typescript-virtual-container 1.2.4 → 1.2.6

package/benchmark-results.txt

@@ -1,40 +1,40 @@
 Benchmarking VirtualShell concurrency:
 
 Running 1 shells...
-  Initialized 1 shells in 86ms, RSS 82 MB
+  Initialized 1 shells in 67ms, RSS 82 MB
   Executed shell commands in 2ms, RSS now 82 MB (+0 MB)
 
 Running 2 shells...
   Initialized 2 shells in 2ms, RSS 82 MB
-  Executed shell commands in 1ms, RSS now 82 MB (+0 MB)
+  Executed shell commands in 0ms, RSS now 82 MB (+0 MB)
 
 Running 5 shells...
-  Initialized 5 shells in 5ms, RSS 82 MB
-  Executed shell commands in 2ms, RSS now 82 MB (+0 MB)
+  Initialized 5 shells in 1ms, RSS 82 MB
+  Executed shell commands in 1ms, RSS now 82 MB (+0 MB)
 
 Running 10 shells...
-  Initialized 10 shells in 5ms, RSS 84 MB
-  Executed shell commands in 3ms, RSS now 84 MB (+1 MB)
+  Initialized 10 shells in 4ms, RSS 83 MB
+  Executed shell commands in 3ms, RSS now 84 MB (+0 MB)
 
 Running 20 shells...
-  Initialized 20 shells in 12ms, RSS 84 MB
-  Executed shell commands in 6ms, RSS now 85 MB (+1 MB)
+  Initialized 20 shells in 5ms, RSS 84 MB
+  Executed shell commands in 3ms, RSS now 86 MB (+1 MB)
 
 Running 50 shells...
-  Initialized 50 shells in 30ms, RSS 87 MB
-  Executed shell commands in 12ms, RSS now 88 MB (+2 MB)
+  Initialized 50 shells in 10ms, RSS 88 MB
+  Executed shell commands in 7ms, RSS now 89 MB (+1 MB)
 
 Running 100 shells...
-  Initialized 100 shells in 52ms, RSS 91 MB
-  Executed shell commands in 28ms, RSS now 92 MB (+2 MB)
+  Initialized 100 shells in 18ms, RSS 92 MB
+  Executed shell commands in 9ms, RSS now 95 MB (+3 MB)
 
 Summary:
 
-count   init_ms cmd_ms  init_rss        final_rss
-1       86      2       82 MB   82 MB   0 MB
-2       2       1       82 MB   82 MB   0 MB
-5       5       2       82 MB   82 MB   0 MB
-10      5       3       84 MB   84 MB   1 MB
-20      12      6       84 MB   85 MB   1 MB
-50      30      12      87 MB   88 MB   2 MB
-100     52      28      91 MB   92 MB   2 MB
+count   init_ms cmd_ms  init_rss        final_rss       delta_rss
+1       67      2       82 MB           82 MB           0 MB
+2       2       0       82 MB           82 MB           0 MB
+5       1       1       82 MB           82 MB           0 MB
+10      4       3       83 MB           84 MB           0 MB
+20      5       3       84 MB           86 MB           1 MB
+50      10      7       88 MB           89 MB           1 MB
+100     18      9       92 MB           95 MB           3 MB

package/dist/SSHMimic/exec.js

@@ -1,4 +1,4 @@
-import { runCommand } from "../commands";
+import { makeDefaultEnv, runCommand } from "../commands";
 function toTtyLines(text) {
     return text
         .replace(/\r\n/g, "\n")
@@ -6,7 +6,7 @@ function toTtyLines(text) {
         .replace(/\n/g, "\r\n");
 }
 export function runExec(stream, cmd, authUser, hostname, shell) {
-    Promise.resolve(runCommand(cmd, authUser, hostname, "exec", `/home/${authUser}`, shell))
+    Promise.resolve(runCommand(cmd, authUser, hostname, "exec", `/home/${authUser}`, shell, undefined, makeDefaultEnv(authUser, hostname)))
         .then((result) => {
         if (result.stdout) {
             stream.write(`${toTtyLines(result.stdout)}\r\n`);

