SSH server & endpoint

Author: Will O'Beirne

package.json

@@ -24,6 +24,10 @@
     "@types/safe-compare": "^1.1.0",
     "@types/semver": "^7.1.0",
     "@types/tar-fs": "^1.16.2",
+    "@types/ssh2": "0.5.39",
+    "@types/ssh2-streams": "^0.1.6",
+    "@types/tar-fs": "^1.16.1",
+    "@types/tar-stream": "^1.6.1",
     "@types/ws": "^6.0.4",
     "@typescript-eslint/eslint-plugin": "^2.0.0",
     "@typescript-eslint/parser": "^2.0.0",
@@ -50,10 +54,12 @@
     "adm-zip": "^0.4.14",
     "fs-extra": "^8.1.0",
     "httpolyglot": "^0.1.2",
+    "node-pty": "^0.9.0",
     "pem": "^1.14.2",
     "safe-compare": "^1.1.4",
     "semver": "^7.1.3",
     "tar": "^6.0.1",
+    "ssh2": "^0.8.7",
     "tar-fs": "^2.0.0",
     "ws": "^7.2.0"
   }

src/browser/pages/home.html

@@ -6,7 +6,10 @@
       name="viewport"
       content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no"
     />
-    <meta http-equiv="Content-Security-Policy" content="style-src 'self' 'unsafe-inline'; manifest-src 'self'; img-src 'self' data:;" />
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="style-src 'self' 'unsafe-inline'; manifest-src 'self'; img-src 'self' data:;"
+    />
     <title>code-server</title>
     <link rel="icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/favicon.ico" type="image/x-icon" />
     <link

src/node/cli.ts

@@ -31,6 +31,8 @@ export interface Args extends VsArgs {
   readonly open?: boolean
   readonly port?: number
   readonly socket?: string
+  readonly "ssh-host-key"?: string
+  readonly "disable-ssh"?: boolean
   readonly version?: boolean
   readonly force?: boolean
   readonly "list-extensions"?: boolean
@@ -96,6 +98,9 @@ const options: Options<Required<Args>> = {
   version: { type: "boolean", short: "v", description: "Display version information." },
   _: { type: "string[]" },
 
+  "disable-ssh": { type: "boolean" },
+  "ssh-host-key": { type: "string", path: true },
+
   "user-data-dir": { type: "string", path: true, description: "Path to the user data directory." },
   "extensions-dir": { type: "string", path: true, description: "Path to the extensions directory." },
   "builtin-extensions-dir": { type: "string", path: true },

src/node/entry.ts

@@ -10,7 +10,8 @@ import { UpdateHttpProvider } from "./app/update"
 import { VscodeHttpProvider } from "./app/vscode"
 import { Args, optionDescriptions, parse } from "./cli"
 import { AuthType, HttpServer } from "./http"
-import { generateCertificate, generatePassword, hash, open } from "./util"
+import { SshProvider } from "./ssh/server"
+import { generateCertificate, generatePassword, generateSshHostKey, hash, open } from "./util"
 import { ipcMain, wrap } from "./wrapper"
 
 const main = async (args: Args): Promise<void> => {
@@ -29,6 +30,7 @@ const main = async (args: Args): Promise<void> => {
     auth,
     cert: args.cert ? args.cert.value : undefined,
     certKey: args["cert-key"],
+    sshHostKey: args["ssh-host-key"],
     commit: commit || "development",
     host: args.host || (args.auth === AuthType.Password && typeof args.cert !== "undefined" ? "0.0.0.0" : "localhost"),
     password: originalPassword ? hash(originalPassword) : undefined,
@@ -43,6 +45,13 @@ const main = async (args: Args): Promise<void> => {
   } else if (args.cert && !args["cert-key"]) {
     throw new Error("--cert-key is missing")
   }
+  if (!args["disable-ssh"]) {
+    if (!options.sshHostKey && typeof options.sshHostKey !== "undefined") {
+      throw new Error("--ssh-host-key cannot be blank")
+    } else if (!options.sshHostKey) {
+      options.sshHostKey = await generateSshHostKey()
+    }
+  }
 
   const httpServer = new HttpServer(options)
   const vscode = httpServer.registerHttpProvider("/", VscodeHttpProvider, args)
@@ -55,6 +64,13 @@ const main = async (args: Args): Promise<void> => {
   ipcMain().onDispose(() => httpServer.dispose())
 
   logger.info(`code-server ${require("../../package.json").version}`)
+
+  let sshPort = ""
+  if (!args["disable-ssh"]) {
+    const sshProvider = httpServer.registerHttpProvider("/ssh", SshProvider, options.sshHostKey as string)
+    sshPort = await sshProvider.listen()
+  }
+
   const serverAddress = await httpServer.listen()
   logger.info(`Server listening on ${serverAddress}`)
 
@@ -82,6 +98,12 @@ const main = async (args: Args): Promise<void> => {
 
   logger.info(`  - Automatic updates are ${update.enabled ? "enabled" : "disabled"}`)
 
+  if (sshPort) {
+    logger.info(`  - SSH Server - Listening :${sshPort}`)
+  } else {
+    logger.info("  - SSH Server - Disabled")
+  }
+
   if (serverAddress && !options.socket && args.open) {
     // The web socket doesn't seem to work if browsing with 0.0.0.0.
     const openAddress = serverAddress.replace(/:\/\/0.0.0.0/, "://localhost")

src/node/http.ts

@@ -525,7 +525,7 @@ export class HttpServer {
               "Set-Cookie": [
                 `${payload.cookie.key}=${payload.cookie.value}`,
                 `Path=${normalize(payload.cookie.path || "/", true)}`,
-                "HttpOnly",
+                // "HttpOnly",
                 "SameSite=strict",
               ].join(";"),
             }

src/node/ssh/server.ts

@@ -0,0 +1,110 @@
+import * as http from "http"
+import * as net from "net"
+import * as ssh from "ssh2"
+import * as ws from "ws"
+import * as fs from "fs"
+import { logger } from "@coder/logger"
+import safeCompare from "safe-compare"
+import { HttpProvider, HttpResponse, HttpProviderOptions, Route } from "../http"
+import { HttpCode } from "../../common/http"
+import { forwardSshPort, fillSshSession } from "./ssh"
+import { hash } from "../util"
+
+export class SshProvider extends HttpProvider {
+  private readonly wss = new ws.Server({ noServer: true })
+  private sshServer: ssh.Server
+
+  public constructor(options: HttpProviderOptions, hostKeyPath: string) {
+    super(options)
+    const hostKey = fs.readFileSync(hostKeyPath)
+    this.sshServer = new ssh.Server({ hostKeys: [hostKey] }, this.handleSsh)
+
+    this.sshServer.on("error", (err) => {
+      logger.error(`SSH server error: ${err.stack}`)
+    })
+  }
+
+  public async listen(): Promise<string> {
+    return new Promise((resolve, reject) => {
+      this.sshServer.once("error", reject)
+      this.sshServer.listen(() => {
+        resolve(this.sshServer.address().port.toString())
+      })
+    })
+  }
+
+  public async handleRequest(): Promise<HttpResponse> {
+    // SSH has no HTTP endpoints
+    return { code: HttpCode.NotFound }
+  }
+
+  public handleWebSocket(
+    _route: Route,
+    request: http.IncomingMessage,
+    socket: net.Socket,
+    head: Buffer,
+  ): Promise<void> {
+    // Create a fake websocket to the sshServer
+    const sshSocket = net.connect(this.sshServer.address().port, "localhost")
+
+    return new Promise((resolve) => {
+      this.wss.handleUpgrade(request, socket, head, (ws) => {
+        // Send SSH data to WS as compressed binary
+        sshSocket.on("data", (data) => {
+          ws.send(data, {
+            binary: true,
+            compress: true,
+            fin: true,
+          })
+        })
+
+        // Send WS data to SSH as buffer
+        ws.on("message", (msg) => {
+          // Buffer.from is cool with all types, but casting as string keeps typing simple
+          sshSocket.write(Buffer.from(msg as string))
+        })
+
+        ws.on("error", (err) => {
+          logger.error(`SSH websocket error: ${err.stack}`)
+        })
+
+        resolve()
+      })
+    })
+  }
+
+  /**
+   * Determine how to handle incoming SSH connections.
+   */
+  private handleSsh = (client: ssh.Connection, info: ssh.ClientInfo): void => {
+    logger.debug(`Incoming SSH connection from ${info.ip}`)
+    client.on("authentication", (ctx) => {
+      // Allow any auth to go through if we have no password
+      if (!this.options.password) {
+        return ctx.accept()
+      }
+
+      // Otherwise require the same password as code-server
+      if (ctx.method === "password") {
+        if (
+          safeCompare(this.options.password, hash(ctx.password)) ||
+          safeCompare(this.options.password, ctx.password)
+        ) {
+          return ctx.accept()
+        }
+      }
+
+      // Reject, letting them know that password is the only method we allow
+      ctx.reject(["password"])
+    })
+    client.on("tcpip", forwardSshPort)
+    client.on("session", fillSshSession)
+    client.on("error", (err) => {
+      // Don't bother logging Keepalive errors, they probably just disconnected
+      if (err.message === "Keepalive timeout") {
+        return logger.debug("SSH client keepalive timeout")
+      }
+      logger.error(`SSH client error: ${err.stack}`)
+    })
+  }
+}