2 * Copyright (c) 2022 PANTHEON.tech, s.r.o. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.transport.ssh;
10 import com.google.common.collect.ImmutableList;
11 import com.google.common.util.concurrent.ListenableFuture;
12 import io.netty.bootstrap.Bootstrap;
13 import io.netty.bootstrap.ServerBootstrap;
14 import io.netty.channel.group.DefaultChannelGroup;
15 import io.netty.util.concurrent.GlobalEventExecutor;
16 import java.security.cert.Certificate;
17 import org.eclipse.jdt.annotation.NonNull;
18 import org.eclipse.jdt.annotation.Nullable;
19 import org.opendaylight.netconf.shaded.sshd.client.ClientFactoryManager;
20 import org.opendaylight.netconf.shaded.sshd.client.SshClient;
21 import org.opendaylight.netconf.shaded.sshd.client.auth.UserAuthFactory;
22 import org.opendaylight.netconf.shaded.sshd.client.auth.hostbased.HostKeyIdentityProvider;
23 import org.opendaylight.netconf.shaded.sshd.client.auth.hostbased.UserAuthHostBasedFactory;
24 import org.opendaylight.netconf.shaded.sshd.client.auth.password.PasswordIdentityProvider;
25 import org.opendaylight.netconf.shaded.sshd.client.auth.password.UserAuthPasswordFactory;
26 import org.opendaylight.netconf.shaded.sshd.client.auth.pubkey.UserAuthPublicKeyFactory;
27 import org.opendaylight.netconf.shaded.sshd.client.keyverifier.AcceptAllServerKeyVerifier;
28 import org.opendaylight.netconf.shaded.sshd.client.session.ClientSessionImpl;
29 import org.opendaylight.netconf.shaded.sshd.client.session.SessionFactory;
30 import org.opendaylight.netconf.shaded.sshd.common.io.IoHandler;
31 import org.opendaylight.netconf.shaded.sshd.common.keyprovider.KeyIdentityProvider;
32 import org.opendaylight.netconf.shaded.sshd.common.util.threads.ThreadUtils;
33 import org.opendaylight.netconf.transport.api.TransportChannelListener;
34 import org.opendaylight.netconf.transport.api.TransportStack;
35 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
36 import org.opendaylight.netconf.transport.tcp.TCPClient;
37 import org.opendaylight.netconf.transport.tcp.TCPServer;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.password.grouping.password.type.CleartextPassword;
39 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.SshClientGrouping;
40 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ClientIdentity;
41 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ServerAuthentication;
42 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping;
43 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping;
46 * A {@link TransportStack} acting as an SSH client.
48 public final class SSHClient extends SSHTransportStack {
50 private final ClientFactoryManager clientFactoryManager;
51 private final SessionFactory sessionFactory;
53 private SSHClient(final TransportChannelListener listener, final ClientFactoryManager clientFactoryManager,
54 final String username) {
56 this.clientFactoryManager = clientFactoryManager;
57 this.clientFactoryManager.addSessionListener(new UserAuthSessionListener(sessionAuthHandlers, sessions));
58 sessionFactory = new SessionFactory(clientFactoryManager) {
60 protected ClientSessionImpl setupSession(final ClientSessionImpl session) {
61 session.setUsername(username);
65 ioService = new SshIoService(this.clientFactoryManager,
66 new DefaultChannelGroup("sshd-client-channels", GlobalEventExecutor.INSTANCE),
71 protected IoHandler getSessionFactory() {
72 return sessionFactory;
75 public static @NonNull ListenableFuture<SSHClient> connect(final TransportChannelListener listener,
76 final Bootstrap bootstrap, final TcpClientGrouping connectParams,
77 final SshClientGrouping clientParams) throws UnsupportedConfigurationException {
78 final var factoryMgr = newFactoryManager(clientParams);
79 final var sshClient = new SSHClient(listener, factoryMgr, getUsername(clientParams));
80 return transformUnderlay(sshClient, TCPClient.connect(sshClient.asListener(), bootstrap, connectParams));
83 public static @NonNull ListenableFuture<SSHClient> listen(final TransportChannelListener listener,
84 final ServerBootstrap bootstrap, final TcpServerGrouping listenParams, final SshClientGrouping clientParams)
85 throws UnsupportedConfigurationException {
