2 * Copyright (c) 2022 PANTHEON.tech, s.r.o. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.transport.ssh;
10 import com.google.common.collect.ImmutableList;
11 import com.google.common.util.concurrent.ListenableFuture;
12 import io.netty.bootstrap.Bootstrap;
13 import io.netty.bootstrap.ServerBootstrap;
14 import io.netty.channel.group.DefaultChannelGroup;
15 import io.netty.util.concurrent.GlobalEventExecutor;
16 import java.security.cert.Certificate;
17 import org.eclipse.jdt.annotation.NonNull;
18 import org.eclipse.jdt.annotation.Nullable;
19 import org.opendaylight.netconf.shaded.sshd.client.ClientFactoryManager;
20 import org.opendaylight.netconf.shaded.sshd.client.SshClient;
21 import org.opendaylight.netconf.shaded.sshd.client.auth.UserAuthFactory;
22 import org.opendaylight.netconf.shaded.sshd.client.auth.hostbased.HostKeyIdentityProvider;
23 import org.opendaylight.netconf.shaded.sshd.client.auth.hostbased.UserAuthHostBasedFactory;
24 import org.opendaylight.netconf.shaded.sshd.client.auth.password.PasswordIdentityProvider;
25 import org.opendaylight.netconf.shaded.sshd.client.auth.password.UserAuthPasswordFactory;
26 import org.opendaylight.netconf.shaded.sshd.client.auth.pubkey.UserAuthPublicKeyFactory;
27 import org.opendaylight.netconf.shaded.sshd.client.keyverifier.AcceptAllServerKeyVerifier;
28 import org.opendaylight.netconf.shaded.sshd.client.session.ClientSessionImpl;
29 import org.opendaylight.netconf.shaded.sshd.client.session.SessionFactory;
30 import org.opendaylight.netconf.shaded.sshd.common.io.IoHandler;
31 import org.opendaylight.netconf.shaded.sshd.common.keyprovider.KeyIdentityProvider;
32 import org.opendaylight.netconf.shaded.sshd.common.util.threads.ThreadUtils;
33 import org.opendaylight.netconf.transport.api.TransportChannelListener;
34 import org.opendaylight.netconf.transport.api.TransportStack;
35 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
36 import org.opendaylight.netconf.transport.tcp.TCPClient;
37 import org.opendaylight.netconf.transport.tcp.TCPServer;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.password.grouping.password.type.CleartextPassword;
39 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.SshClientGrouping;
40 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ClientIdentity;
41 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ServerAuthentication;
42 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping;
43 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping;
46 * A {@link TransportStack} acting as an SSH client.
48 public final class SSHClient extends SSHTransportStack {
49 private final ClientFactoryManager clientFactoryManager;
50 private final SessionFactory sessionFactory;
52 private SSHClient(final TransportChannelListener listener, final ClientFactoryManager clientFactoryManager,
53 final String username) {
55 this.clientFactoryManager = clientFactoryManager;
56 this.clientFactoryManager.addSessionListener(new UserAuthSessionListener(sessionAuthHandlers, sessions));
57 sessionFactory = new SessionFactory(clientFactoryManager) {
59 protected ClientSessionImpl setupSession(final ClientSessionImpl session) {
60 session.setUsername(username);
64 ioService = new SshIoService(this.clientFactoryManager,
65 new DefaultChannelGroup("sshd-client-channels", GlobalEventExecutor.INSTANCE),
70 IoHandler getSessionFactory() {
71 return sessionFactory;
74 public static @NonNull ListenableFuture<SSHClient> connect(final TransportChannelListener listener,
75 final Bootstrap bootstrap, final TcpClientGrouping connectParams,
76 final SshClientGrouping clientParams) throws UnsupportedConfigurationException {
77 final var factoryMgr = newFactoryManager(clientParams);
78 final var sshClient = new SSHClient(listener, factoryMgr, getUsername(clientParams));
79 return transformUnderlay(sshClient, TCPClient.connect(sshClient.asListener(), bootstrap, connectParams));
82 public static @NonNull ListenableFuture<SSHClient> listen(final TransportChannelListener listener,
83 final ServerBootstrap bootstrap, final TcpServerGrouping listenParams, final SshClientGrouping clientParams)
84 throws UnsupportedConfigurationException {