package/dist/SSHMimic/executor.d.ts

@@ -1,9 +1,8 @@
-import type { CommandMode, CommandResult } from "../types/commands";
-import type { Pipeline } from "../types/pipeline";
+import type { CommandMode, CommandResult, ShellEnv } from "../types/commands";
+import type { Pipeline, Script, Statement } from "../types/pipeline";
 import type { VirtualShell } from "../VirtualShell";
-/**
- * Execute a parsed pipeline, chaining commands and handling redirections.
- * Manages stdout/stderr flow between commands and file I/O.
- */
-export declare function executePipeline(pipeline: Pipeline, authUser: string, hostname: string, mode: CommandMode, cwd: string, shell: VirtualShell): Promise<CommandResult>;
+export declare function executeScript(script: Script, authUser: string, hostname: string, mode: CommandMode, cwd: string, shell: VirtualShell, env: ShellEnv): Promise<CommandResult>;
+/** Execute statements connected by &&/||/; */
+export declare function executeStatements(statements: Statement[], authUser: string, hostname: string, mode: CommandMode, cwd: string, shell: VirtualShell, env: ShellEnv): Promise<CommandResult>;
+export declare function executePipeline(pipeline: Pipeline, authUser: string, hostname: string, mode: CommandMode, cwd: string, shell: VirtualShell, env?: ShellEnv): Promise<CommandResult>;
 //# sourceMappingURL=executor.d.ts.map

package/dist/SSHMimic/executor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/SSHMimic/executor.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACpE,OAAO,KAAK,EAAE,QAAQ,EAAmB,MAAM,mBAAmB,CAAC;AACnE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD;;;GAGG;AACH,wBAAsB,eAAe,CACpC,QAAQ,EAAE,QAAQ,EAClB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,YAAY,GACjB,OAAO,CAAC,aAAa,CAAC,CA0BxB"}
+{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/SSHMimic/executor.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC9E,OAAO,KAAK,EAAE,QAAQ,EAAmB,MAAM,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AACtF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAIpD,wBAAsB,aAAa,CAClC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,YAAY,EACnB,GAAG,EAAE,QAAQ,GACX,OAAO,CAAC,aAAa,CAAC,CAiBxB;AAED,8CAA8C;AAC9C,wBAAsB,iBAAiB,CACtC,UAAU,EAAE,SAAS,EAAE,EACvB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,YAAY,EACnB,GAAG,EAAE,QAAQ,GACX,OAAO,CAAC,aAAa,CAAC,CA4BxB;AAID,wBAAsB,eAAe,CACpC,QAAQ,EAAE,QAAQ,EAClB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,YAAY,EACnB,GAAG,CAAC,EAAE,QAAQ,GACZ,OAAO,CAAC,aAAa,CAAC,CAiBxB"}

package/dist/SSHMimic/executor.js

@@ -1,25 +1,66 @@
 import { runCommand as runSingleCommand } from "../commands";
 import { resolvePath } from "../commands/helpers";
-/**
- * Execute a parsed pipeline, chaining commands and handling redirections.
- * Manages stdout/stderr flow between commands and file I/O.
- */
-export async function executePipeline(pipeline, authUser, hostname, mode, cwd, shell) {
-    if (pipeline.commands.length === 0) {
-        return { exitCode: 0 };
+// ── Script executor (handles &&/||/;) ────────────────────────────────────────
+export async function executeScript(script, authUser, hostname, mode, cwd, shell, env) {
+    if (!script.isValid)
+        return { stderr: script.error || "Syntax error", exitCode: 1 };
+    let lastResult = { exitCode: 0 };
+    for (const stmt of script.statements) {
+        // Decide whether to run this statement based on previous op
+        lastResult = await executePipeline(stmt.pipeline, authUser, hostname, mode, cwd, shell, env);
+        env.lastExitCode = lastResult.exitCode ?? 0;
+        // Propagate session-control signals
+        if (lastResult.closeSession || lastResult.switchUser || lastResult.nextCwd) {
+            break;
+        }
+    }
+    return lastResult;
+}
+/** Execute statements connected by &&/||/; */
+export async function executeStatements(statements, authUser, hostname, mode, cwd, shell, env) {
+    let last = { exitCode: 0 };
+    let i = 0;
+    while (i < statements.length) {
+        const stmt = statements[i];
+        last = await executePipeline(stmt.pipeline, authUser, hostname, mode, cwd, shell, env);
+        env.lastExitCode = last.exitCode ?? 0;
+        if (last.closeSession || last.switchUser)
+            return last;
+        const op = stmt.op;
+        if (!op || op === ";") {
+            // always run next
+        }
+        else if (op === "&&") {
+            if ((last.exitCode ?? 0) !== 0) {
+                // skip until next ; or end
+                while (i < statements.length && statements[i]?.op === "&&")
+                    i++;
+            }
+        }
+        else if (op === "||") {
+            if ((last.exitCode ?? 0) === 0) {
+                // skip until next ; or end
+                while (i < statements.length && statements[i]?.op === "||")
+                    i++;
+            }
+        }
+        i++;
     }
+    return last;
+}
+// ── Pipeline executor ─────────────────────────────────────────────────────────
+export async function executePipeline(pipeline, authUser, hostname, mode, cwd, shell, env) {
+    if (!pipeline.isValid)
+        return { stderr: pipeline.error || "Syntax error", exitCode: 1 };
+    if (pipeline.commands.length === 0)
+        return { exitCode: 0 };
+    const shellEnv = env ?? { vars: {}, lastExitCode: 0 };
     if (pipeline.commands.length === 1) {
-        // Single command with possible redirections
-        return executeSingleCommandWithRedirections(pipeline.commands[0], authUser, hostname, mode, cwd, shell);
+        return executeSingleCommandWithRedirections(pipeline.commands[0], authUser, hostname, mode, cwd, shell, shellEnv);
     }
-    // Multiple commands in a pipeline
-    return executePipelineChain(pipeline.commands, authUser, hostname, mode, cwd, shell);
+    return executePipelineChain(pipeline.commands, authUser, hostname, mode, cwd, shell, shellEnv);
 }
-/**
- * Execute a single command with input/output redirections
- */
-async function executeSingleCommandWithRedirections(cmd, authUser, hostname, mode, cwd, shell) {
-    // Prepare input if input file specified
+async function executeSingleCommandWithRedirections(cmd, authUser, hostname, mode, cwd, shell, env) {
     let stdin;
     if (cmd.inputFile) {
         const inputPath = resolvePath(cwd, cmd.inputFile);
@@ -27,29 +68,23 @@ async function executeSingleCommandWithRedirections(cmd, authUser, hostname, mod
             stdin = shell.vfs.readFile(inputPath);
         }
         catch {
-            return {
-                stderr: `cat: ${cmd.inputFile}: No such file or directory`,
-                exitCode: 1,
-            };
+            return { stderr: `${cmd.inputFile}: No such file or directory`, exitCode: 1 };
         }
     }
-    // Build raw input for the command
     const rawInput = [cmd.name, ...cmd.args].join(" ");
-    // Run the command with potential input
-    const result = await runSingleCommand(rawInput, authUser, hostname, mode, cwd, shell, stdin);
-    // Handle output redirection
+    const result = await runSingleCommand(rawInput, authUser, hostname, mode, cwd, shell, stdin, env);
