import { WebSocketServer, WebSocket, type RawData } from "ws"; import { Client, type ClientChannel, type PseudoTtyOptions, BaseAgent, utils as ssh2Utils, type ParsedKey, type SignCallback, type SigningRequestOptions, type IdentityCallback, } from "ssh2"; import net from "net"; import dgram from "dgram"; import { SSH_ALGORITHMS } from "../utils/ssh-algorithms.js"; import axios from "axios"; import { getDb } from "../database/db/index.js"; import { sshCredentials, hosts } from "../database/db/schema.js"; import { eq, and } from "drizzle-orm"; import { sshLogger, authLogger } from "../utils/logger.js"; import { SimpleDBOps } from "../utils/simple-db-ops.js"; import { AuthManager } from "../utils/auth-manager.js"; import { UserCrypto } from "../utils/user-crypto.js"; import { createSocks5Connection, type SOCKS5Config, } from "../utils/socks5-helper.js"; import { SSHAuthManager } from "./auth-manager.js"; import type { ProxyNode } from "../../types/index.js"; import { SSHHostKeyVerifier } from "./host-key-verifier.js"; import { sessionManager } from "./terminal-session-manager.js"; import { detectTmux, attachOrCreateTmuxSession, queryNewestTmuxSession, } from "./tmux-helper.js"; class MemoryAgent extends BaseAgent { private key: ParsedKey; constructor(key: ParsedKey) { super(); this.key = key; } getIdentities(cb: IdentityCallback): void { cb(null, [this.key]); } sign( pubKey: ParsedKey | Buffer | string, data: Buffer, optionsOrCb: SigningRequestOptions | SignCallback, cb?: SignCallback, ): void { const callback = typeof optionsOrCb === "function" ? optionsOrCb : cb!; const options = typeof optionsOrCb === "function" ? {} : optionsOrCb; try { const algo = options.hash === "sha256" ? "rsa-sha2-256" : options.hash === "sha512" ? "rsa-sha2-512" : undefined; const signature = this.key.sign(data, algo); callback(null, signature); } catch (err) { callback(err instanceof Error ? err : new Error(String(err))); } } } async function performPortKnocking( host: string, sequence: Array<{ port: number; protocol?: string; delay?: number }>, ): Promise { for (const knock of sequence) { const protocol = knock.protocol || "tcp"; const delay = knock.delay ?? 100; await new Promise((resolve) => { if (protocol === "udp") { const client = dgram.createSocket("udp4"); client.send(Buffer.alloc(0), knock.port, host, () => { client.close(); resolve(); }); } else { const socket = new net.Socket(); socket.once("connect", () => { socket.destroy(); resolve(); }); socket.once("error", () => { socket.destroy(); resolve(); }); socket.connect(knock.port, host); } }); if (delay > 0) { await new Promise((r) => setTimeout(r, delay)); } } } interface ConnectToHostData { cols: number; rows: number; hostConfig: { id: number; instanceId?: string; ip: string; port: number; username: string; password?: string; key?: string; keyPassword?: string; keyType?: string; authType?: string; credentialId?: number; userId?: string; forceKeyboardInteractive?: boolean; jumpHosts?: Array<{ hostId: number }>; useSocks5?: boolean; socks5Host?: string; socks5Port?: number; socks5Username?: string; socks5Password?: string; socks5ProxyChain?: unknown; portKnockSequence?: Array<{ port: number; protocol?: "tcp" | "udp"; delay?: number; }>; terminalConfig?: { keepaliveInterval?: number; keepaliveCountMax?: number; [key: string]: unknown; }; }; initialPath?: string; executeCommand?: string; } interface ResizeData { cols: number; rows: number; } interface TOTPResponseData { code?: string; } interface WebSocketMessage { type: string; data?: ConnectToHostData | ResizeData | TOTPResponseData | string | unknown; code?: string; [key: string]: unknown; } const authManager = AuthManager.getInstance(); const userCrypto = UserCrypto.getInstance(); const userConnections = new Map>(); interface JumpHostConfig { id: number; ip: string; port: number; username: string; password?: string; key?: string; keyPassword?: string; keyType?: string; authType?: string; credentialId?: number; [key: string]: unknown; } async function resolveJumpHost( hostId: number, userId: string, ): Promise { sshLogger.info("Resolving jump host", { operation: "terminal_jumphost_resolve", userId, hostId, }); try { const hostResults = await SimpleDBOps.select( getDb() .select() .from(hosts) .where(eq(hosts.id, hostId)), "ssh_data", userId, ); if (hostResults.length === 0) { return null; } const host = hostResults[0]; const ownerId = (host.userId || userId) as string; if (host.credentialId) { if (userId !== ownerId) { try { const { SharedCredentialManager } = await import("../utils/shared-credential-manager.js"); const sharedCredManager = SharedCredentialManager.getInstance(); const sharedCred = await sharedCredManager.getSharedCredentialForUser(hostId, userId); if (sharedCred) { return { ...host, password: sharedCred.password, key: sharedCred.key, keyPassword: sharedCred.keyPassword, keyType: sharedCred.keyType, authType: sharedCred.key ? "key" : sharedCred.password ? "password" : "none", } as JumpHostConfig; } } catch { // fall through to owner credential lookup } } const credentials = await SimpleDBOps.select( getDb() .select() .from(sshCredentials) .where( and( eq(sshCredentials.id, host.credentialId as number), eq(sshCredentials.userId, ownerId), ), ), "ssh_credentials", ownerId, ); if (credentials.length > 0) { const credential = credentials[0]; return { ...host, password: credential.password as string | undefined, key: credential.privateKey as string | undefined, keyPassword: credential.keyPassword as string | undefined, keyType: credential.keyType as string | undefined, authType: credential.authType as string | undefined, } as JumpHostConfig; } } return host as JumpHostConfig; } catch (error) { sshLogger.error("Failed to resolve jump host", error, { operation: "resolve_jump_host", hostId, userId, }); return null; } } async function createJumpHostChain( jumpHosts: Array<{ hostId: number }>, userId: string, socks5Config?: SOCKS5Config | null, ): Promise { if (!jumpHosts || jumpHosts.length === 0) { return null; } let currentClient: Client | null = null; const clients: Client[] = []; try { const jumpHostConfigs = await Promise.all( jumpHosts.map((jh) => resolveJumpHost(jh.hostId, userId)), ); const totalHops = jumpHostConfigs.length; for (let i = 0; i < jumpHostConfigs.length; i++) { if (!jumpHostConfigs[i]) { sshLogger.error(`Jump host ${i + 1} not found`, undefined, { operation: "jump_host_chain", hostId: jumpHosts[i].hostId, hopIndex: i, totalHops, }); clients.forEach((c) => c.end()); return null; } } let proxySocket: import("net").Socket | null = null; if (socks5Config?.useSocks5) { const firstHop = jumpHostConfigs[0]; proxySocket = await createSocks5Connection( firstHop.ip, firstHop.port || 22, socks5Config, ); } for (let i = 0; i < jumpHostConfigs.length; i++) { const jumpHostConfig = jumpHostConfigs[i]; const jumpClient = new Client(); clients.push(jumpClient); const jumpHostVerifier = await SSHHostKeyVerifier.createHostVerifier( jumpHostConfig.id, jumpHostConfig.ip, jumpHostConfig.port || 22, null, userId, true, ); const connected = await new Promise((resolve) => { const timeout = setTimeout(() => { resolve(false); }, 30000); jumpClient.on("ready", () => { clearTimeout(timeout); sshLogger.success("Jump host connection established", { operation: "terminal_jumphost_connected", userId, hostId: jumpHostConfig.id, ip: jumpHostConfig.ip, depth: i, hopIndex: i, totalHops, usedProxySocket: i === 0 && !!proxySocket, }); resolve(true); }); jumpClient.on("error", (err) => { clearTimeout(timeout); sshLogger.error( `Jump host ${i + 1}/${totalHops} connection failed`, err, { operation: "jump_host_connect", hostId: jumpHostConfig.id, ip: jumpHostConfig.ip, hopIndex: i, totalHops, previousHop: i > 0 ? jumpHostConfigs[i - 1]?.ip : proxySocket ? "proxy" : "direct", usedProxySocket: i === 0 && !!proxySocket, }, ); resolve(false); }); const connectConfig: Record = { host: jumpHostConfig.ip?.replace(/^\[|\]$/g, "") || jumpHostConfig.ip, port: jumpHostConfig.port || 22, username: jumpHostConfig.username, tryKeyboard: jumpHostConfig.authType !