85 final var factoryMgr = newFactoryManager(clientParams);
86 final var sshClient = new SSHClient(listener, factoryMgr, getUsername(clientParams));
87 return transformUnderlay(sshClient, TCPServer.listen(sshClient.asListener(), bootstrap, listenParams));
90 private static String getUsername(final SshClientGrouping clientParams) {
91 final var clientIdentity = clientParams.getClientIdentity();
92 return clientIdentity == null ? "" : clientIdentity.getUsername();
95 private static ClientFactoryManager newFactoryManager(final SshClientGrouping parameters)
96 throws UnsupportedConfigurationException {
97 final var factoryMgr = SshClient.setUpDefaultClient();
99 ConfigUtils.setTransportParams(factoryMgr, parameters.getTransportParams());
100 ConfigUtils.setKeepAlives(factoryMgr, parameters.getKeepalives());
102 setClientIdentity(factoryMgr, parameters.getClientIdentity());
103 setServerAuthentication(factoryMgr, parameters.getServerAuthentication());
105 factoryMgr.setServiceFactories(SshClient.DEFAULT_SERVICE_FACTORIES);
106 factoryMgr.setScheduledExecutorService(ThreadUtils.newSingleThreadScheduledExecutor("sshd-client-pool"));
110 private static void setClientIdentity(@NonNull final ClientFactoryManager factoryMgr,
111 final @Nullable ClientIdentity clientIdentity) throws UnsupportedConfigurationException {
112 if (clientIdentity == null || clientIdentity.getNone() != null) {
115 final var authFactoriesListBuilder = ImmutableList.<UserAuthFactory>builder();
116 final var password = clientIdentity.getPassword();
117 if (password != null) {
118 if (password.getPasswordType() instanceof CleartextPassword clearTextPassword) {
119 factoryMgr.setPasswordIdentityProvider(
120 PasswordIdentityProvider.wrapPasswords(clearTextPassword.requireCleartextPassword()));
121 authFactoriesListBuilder.add(new UserAuthPasswordFactory());
123 // TODO support encrypted password -- requires augmentation of default schema
125 final var hostBased = clientIdentity.getHostbased();
126 if (hostBased != null) {
127 var keyPair = ConfigUtils.extractKeyPair(hostBased.getInlineOrKeystore());
128 var factory = new UserAuthHostBasedFactory();
129 factory.setClientHostKeys(HostKeyIdentityProvider.wrap(keyPair));
130 factory.setClientUsername(clientIdentity.getUsername());
131 factory.setClientHostname(null); // not provided via config
132 factory.setSignatureFactories(factoryMgr.getSignatureFactories());
133 authFactoriesListBuilder.add(factory);
135 final var publicKey = clientIdentity.getPublicKey();
136 if (publicKey != null) {
137 final var keyPairs = ConfigUtils.extractKeyPair(publicKey.getInlineOrKeystore());
138 factoryMgr.setKeyIdentityProvider(KeyIdentityProvider.wrapKeyPairs(keyPairs));
139 final var factory = new UserAuthPublicKeyFactory();
140 factory.setSignatureFactories(factoryMgr.getSignatureFactories());
141 authFactoriesListBuilder.add(factory);
143 // FIXME implement authentication using X509 certificate
144 final var userAuthFactories = authFactoriesListBuilder.build();
145 if (userAuthFactories.isEmpty()) {
146 throw new UnsupportedConfigurationException("Client Identity has no authentication mechanism defined");
148 factoryMgr.setUserAuthFactories(userAuthFactories);
151 private static void setServerAuthentication(final @NonNull ClientFactoryManager factoryMgr,
152 final @Nullable ServerAuthentication serverAuthentication) throws UnsupportedConfigurationException {
153 if (serverAuthentication == null) {
154 factoryMgr.setServerKeyVerifier(AcceptAllServerKeyVerifier.INSTANCE);
157 final var certificatesList = ImmutableList.<Certificate>builder()
158 .addAll(ConfigUtils.extractCertificates(serverAuthentication.getCaCerts()))
159 .addAll(ConfigUtils.extractCertificates(serverAuthentication.getEeCerts()))
161 final var publicKeys = ConfigUtils.extractPublicKeys(serverAuthentication.getSshHostKeys());
162 if (!certificatesList.isEmpty() || !publicKeys.isEmpty()) {
163 factoryMgr.setServerKeyVerifier(new ServerPublicKeyVerifier(certificatesList, publicKeys));
165 throw new UnsupportedConfigurationException("Server authentication should contain either ssh-host-keys "
166 + "or ca-certs or ee-certs");