     if (cmd.outputFile) {
         const outputPath = resolvePath(cwd, cmd.outputFile);
         const output = result.stdout || "";
         try {
             if (cmd.appendOutput) {
-                try {
-                    const existing = shell.vfs.readFile(outputPath);
-                    shell.writeFileAsUser(authUser, outputPath, existing + output);
+                const existing = (() => { try {
+                    return shell.vfs.readFile(outputPath);
                 }
                 catch {
-                    shell.writeFileAsUser(authUser, outputPath, output);
-                }
+                    return "";
+                } })();
+                shell.writeFileAsUser(authUser, outputPath, existing + output);
             }
             else {
                 shell.writeFileAsUser(authUser, outputPath, output);
@@ -57,55 +92,40 @@ async function executeSingleCommandWithRedirections(cmd, authUser, hostname, mod
             return { ...result, stdout: "" };
         }
         catch {
-            return {
-                ...result,
-                stderr: `Failed to write to ${cmd.outputFile}`,
-                exitCode: 1,
-            };
+            return { ...result, stderr: `Failed to write to ${cmd.outputFile}`, exitCode: 1 };
         }
     }
     return result;
 }
-/**
- * Execute a chain of commands connected by pipes
- */
-async function executePipelineChain(commands, authUser, hostname, mode, cwd, shell) {
+async function executePipelineChain(commands, authUser, hostname, mode, cwd, shell, env) {
     let currentOutput = "";
     let exitCode = 0;
     for (let i = 0; i < commands.length; i++) {
         const cmd = commands[i];
-        // Handle input file for first command
         if (i === 0 && cmd.inputFile) {
             const inputPath = resolvePath(cwd, cmd.inputFile);
             try {
                 currentOutput = shell.vfs.readFile(inputPath);
             }
             catch {
-                return {
-                    stderr: `cat: ${cmd.inputFile}: No such file or directory`,
-                    exitCode: 1,
-                };
+                return { stderr: `${cmd.inputFile}: No such file or directory`, exitCode: 1 };
             }
         }
-        // Build raw input
         const rawInput = [cmd.name, ...cmd.args].join(" ");
-        // Create a modified context that might accept stdin
-        // For now, we'll append input as an additional arg for commands that support it
-        const result = await runSingleCommand(rawInput, authUser, hostname, mode, cwd, shell, currentOutput);
+        const result = await runSingleCommand(rawInput, authUser, hostname, mode, cwd, shell, currentOutput, env);
         exitCode = result.exitCode ?? 0;
-        // Handle output redirection (only for last command)
         if (i === commands.length - 1 && cmd.outputFile) {
             const outputPath = resolvePath(cwd, cmd.outputFile);
             const output = result.stdout || "";
             try {
                 if (cmd.appendOutput) {
-                    try {
-                        const existing = shell.vfs.readFile(outputPath);
-                        shell.writeFileAsUser(authUser, outputPath, existing + output);
+                    const existing = (() => { try {
+                        return shell.vfs.readFile(outputPath);
                     }
                     catch {
-                        shell.writeFileAsUser(authUser, outputPath, output);
-                    }
+                        return "";
+                    } })();
+                    shell.writeFileAsUser(authUser, outputPath, existing + output);
                 }
                 else {
                     shell.writeFileAsUser(authUser, outputPath, output);
@@ -113,19 +133,16 @@ async function executePipelineChain(commands, authUser, hostname, mode, cwd, she
                 currentOutput = "";
             }
             catch {
-                return {
-                    stderr: `Failed to write to ${cmd.outputFile}`,
-                    exitCode: 1,
-                };
+                return { stderr: `Failed to write to ${cmd.outputFile}`, exitCode: 1 };
             }
         }
         else {
-            // Pass output to next command
             currentOutput = result.stdout || "";
         }
-        if (result.stderr && exitCode !== 0) {
+        if (result.stderr && exitCode !== 0)
             return { stderr: result.stderr, exitCode };
-        }
+        if (result.closeSession || result.switchUser)
+            return result;
     }
     return { stdout: currentOutput, exitCode };
 }

