gssh-agent 1.0.4 → 1.0.5

package/.github/workflows/ci.yml

@@ -0,0 +1,27 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - '**'
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+
+      - name: Build
+        run: go build ./...
+
+      - name: Test
+        run: go test ./...

package/.github/workflows/publish.yml

@@ -0,0 +1,104 @@
+name: Publish
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  # npm 发布
+  publish-npm:
+    if: "contains(github.event.head_commit.message, 'publish')"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+
+      - name: Get version
+        id: version
+        run: |
+          VERSION=$(echo "${{ github.event.head_commit.message }}" | sed -n 's/.*publish[: ]*\(.*\)/\1/p')
+          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+          echo "Publishing version: $VERSION"
+
+      - name: Build
+        run: |
+          go build -ldflags="-s -w" -o bin/gssh ./cmd/gssh
+
+      - name: Update package.json version
+        run: |
+          VERSION="${{ steps.version.outputs.VERSION }}"
+          npm version $VERSION --no-git-tag-version
+
+      - name: Build npm package
+        run: npm pack
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Configure npm
+        run: |
+          echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > .npmrc
+          cat .npmrc
+
+      - name: Publish to npm
+        run: npm publish --access public 
+
+  # GitHub Releases 发布
+  publish-github:
+    if: "startsWith(github.ref, 'refs/tags/v')"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    strategy:
+      matrix:
+        include:
+          - goos: linux
+            goarch: amd64
+          - goos: linux
+            goarch: arm64
+          - goos: darwin
+            goarch: amd64
+          - goos: darwin
+            goarch: arm64
+          - goos: windows
+            goarch: amd64
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+
+      - name: Build
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+        run: |
+          EXT=""
+          if [ "$GOOS" = "windows" ]; then
+            EXT=".exe"
+          fi
+          FILENAME="gssh-${GOOS}-${GOARCH}${EXT}"
+          go build -ldflags="-s -w" -o "$FILENAME" ./cmd/gssh
+          echo "$FILENAME" >> artifacts.txt
+
+      - name: Upload Release Asset
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ github.ref }}
+          files: ${{ matrix.goos }}-${{ matrix.goarch }}*
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package/README.md

@@ -14,22 +14,13 @@ gssh 是一个供 Agent 使用的 SSH Session 管理工具。通过 Go 语言实
 
 ## 安装
 
-### 方式一：Homebrew（推荐）
+### 使用 npm（推荐）
 
 ```bash
-# 添加 tap（未来会支持）
-# brew tap forechoandlook/gssh
-# brew install gssh
-
-# 暂时使用手动安装方式
-git clone https://github.com/forechoandlook/gssh.git
-cd gssh
-go build -o bin/daemon cmd/daemon/main.go
-go build -o bin/gssh cmd/gssh/main.go
-./homebrew/install.sh
+npm install -g gssh-agent
 ```
 
-### 方式二：直接安装
+### 手动安装
 
 ```bash
 # 克隆项目
@@ -45,53 +36,11 @@ cp bin/daemon /usr/local/bin/gssh-daemon
 cp bin/gssh /usr/local/bin/gssh
 ```
 
-## 服务管理（macOS）
-
-### 使用 launchctl
+## 启动服务
 
 ```bash
-# 启动服务
-launchctl start com.gssh.daemon
-
-# 停止服务
-launchctl stop com.gssh.daemon
-
-# 查看状态
-launchctl list | grep gssh
-
-# 卸载服务
-launchctl unload ~/Library/LaunchAgents/gssh.plist
-rm ~/Library/LaunchAgents/gssh.plist
-```
-
-### 使用 Homebrew services
-
-```bash
-# 启动（首次安装后自动启动）
-brew services start gssh
-
-# 停止
-brew services stop gssh
-
-# 查看状态
-brew services list
-
-# 重启
-brew services restart gssh
-```
-
-### 使用 PM2（跨平台）
-
-```bash
-# 安装 PM2
-npm install -g pm2
-
-# 启动 daemon
-pm2 start gssh-daemon.sh --name gssh
-
-# 保存并设置开机自启
-pm2 save
-pm2 startup
+# 启动 gssh daemon
+gssh-daemon
 ```
 
