Lukko¶
What is Lukko?¶
Lukko is a SSH server.
This project is work in progress.
Configuration¶
Lukko loads the configuration file
/etc/cm4all/lukko/lukko.conf.
The following top-level settings are recognized:
translation_server: consult this translation server to configure child processes; must start with/(absolute path) or@(abstract socket).
Listener¶
The listener section describes how Lukko listens for incoming SSH
connections. Example:
listener {
bind "*:22"
#interface "eth0"
#zeroconf_service "lukko"
}
Known attributes:
bind: an adddress to bind to. May be the wildcard*or an IPv4/IPv6 address followed by a port. IPv6 addresses should be enclosed in square brackets to disambiguate the port separator. Local sockets start with a slash/, and abstract sockets start with the symbol@.interface: limit this listener to the given network interface.mode: for local socket files, this specifies the octal file mode.mptcp:yesenables Multi-Path TCPack_timeout: close the connection if transmitted data remains unacknowledged by the client for this number of seconds. By default, dead connections can remain open for up to 20 minutes.keepalive:yesenables the socket optionSO_KEEPALIVE. This causes some traffic for the keepalive probes, but allows detecting disappeared clients even when there is no traffic.v6only:nodisables IPv4 support on IPv6 listeners (IPV6_V6ONLY). The default isyes.reuse_port:yesenables the socket optionSO_REUSEPORT, which allows multiple sockets to bind to the same port.zeroconf_service: if specified, then register this listener as Zeroconf service in the local Avahi daemon.zeroconf_interface: publish the Zeroconf service only on the given interface.tag: a string sent to the translation server in aLISTENER_TAGpacket.max_connections_per_ip: specifies the maximum number of connections from each IP address.tarpit:yesenables a naive denial-of-service protection: clients that connect too often or fail authentication get delayed responses. The exact conditions and the delay is currently hard-coded. The default isno.
Control Listener¶
The control section creates a listener for control datagrams that
can be used to control certain behavior at runtime. Example:
control {
bind "@lukko-control"
}
control {
bind "*"
interface "eth1"
multicast_group "224.0.0.123"
}
Known attributes:
bind: an adddress to bind to. May be the wildcard*or an IPv4/IPv6 address followed by a port. IPv6 addresses should be enclosed in square brackets to disambiguate the port separator. Local sockets start with a slash/, and abstract sockets start with the symbol@.multicast_group: join this multicast group, which allows receiving multicast commands. Value is a multicast IPv4/IPv6 address. IPv6 addresses may contain a scope identifier after a percent sign (%).interface: limit this listener to the given network interface.
The protocol is defined here: https://github.com/CM4all/libcommon/blob/master/src/net/control/Protocol.hxx
Lukko implements only a subset of the commands:
VERBOSEDISABLE_ZEROCONFENABLE_ZEROCONFTERMINATE_CHILDREN
Prometheus Exporter¶
The prometheus_exporter section is optional and can describe a
simple HTTP listener which exposes statistics in the Prometheus
format.
Example:
prometheus_exporter {
bind "*:8022"
interface "eth1"
}
prometheus_exporter {
bind "/run/cm4all/lukko/prometheus_exporter.socket"
}
Known attributes (same meaning as in a listener block):
bindinterfacemodev6onlyreuse_port
Translation Server¶
Lukko can delegate certain decisions (user database, how to execute
commands) to a different process running on the same computer, called
a “translation server”. This translation server may, for example,
consult a database to look up user accounts instead of reading
/etc/passwd and can make complex decicions based on that data.
Only the translation server has access to all of Lukko’s process
spawner features, which includes a light-weight container engine.
Information about the translation protocol can be found here: