tailscale/tempfork/ssh/example_test.go

// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package ssh_test

import (
	"bufio"
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"sync"

	"golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/terminal"
)

func ExampleNewServerConn() {
	// Public key authentication is done by comparing
	// the public key of a received connection
	// with the entries in the authorized_keys file.
	authorizedKeysBytes, err := os.ReadFile("authorized_keys")
	if err != nil {
		log.Fatalf("Failed to load authorized_keys, err: %v", err)
	}

	authorizedKeysMap := map[string]bool{}
	for len(authorizedKeysBytes) > 0 {
		pubKey, _, _, rest, err := ssh.ParseAuthorizedKey(authorizedKeysBytes)
		if err != nil {
			log.Fatal(err)
		}

		authorizedKeysMap[string(pubKey.Marshal())] = true
		authorizedKeysBytes = rest
	}

	// An SSH server is represented by a ServerConfig, which holds
	// certificate details and handles authentication of ServerConns.
	config := &ssh.ServerConfig{
		// Remove to disable password auth.
		PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
			// Should use constant-time compare (or better, salt+hash) in
			// a production setting.
			if c.User() == "testuser" && string(pass) == "tiger" {
				return nil, nil
			}
			return nil, fmt.Errorf("password rejected for %q", c.User())
		},

		// Remove to disable public key auth.
		PublicKeyCallback: func(c ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
			if authorizedKeysMap[string(pubKey.Marshal())] {
				return &ssh.Permissions{
					// Record the public key used for authentication.
					Extensions: map[string]string{
						"pubkey-fp": ssh.FingerprintSHA256(pubKey),
					},
				}, nil
			}
			return nil, fmt.Errorf("unknown public key for %q", c.User())
		},
	}

	privateBytes, err := os.ReadFile("id_rsa")
	if err != nil {
		log.Fatal("Failed to load private key: ", err)
	}

	private, err := ssh.ParsePrivateKey(privateBytes)
	if err != nil {
		log.Fatal("Failed to parse private key: ", err)
	}
	config.AddHostKey(private)

	// Once a ServerConfig has been configured, connections can be
	// accepted.
	listener, err := net.Listen("tcp", "0.0.0.0:2022")
	if err != nil {
		log.Fatal("failed to listen for connection: ", err)
	}
	nConn, err := listener.Accept()
	if err != nil {
		log.Fatal("failed to accept incoming connection: ", err)
	}

	// Before use, a handshake must be performed on the incoming
	// net.Conn.
	conn, chans, reqs, err := ssh.NewServerConn(nConn, config)
	if err != nil {
		log.Fatal("failed to handshake: ", err)
	}
	log.Printf("logged in with key %s", conn.Permissions.Extensions["pubkey-fp"])

	var wg sync.WaitGroup
	defer wg.Wait()

	// The incoming Request channel must be serviced.
	wg.Add(1)
	go func() {
		ssh.DiscardRequests(reqs)
		wg.Done()
	}()

	// Service the incoming Channel channel.
	for newChannel := range chans {
		// Channels have a type, depending on the application level
		// protocol intended. In the case of a shell, the type is
		// "session" and ServerShell may be used to present a simple
		// terminal interface.
		if newChannel.ChannelType() != "session" {
			newChannel.Reject(ssh.UnknownChannelType, "unknown channel type")
			continue
		}
		channel, requests, err := newChannel.Accept()
		if err != nil {
			log.Fatalf("Could not accept channel: %v", err)
		}

		// Sessions have out-of-band requests such as "shell",
		// "pty-req" and "env".  Here we handle only the
		// "shell" request.
		wg.Add(1)
		go func(in <-chan *ssh.Request) {
			for req := range in {
				req.Reply(req.Type == "shell", nil)
			}
			wg.Done()
		}(requests)

		term := terminal.NewTerminal(channel, "> ")

		wg.Add(1)
		go func() {
			defer func() {
				channel.Close()
				wg.Done()
			}()
			for {
				line, err := term.ReadLine()
				if err != nil {
					break
				}
				fmt.Println(line)
			}
		}()
	}
}

func ExampleServerConfig_AddHostKey() {
	// Minimal ServerConfig supporting only password authentication.
	config := &ssh.ServerConfig{
		PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
			// Should use constant-time compare (or better, salt+hash) in
			// a production setting.
			if c.User() == "testuser" && string(pass) == "tiger" {
				return nil, nil
			}
			return nil, fmt.Errorf("password rejected for %q", c.User())
		},
	}

	privateBytes, err := os.ReadFile("id_rsa")
	if err != nil {
		log.Fatal("Failed to load private key: ", err)
	}

	private, err := ssh.ParsePrivateKey(privateBytes)
	if err != nil {
		log.Fatal("Failed to parse private key: ", err)
	}
	// Restrict host key algorithms to disable ssh-rsa.
	signer, err := ssh.NewSignerWithAlgorithms(private.(ssh.AlgorithmSigner), []string{ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512})
	if err != nil {
		log.Fatal("Failed to create private key with restricted algorithms: ", err)
	}
	config.AddHostKey(signer)
}

func ExampleClientConfig_HostKeyCallback() {
	// Every client must provide a host key check.  Here is a
	// simple-minded parse of OpenSSH's known_hosts file
	host := "hostname"
	file, err := os.Open(filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts"))
	if err != nil {
		log.Fatal(err)
	}
	defer file.Close()

	scanner := bufio.NewScanner(file)
	var hostKey ssh.PublicKey
	for scanner.Scan() {
		fields := strings.Split(scanner.Text(), " ")
		if len(fields) != 3 {
			continue
		}
		if strings.Contains(fields[0], host) {
			var err error
			hostKey, _, _, _, err = ssh.ParseAuthorizedKey(scanner.Bytes())
			if err != nil {
				log.Fatalf("error parsing %q: %v", fields[2], err)
			}
			break
		}
	}

	if hostKey == nil {
		log.Fatalf("no hostkey for %s", host)
	}

	config := ssh.ClientConfig{
		User:            os.Getenv("USER"),
		HostKeyCallback: ssh.FixedHostKey(hostKey),
	}

	_, err = ssh.Dial("tcp", host+":22", &config)
	log.Println(err)
}

func ExampleDial() {
	var hostKey ssh.PublicKey
	// An SSH client is represented with a ClientConn.
	//
	// To authenticate with the remote server you must pass at least one
	// implementation of AuthMethod via the Auth field in ClientConfig,
	// and provide a HostKeyCallback.
	config := &ssh.ClientConfig{
		User: "username",
		Auth: []ssh.AuthMethod{
			ssh.Password("yourpassword"),
		},
		HostKeyCallback: ssh.FixedHostKey(hostKey),
	}
	client, err := ssh.Dial("tcp", "yourserver.com:22", config)
	if err != nil {
		log.Fatal("Failed to dial: ", err)
	}
	defer client.Close()

	// Each ClientConn can support multiple interactive sessions,
	// represented by a Session.
	session, err := client.NewSession()
	if err != nil {
		log.Fatal("Failed to create session: ", err)
	}
	defer session.Close()

	// Once a Session is created, you can execute a single command on
	// the remote side using the Run method.
	var b bytes.Buffer
	session.Stdout = &b
	if err := session.Run("/usr/bin/whoami"); err != nil {
		log.Fatal("Failed to run: " + err.Error())
	}
	fmt.Println(b.String())
}

func ExamplePublicKeys() {
	var hostKey ssh.PublicKey
	// A public key may be used to authenticate against the remote
	// server by using an unencrypted PEM-encoded private key file.
	//
	// If you have an encrypted private key, the crypto/x509 package
	// can be used to decrypt it.
	key, err := os.ReadFile("/home/user/.ssh/id_rsa")
	if err != nil {
		log.Fatalf("unable to read private key: %v", err)
	}