 ## 使用方法
@@ -99,7 +48,7 @@ pm2 startup
 ### 连接 SSH（密码认证）
 
 ```bash
-gssh connect -u admin1 -h 139.196.175.163 -p 7080 -P 1234
+gssh connect -u admin1 -h xxxx -p xxxx -P xxxxx
 ```
 
 ### 连接 SSH（密钥认证）
@@ -116,6 +65,12 @@ gssh exec "ls -la"
 
 # 指定 session
 gssh exec -s <session_id> "pwd"
+
+# 带超时命令
+gssh exec -t 10 "ls -la"
+
+# sudo 命令
+gssh exec -S password "sudo systemctl restart nginx"
 ```
 
 ### 端口转发
@@ -123,16 +78,27 @@ gssh exec -s <session_id> "pwd"
 ```bash
 # 本地端口转发：本地 8080 -> 远程 80
 gssh forward -l 8080 -r 80
+
+# 远程端口转发：远程 9000 -> 本地 3000
+gssh forward -R -l 9000 -r 3000
+
+# 列出所有端口转发
+gssh forwards
+
+# 关闭端口转发
+gssh forward-close <forward_id>
 ```
 
-### 文件传输（SFTP/SCP）
+### 文件传输与同步（SFTP/SCP/SYNC）
 
 ```bash
-# 上传文件（本地 -> 远程）
+# 上传文件或文件夹（本地 -> 远程）
 gssh scp -put /path/to/local/file.txt /path/to/remote/file.txt
+gssh sync -put /path/to/local/dir /path/to/remote/dir
 
-# 下载文件（远程 -> 本地）
+# 下载文件或文件夹（远程 -> 本地）
 gssh scp -get /path/to/remote/file.txt /path/to/local/file.txt
+gssh sync -get /path/to/remote/dir /path/to/local/dir
 
 # 列出远程目录
 gssh sftp -c ls -p /path/to/remote/dir
@@ -178,6 +144,10 @@ gssh reconnect -s <session_id>
 | `-get` | 下载模式（远程 -> 本地） |
 | `-c command` | SFTP 命令（ls/mkdir/rm） |
 | `-p path` | SFTP 路径 |
+| `-t timeout` | 命令超时时间（秒） |
+| `-S password` | sudo 密码 |
+| `--ask-pass` | 交互输入 SSH 密码 |
+| `--ask-sudo-pass` | 交互输入 sudo 密码 |
 
 ## 开发
 

package/cmd/gssh/main.go

@@ -73,7 +73,7 @@ func main() {
 		err = handleForwards(socketPath)
 	case "forward-close":
 		err = handleForwardClose(subArgs, socketPath)
-	case "scp":
+	case "scp", "sync":
 		err = handleSCP(subArgs, socketPath)
 	case "sftp":
 		err = handleSFTP(subArgs, socketPath)
@@ -309,6 +309,7 @@ func handleExec(args []string, socketPath string) error {
 	fs.SetOutput(os.Stderr)
 
 	sessionID := fs.String("s", "", "Session ID")
+	timeout := fs.Int("t", 0, "Timeout in seconds (0 = no timeout)")
 	sudoPassword := fs.String("S", "", "sudo password")
 	askSudoPassword := fs.Bool("ask-sudo-pass", false, "Interactively ask for sudo password")
 
@@ -334,6 +335,7 @@ func handleExec(args []string, socketPath string) error {
 	params := protocol.ExecParams{
 		SessionID: *sessionID,
 		Command:   command,
+		Timeout:   *timeout,
 	}
 
 	result, err := sendRequest(socketPath, "exec", params)
@@ -623,6 +625,8 @@ Usage:
   gssh forward-close <forward_id>
   gssh scp [-s session_id] -put <local> <remote>
   gssh scp [-s session_id] -get <remote> <local>
+  gssh sync [-s session_id] -put <local> <remote>
+  gssh sync [-s session_id] -get <remote> <local>
   gssh sftp [-s session_id] -c <ls|mkdir|rm> -p <path>
   gssh -v, --version
 