package/dist/SSHMimic/index.d.ts

@@ -5,19 +5,31 @@ declare class SshMimic extends EventEmitter {
     port: number;
     server: SshServer | null;
     private shell;
-    private shellHostname;
+    /** Max failed auth attempts before an IP is temporarily locked. */
+    private readonly maxAuthAttempts;
+    /** How long (ms) a locked IP must wait before retrying. */
+    private readonly lockoutDurationMs;
+    private readonly authAttempts;
     /**
      * Creates a new SSH mimic server instance.
      *
      * @param port TCP port to bind on localhost.
      * @param hostname Virtual hostname used for the SSH ident and default shell label.
      * @param shell Optional preconfigured virtual shell instance to reuse.
+     * @param maxAuthAttempts Max failed attempts per IP before lockout (default: 5).
+     * @param lockoutDurationMs Lockout window in ms after exceeding attempts (default: 60 000).
      */
-    constructor({ port, hostname, shell, }: {
+    constructor({ port, hostname, shell, maxAuthAttempts, lockoutDurationMs, }: {
         port: number;
         hostname?: string;
         shell?: VirtualShell;
+        maxAuthAttempts?: number;
+        lockoutDurationMs?: number;
     });
+    private isLockedOut;
+    private recordFailure;
+    private recordSuccess;
+    private ensureHomeDir;
     /**
      * Starts server and initializes virtual filesystem, users, and handlers.
      *
@@ -28,6 +40,11 @@ declare class SshMimic extends EventEmitter {
      * Stops server if running.
      */
     stop(): void;
+    /**
+     * Manually clears the rate-limit record for an IP address.
+     * Useful in tests or admin tooling.
+     */
+    clearLockout(ip: string): void;
 }
 export { SftpMimic } from "./sftp";
 export { SshMimic };

package/dist/SSHMimic/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/SSHMimic/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAc/C,cAAM,QAAS,SAAQ,YAAY;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,GAAG,IAAI,CAAC;IACzB,OAAO,CAAC,KAAK,CAAe;IAC5B,OAAO,CAAC,aAAa,CAAS;IAE9B;;;;;;OAMG;gBACS,EACX,IAAI,EACJ,QAA0B,EAC1B,KAAkC,GAClC,EAAE;QACF,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,YAAY,CAAC;KACrB;IASD;;;;OAIG;IACU,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;IAoJrC;;OAEG;IACI,IAAI,IAAI,IAAI;CASnB;AAED,OAAO,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACnC,OAAO,EAAE,QAAQ,EAAE,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/SSHMimic/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AA0B/C,cAAM,QAAS,SAAQ,YAAY;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,GAAG,IAAI,CAAC;IACzB,OAAO,CAAC,KAAK,CAAe;IAE5B,mEAAmE;IACnE,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IACzC,2DAA2D;IAC3D,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;IAC3C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqC;IAElE;;;;;;;;OAQG;gBACS,EACX,IAAI,EACJ,QAA0B,EAC1B,KAAkC,EAClC,eAAmB,EACnB,iBAA0B,GAC1B,EAAE;QACF,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,YAAY,CAAC;QACrB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC3B;IAYD,OAAO,CAAC,WAAW;IAUnB,OAAO,CAAC,aAAa;IAUrB,OAAO,CAAC,aAAa;IAMrB,OAAO,CAAC,aAAa;IAcrB;;;;OAIG;IACU,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;IA0JrC;;OAEG;IACI,IAAI,IAAI,IAAI;IAUnB;;;OAGG;IACI,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;CAGrC;AAED,OAAO,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACnC,OAAO,EAAE,QAAQ,EAAE,CAAC"}

