Stream currently waits for all stdout scanning to finish before scanning stderr. This can be quite confusing when using commands that output to both stdout and stderr, as it is not always obvious how the output from stderr lines up in time with the output from stdout.

The expected behaviour would be to see the output from stderr at the time it is output from the command.

I can put up a PR shortly.

Currently host key verification is done by checking if the host key fingerprint matches the expected one. This has a flaw in that it assumes that the server host key type will always be the one we are expecting. Servers can have multiple different host keys of different types. The host key selection is done based on the SSH protocol specification, from RFC4253 section 7.1:

      server_host_key_algorithms
         A name-list of the algorithms supported for the server host
         key.  The server lists the algorithms for which it has host
         keys; the client lists the algorithms that it is willing to
         accept.  There MAY be multiple host keys for a host, possibly
         with different algorithms.

         Some host keys may not support both signatures and encryption
         (this can be determined from the algorithm), and thus not all
         host keys are valid for all key exchange methods.

         Algorithm selection depends on whether the chosen key exchange
         algorithm requires a signature or an encryption-capable host
         key.  It MUST be possible to determine this from the public key
         algorithm name.  The first algorithm on the client's name-list
         that satisfies the requirements and is also supported by the
         server MUST be chosen.  If there is no such algorithm, both
         sides MUST disconnect.

This means that the client can choose which host key will be selected based on the sorted list of host key algorithms it sends to the server. This is also described here: https://www.bitvise.com/ssh-server-guide-host-keys

crypto/ssh has a way to set this list in ClientConfig:

	// HostKeyAlgorithms lists the key types that the client will
	// accept from the server as host key, in order of
	// preference. If empty, a reasonable default is used. Any
	// string returned from PublicKey.Type method may be used, or
	// any of the CertAlgoXxxx and KeyAlgoXxxx constants.
	HostKeyAlgorithms []string

easyssh doesn't set this list so it relies on crypto/ssh defaults which may change in the future. This means a crypto/ssh version update may break existing programs that use easyssh with fingerprint verification.

An easy improvement would be to allow specifying this list via MakeConfig. "Any string returned from PublicKey.Type method may be used", these are probably constant. Thus the host key type would always be guaranteed to match the key fingerprint.

Another improvement would be to be able to use func FixedHostKey as HostKeyCallback to allow specifying the full host public key to verify, not just the fingerprint, which would also be more secure.

proxy resources are not closed.

Hello Again,

In the MakeConfig struct Timeout is a time.Duration but in Run and Stream method timeout parameter is an int, don't you think it will be better to make every timeout a time.Duration?
If you want I can create a Pull Request.

Sebastien

See: https://godoc.org/golang.org/x/crypto/ssh#ParsePrivateKeyWithPassphrase

How can I use sshproxy to set path to rsa key in windows?

ssh := &easyssh.MakeConfig{
...
KeyPath: "/Users/username/.ssh/id_rsa",
...
}

Thanks for answer!

It seems your goroutines are leaking. When I run your SSH example, I notice that the routines you create do not terminate. I noticed this when I ran out of memory after a while.

ref:
hypersleep/easyssh#19
appleboy/drone-ssh#75

                proxyClient, err := ssh.Dial(string(ssh_conf.Proxy.Protocol), net.JoinHostPort(ssh_conf.Proxy.Server, ssh_conf.Proxy.Port), proxyConfig)

I find that when it calls Connect multiple times, the proxy client wound't been close correctly.

see golang/crypto@e4e2799

ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [aes128-ctr aes192-ctr aes256-ctr arcfour256 arcfour128 [email protected] [email protected] arcfour], server offered: [aes256-cbc]--- PASS: TestIncorrectPasswordCiphers (91.98s)
PASS

use " openssh_7.4p1 openssl 1.0.2k-fips " as proxy in

 ssh := &easyssh.MakeConfig{
	User:    "drone-scp",
	Server:  "localhost",
	Port:    "22",
	KeyPath: "./tests/.ssh/id_rsa",
	Proxy: easyssh.DefaultConfig{
		User:    "drone-scp",
		Server:  "localhost",
		Port:    "22",
		KeyPath: "./tests/.ssh/id_rsa",
	},
}

will failed !