	// Create the Signer for this private key.
	signer, err := ssh.ParsePrivateKey(key)
	if err != nil {
		log.Fatalf("unable to parse private key: %v", err)
	}

	config := &ssh.ClientConfig{
		User: "user",
		Auth: []ssh.AuthMethod{
			// Use the PublicKeys method for remote authentication.
			ssh.PublicKeys(signer),
		},
		HostKeyCallback: ssh.FixedHostKey(hostKey),
	}

	// Connect to the remote server and perform the SSH handshake.
	client, err := ssh.Dial("tcp", "host.com:22", config)
	if err != nil {
		log.Fatalf("unable to connect: %v", err)
	}
	defer client.Close()
}

func ExampleClient_Listen() {
	var hostKey ssh.PublicKey
	config := &ssh.ClientConfig{
		User: "username",
		Auth: []ssh.AuthMethod{
			ssh.Password("password"),
		},
		HostKeyCallback: ssh.FixedHostKey(hostKey),
	}
	// Dial your ssh server.
	conn, err := ssh.Dial("tcp", "localhost:22", config)
	if err != nil {
		log.Fatal("unable to connect: ", err)
	}
	defer conn.Close()

	// Request the remote side to open port 8080 on all interfaces.
	l, err := conn.Listen("tcp", "0.0.0.0:8080")
	if err != nil {
		log.Fatal("unable to register tcp forward: ", err)
	}
	defer l.Close()

	// Serve HTTP with your SSH server acting as a reverse proxy.
	http.Serve(l, http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
		fmt.Fprintf(resp, "Hello world!\n")
	}))
}

func ExampleSession_RequestPty() {
	var hostKey ssh.PublicKey
	// Create client config
	config := &ssh.ClientConfig{
		User: "username",
		Auth: []ssh.AuthMethod{
			ssh.Password("password"),
		},
		HostKeyCallback: ssh.FixedHostKey(hostKey),
	}
	// Connect to ssh server
	conn, err := ssh.Dial("tcp", "localhost:22", config)
	if err != nil {
		log.Fatal("unable to connect: ", err)
	}
	defer conn.Close()
	// Create a session
	session, err := conn.NewSession()
	if err != nil {
		log.Fatal("unable to create session: ", err)
	}
	defer session.Close()
	// Set up terminal modes
	modes := ssh.TerminalModes{
		ssh.ECHO:          0,     // disable echoing
		ssh.TTY_OP_ISPEED: 14400, // input speed = 14.4kbaud
		ssh.TTY_OP_OSPEED: 14400, // output speed = 14.4kbaud
	}
	// Request pseudo terminal
	if err := session.RequestPty("xterm", 40, 80, modes); err != nil {
		log.Fatal("request for pseudo terminal failed: ", err)
	}
	// Start remote shell
	if err := session.Shell(); err != nil {
		log.Fatal("failed to start shell: ", err)
	}
}

func ExampleCertificate_SignCert() {
	// Sign a certificate with a specific algorithm.
	privateKey, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		log.Fatal("unable to generate RSA key: ", err)
	}
	publicKey, err := ssh.NewPublicKey(&privateKey.PublicKey)
	if err != nil {
		log.Fatal("unable to get RSA public key: ", err)
	}
	caKey, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		log.Fatal("unable to generate CA key: ", err)
	}
	signer, err := ssh.NewSignerFromKey(caKey)
	if err != nil {
		log.Fatal("unable to generate signer from key: ", err)
	}
	mas, err := ssh.NewSignerWithAlgorithms(signer.(ssh.AlgorithmSigner), []string{ssh.KeyAlgoRSASHA256})
	if err != nil {
		log.Fatal("unable to create signer with algoritms: ", err)
	}
	certificate := ssh.Certificate{
		Key:      publicKey,
		CertType: ssh.UserCert,
	}
	if err := certificate.SignCert(rand.Reader, mas); err != nil {
		log.Fatal("unable to sign certificate: ", err)
	}
	// Save the public key to a file and check that rsa-sha-256 is used for
	// signing:
	// ssh-keygen -L -f <path to the file>
	fmt.Println(string(ssh.MarshalAuthorizedKey(&certificate)))
}
tempfork/{acme,ssh}: add new package for x/crypto package forks, move We were maintaining temporary dev forks of golang.org/x/crypto/{acme,ssh} in https://github.com/tailscale/golang-x-crypto instead of using this repo's tempfork directory as we do with other packages. The reason we were doing that was because x/crypto/ssh depended on x/crypto/ssh/internal/poly1305 and I hadn't noticed there are forwarding wrappers already available in x/crypto/poly1305. It also depended internal/bcrypt_pbkdf but we don't use that so it's easy to just delete that calling code in our tempfork/ssh. This means we don't need another repo, for better or worse. (better: one repo, worse: slightly more annoying to rebase to upstream, but not terrible) The acme package is moved unmodified. This copies the code from tailscale/golang-x-crypto at git rev https://github.com/tailscale/golang-x-crypto/commit/3fde5e568aa421f641805f385e599b6e5a40e837 Updates #8593 Updates #10238 Change-Id: I8af4378c04c1f82e63d31bf4d16dba9f510f9199 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 1 month ago			`// Copyright 2011 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`package ssh_test`

			`import (`
			`"bufio"`
			`"bytes"`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"fmt"`
			`"log"`
			`"net"`
			`"net/http"`
			`"os"`
			`"path/filepath"`
			`"strings"`
			`"sync"`

			`"golang.org/x/crypto/ssh"`
			`"golang.org/x/crypto/ssh/terminal"`
			`)`

			`func ExampleNewServerConn() {`
			`// Public key authentication is done by comparing`
			`// the public key of a received connection`
			`// with the entries in the authorized_keys file.`
			`authorizedKeysBytes, err := os.ReadFile("authorized_keys")`
			`if err != nil {`
			`log.Fatalf("Failed to load authorized_keys, err: %v", err)`
			`}`

			`authorizedKeysMap := map[string]bool{}`
			`for len(authorizedKeysBytes) > 0 {`
			`pubKey, _, _, rest, err := ssh.ParseAuthorizedKey(authorizedKeysBytes)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

			`authorizedKeysMap[string(pubKey.Marshal())] = true`
			`authorizedKeysBytes = rest`
			`}`

			`// An SSH server is represented by a ServerConfig, which holds`
			`// certificate details and handles authentication of ServerConns.`
			`config := &ssh.ServerConfig{`
			`// Remove to disable password auth.`
			`PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {`
			`// Should use constant-time compare (or better, salt+hash) in`
			`// a production setting.`
			`if c.User() == "testuser" && string(pass) == "tiger" {`
			`return nil, nil`
			`}`
			`return nil, fmt.Errorf("password rejected for %q", c.User())`
			`},`

			`// Remove to disable public key auth.`
			`PublicKeyCallback: func(c ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {`
			`if authorizedKeysMap[string(pubKey.Marshal())] {`
			`return &ssh.Permissions{`
			`// Record the public key used for authentication.`
			`Extensions: map[string]string{`
			`"pubkey-fp": ssh.FingerprintSHA256(pubKey),`
			`},`
			`}, nil`
			`}`
			`return nil, fmt.Errorf("unknown public key for %q", c.User())`
			`},`
			`}`

			`privateBytes, err := os.ReadFile("id_rsa")`
			`if err != nil {`
			`log.Fatal("Failed to load private key: ", err)`
			`}`

			`private, err := ssh.ParsePrivateKey(privateBytes)`
			`if err != nil {`
			`log.Fatal("Failed to parse private key: ", err)`
			`}`
			`config.AddHostKey(private)`