package/dist/SSHMimic/index.js

@@ -10,28 +10,76 @@ import { loadOrCreateHostKey } from "./hostKey";
  * This class is exported as `VirtualSshServer` for public API compatibility.
  * Create an instance, call {@link SshMimic.start}, and stop it with
  * {@link SshMimic.stop} when your process exits.
+ *
+ * Features:
+ * - Password authentication
+ * - Public-key authentication
+ * - Per-IP rate limiting / lockout for brute-force protection
+ * - Interactive shell sessions
+ * - Non-interactive exec sessions
  */
 const perf = createPerfLogger("SshMimic");
 class SshMimic extends EventEmitter {
     port;
     server;
     shell;
-    shellHostname;
+    /** Max failed auth attempts before an IP is temporarily locked. */
+    maxAuthAttempts;
+    /** How long (ms) a locked IP must wait before retrying. */
+    lockoutDurationMs;
+    authAttempts = new Map();
     /**
      * Creates a new SSH mimic server instance.
      *
      * @param port TCP port to bind on localhost.
      * @param hostname Virtual hostname used for the SSH ident and default shell label.
      * @param shell Optional preconfigured virtual shell instance to reuse.
+     * @param maxAuthAttempts Max failed attempts per IP before lockout (default: 5).
+     * @param lockoutDurationMs Lockout window in ms after exceeding attempts (default: 60 000).
      */
-    constructor({ port, hostname = "typescript-vm", shell = new VirtualShell(hostname), }) {
+    constructor({ port, hostname = "typescript-vm", shell = new VirtualShell(hostname), maxAuthAttempts = 5, lockoutDurationMs = 60_000, }) {
         super();
         perf.mark("constructor");
         this.port = port;
-        this.shellHostname = hostname;
         this.server = null;
         this.shell = shell;
+        this.maxAuthAttempts = maxAuthAttempts;
+        this.lockoutDurationMs = lockoutDurationMs;
+    }
+    // ── Rate limiting ────────────────────────────────────────────────────────
+    isLockedOut(ip) {
+        const entry = this.authAttempts.get(ip);
+        if (!entry)
+            return false;
+        if (Date.now() < entry.lockedUntil)
+            return true;
+        if (entry.lockedUntil > 0) {
+            this.authAttempts.delete(ip);
+        }
+        return false;
+    }
+    recordFailure(ip) {
+        const entry = this.authAttempts.get(ip) ?? { attempts: 0, lockedUntil: 0 };
+        entry.attempts += 1;
+        if (entry.attempts >= this.maxAuthAttempts) {
+            entry.lockedUntil = Date.now() + this.lockoutDurationMs;
+            this.emit("auth:lockout", { ip, until: new Date(entry.lockedUntil) });
+        }
+        this.authAttempts.set(ip, entry);
+    }
+    recordSuccess(ip) {
+        this.authAttempts.delete(ip);
+    }
+    // ── Home directory bootstrap ─────────────────────────────────────────────
+    ensureHomeDir(authUser) {
+        const homePath = `/home/${authUser}`;
+        if (!this.shell.vfs.exists(homePath)) {
+            this.shell.vfs.mkdir(homePath, 0o755);
+            this.shell.vfs.writeFile(`${homePath}/README.txt`, `Welcome to ${this.shell.hostname}\n`);
+            void this.shell.vfs.flushMirror();
+        }
     }
+    // ── Server lifecycle ─────────────────────────────────────────────────────
     /**
      * Starts server and initializes virtual filesystem, users, and handlers.
      *
@@ -41,7 +89,6 @@ class SshMimic extends EventEmitter {
         perf.mark("start");
         const shell = this.shell;
         const privateKey = loadOrCreateHostKey();
-        // Ensure VirtualShell is fully initialized before accepting connections
         await shell.ensureInitialized();
         this.server = new SshServer({
             hostKeys: [privateKey],
@@ -52,47 +99,75 @@ class SshMimic extends EventEmitter {
             let sessionId = null;
             this.emit("client:connect");
             client.on("authentication", (ctx) => {
-                shell;
+                const candidateUser = ctx.username || "root";
+                remoteAddress = ctx.ip ?? remoteAddress;
+                // Rate-limit check
+                if (this.isLockedOut(remoteAddress)) {
+                    this.emit("auth:failure", { username: candidateUser, remoteAddress, reason: "lockout" });
+                    ctx.reject();
+                    return;
+                }
+                // ── Password auth ──────────────────────────────────────
                 if (ctx.method === "password") {
-                    const candidateUser = ctx.username || "root";
-                    remoteAddress = ctx.ip ?? remoteAddress;
                     if (!shell.users.hasPassword(candidateUser)) {
                         console.log(`User ${candidateUser} has no password set, allowing login without verification`);
                         authUser = candidateUser;
                         sessionId = shell.users.registerSession(authUser, remoteAddress).id;
+                        this.recordSuccess(remoteAddress);
                         this.emit("auth:success", { username: authUser, remoteAddress });
-                        const homePath = `/home/${authUser}`;
-                        if (!shell.vfs.exists(homePath)) {
-                            shell.vfs.mkdir(homePath, 0o755);
-                            shell.vfs.writeFile(`${homePath}/README.txt`, `Welcome to ${shell?.hostname ?? this.shellHostname}`);
-                            void shell.vfs.flushMirror();
-                        }
+                        this.ensureHomeDir(authUser);
                         ctx.accept();
                         return;
                     }
                     if (!ctx.password ||
                         ctx.password === "" ||
                         !shell.users.verifyPassword(candidateUser, ctx.password)) {
-                        this.emit("auth:failure", {
-                            username: candidateUser,
-                            remoteAddress,
-                        });
+                        this.recordFailure(remoteAddress);
+                        this.emit("auth:failure", { username: candidateUser, remoteAddress });
                         ctx.reject();
                         return;
                     }
                     authUser = candidateUser;
                     sessionId = shell.users.registerSession(authUser, remoteAddress).id;
+                    this.recordSuccess(remoteAddress);
                     this.emit("auth:success", { username: authUser, remoteAddress });
-                    const homePath = `/home/${authUser}`;
-                    if (!shell.vfs.exists(homePath)) {
-                        shell.vfs.mkdir(homePath, 0o755);
-                        shell.vfs.writeFile(`${homePath}/README.txt`, `Welcome to ${shell?.hostname ?? this.shellHostname}`);
-                        void shell.vfs.flushMirror();
-                    }
+                    this.ensureHomeDir(authUser);
                     ctx.accept();
                     return;
                 }
-                ctx.reject();
+                // ── Public-key auth ────────────────────────────────────
+                if (ctx.method === "publickey") {
+                    const authorizedKeys = shell.users.getAuthorizedKeys(candidateUser);
+                    if (authorizedKeys.length === 0) {
+                        // No keys configured — reject cleanly
+                        ctx.reject();
+                        return;
+                    }
+                    const incomingKey = ctx.key;
+                    const keyMatches = authorizedKeys.some((k) => k.algo === incomingKey.algo &&
+                        k.data.equals(incomingKey.data));
+                    if (!keyMatches) {
+                        this.recordFailure(remoteAddress);
+                        this.emit("auth:failure", { username: candidateUser, remoteAddress, method: "publickey" });
+                        ctx.reject();
+                        return;
+                    }
+                    // Key matched — if this is a signature check step, accept
+                    if (ctx.signature) {
+                        authUser = candidateUser;
+                        sessionId = shell.users.registerSession(authUser, remoteAddress).id;
+                        this.recordSuccess(remoteAddress);
+                        this.emit("auth:success", { username: authUser, remoteAddress, method: "publickey" });
+                        this.ensureHomeDir(authUser);
+                        ctx.accept();
+                    }
+                    else {
+                        // Key exists but no signature yet — ssh2 will call again with signature
+                        ctx.accept();
+                    }
+                    return;
+                }
+                ctx.reject(["password", "publickey"]);
             });
             client.on("close", () => {
                 shell.users.unregisterSession(sessionId);
@@ -146,6 +221,13 @@ class SshMimic extends EventEmitter {
             });
         }
     }
+    /**
+     * Manually clears the rate-limit record for an IP address.
+     * Useful in tests or admin tooling.
+     */
+    clearLockout(ip) {
+        this.authAttempts.delete(ip);
+    }
 }
 export { SftpMimic } from "./sftp";
 export { SshMimic };

