{"id":29821791,"url":"https://github.com/mohammed90/caddy-ssh","last_synced_at":"2025-07-29T00:11:50.942Z","repository":{"id":39637592,"uuid":"260565805","full_name":"kadeessh/kadeessh","owner":"kadeessh","description":"Kadeessh (formerly Caddy-SSH) is a general-purpose, extensible, modular, memory-safe SSH server built in Go","archived":false,"fork":false,"pushed_at":"2025-04-14T21:44:33.000Z","size":285,"stargazers_count":553,"open_issues_count":12,"forks_count":12,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-07-09T00:04:33.461Z","etag":null,"topics":["authentication","caddy","go","openssh","ssh","ssh-server"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kadeessh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-05-01T21:54:38.000Z","updated_at":"2025-06-23T18:49:42.000Z","dependencies_parsed_at":"2023-12-01T20:34:30.984Z","dependency_job_id":"c02db994-a79a-4a88-9c99-b1c35b72daf0","html_url":"https://github.com/kadeessh/kadeessh","commit_stats":null,"previous_names":["mohammed90/caddy-ssh"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/kadeessh/kadeessh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kadeessh%2Fkadeessh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kadeessh%2Fkadeessh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kadeessh%2Fkadeessh/releases","manifests_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/kadeessh%2Fkadeessh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kadeessh","download_url":"https://codeload.github.com/kadeessh/kadeessh/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kadeessh%2Fkadeessh/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267607025,"owners_count":24114823,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-28T02:00:09.689Z","response_time":68,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","caddy","go","openssh","ssh","ssh-server"],"created_at":"2025-07-29T00:11:41.941Z","updated_at":"2025-07-29T00:11:50.937Z","avatar_url":"https://github.com/kadeessh.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kadeessh\n\n_This is still under heavy WIP._\n\nKadeessh (formerly Caddy-SSH) is an extensible, modular SSH server built as a Caddy app. The project aims to provide an SSH server with safe, modern, and secure defaults.\n\n## What's Kadeessh?\n\nKadeesh (كديش) is the Levantine Arabic word for [hinny](https://en.wikipedia.org/wiki/Hinny), the reciprocal of mule. This name is a hat-tip to the basic components of the project, i.e. 
Caddy and SSH.\n\n## Install\n\nYou start by looking for the binaries in the [GitHub Releases](https://github.com/kadeessh/kadeessh/releases) page. Download the executable then place it somewhere in your PATH.\n\nThe other way is to build the project using [xcaddy](https://github.com/caddyserver/xcaddy) with the command:\n\n```shell\nxcaddy build --with github.com/kadeessh/kadeessh[@\u003cversion\u003e]\n```\n\nwhere `[@\u003cversion\u003e]` is optional and `\u003cversion\u003e` may be replaced by the desired version.\n\n## Sample Config\n\nNote: The password is `test`. Once satisfied with the design and implementation, the packages will be extracted outside of `internal`.\n\n\u003cdetails\u003e\n\u003csummary\u003eShell\u003c/summary\u003e\n\n```json\n{\n  \"apps\": {\n    \"ssh\": {\n      \"grace_period\": \"2s\",\n      \"servers\": {\n        \"srv0\": {\n          \"address\": \"tcp/0.0.0.0:2000-2012\",\n          \"pty\": {\n            \"pty\": \"allow\"\n          },\n          \"configs\": [\n            {\n              \"config\": {\n                \"loader\": \"provided\",\n                \"no_client_auth\": false,\n                \"authentication\": {\n                  \"username_password\": {\n                    \"providers\": {\n                      \"static\": {\n                        \"accounts\": [\n                          {\n                            \"name\": \"user1\",\n                            \"password\": \"JDJhJDE0JDcxOENoL2duS3FuR2VPRUpLa2lVM085Mk40T1JkcHBvQW4ycHU2c0FkMm1qLkhKejhzWG9t\"\n                          }\n                        ]\n                      }\n                    }\n                  }\n                }\n              }\n            }\n          ],\n          \"actors\": [\n            {\n              \"match\": [\n                {\n                  \"user\": {\n                    \"users\": [\n                      \"user1\"\n                    ]\n                  }\n                }\n       
       ],\n              \"act\": {\n                \"action\": \"shell\"\n              }\n            }\n          ]\n        }\n      }\n    }\n  }\n}\n```\n\n\u003c/details\u003e  \n\n\u003cdetails\u003e\n\u003csummary\u003eCustom config based on remote address: allow local users, except root, to login without authentication\u003c/summary\u003e\n\n```json\n{\n  \"apps\": {\n    \"ssh\": {\n      \"grace_period\": \"2s\",\n      \"servers\": {\n        \"srv0\": {\n          \"address\": \"tcp/0.0.0.0:2000-2012\",\n          \"pty\": {\n            \"pty\": \"allow\"\n          },\n          \"configs\": [\n            {\n              \"match\": [\n                {\n                  \"remote_ip\": {\n                    \"ranges\": [\n                      \"192.168.0.0/16\"\n                    ]\n                  }\n                }\n              ],\n              \"config\": {\n                \"loader\": \"provided\",\n                \"no_client_auth\": true\n              }\n            },\n            {\n              \"config\": {\n                \"loader\": \"provided\",\n                \"authentication\": {\n                  \"deny_users\": [\"root\"],\n                  \"public_key\": {\n                    \"providers\": {\n                      \"os\": {}\n                    }\n                  }\n                }\n              }\n            }\n          ],\n          \"actors\": [\n            {\n              \"act\": {\n                \"action\": \"shell\"\n              }\n            }\n          ]\n        }\n      }\n    }\n  }\n}\n```\n\n\u003c/details\u003e  \n\n\u003cdetails\u003e\n\u003csummary\u003eJump server\u003c/summary\u003e\n\nAs a jump server, the jump server establishes a local forwarding channel to upstream, per the documentation of the `-J` option, so we need to enable this in the config.