			`// Once a ServerConfig has been configured, connections can be`
			`// accepted.`
			`listener, err := net.Listen("tcp", "0.0.0.0:2022")`
			`if err != nil {`
			`log.Fatal("failed to listen for connection: ", err)`
			`}`
			`nConn, err := listener.Accept()`
			`if err != nil {`
			`log.Fatal("failed to accept incoming connection: ", err)`
			`}`

			`// Before use, a handshake must be performed on the incoming`
			`// net.Conn.`
			`conn, chans, reqs, err := ssh.NewServerConn(nConn, config)`
			`if err != nil {`
			`log.Fatal("failed to handshake: ", err)`
			`}`
			`log.Printf("logged in with key %s", conn.Permissions.Extensions["pubkey-fp"])`

			`var wg sync.WaitGroup`
			`defer wg.Wait()`

			`// The incoming Request channel must be serviced.`
			`wg.Add(1)`
			`go func() {`
			`ssh.DiscardRequests(reqs)`
			`wg.Done()`
			`}()`

			`// Service the incoming Channel channel.`
			`for newChannel := range chans {`
			`// Channels have a type, depending on the application level`
			`// protocol intended. In the case of a shell, the type is`
			`// "session" and ServerShell may be used to present a simple`
			`// terminal interface.`
			`if newChannel.ChannelType() != "session" {`
			`newChannel.Reject(ssh.UnknownChannelType, "unknown channel type")`
			`continue`
			`}`
			`channel, requests, err := newChannel.Accept()`
			`if err != nil {`
			`log.Fatalf("Could not accept channel: %v", err)`
			`}`

			`// Sessions have out-of-band requests such as "shell",`
			`// "pty-req" and "env". Here we handle only the`
			`// "shell" request.`
			`wg.Add(1)`
			`go func(in <-chan *ssh.Request) {`
			`for req := range in {`
			`req.Reply(req.Type == "shell", nil)`
			`}`
			`wg.Done()`
			`}(requests)`

			`term := terminal.NewTerminal(channel, "> ")`

			`wg.Add(1)`
			`go func() {`
			`defer func() {`
			`channel.Close()`
			`wg.Done()`
			`}()`
			`for {`
			`line, err := term.ReadLine()`
			`if err != nil {`
			`break`
			`}`
			`fmt.Println(line)`
			`}`
			`}()`
			`}`
			`}`

			`func ExampleServerConfig_AddHostKey() {`
			`// Minimal ServerConfig supporting only password authentication.`
			`config := &ssh.ServerConfig{`
			`PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {`
			`// Should use constant-time compare (or better, salt+hash) in`
			`// a production setting.`
			`if c.User() == "testuser" && string(pass) == "tiger" {`
			`return nil, nil`
			`}`
			`return nil, fmt.Errorf("password rejected for %q", c.User())`
			`},`
			`}`

			`privateBytes, err := os.ReadFile("id_rsa")`
			`if err != nil {`
			`log.Fatal("Failed to load private key: ", err)`
			`}`

			`private, err := ssh.ParsePrivateKey(privateBytes)`
			`if err != nil {`
			`log.Fatal("Failed to parse private key: ", err)`
			`}`
			`// Restrict host key algorithms to disable ssh-rsa.`
			`signer, err := ssh.NewSignerWithAlgorithms(private.(ssh.AlgorithmSigner), []string{ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512})`
			`if err != nil {`
			`log.Fatal("Failed to create private key with restricted algorithms: ", err)`
			`}`
			`config.AddHostKey(signer)`
			`}`

			`func ExampleClientConfig_HostKeyCallback() {`
			`// Every client must provide a host key check. Here is a`
			`// simple-minded parse of OpenSSH's known_hosts file`
			`host := "hostname"`
			`file, err := os.Open(filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts"))`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
			`defer file.Close()`