Need to add in config readtimeout and writetimeout. This will avoid situations where the connection is established, but nothing further happens, and the console freezes. This can happen if the port on the remote server is open, but there is no ssh!

func (ssh_conf *MakeConfig) Stream(command string, timeout ...time.Duration) (<-chan string, <-chan string, <-chan bool, <-chan error, error) {
	... ...
	// combine outputs, create a line-by-line scanner
	stdoutReader := io.MultiReader(outReader)
	stderrReader := io.MultiReader(errReader)
	stdoutScanner := bufio.NewScanner(stdoutReader)
	stderrScanner := bufio.NewScanner(stderrReader)
	... ...

The default buf size is 4096. This results in an incomplete output when the command stdout or stderr is greater than this value

Hello,
First of all, thank you for your great job.
Don't you think it will be good to give public visibility to the connect method, to authorize access to the ssh.Session()?
Sébastien

I am able to do ssh using the password, But not using the go code.

username = "xxxxxxx"
passwords = []string{"026aaa9f-01fa-0850-095c-3d3daa0a4bd3", "4e58232c-2b79-cf4b-5e98-2bd6f0ba4946"}
fmt.Println(bastiondc)
fmt.Println(dchost)
easyconfig := &easyssh.MakeConfig{
	User:     username,
	Server:   dchost,
	Port:     "22",
	Password: passwords[1],
	Proxy: easyssh.DefaultConfig{
		User:     username,
		Server:   bastiondc,
		Port:     "22",
		Password: passwords[0],
	},
}

ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

goroutine 1 [running]:

panic: Can't run remote command: dial tcp: i/o timeout

package main

import (
        "fmt"

        "github.com/appleboy/easyssh-proxy"
)

func main() {
        // Create MakeConfig instance with remote username, server address and path to private key.
        ssh := &easyssh.MakeConfig{
                Server: "localhost",
                // Optional key or Password without either we try to contact your agent SOCKET
                //Password: "password",
                Key:     "/.ssh/id_rsa",
                Port:    "22",
                Timeout: 60,
        }

        // Call Run method with command you want to run on remote server.
        stdout, stderr, done, err := ssh.Run("ls -al", 60)
        // Handle errors
        if err != nil {
                panic("Can't run remote command: " + err.Error())
        } else {
                fmt.Println("don is :", done, "stdout is :", stdout, ";   stderr is :", stderr)
        }

}

I had to manually add support for Pty to get commands run with sudo to work. I created a patch file. Is this something you would like to incorporate? I added the lines to the Connect() function to update the session with requestPty().

easyssh_pty.patch.txt

Hi, I'm trying to run a remote command to a host but it fails with the following error message and I can't find what is wrong:

ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

Here is the code:

const (
    PKEY = "/root/.ssh/id_rsa"
)
...
output, err := utils.RunSSHCommand(user, host, PKEY, "cat /some/file")
...
func RunSSHCommand(user, addr, key, cmd string) (string, error) {
	ssh := &easyssh.MakeConfig{
		User:    user,
		Server:  addr,
		KeyPath: key,
		Port:    "22",
		Timeout: 60 * time.Second,
	}
	stdout, stderr, done, err := ssh.Run(cmd, 60*time.Second)
	if err != nil {
		color.Error.Printf("[SSH Error] Cant run remote command (%s), error msg: %s\n", cmd, err.Error())
	} else {
		if done {
			return stdout, err
		} else {
			color.Error.Printf("[SSH Error] Command error execution msg: %s\n", stderr)
		}
	}
	return "", err
}

Any ideas of what could be the problem here? I've already check that the key exists. I'm running this code from a docker container, and I pass the private key from the server running the container to the container it self on the docker-compose file like these:

...
volumes:
- /root/.ssh/id_rsa:/root/.ssh/id_rsa
...

Update Key attribute to KeyPath

Is it possible to add the sudo function, and automatically enter the password when the interactive prompt "[sudo] password for" appears ？

Because I encountered the need to remotely log in to multiple machines at work and sudo to root to execute commands, and the sudoer of each machine was configured to have to enter a password every time sudo