== "none", readyTimeout: 30000, hostVerifier: jumpHostVerifier, }; if (jumpHostConfig.authType === "password" && jumpHostConfig.password) { connectConfig.password = jumpHostConfig.password; } else if (jumpHostConfig.authType === "key" && jumpHostConfig.key) { const cleanKey = jumpHostConfig.key .trim() .replace(/\r\n/g, "\n") .replace(/\r/g, "\n"); connectConfig.privateKey = Buffer.from(cleanKey, "utf8"); if (jumpHostConfig.keyPassword) { connectConfig.passphrase = jumpHostConfig.keyPassword; } } if (currentClient) { currentClient.forwardOut( "127.0.0.1", 0, jumpHostConfig.ip, jumpHostConfig.port || 22, (err, stream) => { if (err) { clearTimeout(timeout); resolve(false); return; } connectConfig.sock = stream; jumpClient.connect(connectConfig); }, ); } else if (proxySocket) { connectConfig.sock = proxySocket; jumpClient.connect(connectConfig); } else { jumpClient.connect(connectConfig); } }); if (!connected) { clients.forEach((c) => c.end()); return null; } currentClient = jumpClient; } return currentClient; } catch (error) { sshLogger.error("Failed to create jump host chain", error, { operation: "jump_host_chain", }); clients.forEach((c) => c.end()); return null; } } const wss = new WebSocketServer({ port: 30002, verifyClient: async (info) => { try { let token: string | undefined; const cookieHeader = info.req.headers.cookie; if (cookieHeader) { const match = cookieHeader.match(/(?:^|;\s*)jwt=([^;]+)/); if (match) token = decodeURIComponent(match[1]); } if (!token) { const authHeader = info.req.headers.authorization; if (authHeader?.startsWith("Bearer ")) { token = authHeader.slice("Bearer ".length); } } if (!token) { return false; } const payload = await authManager.verifyJWTToken(token); if (!payload) { return false; } if (payload.pendingTOTP) { return false; } const existingConnections = userConnections.get(payload.userId); if (existingConnections && existingConnections.size >= 10) { return false; } return true; } catch (error) { sshLogger.error("WebSocket authentication error", error, { operation: "websocket_auth_error", ip: info.req.socket.remoteAddress, }); return false; } }, }); wss.on("connection", async (ws: WebSocket, req) => { let userId: string | undefined; let sessionId: string | undefined; try { let token: string | undefined; const cookieHeader = req.headers.cookie; if (cookieHeader) { const match = cookieHeader.match(/(?:^|;\s*)jwt=([^;]+)/); if (match) token = decodeURIComponent(match[1]); } if (!token) { const authHeader = req.headers.authorization; if (authHeader?.startsWith("Bearer ")) { token = authHeader.slice("Bearer ".length); } } if (!token) { ws.close(1008, "Authentication required"); return; } const payload = await authManager.verifyJWTToken(token); if (!payload) { ws.close(1008, "Authentication required"); return; } userId = payload.userId; sessionId = payload.sessionId; } catch (error) { sshLogger.error( "WebSocket JWT verification failed during connection", error, { operation: "websocket_connection_auth_error", ip: req.socket.remoteAddress, }, ); ws.close(1008, "Authentication required"); return; } const dataKey = userCrypto.getUserDataKey(userId); if (!dataKey) { ws.send( JSON.stringify({ type: "error", message: "Data locked - re-authenticate with password", code: "DATA_LOCKED", }), ); ws.close(1008, "Data access required"); return; } if (!userConnections.has(userId)) { userConnections.set(userId, new Set()); } const userWs = userConnections.get(userId)!; userWs.add(ws); sshLogger.info("Terminal WebSocket connection established", { operation: "terminal_ws_connect", sessionId, userId, }); let currentSessionId: string | null = null; let sshConn: Client | null = null; let sshStream: ClientChannel | null = null; let lastJumpClient: Client | null = null; let keyboardInteractiveFinish: ((responses: string[]) => void) | null = null; let totpPromptSent = false; let totpTimeout: NodeJS.Timeout | null = null; let isKeyboardInteractive = false; let keyboardInteractiveResponded = false; let isConnecting = false; let isConnected = false; let isCleaningUp = false; let cwdPending = false; let cwdBuffer = ""; let isShellInitializing = false; let warpgateAuthPromptSent = false; let warpgateAuthTimeout: NodeJS.Timeout | null = null; let isAwaitingAuthCredentials = false; let wsAlive = true; ws.on("pong", () => { wsAlive = true; }); const wsPingInterval = setInterval(() => { if (ws.readyState === WebSocket.OPEN) { if (!wsAlive) { sshLogger.warn( "WebSocket pong timeout - terminating zombie connection", { operation: "ws_pong_timeout", userId, sessionId: currentSessionId, }, ); ws.terminate(); return; } wsAlive = false; ws.ping(); } }, 30000); ws.on("close", () => { clearInterval(wsPingInterval); sshLogger.info("Terminal WebSocket disconnected", { operation: "terminal_ws_disconnect", sessionId, userId, }); const userWs = userConnections.get(userId); if (userWs) { userWs.delete(ws); if (userWs.size === 0) { userConnections.delete(userId); } } if (currentSessionId) { const session = sessionManager.getSession(currentSessionId); if (session?.isConnected) { sessionManager.detachWs(currentSessionId); } else { sessionManager.destroySession(currentSessionId); currentSessionId = null; } } cleanupAuthState(); }); function resetConnectionState() { isConnecting = false; isConnected = false; isKeyboardInteractive = false; keyboardInteractiveResponded = false; keyboardInteractiveFinish = null; totpPromptSent = false; warpgateAuthPromptSent = false; } ws.on("message", async (msg: RawData) => { const currentDataKey = userCrypto.getUserDataKey(userId); if (!currentDataKey) { ws.send( JSON.stringify({ type: "error", message: "Data access expired - please re-authenticate", code: "DATA_EXPIRED", }), ); ws.close(1008, "Data access expired"); return; } let parsed: WebSocketMessage; try { parsed = JSON.parse(msg.toString()) as WebSocketMessage; } catch (e) { sshLogger.error("Invalid JSON received", e, { operation: "websocket_message_invalid_json", userId, messageLength: msg.toString().length, }); ws.send(JSON.stringify({ type: "error", message: "Invalid JSON" })); return; } const { type, data } = parsed; switch (type) { case "connectToHost": { const connectData = data as ConnectToHostData; if (connectData.hostConfig) { connectData.hostConfig.userId = userId; } handleConnectToHost(connectData).catch((error) => { const errMsg = error instanceof Error ? error.message : "Unknown error"; if ( errMsg.includes("Cannot parse privateKey") && errMsg.includes("no passphrase") ) { isAwaitingAuthCredentials = true; ws.send( JSON.stringify({ type: "passphrase_required", message: "The SSH key is encrypted. Please enter the passphrase to unlock it.", }), ); return; } sshLogger.error("Failed to connect to host", error, { operation: "ssh_connect", userId, hostId: connectData.hostConfig?.id, ip: connectData.hostConfig?.ip, }); ws.send( JSON.stringify({ type: "error", message: "Failed to connect to host: " + errMsg, }), ); }); break; } case "attachSession": { const attachData = data as { sessionId: string; cols: number; rows: number; tabInstanceId?: string; }; sshLogger.info("Attempting to attach session", { operation: "terminal_attach_session", sessionId: attachData.sessionId, tabInstanceId: attachData.tabInstanceId, userId, requestedCols: attachData.cols, requestedRows: attachData.rows, }); const session = sessionManager.attachWs( attachData.sessionId, userId, ws, attachData.tabInstanceId, ); if (session) { sshLogger.success("Session attached successfully", { operation: "terminal_attach_success", sessionId: attachData.sessionId, sessionCreatedAt: session.createdAt, wasDetached: !!session.lastDetachedAt, detachedDuration: session.lastDetachedAt ? Date.now() - session.lastDetachedAt : 0, }); currentSessionId = attachData.sessionId; sshStream = session.sshStream; sshConn = session.sshConn; isConnecting = false; isConnected = true; const buffered = sessionManager.getBuffer(session); if (buffered) { ws.send(JSON.stringify({ type: "data", data: buffered })); } if ( attachData.cols !== session.cols || attachData.rows !== session.rows ) { session.sshStream?.setWindow( attachData.rows, attachData.cols, attachData.rows, attachData.cols, ); session.cols = attachData.cols; session.rows = attachData.rows; } ws.send( JSON.stringify({ type: "sessionAttached", sessionId: attachData.sessionId, }), ); ws.send( JSON.stringify({ type: "connected", message: "Session reattached", }), ); } else { sshLogger.warn( "Session attachment failed - will create new connection", { operation: "terminal_attach_failed", sessionId: attachData.sessionId, tabInstanceId: attachData.tabInstanceId, userId, reason: "session_not_found_or_invalid", }, ); ws.send( JSON.stringify({ type: "sessionExpired", sessionId: attachData.sessionId, }), ); } break; } case "listSessions": { const sessions = sessionManager.getUserSessions(userId); ws.send( JSON.stringify({ type: "sessionList", sessions: sessions.map((s) => ({ id: s.id, hostId: s.hostId, hostName: s.hostName, createdAt: s.createdAt, lastDetachedAt: s.lastDetachedAt, tmuxSessionName: s.tmuxSessionName, })), }), ); break; } case "resize": { const resizeData = data as ResizeData; handleResize(resizeData); break; } case "disconnect": if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(); sshConn = null; sshStream = null; break; case "get_cwd": { const activeStream = sessionManager.getSession(currentSessionId)?.sshStream ?? sshStream; if (!activeStream) { ws.send(JSON.stringify({ type: "cwd", path: "/" })); break; } cwdPending = true; cwdBuffer = ""; // Split the sentinel across shell variables so the echoed command // itself never contains "TERMIX_CWD:" — only the output line does. activeStream.write('a=TERMIX_CWD; echo "$a:$(pwd)"\r'); break; } case "input": { const inputData = data as string; const inputStream = sessionManager.getSession(currentSessionId)?.sshStream ?? sshStream; if (inputStream) { if (inputData === "\t") { inputStream.write(inputData); } else if ( typeof inputData === "string" && inputData.startsWith("\x1b") ) { inputStream.write(inputData); } else { try { inputStream.write(Buffer.from(inputData, "utf8")); } catch (error) { sshLogger.error("Error writing input to SSH stream", error, { operation: "ssh_input_encoding", userId, dataLength: inputData.length, }); inputStream.write(Buffer.from(inputData, "latin1")); } } } break; } case "ping": ws.send(JSON.stringify({ type: "pong" })); break; case "tmux_attach": { const tmuxData = data as { sessionName: string }; const session = currentSessionId ? sessionManager.getSession(currentSessionId) : null; if (session?.sshStream) { const existingName = tmuxData.sessionName || undefined; attachOrCreateTmuxSession(session.sshStream, existingName); if (existingName) { session.tmuxSessionName = existingName; sshLogger.info("User selected tmux session to attach", { operation: "tmux_user_attach", sessionName: existingName, hostId: session.hostId, }); ws.send( JSON.stringify({ type: "tmux_session_attached", sessionName: existingName, }), ); } else { // New session from picker -- query name after startup const sshConn = session.sshConn; setTimeout(async () => { const sessionName = sshConn ? await queryNewestTmuxSession(sshConn) : null; session.tmuxSessionName = sessionName; sshLogger.info("User requested new tmux session", { operation: "tmux_user_create", sessionName, hostId: session.hostId, }); ws.send( JSON.stringify({ type: "tmux_session_created", sessionName, }), ); }, 500); } } break; } case "totp_response": { const totpData = data as TOTPResponseData; if (keyboardInteractiveFinish && totpData?.code) { if (totpTimeout) { clearTimeout(totpTimeout); totpTimeout = null; } const totpCode = totpData.code; keyboardInteractiveFinish([totpCode]); keyboardInteractiveFinish = null; totpPromptSent = false; } else { sshLogger.warn("TOTP response received but no callback available", { operation: "totp_response_error", userId, hasCallback: !!keyboardInteractiveFinish, hasCode: !!totpData?.code, }); ws.send( JSON.stringify({ type: "error", message: "TOTP authentication state lost. Please reconnect.", }), ); } break; } case "password_response": { const passwordData = data as TOTPResponseData; if (keyboardInteractiveFinish && passwordData?.code) { if (totpTimeout) { clearTimeout(totpTimeout); totpTimeout = null; } const password = passwordData.code; keyboardInteractiveFinish([password]); keyboardInteractiveFinish = null; } else { sshLogger.warn( "Password response received but no callback available", { operation: "password_response_error", userId, hasCallback: !!keyboardInteractiveFinish, hasCode: !!passwordData?.code, }, ); ws.send( JSON.stringify({ type: "error", message: "Password authentication state lost. Please reconnect.", }), ); } break; } case "warpgate_auth_continue": { if (keyboardInteractiveFinish) { if (warpgateAuthTimeout) { clearTimeout(warpgateAuthTimeout); warpgateAuthTimeout = null; } keyboardInteractiveFinish([""]); keyboardInteractiveFinish = null; warpgateAuthPromptSent = false; } break; } case "reconnect_with_credentials": { const credentialsData = data as { cols: number; rows: number; hostConfig: ConnectToHostData["hostConfig"]; password?: string; sshKey?: string; keyPassword?: string; }; if (credentialsData.password) { credentialsData.hostConfig.password = credentialsData.password; credentialsData.hostConfig.authType = "password"; ( credentialsData.hostConfig as Record ).userProvidedPassword = true; } else if (credentialsData.sshKey) { credentialsData.hostConfig.key = credentialsData.sshKey; credentialsData.hostConfig.keyPassword = credentialsData.keyPassword; credentialsData.hostConfig.authType = "key"; } else if (credentialsData.keyPassword) { credentialsData.hostConfig.keyPassword = credentialsData.keyPassword; } isAwaitingAuthCredentials = false; if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(); sshConn = null; sshStream = null; const reconnectData: ConnectToHostData = { cols: credentialsData.cols, rows: credentialsData.rows, hostConfig: credentialsData.hostConfig, }; handleConnectToHost(reconnectData).catch((error) => { const errMsg = error instanceof Error ? error.message : "Unknown error"; if ( errMsg.includes("Cannot parse privateKey") && errMsg.includes("no passphrase") ) { isAwaitingAuthCredentials = true; ws.send( JSON.stringify({ type: "passphrase_required", message: "The SSH key is encrypted. Please enter the passphrase to unlock it.", }), ); return; } sshLogger.error("Failed to reconnect with credentials", error, { operation: "ssh_reconnect_with_credentials", userId, hostId: credentialsData.hostConfig?.id, ip: credentialsData.hostConfig?.ip, }); ws.send( JSON.stringify({ type: "error", message: "Failed to connect with provided credentials: " + errMsg, }), ); }); break; } case "opkssh_start_auth": { const opksshData = data as { hostId: number }; try { const { startOPKSSHAuth } = await import("./opkssh-auth.js"); const { getRequestOrigin } = await import("../utils/request-origin.js"); const db = getDb(); const hostRow = await db .select() .from(hosts) .where(eq(hosts.id, opksshData.hostId)) .limit(1); if (!hostRow || hostRow.length === 0) { sshLogger.error( `Host ${opksshData.hostId} not found for OPKSSH auth`, { operation: "opkssh_start_auth_host_not_found", userId, hostId: opksshData.hostId, }, ); ws.send( JSON.stringify({ type: "opkssh_error", requestId: "", error: "Host not found", }), ); break; } const hostname = hostRow[0].name || hostRow[0].ip; const requestOrigin = getRequestOrigin(req); await startOPKSSHAuth( userId, opksshData.hostId, hostname, ws, requestOrigin, ); } catch (error) { sshLogger.error("Failed to start OPKSSH auth", error, { operation: "opkssh_start_auth_error", userId, hostId: opksshData.hostId, }); ws.send( JSON.stringify({ type: "opkssh_error", requestId: "", error: "Failed to start OPKSSH authentication", }), ); } break; } case "opkssh_cancel": { const cancelData = data as { requestId: string }; try { const { cancelAuthSession } = await import("./opkssh-auth.js"); cancelAuthSession(cancelData.requestId); resetConnectionState(); } catch (error) { sshLogger.error("Failed to cancel OPKSSH auth", error, { operation: "opkssh_cancel_error", userId, }); } break; } case "opkssh_browser_opened": { break; } case "opkssh_auth_completed": { const completedData = data as { hostId: number; cols?: number; rows?: number; hostConfig?: ConnectToHostData["hostConfig"]; }; resetConnectionState(); const reconnectConfig: ConnectToHostData = { cols: completedData.cols || 80, rows: completedData.rows || 24, hostConfig: completedData.hostConfig || ({ id: completedData.hostId, ip: "", port: 22, username: "", userId, } as ConnectToHostData["hostConfig"]), }; handleConnectToHost(reconnectConfig).catch((error) => { sshLogger.error("Failed to reconnect after OPKSSH auth", error, { operation: "opkssh_reconnect_error", userId, hostId: completedData.hostId, }); ws.send( JSON.stringify({ type: "error", message: "Failed to connect after authentication: " + (error instanceof Error ? error.message : "Unknown error"), }), ); }); break; } default: sshLogger.warn("Unknown message type received", { operation: "websocket_message_unknown_type", userId, messageType: type, }); } }); async function handleConnectToHost(data: ConnectToHostData) { const { hostConfig, initialPath, executeCommand } = data; const { id, ip: rawIp, port, username, password, key, keyPassword, keyType, authType, credentialId, } = hostConfig; const ip = rawIp?.replace(/^\[|\]$/g, "").trim() || rawIp; sshLogger.info("Resolving SSH host configuration", { operation: "terminal_host_resolve", sessionId, userId, hostId: id, }); const sendLog = ( stage: string, level: string, message: string, details?: Record, ) => { ws.send( JSON.stringify({ type: "connection_log", data: { stage, level, message, details }, }), ); }; if (!username || typeof username !== "string" || username.trim() === "") { sshLogger.error("Invalid username provided", undefined, { operation: "ssh_connect", hostId: id, ip, }); ws.send( JSON.stringify({ type: "error", message: "Invalid username provided" }), ); return; } if (!ip || typeof ip !== "string" || ip.trim() === "") { sshLogger.error("Invalid IP provided", undefined, { operation: "ssh_connect", hostId: id, username, }); ws.send( JSON.stringify({ type: "error", message: "Invalid IP provided" }), ); return; } if (!port || typeof port !== "number" || port <= 0) { sshLogger.error("Invalid port provided", undefined, { operation: "ssh_connect", hostId: id, ip, username, port, }); ws.send( JSON.stringify({ type: "error", message: "Invalid port provided" }), ); return; } if (isConnecting || isConnected) { sshLogger.warn("Connection already in progress or established", { operation: "ssh_connect", hostId: id, isConnecting, isConnected, }); ws.send( JSON.stringify({ type: "error", message: "Connection already in progress", code: "DUPLICATE_CONNECTION", }), ); return; } isConnecting = true; sshConn = new Client(); sendLog("dns", "info", `Starting address resolution of ${ip}`); sendLog("tcp", "info", `Connecting to ${ip} port ${port}`); const connectionTimeout = setTimeout(() => { if (sshConn && isConnecting && !isConnected) { sshLogger.error("SSH connection timeout", undefined, { operation: "ssh_connect", hostId: id, ip, port, username, }); ws.send( JSON.stringify({ type: "error", message: "SSH connection timeout" }), ); if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); } }, 120000); // Resolve credentials server-side when frontend doesn't provide them let resolvedCredentials = { username, password, key, keyPassword, keyType, authType, }; const authMethodNotAvailable = false; if (id && userId && !password && !key) { try { const { resolveHostById } = await import("./host-resolver.js"); const resolvedHost = await resolveHostById(id, userId); if (resolvedHost) { resolvedCredentials = { username: resolvedHost.username || username, password: resolvedHost.password, key: resolvedHost.key, keyPassword: keyPassword || resolvedHost.keyPassword, keyType: resolvedHost.keyType, authType: resolvedHost.authType, }; sendLog( "auth", "info", "Credentials resolved from server-side host data", ); } } catch (error) { sshLogger.warn(`Failed to resolve host credentials for ${id}`, { operation: "ssh_credentials", hostId: id, error: error instanceof Error ? error.message : "Unknown error", }); } } else if (credentialId && id && userId) { try { const { resolveHostById } = await import("./host-resolver.js"); const resolvedHost = await resolveHostById(id, userId); if (resolvedHost) { resolvedCredentials = { username: resolvedHost.username || username, password: resolvedHost.password, key: resolvedHost.key, // Preserve user-supplied keyPassword (e.g. from passphrase dialog) over the empty DB value keyPassword: keyPassword || resolvedHost.keyPassword, keyType: resolvedHost.keyType, authType: resolvedHost.authType, }; } } catch (error) { sshLogger.warn(`Failed to resolve