86 final var factoryMgr = newFactoryManager(clientParams);
87 final var sshClient = new SSHClient(listener, factoryMgr, getUsername(clientParams));
88 return transformUnderlay(sshClient, TCPServer.listen(sshClient.asListener(), bootstrap, listenParams));
91 private static String getUsername(final SshClientGrouping clientParams) {
92 final var clientIdentity = clientParams.getClientIdentity();
93 return clientIdentity == null ? "" : clientIdentity.getUsername();
96 private static ClientFactoryManager newFactoryManager(final SshClientGrouping parameters)
97 throws UnsupportedConfigurationException {
98 final var factoryMgr = SshClient.setUpDefaultClient();
100 ConfigUtils.setTransportParams(factoryMgr, parameters.getTransportParams());
101 ConfigUtils.setKeepAlives(factoryMgr, parameters.getKeepalives());
103 setClientIdentity(factoryMgr, parameters.getClientIdentity());
104 setServerAuthentication(factoryMgr, parameters.getServerAuthentication());
106 factoryMgr.setServiceFactories(SshClient.DEFAULT_SERVICE_FACTORIES);
107 factoryMgr.setScheduledExecutorService(ThreadUtils.newSingleThreadScheduledExecutor("sshd-client-pool"));
111 private static void setClientIdentity(@NonNull final ClientFactoryManager factoryMgr,
112 final @Nullable ClientIdentity clientIdentity) throws UnsupportedConfigurationException {
113 if (clientIdentity == null || clientIdentity.getNone() != null) {
116 final var authFactoriesListBuilder = ImmutableList.<UserAuthFactory>builder();
117 final var password = clientIdentity.getPassword();
118 if (password != null) {
119 if (password.getPasswordType() instanceof CleartextPassword clearTextPassword) {
120 factoryMgr.setPasswordIdentityProvider(
121 PasswordIdentityProvider.wrapPasswords(clearTextPassword.requireCleartextPassword()));
122 authFactoriesListBuilder.add(new UserAuthPasswordFactory());
124 // TODO support encrypted password -- requires augmentation of default schema
126 final var hostBased = clientIdentity.getHostbased();
127 if (hostBased != null) {
128 var keyPair = ConfigUtils.extractKeyPair(hostBased.getInlineOrKeystore());
129 var factory = new UserAuthHostBasedFactory();
130 factory.setClientHostKeys(HostKeyIdentityProvider.wrap(keyPair));
131 factory.setClientUsername(clientIdentity.getUsername());
132 factory.setClientHostname(null); // not provided via config
133 factory.setSignatureFactories(factoryMgr.getSignatureFactories());
134 authFactoriesListBuilder.add(factory);
136 final var publicKey = clientIdentity.getPublicKey();
137 if (publicKey != null) {
138 final var keyPairs = ConfigUtils.extractKeyPair(publicKey.getInlineOrKeystore());
139 factoryMgr.setKeyIdentityProvider(KeyIdentityProvider.wrapKeyPairs(keyPairs));
140 final var factory = new UserAuthPublicKeyFactory();
141 factory.setSignatureFactories(factoryMgr.getSignatureFactories());
142 authFactoriesListBuilder.add(factory);
144 // FIXME implement authentication using X509 certificate
145 final var userAuthFactories = authFactoriesListBuilder.build();
146 if (userAuthFactories.isEmpty()) {
147 throw new UnsupportedConfigurationException("Client Identity has no authentication mechanism defined");
149 factoryMgr.setUserAuthFactories(userAuthFactories);
152 private static void setServerAuthentication(final @NonNull ClientFactoryManager factoryMgr,
153 final @Nullable ServerAuthentication serverAuthentication) throws UnsupportedConfigurationException {
154 if (serverAuthentication == null) {
155 factoryMgr.setServerKeyVerifier(AcceptAllServerKeyVerifier.INSTANCE);
158 final var certificatesList = ImmutableList.<Certificate>builder()
159 .addAll(ConfigUtils.extractCertificates(serverAuthentication.getCaCerts()))
160 .addAll(ConfigUtils.extractCertificates(serverAuthentication.getEeCerts()))
162 final var publicKeys = ConfigUtils.extractPublicKeys(serverAuthentication.getSshHostKeys());
163 if (!certificatesList.isEmpty() || !publicKeys.isEmpty()) {
164 factoryMgr.setServerKeyVerifier(new ServerPublicKeyVerifier(certificatesList, publicKeys));
166 throw new UnsupportedConfigurationException("Server authentication should contain either ssh-host-keys "
167 + "or ca-certs or ee-certs");