Use ~/.ssh/config to specify configuration for jump hosts.
{
"apps": {
"ssh": {
"grace_period": "2s",
"servers": {
"srv0": {
"address": "tcp/0.0.0.0:2000-2012",
"configs": [
{
"config": {
"loader": "provided",
"signer": {
"module": "fallback"
},
"authentication": {
"public_key": {
"providers": {
"os": {}
}
}
}
}
}
],
"localforward": {
"forward": "allow"
},
}
}
}
}
}
Shell Session with Authorization Module
The app provides modular authorization process to control the session authorization based on the session context details. One of the authorization modules provided is max_session
, which restricts the number of currently active sessions to a certain number. The other one is public
, which grants access without restriction and is the default if none is provided. Here's an example config of how to restrict the server to authorize only 2 active sessions:
{
"apps": {
"ssh": {
"grace_period": "2s",
"servers": {
"srv0": {
"address": "tcp/0.0.0.0:2000-2012",
"authorize": {
"authorizer": "max_session",
"max_sessions": 2
},
"pty": {
"pty": "allow"
},
"configs": [
{
"config": {
"loader": "provided",
"no_client_auth": false,
"authentication": {
"public_key": {
"providers": {
"os": {}
}
}
}
}
}
],
"actors": [
{
"act": {
"action": "shell",
"shell": "zsh"
}
}
]
}
}
}
}
}
Q: I deny PTY allocation in config, but the is processed and executed anyways. Why?
A: This is a quirk in OpenSSH which defaults to auto
if the -t
option on the client (i.e. forcing tty allocation). It asks for the tty allocation but switches the mode to auto
when denied and proceeds without the tty allocation request. The StackOverflow answer explaining the details is here.