credentials for host ${id}`, { operation: "ssh_credentials", hostId: id, credentialId, error: error instanceof Error ? error.message : "Unknown error", }); } } sshConn.on("ready", () => { clearTimeout(connectionTimeout); sshLogger.success("SSH connection established", { operation: "terminal_ssh_connected", sessionId, userId, hostId: id, ip, }); if (totpPromptSent) { authLogger.success("TOTP verification successful for SSH session", { operation: "terminal_totp_success", sessionId, userId, hostId: id, }); } sendLog("handshake", "success", "SSH handshake completed"); sendLog("auth", "success", `Authentication successful for ${username}`); sendLog("connected", "success", "Connection established"); const hostDisplayName = `${username}@${ip}:${port}`; const tabInstanceId = hostConfig.instanceId; currentSessionId = sessionManager.createSession( userId, id, hostDisplayName, data.cols, data.rows, tabInstanceId, ); sshLogger.info("Terminal session created after SSH ready", { operation: "terminal_session_created", sessionId: currentSessionId, userId, hostId: id, tabInstanceId, ip, port, }); const conn = sshConn; if (!conn || isCleaningUp || !sshConn) { sshLogger.warn( "SSH connection was cleaned up before shell could be created", { operation: "ssh_shell", hostId: id, ip, port, username, isCleaningUp, connNull: !conn, sshConnNull: !sshConn, }, ); ws.send( JSON.stringify({ type: "error", message: "SSH connection was closed before terminal could be created", }), ); if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); return; } isShellInitializing = true; isConnecting = false; isConnected = true; if (!sshConn) { sshLogger.error( "SSH connection became null right before shell creation", { operation: "ssh_shell", hostId: id, }, ); ws.send( JSON.stringify({ type: "error", message: "SSH connection lost during setup", }), ); isShellInitializing = false; if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); return; } sshLogger.info("Creating shell", { operation: "ssh_shell_start", hostId: id, ip, port, username, }); let shellCallbackReceived = false; const shellTimeout = setTimeout(() => { if (!shellCallbackReceived && isShellInitializing) { sshLogger.error("Shell creation timeout - no response from server", { operation: "ssh_shell_timeout", hostId: id, ip, port, username, }); isShellInitializing = false; ws.send( JSON.stringify({ type: "error", message: "Shell creation timeout. The server may not support interactive shells or the connection was interrupted.", }), ); if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); } }, 15000); conn.shell( { rows: data.rows, cols: data.cols, term: "xterm-256color", } as PseudoTtyOptions, (err, stream) => { shellCallbackReceived = true; clearTimeout(shellTimeout); isShellInitializing = false; if (err) { sshLogger.error("Shell error", err, { operation: "ssh_shell", hostId: id, ip, port, username, }); ws.send( JSON.stringify({ type: "error", message: "Shell error: " + err.message, }), ); if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); return; } sshStream = stream; sshLogger.success("Terminal shell channel opened", { operation: "terminal_shell_opened", sessionId, userId, hostId: id, termType: "xterm-256color", }); if (currentSessionId) { sessionManager.setSSHState( currentSessionId, sshConn!, stream, lastJumpClient, ); sessionManager.attachWs(currentSessionId, userId, ws); ws.send( JSON.stringify({ type: "sessionCreated", sessionId: currentSessionId, }), ); sshLogger.info("Session ready for persistence", { operation: "session_ready", sessionId: currentSessionId, userId, hostId: id, }); } const boundSessionId = currentSessionId; const CWD_SENTINEL = "TERMIX_CWD:"; stream.on("data", (data: Buffer) => { try { let utf8String = data.toString("utf-8"); if (cwdPending) { cwdBuffer += utf8String; const sentinelIdx = cwdBuffer.indexOf(CWD_SENTINEL); if (sentinelIdx !== -1) { const afterSentinel = cwdBuffer.slice( sentinelIdx + CWD_SENTINEL.length, ); const newlineIdx = afterSentinel.search(/[\r\n]/); if (newlineIdx !== -1) { const cwd = afterSentinel.slice(0, newlineIdx).trim() || "/"; cwdPending = false; // Strip the sentinel line from output sent to terminal const beforeSentinel = cwdBuffer.slice(0, sentinelIdx); const afterNewline = afterSentinel.slice(newlineIdx); utf8String = beforeSentinel + afterNewline; cwdBuffer = ""; const attachedWs = sessionManager.getSession(boundSessionId)?.attachedWs ?? ws; if (attachedWs.readyState === WebSocket.OPEN) { attachedWs.send( JSON.stringify({ type: "cwd", path: cwd }), ); } } else { return; } } else { return; } } if (!utf8String) return; const session = sessionManager.getSession(boundSessionId); if (session) { sessionManager.bufferOutput(boundSessionId!, utf8String); if (session.attachedWs?.readyState === WebSocket.OPEN) { session.attachedWs.send( JSON.stringify({ type: "data", data: utf8String }), ); } } } catch (error) { sshLogger.error("Error encoding terminal data", error, { operation: "terminal_data_encoding", hostId: id, dataLength: data.length, }); const fallback = data.toString("latin1"); const session = sessionManager.getSession(boundSessionId); if (session) { sessionManager.bufferOutput(boundSessionId!, fallback); if (session.attachedWs?.readyState === WebSocket.OPEN) { session.attachedWs.send( JSON.stringify({ type: "data", data: fallback }), ); } } } }); stream.on("close", (code: number | null) => { const session = sessionManager.getSession(boundSessionId); if (session?.attachedWs?.readyState === WebSocket.OPEN) { if (code != null) { session.attachedWs.send( JSON.stringify({ type: "session_ended", code, }), ); } else { session.attachedWs.send( JSON.stringify({ type: "disconnected", message: "Connection lost", graceful: true, }), ); } } if (boundSessionId) { sessionManager.destroySession(boundSessionId); if (currentSessionId === boundSessionId) { currentSessionId = null; } } }); stream.on("error", (err: Error) => { sshLogger.error("SSH stream error", err, { operation: "ssh_stream", hostId: id, ip, port, username, }); const session = sessionManager.getSession(boundSessionId); if (session?.attachedWs?.readyState === WebSocket.OPEN) { session.attachedWs.send( JSON.stringify({ type: "error", message: "SSH stream error: " + err.message, }), ); } }); const autoTmux = hostConfig.terminalConfig?.autoTmux === true; // Helper to run initialPath/executeCommand after the shell // (or tmux session) is ready const runPostShellCommands = (delay: number) => { setTimeout(() => { if (initialPath && initialPath.trim() !== "") { const cdCommand = `cd "${initialPath.replace(/"/g, '\\"')}" && pwd\r`; stream.write(cdCommand); } if (executeCommand && executeCommand.trim() !== "") { setTimeout(() => { stream.write(`${executeCommand}\r`); }, 300); } }, delay); }; if (autoTmux && conn) { (async () => { try { const detection = await detectTmux(conn); if (!detection.available) { sshLogger.warn("tmux not found on remote host", { operation: "tmux_detection", hostId: id, }); ws.send( JSON.stringify({ type: "tmux_unavailable", message: "tmux is not installed on the remote host. Falling back to standard shell.", }), ); // tmux unavailable, run commands in plain shell runPostShellCommands(0); } else if (detection.sessions.length === 0) { attachOrCreateTmuxSession(stream); // Query the name tmux assigned after a short delay setTimeout(async () => { const sessionName = await queryNewestTmuxSession(conn); const session = sessionManager.getSession(boundSessionId); if (session) { session.tmuxSessionName = sessionName; } sshLogger.info("Created new tmux session", { operation: "tmux_new_session", sessionName, hostId: id, }); ws.send( JSON.stringify({ type: "tmux_session_created", sessionName, }), ); }, 500); // Wait for tmux to start before running commands inside it runPostShellCommands(500); } else if (detection.sessions.length === 1) { attachOrCreateTmuxSession(stream, detection.sessions[0].name); const sessionName = detection.sessions[0].name; const session = sessionManager.getSession(boundSessionId); if (session) { session.tmuxSessionName = sessionName; } sshLogger.info("Auto-attached to existing tmux session", { operation: "tmux_auto_attach", sessionName, hostId: id, }); ws.send( JSON.stringify({ type: "tmux_session_attached", sessionName, }), ); // Reattaching to existing session -- don't re-run // initialPath/executeCommand since the session already // has its own state } else { sshLogger.info( "Multiple tmux sessions found, sending list to frontend", { operation: "tmux_sessions_available", sessions: detection.sessions, hostId: id, }, ); ws.send( JSON.stringify({ type: "tmux_sessions_available", sessions: detection.sessions, }), ); // Commands deferred until user picks a session } } catch (error) { sshLogger.error("tmux detection failed", error, { operation: "tmux_detection_error", hostId: id, }); // Fallback: run commands in plain shell runPostShellCommands(0); } })(); } else { // No tmux -- run commands directly as before runPostShellCommands(0); } ws.send( JSON.stringify({ type: "connected", message: "SSH connected" }), ); if (id && hostConfig.userId) { (async () => { try { const hostResults = await SimpleDBOps.select( getDb() .select() .from(hosts) .where( and( eq(hosts.id, id), eq(hosts.userId, hostConfig.userId!), ), ), "ssh_data", hostConfig.userId!, ); const hostName = hostResults.length > 0 && hostResults[0].name ? hostResults[0].name : `${username}@${ip}:${port}`; await axios.post( "http://localhost:30006/activity/log", { type: "terminal", hostId: id, hostName, }, { headers: { Authorization: `Bearer ${await authManager.generateJWTToken(hostConfig.userId!)}`, }, }, ); } catch (error) { sshLogger.warn("Failed to log terminal activity", { operation: "activity_log_error", userId: hostConfig.userId, hostId: id, error: error instanceof Error ? error.message : "Unknown error", }); } })(); } }, ); }); sshConn.on("error", (err: Error) => { clearTimeout(connectionTimeout); sendLog("error", "error", `Connection error: ${err.message}`); sshLogger.error("SSH connection error", err, { operation: "ssh_connect", hostId: id, ip, port, username, authType: resolvedCredentials.authType, warpgateAuthPromptSent, isKeyboardInteractive, hasKeyboardInteractiveFinish: !!keyboardInteractiveFinish, keyboardInteractiveResponded, }); if ( resolvedCredentials.authType === "opkssh" && err.message.includes("All configured authentication methods failed") ) { sshLogger.warn("OPKSSH authentication failed - invalidating token", { operation: "opkssh_auth_failed", hostId: id, userId, error: err.message, }); (async () => { try { const { invalidateOPKSSHToken } = await import("./opkssh-auth.js"); await invalidateOPKSSHToken(userId, id, "SSH auth failed"); } catch (invalidateError) { sshLogger.error("Failed to invalidate OPKSSH token", { operation: "opkssh_token_invalidation_error", userId, hostId: id, error: invalidateError, }); } })(); if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); sendLog( "auth", "error", "OPKSSH certificate authentication failed. Please authenticate again.", ); ws.send( JSON.stringify({ type: "opkssh_auth_required", hostId: id, message: "OPKSSH authentication failed or expired. Please authenticate again.", }), ); return; } if ( err.message.includes("Cannot parse privateKey") && err.message.includes("no passphrase") ) { sendLog( "auth", "error", "SSH key is encrypted but no passphrase was provided", ); isAwaitingAuthCredentials = true; if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); ws.send( JSON.stringify({ type: "passphrase_required", message: "The SSH key is encrypted. Please enter the passphrase to unlock it.", }), ); return; } if ( authMethodNotAvailable && resolvedCredentials.authType === "none" && !isKeyboardInteractive ) { sendLog( "auth", "error", "Server does not support keyboard-interactive authentication", ); isAwaitingAuthCredentials = true; if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); ws.send( JSON.stringify({ type: "auth_method_not_available", message: "The server does not support keyboard-interactive authentication. Please provide credentials.", }), ); return; } if ( resolvedCredentials.authType === "none" && err.message.includes("All configured authentication methods failed") && !isKeyboardInteractive && !keyboardInteractiveResponded ) { isAwaitingAuthCredentials = true; if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); ws.send( JSON.stringify({ type: "auth_method_not_available", message: "The server does not support keyboard-interactive authentication. Please provide credentials.", }), ); return; } if ( isKeyboardInteractive && keyboardInteractiveFinish && err.message.includes("All configured authentication methods failed") ) { sshLogger.warn( "Authentication error during keyboard-interactive - SKIPPING cleanup, waiting for user response", { operation: "ssh_error_during_keyboard_interactive_skip_cleanup", hostId: id, error: err.message, }, ); resetConnectionState(); return; } sshLogger.error("Proceeding with cleanup after error", { operation: "ssh_error_cleanup", hostId: id, error: err.message, }); if ( err.message.includes("authentication") || err.message.includes("Authentication") ) { authLogger.error("SSH authentication failed", err, { operation: "terminal_ssh_auth_failed", sessionId, userId, hostId: id, authType: resolvedCredentials.authType, }); sendLog("auth", "error", `Authentication failed: ${err.message}`); } else { sendLog("error", "error", `Connection failed: ${err.message}`); } let errorMessage = "SSH error: " + err.message; if (err.message.includes("No matching key exchange algorithm")) { errorMessage = "SSH error: No compatible key exchange algorithm found. This may be due to an older SSH server or network device."; } else if (err.message.includes("No matching cipher")) { errorMessage = "SSH error: No compatible cipher found. This may be due to an older SSH server or network device."; } else if (err.message.includes("No matching MAC")) { errorMessage = "SSH error: No compatible MAC algorithm found. This may be due to an older SSH server or network device."; } else if ( err.message.includes("ENOTFOUND") || err.message.includes("ENOENT") ) { errorMessage = "SSH error: Could not resolve hostname or connect to server."; } else if (err.message.includes("ECONNREFUSED")) { errorMessage = "SSH error: Connection refused. The server may not be running or the port may be incorrect."; } else if (err.message.includes("ENETUNREACH")) { const isIPv6 = ip && ip.includes(":"); errorMessage = isIPv6 ? "SSH error: Network unreachable. IPv6 may not be available in this environment. If running in Docker, enable IPv6 in the Docker daemon and network configuration." : "SSH error: Network unreachable. Check your network configuration and routing."; } else if (err.message.includes("ETIMEDOUT")) { errorMessage = "SSH error: Connection timed out. Check your network connection and server availability."; } else if ( err.message.includes("ECONNRESET") || err.message.includes("EPIPE") ) { errorMessage = "SSH error: Connection was reset. This may be due to network issues or server timeout."; } else if ( err.message.includes("authentication failed") || err.message.includes("Permission denied") ) { errorMessage = "SSH error: Authentication failed. Please check your username and password/key."; } ws.send(JSON.stringify({ type: "error", message: errorMessage })); if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); }); sshConn.on("close", () => { clearTimeout(connectionTimeout); sshLogger.info("SSH connection closed", { operation: "terminal_ssh_disconnected", sessionId, userId, hostId: id, }); if (isAwaitingAuthCredentials) { if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); return; } if (isShellInitializing || (isConnected && !sshStream)) { sshLogger.warn("SSH connection closed during shell initialization", { operation: "ssh_close_during_init", hostId: id, ip, port, username, isShellInitializing, hasStream: !!sshStream, }); if (ws.readyState === WebSocket.OPEN) { ws.send( JSON.stringify({ type: "error", message: "Connection closed during shell initialization. The server may have rejected the shell request.", }), ); } } else { if (ws.readyState === WebSocket.OPEN) { ws.send( JSON.stringify({ type: "disconnected", message: "Connection closed", }), ); } } if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); }); const sshAuthManager = new SSHAuthManager({ userId, ws, hostId: id || 0, isKeyboardInteractive, keyboardInteractiveResponded, keyboardInteractiveFinish, totpPromptSent, warpgateAuthPromptSent, totpTimeout, warpgateAuthTimeout, totpAttempts: 0, }); sshConn.on( "keyboard-interactive", ( name: string, instructions: string, instructionsLang: string, prompts: Array<{ prompt: string; echo: boolean }>, finish: (responses: string[]) => void, ) => { if (connectionTimeout) { clearTimeout(connectionTimeout); } sshAuthManager.handleKeyboardInteractive( name, instructions, instructionsLang, prompts, finish, resolvedCredentials as unknown as Parameters< typeof sshAuthManager.handleKeyboardInteractive >[5], ); isKeyboardInteractive = sshAuthManager.context.isKeyboardInteractive; keyboardInteractiveResponded = sshAuthManager.context.keyboardInteractiveResponded; keyboardInteractiveFinish = sshAuthManager.context.keyboardInteractiveFinish; totpPromptSent = sshAuthManager.context.totpPromptSent; warpgateAuthPromptSent = sshAuthManager.context.warpgateAuthPromptSent; totpTimeout = sshAuthManager.context.totpTimeout; warpgateAuthTimeout = sshAuthManager.context.warpgateAuthTimeout; }, ); const hostKeepaliveInterval = hostConfig.terminalConfig?.keepaliveInterval; const hostKeepaliveCountMax = hostConfig.terminalConfig?.keepaliveCountMax; const connectConfig: Record = { host: ip, port, username, tryKeyboard: resolvedCredentials.authType !== "none", keepaliveInterval: typeof hostKeepaliveInterval === "number" ? hostKeepaliveInterval : 30000, keepaliveCountMax: typeof hostKeepaliveCountMax === "number" ? hostKeepaliveCountMax : 3, readyTimeout: 120000, tcpKeepAlive: true, tcpKeepAliveInitialDelay: 30000, timeout: 120000, hostVerifier: await SSHHostKeyVerifier.createHostVerifier( id, ip, port, ws, userId, false, ), env: { TERM: "xterm-256color", LANG: "en_US.UTF-8", LC_ALL: "en_US.UTF-8", LC_CTYPE: "en_US.UTF-8", LC_MESSAGES: "en_US.UTF-8", LC_MONETARY: "en_US.UTF-8", LC_NUMERIC: "en_US.UTF-8", LC_TIME: "en_US.UTF-8", LC_COLLATE: "en_US.UTF-8", COLORTERM: "truecolor", }, algorithms: { kex: [ "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group18-sha512", "diffie-hellman-group17-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1", ], serverHostKey: [ "ssh-ed25519", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss", ], cipher: SSH_ALGORITHMS.cipher, hmac: [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-md5", ], compress: ["none", "zlib@openssh.com", "zlib"], }, }; if (resolvedCredentials.authType === "none") { // no credentials needed } else if (resolvedCredentials.authType === "password") { if (!resolvedCredentials.password) { sshLogger.error( "Password authentication requested but no password provided", ); ws.send( JSON.stringify({ type: "error", message: "Password authentication requested but no password provided", }), ); return; } if (!hostConfig.forceKeyboardInteractive) { connectConfig.password = resolvedCredentials.password; } sendLog("auth", "info", "Using password authentication"); } else if ( resolvedCredentials.authType === "key" && resolvedCredentials.key ) { sendLog("auth", "info", "Using SSH key authentication"); try { if ( !resolvedCredentials.key.includes("-----BEGIN") || !resolvedCredentials.key.includes("-----END") ) { throw new Error("Invalid private key format"); } const cleanKey = resolvedCredentials.key .trim() .replace(/\r\n/g, "\n") .replace(/\r/g, "\n"); connectConfig.privateKey = Buffer.from(cleanKey, "utf8"); if (resolvedCredentials.keyPassword) { connectConfig.passphrase = resolvedCredentials.keyPassword; } if (resolvedCredentials.password) { connectConfig.password = resolvedCredentials.password; } } catch (keyError) { sshLogger.error("SSH key format error: " + keyError.message); ws.send( JSON.stringify({ type: "error", message: "SSH key format error: Invalid private key format", }), ); return; } } else if (resolvedCredentials.authType === "key") { sendLog( "auth", "error", "SSH key authentication requested but no key provided", ); sshLogger.error("SSH key authentication requested but no key provided"); ws.send( JSON.stringify({ type: "error", message: "SSH key authentication requested but no key provided", }), ); return; } else if (resolvedCredentials.authType === "opkssh") { sendLog("auth", "info", "Using OPKSSH certificate authentication"); try { const { getOPKSSHToken } = await import("./opkssh-auth.js"); const token = await getOPKSSHToken(userId, id); if (!token) { sendLog( "auth", "info", "No valid OPKSSH token found, requesting authentication", ); ws.send( JSON.stringify({ type: "opkssh_auth_required", hostId: id, }), ); return; } sendLog("auth", "info", "Using cached OPKSSH certificate"); const { setupOPKSSHCertAuth } = await import("./opkssh-cert-auth.js"); await setupOPKSSHCertAuth(connectConfig, sshConn, token, username); } catch (opksshError) { sshLogger.error("OPKSSH authentication error", opksshError, { operation: "opkssh_auth_error", userId, hostId: id, }); ws.send( JSON.stringify({ type: "error", message: "OPKSSH authentication failed: " + (opksshError instanceof Error ? opksshError.message : "Unknown error"), }), ); return; } } else { sendLog("auth", "info", "Using keyboard-interactive authentication"); sshLogger.error("No valid authentication method provided"); ws.send( JSON.stringify({ type: "error", message: "No valid authentication method provided", }), ); return; } if ( hostConfig.terminalConfig?.agentForwarding && connectConfig.privateKey ) { try { const parsed = ssh2Utils.parseKey( connectConfig.privateKey as Buffer, connectConfig.passphrase as string | undefined, ); if (parsed && !(parsed instanceof Error)) { connectConfig.agent = new MemoryAgent(parsed); connectConfig.agentForward = true; sendLog("auth", "info", "SSH agent forwarding enabled"); } } catch { sshLogger.warn("Failed to set up agent forwarding", { operation: "agent_forward_setup", hostId: id, }); } } if ( hostConfig.portKnockSequence && hostConfig.portKnockSequence.length > 0 ) { try { sshLogger.info( `Port knocking ${hostConfig.ip} (${hostConfig.portKnockSequence.length} ports)`, { operation: "port_knock", hostId: hostConfig.id }, ); await performPortKnocking(hostConfig.ip, hostConfig.portKnockSequence); } catch { sshLogger.warn("Port knocking failed, attempting connection anyway", { operation: "port_knock", hostId: hostConfig.id, }); } } const proxyConfig: SOCKS5Config | null = hostConfig.useSocks5 && (hostConfig.socks5Host || (hostConfig.socks5ProxyChain && (hostConfig.socks5ProxyChain as ProxyNode[]).length > 0)) ? { useSocks5: hostConfig.useSocks5, socks5Host: hostConfig.socks5Host, socks5Port: hostConfig.socks5Port, socks5Username: hostConfig.socks5Username, socks5Password: hostConfig.socks5Password, socks5ProxyChain: hostConfig.socks5ProxyChain as ProxyNode[], } : null; const hasJumpHosts = hostConfig.jumpHosts && hostConfig.jumpHosts.length > 0 && hostConfig.userId; // Cloudflare Tunnel: connect via WebSocket proxy const cfConfig = hostConfig.terminalConfig as Record | undefined; if (cfConfig?.cfAccessClientId && cfConfig?.cfAccessClientSecret) { try { const WebSocket = (await import("ws")).default; const cfHostname = (cfConfig.cfTunnelHostname as string) || ip; const wsUrl = `wss://${cfHostname}/cdn-cgi/access/ssh-connect`; const cfWs = new WebSocket(wsUrl, { headers: { "CF-Access-Client-Id": cfConfig.cfAccessClientId as string, "CF-Access-Client-Secret": cfConfig.cfAccessClientSecret as string, }, }); await new Promise((resolve, reject) => { cfWs.on("open", () => resolve()); cfWs.on("error", (err) => reject(err)); setTimeout(() => reject(new Error("Cloudflare tunnel timeout")), 30000); }); const { Duplex } = await import("stream"); const duplexStream = new Duplex({ read() {}, write(chunk, _encoding, callback) { cfWs.send(chunk, callback); }, }); cfWs.on("message", (data) => duplexStream.push(data)); cfWs.on("close", () => duplexStream.push(null)); connectConfig.sock = duplexStream as unknown as typeof connectConfig.sock; sendLog("handshake", "info", "Connected via Cloudflare Tunnel"); } catch (cfError) { sshLogger.error("Cloudflare tunnel connection failed", cfError, { operation: "cf_tunnel_connect", hostId: id, }); ws.send( JSON.stringify({ type: "error", message: "Cloudflare tunnel connection failed: " + (cfError instanceof Error ? cfError.message : "Unknown error"), }), ); cleanupAuthState(connectionTimeout); return; } } if (hasJumpHosts) { try { const jumpClient = await createJumpHostChain( hostConfig.jumpHosts!, hostConfig.userId!, proxyConfig, ); if (!jumpClient) { sshLogger.error("Failed to establish jump host chain"); ws.send( JSON.stringify({ type: "error", message: "Failed to connect through jump hosts", }), ); if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); return; } lastJumpClient = jumpClient; jumpClient.forwardOut("127.0.0.1", 0, ip, port, (err, stream) => { if (err) { sshLogger.error("Failed to forward through jump host", err, { operation: "ssh_jump_forward", hostId: id, ip, port, }); ws.send( JSON.stringify({ type: "error", message: "Failed to forward through jump host: " + err.message, }), ); jumpClient.end(); if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); return; } connectConfig.sock = stream; sendLog( "handshake", "info", "Starting SSH session through jump host" + (proxyConfig ? " (via proxy)" : ""), ); sendLog("auth", "info", `Authenticating as ${username}`); sshLogger.info("Initiating SSH connection", { operation: "terminal_ssh_connect_attempt", sessionId, userId, hostId: id, ip, port, username, authType: resolvedCredentials.authType, viaProxy: !!proxyConfig, }); sshConn.connect(connectConfig); }); } catch (error) { sshLogger.error("Jump host error", error, { operation: "ssh_jump_host", hostId: id, }); ws.send( JSON.stringify({ type: "error", message: "Failed to connect through jump hosts", }), ); if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); return; } } else if (proxyConfig) { try { const proxySocket = await createSocks5Connection(ip, port, proxyConfig); if (proxySocket) { connectConfig.sock = proxySocket; } } catch (proxyError) { sshLogger.error("Proxy connection failed", proxyError, { operation: "proxy_connect", hostId: id, proxyHost: hostConfig.socks5Host, proxyPort: hostConfig.socks5Port || 1080, }); ws.send( JSON.stringify({ type: "error", message: "Proxy connection failed: " + (proxyError instanceof Error ? proxyError.message : "Unknown error"), }), ); if (currentSessionId) { sessionManager.destroySession(currentSessionId); currentSessionId = null; } cleanupAuthState(connectionTimeout); return; } sendLog("handshake", "info", "Starting SSH session (via proxy)"); sendLog("auth", "info", `Authenticating as ${username}`); sshLogger.info("Initiating SSH connection", { operation: "terminal_ssh_connect_attempt", sessionId, userId, hostId: id, ip, port, username, authType: resolvedCredentials.authType, viaProxy: true, }); sshConn.connect(connectConfig); } else { sendLog("handshake", "info", "Starting SSH session"); sendLog("auth", "info", `Authenticating as ${username}`); sshLogger.info("Initiating SSH connection", { operation: "terminal_ssh_connect_attempt", sessionId, userId, hostId: id, ip, port, username, authType: resolvedCredentials.authType, }); sshConn.connect(connectConfig); } } function handleResize(data: ResizeData) { const resizeStream = sessionManager.getSession(currentSessionId)?.sshStream ?? sshStream; if (resizeStream && resizeStream.setWindow) { resizeStream.setWindow(data.rows, data.cols, data.rows, data.cols); const session = sessionManager.getSession(currentSessionId); if (session) { session.cols = data.cols; session.rows = data.rows; } ws.send( JSON.stringify({ type: "resized", cols: data.cols, rows: data.rows }), ); } } function cleanupAuthState(timeoutId?: NodeJS.Timeout) { if (timeoutId) { clearTimeout(timeoutId); } if (totpTimeout) { clearTimeout(totpTimeout); totpTimeout = null; } if (warpgateAuthTimeout) { clearTimeout(warpgateAuthTimeout); warpgateAuthTimeout = null; } sshStream = null; sshConn = null; lastJumpClient = null; resetConnectionState(); isCleaningUp = false; isAwaitingAuthCredentials = false; } // Note: PTY-level keepalive (writing \x00 to the stream) was removed. // It was causing ^@ characters to appear in terminals with echoctl enabled. // SSH-level keepalive is configured via connectConfig (keepaliveInterval, // keepaliveCountMax, tcpKeepAlive), which handles connection health monitoring // without producing visible output on the terminal. // // See: https://github.com/Termix-SSH/Support/issues/232 // See: https://github.com/Termix-SSH/Support/issues/309 });