			`scanner := bufio.NewScanner(file)`
			`var hostKey ssh.PublicKey`
			`for scanner.Scan() {`
			`fields := strings.Split(scanner.Text(), " ")`
			`if len(fields) != 3 {`
			`continue`
			`}`
			`if strings.Contains(fields[0], host) {`
			`var err error`
			`hostKey, _, _, _, err = ssh.ParseAuthorizedKey(scanner.Bytes())`
			`if err != nil {`
			`log.Fatalf("error parsing %q: %v", fields[2], err)`
			`}`
			`break`
			`}`
			`}`

			`if hostKey == nil {`
			`log.Fatalf("no hostkey for %s", host)`
			`}`

			`config := ssh.ClientConfig{`
			`User: os.Getenv("USER"),`
			`HostKeyCallback: ssh.FixedHostKey(hostKey),`
			`}`

			`_, err = ssh.Dial("tcp", host+":22", &config)`
			`log.Println(err)`
			`}`

			`func ExampleDial() {`
			`var hostKey ssh.PublicKey`
			`// An SSH client is represented with a ClientConn.`
			`//`
			`// To authenticate with the remote server you must pass at least one`
			`// implementation of AuthMethod via the Auth field in ClientConfig,`
			`// and provide a HostKeyCallback.`
			`config := &ssh.ClientConfig{`
			`User: "username",`
			`Auth: []ssh.AuthMethod{`
			`ssh.Password("yourpassword"),`
			`},`
			`HostKeyCallback: ssh.FixedHostKey(hostKey),`
			`}`
			`client, err := ssh.Dial("tcp", "yourserver.com:22", config)`
			`if err != nil {`
			`log.Fatal("Failed to dial: ", err)`
			`}`
			`defer client.Close()`

			`// Each ClientConn can support multiple interactive sessions,`
			`// represented by a Session.`
			`session, err := client.NewSession()`
			`if err != nil {`
			`log.Fatal("Failed to create session: ", err)`
			`}`
			`defer session.Close()`

			`// Once a Session is created, you can execute a single command on`
			`// the remote side using the Run method.`
			`var b bytes.Buffer`
			`session.Stdout = &b`
			`if err := session.Run("/usr/bin/whoami"); err != nil {`
			`log.Fatal("Failed to run: " + err.Error())`
			`}`
			`fmt.Println(b.String())`
			`}`

			`func ExamplePublicKeys() {`
			`var hostKey ssh.PublicKey`
			`// A public key may be used to authenticate against the remote`
			`// server by using an unencrypted PEM-encoded private key file.`
			`//`
			`// If you have an encrypted private key, the crypto/x509 package`
			`// can be used to decrypt it.`
			`key, err := os.ReadFile("/home/user/.ssh/id_rsa")`
			`if err != nil {`
			`log.Fatalf("unable to read private key: %v", err)`
			`}`

			`// Create the Signer for this private key.`
			`signer, err := ssh.ParsePrivateKey(key)`
			`if err != nil {`
			`log.Fatalf("unable to parse private key: %v", err)`
			`}`

			`config := &ssh.ClientConfig{`
			`User: "user",`
			`Auth: []ssh.AuthMethod{`
			`// Use the PublicKeys method for remote authentication.`
			`ssh.PublicKeys(signer),`
			`},`
			`HostKeyCallback: ssh.FixedHostKey(hostKey),`
			`}`

			`// Connect to the remote server and perform the SSH handshake.`
			`client, err := ssh.Dial("tcp", "host.com:22", config)`
			`if err != nil {`
			`log.Fatalf("unable to connect: %v", err)`
			`}`
			`defer client.Close()`
			`}`