package/dist/SSHMimic/sftp.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sftp.d.ts","sourceRoot":"","sources":["../../src/SSHMimic/sftp.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAI3C,OAAO,KAAK,iBAAiB,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AA4HhE,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,GAAG,CAAC,EAAE,iBAAiB,CAAC;IACxB,KAAK,CAAC,EAAE,kBAAkB,CAAC;CAC3B;AAED,qBAAa,SAAU,SAAQ,YAAY;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,GAAG,IAAI,CAAC;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsB;IAC5C,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAoB;IACxC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAqB;IAC3C,OAAO,CAAC,YAAY,CAAK;IACzB,OAAO,CAAC,OAAO,CAAiC;gBAEpC,EACX,IAAI,EACJ,QAA0B,EAC1B,KAAK,EACL,GAAG,EACH,KAAK,GACL,EAAE,gBAAgB;IAwBnB,OAAO,CAAC,MAAM;IAId,OAAO,CAAC,QAAQ;IAIH,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;IAyJ9B,IAAI,IAAI,IAAI;IAUnB;;;;OAIG;IACH,OAAO,CAAC,kBAAkB;IAiB1B;;;;;;OAMG;IACH,OAAO,CAAC,gBAAgB;IAkBxB,OAAO,CAAC,WAAW;IAcnB,OAAO,CAAC,UAAU;IAQlB,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAInB,OAAO,CAAC,kBAAkB;CA6a1B"}
+{"version":3,"file":"sftp.d.ts","sourceRoot":"","sources":["../../src/SSHMimic/sftp.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAI3C,OAAO,KAAK,iBAAiB,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AA4HhE,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,GAAG,CAAC,EAAE,iBAAiB,CAAC;IACxB,KAAK,CAAC,EAAE,kBAAkB,CAAC;CAC3B;AAED,qBAAa,SAAU,SAAQ,YAAY;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,GAAG,IAAI,CAAC;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsB;IAC5C,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAoB;IACxC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAqB;IAC3C,OAAO,CAAC,YAAY,CAAK;IACzB,OAAO,CAAC,OAAO,CAAiC;gBAEpC,EACX,IAAI,EACJ,QAA0B,EAC1B,KAAK,EACL,GAAG,EACH,KAAK,GACL,EAAE,gBAAgB;IAwBnB,OAAO,CAAC,MAAM;IAId,OAAO,CAAC,QAAQ;IAIH,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;IAwK9B,IAAI,IAAI,IAAI;IAUnB;;;;OAIG;IACH,OAAO,CAAC,kBAAkB;IAiB1B;;;;;;OAMG;IACH,OAAO,CAAC,gBAAgB;IAkBxB,OAAO,CAAC,WAAW;IAcnB,OAAO,CAAC,UAAU;IAQlB,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,WAAW;IAInB,OAAO,CAAC,kBAAkB;CA6a1B"}