@@ -652,6 +656,7 @@ Examples:
   gssh reconnect 549b6eff-f62c-4dae-a7e9-298815233cf4
   gssh forward -l 8080 -r 80
   gssh scp -put local.txt /home/user/remote.txt
+  gssh sync -put local_dir /home/user/remote_dir
 `, version)
 }
 

package/fix_manager.patch

@@ -0,0 +1,79 @@
+--- internal/session/manager.go
++++ internal/session/manager.go
+@@ -100,16 +100,24 @@
+	// Check if session already exists
+	for _, s := range m.sessions {
+		if s.Host == host && s.User == user && s.Port == port {
+-			if s.Status == "connected" {
++			s.mu.RLock()
++			status := s.Status
++			s.mu.RUnlock()
++
++			if status == "connected" {
+				return toProtocolSession(s), fmt.Errorf("session already exists")
+			}
+			// Try to reconnect
+			sshClient, err := client.Connect(user, host, port, password, keyPath)
+			if err != nil {
+				return nil, err
+			}
++
++			s.mu.Lock()
+			s.SSHClient = sshClient
+			s.Status = "connected"
++			s.mu.Unlock()
++
+			return toProtocolSession(s), nil
+		}
+	}
+@@ -159,10 +167,12 @@
+		return fmt.Errorf("session not found")
+	}
+
++	ms.mu.Lock()
+	if ms.SSHClient != nil {
+		ms.SSHClient.Close()
+	}
+-
+	ms.Status = "disconnected"
++	ms.mu.Unlock()
+
+	// Clear default ID when disconnecting
+	if m.defaultID == sessionID {
+@@ -188,10 +198,14 @@
+		return nil, fmt.Errorf("session not found")
+	}
+
++	ms.mu.RLock()
++	existingClient := ms.SSHClient
++	ms.mu.RUnlock()
++
+	// Close existing connection
+-	if ms.SSHClient != nil {
+-		ms.SSHClient.Close()
++	if existingClient != nil {
++		existingClient.Close()
+	}
+
+	// Create new connection
+	sshClient, err := client.Connect(ms.User, ms.Host, ms.Port, ms.Password, ms.KeyPath)
+@@ -239,15 +253,16 @@
+	}
+
+	ms.mu.RLock()
+-	if ms.SSHClient == nil {
++	sshClient := ms.SSHClient
++	ms.mu.RUnlock()
++
++	if sshClient == nil {
+-		ms.mu.RUnlock()
+		return nil, fmt.Errorf("session not connected")
+	}
+-	ms.mu.RUnlock()
+
+	// 复用 SSH 连接，创建新的 session 执行命令
+-	session, err := ms.SSHClient.Client.NewSession()
++	session, err := sshClient.Client.NewSession()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create session: %w", err)
+	}

package/internal/client/ssh.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/pkg/sftp"
 	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/knownhosts"
 )
 
 // SSHClient encapsulates SSH connection logic
@@ -32,12 +33,84 @@ func (k *KeyboardInteractiveHandler) Challenge(name, instruction string, questio
 	return answers, nil
 }
 
+// getHostKeyCallback returns a host key callback that verifies the host key against the user's known_hosts file.
+// If the host is unknown, it implements Trust-On-First-Use (TOFU) by adding the new key to the known_hosts file.
+func getHostKeyCallback() (ssh.HostKeyCallback, error) {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		return nil, fmt.Errorf("could not get user home dir: %w", err)
+	}
+
+	knownHostsPath := filepath.Join(homeDir, ".ssh", "known_hosts")
+
+	// Ensure the .ssh directory exists
+	if err := os.MkdirAll(filepath.Dir(knownHostsPath), 0700); err != nil {
+		return nil, fmt.Errorf("failed to create .ssh directory: %w", err)
+	}
+
+	// Create the known_hosts file if it doesn't exist
+	if _, err := os.Stat(knownHostsPath); os.IsNotExist(err) {
+		f, err := os.OpenFile(knownHostsPath, os.O_CREATE|os.O_RDWR, 0600)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create known_hosts file: %w", err)
+		}
+		f.Close()
+	}
+
+	cb, err := knownhosts.New(knownHostsPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create knownhosts callback: %w", err)
+	}
+
+	return func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+		err := cb(hostname, remote, key)
+		if err == nil {
+			return nil
+		}
+
+		keyErr, ok := err.(*knownhosts.KeyError)
+		if !ok {
+			return err
+		}
+
+		// If len(keyErr.Want) is 0, it means the key is completely unknown (not a mismatch).
+		// We implement Trust-On-First-Use (TOFU) by adding the new key to known_hosts.
+		if len(keyErr.Want) == 0 {
+			f, fErr := os.OpenFile(knownHostsPath, os.O_APPEND|os.O_WRONLY, 0600)
+			if fErr != nil {
+				return fmt.Errorf("failed to open known_hosts for appending: %w", fErr)
+			}
+			defer f.Close()
+
+			addresses := []string{knownhosts.Normalize(hostname)}
+			if remoteString := remote.String(); remoteString != hostname {
+				addresses = append(addresses, knownhosts.Normalize(remoteString))
+			}
+
+			line := knownhosts.Line(addresses, key)
+			if _, wErr := f.WriteString(line + "\n"); wErr != nil {
+				return fmt.Errorf("failed to append key to known_hosts: %w", wErr)
+			}
+			return nil
+		}
+
+		// It's a key mismatch (security risk: MITM or host key changed). Reject the connection.
+		return err
+	}, nil
+}
+
 // NewSSHClient creates a new SSH client
 func NewSSHClient(user, host string, port int, authMethods ...ssh.AuthMethod) (*SSHClient, error) {
+	hostKeyCallback, err := getHostKeyCallback()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get host key callback: %w", err)
+	}
+
 	config := &ssh.ClientConfig{
 		User:            user,
 		Auth:            authMethods,
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		HostKeyCallback: hostKeyCallback,
+		Timeout:         10 * time.Second,
 	}
 
 	addr := fmt.Sprintf("%s:%d", host, port)
@@ -169,8 +242,56 @@ func (c *SSHClient) NewSFTPClient() (*SFTPClient, error) {
 	return &SFTPClient{Client: sftpClient}, nil
 }
 
-// Upload uploads a local file to remote
+// Upload uploads a local file or directory to remote
 func (s *SFTPClient) Upload(localPath, remotePath string) (int64, error) {
+	localInfo, err := os.Stat(localPath)
+	if err != nil {
+		return 0, fmt.Errorf("failed to stat local path: %w", err)
+	}
+
+	if !localInfo.IsDir() {
+		return s.uploadFile(localPath, remotePath)
+	}
+
+	var totalWritten int64
+	err = filepath.Walk(localPath, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		relPath, err := filepath.Rel(localPath, path)
+		if err != nil {
+			return err
+		}
+
+		targetPath := filepath.ToSlash(filepath.Join(remotePath, relPath))
+
+		if info.IsDir() {
+			s.Client.MkdirAll(targetPath)
+			return nil
+		}
+
+		// Sync logic
+		remoteInfo, err := s.Client.Stat(targetPath)
+		if err == nil && remoteInfo.Size() == info.Size() && remoteInfo.ModTime().Unix() == info.ModTime().Unix() {
+			return nil
+		}
+
+		written, err := s.uploadFile(path, targetPath)
+		if err != nil {
+			return err
+		}
+
+		totalWritten += written
+		s.Client.Chtimes(targetPath, info.ModTime(), info.ModTime())
+
+		return nil
+	})
+
+	return totalWritten, err
+}
+
+func (s *SFTPClient) uploadFile(localPath, remotePath string) (int64, error) {
 	localFile, err := os.Open(localPath)
 	if err != nil {
 		return 0, fmt.Errorf("failed to open local file: %w", err)
@@ -199,8 +320,62 @@ func (s *SFTPClient) Upload(localPath, remotePath string) (int64, error) {
 	return written, nil
 }
 
-// Download downloads a remote file to local
+// Download downloads a remote file or directory to local
 func (s *SFTPClient) Download(remotePath, localPath string) (int64, error) {
+	remoteInfo, err := s.Client.Stat(remotePath)
+	if err != nil {
+		return 0, fmt.Errorf("failed to stat remote path: %w", err)
+	}
+
+	if !remoteInfo.IsDir() {
+		return s.downloadFile(remotePath, localPath)
+	}
+
+	var totalWritten int64
+	walker := s.Client.Walk(remotePath)
+	for walker.Step() {
+		if walker.Err() != nil {
+			return totalWritten, walker.Err()
+		}
+
+		path := walker.Path()
+		info := walker.Stat()
+
+		relPath, err := filepath.Rel(remotePath, path)
+		if err != nil {
+			return totalWritten, err
+		}
+
+		if err := checkPathTraversal(relPath); err != nil {
+			return totalWritten, err
+		}
+
+		targetPath := filepath.Join(localPath, relPath)
+
+		if info.IsDir() {
+			os.MkdirAll(targetPath, info.Mode())
+			continue
+		}
+
+		// Sync logic
+		localInfo, err := os.Stat(targetPath)
+		if err == nil && localInfo.Size() == info.Size() && localInfo.ModTime().Unix() == info.ModTime().Unix() {
+			continue
+		}
+
+		written, err := s.downloadFile(path, targetPath)
+		if err != nil {
+			return totalWritten, err
+		}
+
+		totalWritten += written
+		os.Chtimes(targetPath, info.ModTime(), info.ModTime())
+	}
+
+	return totalWritten, nil
+}
+
+func (s *SFTPClient) downloadFile(remotePath, localPath string) (int64, error) {
 	remoteFile, err := s.Client.Open(remotePath)
 	if err != nil {
 		return 0, fmt.Errorf("failed to open remote file: %w", err)
@@ -380,6 +555,14 @@ func (pw *progressWriter) Write(p []byte) (n int, err error) {
 	return
 }
 
+// checkPathTraversal ensures that relPath does not escape the destination directory
+func checkPathTraversal(relPath string) error {
+	if !filepath.IsLocal(relPath) {
+		return fmt.Errorf("path traversal detected: %s escapes destination", relPath)
+	}
+	return nil
+}
+
 // expandPath expands ~ to home directory
 func expandPath(path string) string {
 	if len(path) > 0 && path[0] == '~' {

package/internal/client/ssh_test.go

@@ -31,3 +31,46 @@ func TestNewAuthMethodsFromKeyPath(t *testing.T) {
 		t.Error("expected error for non-existent key")
 	}
 }
+
+func TestCheckPathTraversal(t *testing.T) {
+	tests := []struct {
+		name    string
+		relPath string
+		wantErr bool
+	}{
+		{
+			name:    "safe path within directory",
+			relPath: "safe_file.txt",
+			wantErr: false,
+		},
+		{
+			name:    "safe path same as directory",
+			relPath: ".",
+			wantErr: false,
+		},
+		{
+			name:    "path traversal attempt with ../",
+			relPath: "../etc/passwd",
+			wantErr: true,
+		},
+		{
+			name:    "absolute path traversal",
+			relPath: "/etc/passwd",
+			wantErr: true,
+		},
+		{
+			name:    "deep nested safe path",
+			relPath: "a/b/c/d.txt",
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := checkPathTraversal(tt.relPath)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("checkPathTraversal() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}