			`func ExampleClient_Listen() {`
			`var hostKey ssh.PublicKey`
			`config := &ssh.ClientConfig{`
			`User: "username",`
			`Auth: []ssh.AuthMethod{`
			`ssh.Password("password"),`
			`},`
			`HostKeyCallback: ssh.FixedHostKey(hostKey),`
			`}`
			`// Dial your ssh server.`
			`conn, err := ssh.Dial("tcp", "localhost:22", config)`
			`if err != nil {`
			`log.Fatal("unable to connect: ", err)`
			`}`
			`defer conn.Close()`

			`// Request the remote side to open port 8080 on all interfaces.`
			`l, err := conn.Listen("tcp", "0.0.0.0:8080")`
			`if err != nil {`
			`log.Fatal("unable to register tcp forward: ", err)`
			`}`
			`defer l.Close()`

			`// Serve HTTP with your SSH server acting as a reverse proxy.`
			`http.Serve(l, http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {`
			`fmt.Fprintf(resp, "Hello world!\n")`
			`}))`
			`}`

			`func ExampleSession_RequestPty() {`
			`var hostKey ssh.PublicKey`
			`// Create client config`
			`config := &ssh.ClientConfig{`
			`User: "username",`
			`Auth: []ssh.AuthMethod{`
			`ssh.Password("password"),`
			`},`
			`HostKeyCallback: ssh.FixedHostKey(hostKey),`
			`}`
			`// Connect to ssh server`
			`conn, err := ssh.Dial("tcp", "localhost:22", config)`
			`if err != nil {`
			`log.Fatal("unable to connect: ", err)`
			`}`
			`defer conn.Close()`
			`// Create a session`
			`session, err := conn.NewSession()`
			`if err != nil {`
			`log.Fatal("unable to create session: ", err)`
			`}`
			`defer session.Close()`
			`// Set up terminal modes`
			`modes := ssh.TerminalModes{`
			`ssh.ECHO: 0, // disable echoing`
			`ssh.TTY_OP_ISPEED: 14400, // input speed = 14.4kbaud`
			`ssh.TTY_OP_OSPEED: 14400, // output speed = 14.4kbaud`
			`}`
			`// Request pseudo terminal`
			`if err := session.RequestPty("xterm", 40, 80, modes); err != nil {`
			`log.Fatal("request for pseudo terminal failed: ", err)`
			`}`
			`// Start remote shell`
			`if err := session.Shell(); err != nil {`
			`log.Fatal("failed to start shell: ", err)`
			`}`
			`}`

			`func ExampleCertificate_SignCert() {`
			`// Sign a certificate with a specific algorithm.`
			`privateKey, err := rsa.GenerateKey(rand.Reader, 3072)`
			`if err != nil {`
			`log.Fatal("unable to generate RSA key: ", err)`
			`}`
			`publicKey, err := ssh.NewPublicKey(&privateKey.PublicKey)`
			`if err != nil {`
			`log.Fatal("unable to get RSA public key: ", err)`
			`}`
			`caKey, err := rsa.GenerateKey(rand.Reader, 3072)`
			`if err != nil {`
			`log.Fatal("unable to generate CA key: ", err)`
			`}`
			`signer, err := ssh.NewSignerFromKey(caKey)`
			`if err != nil {`
			`log.Fatal("unable to generate signer from key: ", err)`
			`}`
			`mas, err := ssh.NewSignerWithAlgorithms(signer.(ssh.AlgorithmSigner), []string{ssh.KeyAlgoRSASHA256})`
			`if err != nil {`
			`log.Fatal("unable to create signer with algoritms: ", err)`
			`}`
			`certificate := ssh.Certificate{`
			`Key: publicKey,`
			`CertType: ssh.UserCert,`
			`}`
			`if err := certificate.SignCert(rand.Reader, mas); err != nil {`
			`log.Fatal("unable to sign certificate: ", err)`
			`}`
			`// Save the public key to a file and check that rsa-sha-256 is used for`
			`// signing:`
			`// ssh-keygen -L -f <path to the file>`
			`fmt.Println(string(ssh.MarshalAuthorizedKey(&certificate)))`
			`}`