\n\nReference:\n\n\u003e -J destination\n    Connect to the target host by first making a ssh connection to the jump host 
described by destination and then establishing a TCP forwarding to the ultimate\n    destination from there.  Multiple jump hops may be specified separated by comma characters.  This is a shortcut to specify a ProxyJump configuration directive.\n    Note that configuration directives supplied on the command-line generally apply to the destination host and not any specified jump hosts.  Use ~/.ssh/config to\n    specify configuration for jump hosts.\n\n```json\n{\n  \"apps\": {\n    \"ssh\": {\n      \"grace_period\": \"2s\",\n      \"servers\": {\n        \"srv0\": {\n          \"address\": \"tcp/0.0.0.0:2000-2012\",\n          \"configs\": [\n            {\n              \"config\": {\n                \"loader\": \"provided\",\n                \"signer\": {\n                  \"module\": \"fallback\"\n                },\n                \"authentication\": {\n                  \"public_key\": {\n                    \"providers\": {\n                      \"os\": {}\n                    }\n                  }\n                }\n              }\n            }\n          ],\n          \"localforward\": {\n            \"forward\": \"allow\"\n          }\n        }\n      }\n    }\n  }\n}\n```\n\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eShell Session with Authorization Module\u003c/summary\u003e\n\nThe app provides a modular authorization process that controls session authorization based on the session context details. One of the authorization modules provided is `max_session`, which restricts the number of currently active sessions to a certain number. The other one is `public`, which grants access without restriction and is the default if none is provided. 
Here's an example config of how to restrict the server to authorize only 2 active sessions:\n\n```json\n{\n  \"apps\": {\n    \"ssh\": {\n      \"grace_period\": \"2s\",\n      \"servers\": {\n        \"srv0\": {\n          \"address\": \"tcp/0.0.0.0:2000-2012\",\n          \"authorize\": {\n            \"authorizer\": \"max_session\",\n            \"max_sessions\": 2\n          },\n          \"pty\": {\n            \"pty\": \"allow\"\n          },\n          \"configs\": [\n            {\n              \"config\": {\n                \"loader\": \"provided\",\n                \"no_client_auth\": false,\n                \"authentication\": {\n                  \"public_key\": {\n                    \"providers\": {\n                      \"os\": {}\n                    }\n                  }\n                }\n              }\n            }\n          ],\n          \"actors\": [\n            {\n              \"act\": {\n                \"action\": \"shell\"\n              }\n            }\n          ]\n        }\n      }\n    }\n  }\n}\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eShell with `force_command`\u003c/summary\u003e\n\nRuns the `go version` command for authenticated users, regardless of the command the user has sent.\n\n```json\n{\n  \"apps\": {\n    \"ssh\": {\n      \"grace_period\": \"2s\",\n      \"servers\": {\n        \"srv0\": {\n          \"address\": \"tcp/0.0.0.0:2000-2012\",\n          \"pty\": {\n            \"pty\": \"allow\"\n          },\n          \"configs\": [\n            {\n              \"config\": {\n                \"loader\": \"provided\",\n                \"no_client_auth\": false,\n                \"authentication\": {\n                  \"public_key\": {\n                    \"providers\": {\n                      \"os\": {}\n                    }\n                  }\n                }\n              }\n            }\n          ],\n          \"actors\": [\n            {\n              \"act\": {\n     
           \"action\": \"shell\",\n                \"force_command\": \"go 'version'\"\n              }\n            }\n          ]\n        }\n      }\n    }\n  }\n}\n```\n\u003c/details\u003e\n\n## Reference\n\n- [OpenSSH Spec](https://www.openssh.com/specs.html)\n\n## Questions\n\nQ: I deny PTY allocation in config, but the request is processed and executed anyway. Why?\n\nA: This is a quirk in OpenSSH, which defaults to `auto` if the `-t` option (i.e. forcing tty allocation) is not given on the client. It asks for the tty allocation but switches the mode to `auto` when denied and proceeds without the tty allocation request. The StackOverflow answer explaining the details is [here](https://stackoverflow.com/a/10346575).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmohammed90%2Fcaddy-ssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmohammed90%2Fcaddy-ssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmohammed90%2Fcaddy-ssh/lists"}