package/dist/SSHMimic/sftp.js

@@ -110,6 +110,13 @@ export class SftpMimic extends EventEmitter {
                 remoteAddress = ctx.ip ?? remoteAddress;
                 console.log(`[SFTP] Auth attempt: user=${candidateUser}, method=${ctx.method}, ip=${remoteAddress}`);
                 if (ctx.method === "password") {
+                    // If no password is set for the user, allow login without verification
+                    if (!this.getUsers().hasPassword(candidateUser)) {
+                        acceptSession(candidateUser);
+                        this.emit("auth:success", { username: authUser, remoteAddress });
+                        ctx.accept();
+                        return;
+                    }
                     if (!this.getUsers().verifyPassword(candidateUser, ctx.password ?? "")) {
                         this.emit("auth:failure", {
                             username: candidateUser,
@@ -125,6 +132,13 @@ export class SftpMimic extends EventEmitter {
                 }
                 if (ctx.method === "keyboard-interactive") {
                     const keyboardCtx = ctx;
+                    // If no password is set, accept immediately
+                    if (!this.getUsers().hasPassword(candidateUser)) {
+                        acceptSession(candidateUser);
+                        this.emit("auth:success", { username: authUser, remoteAddress });
+                        keyboardCtx.accept();
+                        return;
+                    }
                     keyboardCtx.prompt([{ prompt: "Password: ", echo: false }], (answers) => {
                         const password = answers[0] ?? "";
                         if (!this.getUsers().verifyPassword(candidateUser, password)) {