Implement SSH Server proxy with Sentrius safeguards integration

Co-authored-by: phrocker <1781585+phrocker@users.noreply.github.com>

Author: Copilot

pom.xml

@@ -19,6 +19,7 @@
     <module>analytics</module>
     <module>ai-agent</module>
     <module>agent-launcher</module>
+    <module>ssh-proxy</module>
   </modules>
   <properties>
     <java.version>17</java.version>

sentrius-chart/templates/ssh-proxy-deployment.yaml

@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sentrius-ssh-proxy
+  labels:
+    app: sentrius-ssh-proxy
+    release: {{ .Release.Name }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: sentrius-ssh-proxy
+  template:
+    metadata:
+      labels:
+        app: sentrius-ssh-proxy
+    spec:
+      containers:
+        - name: sentrius-ssh-proxy
+          image: "{{ .Values.sshproxy.image.repository }}:{{ .Values.sshproxy.image.tag }}"
+          imagePullPolicy: {{ .Values.sshproxy.image.pullPolicy }}
+          ports:
+            - containerPort: {{ .Values.sshproxy.port }}
+              name: ssh
+            - containerPort: 8090
+              name: http
+          env:
+            - name: SENTRIUS_SSH_PROXY_ENABLED
+              value: "{{ .Values.sshproxy.enabled }}"
+            - name: SENTRIUS_SSH_PROXY_PORT
+              value: "{{ .Values.sshproxy.port }}"
+            - name: SENTRIUS_SSH_PROXY_TARGET_SSH_DEFAULT_HOST
+              value: "{{ .Values.sshproxy.targetSsh.defaultHost }}"
+            - name: SENTRIUS_SSH_PROXY_TARGET_SSH_DEFAULT_PORT
+              value: "{{ .Values.sshproxy.targetSsh.defaultPort }}"
+          resources:
+            {{- toYaml .Values.sshproxy.resources | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /actuator/health
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /actuator/health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5

sentrius-chart/templates/ssh-proxy-service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sentrius-ssh-proxy
+  labels:
+    app: sentrius-ssh-proxy
+    release: {{ .Release.Name }}
+spec:
+  type: {{ .Values.sshproxy.serviceType }}
+  ports:
+    - port: {{ .Values.sshproxy.port }}
+      targetPort: {{ .Values.sshproxy.port }}
+      protocol: TCP
+      name: ssh
+      {{- if and (eq .Values.sshproxy.serviceType "NodePort") .Values.sshproxy.nodePort }}
+      nodePort: {{ .Values.sshproxy.nodePort }}
+      {{- end }}
+    - port: 8090
+      targetPort: 8090
+      protocol: TCP
+      name: http
+  selector:
+    app: sentrius-ssh-proxy

sentrius-chart/values.yaml

@@ -365,4 +365,21 @@ neo4j:
     NEO4J_server_config_strict__validation__enabled: "true"
 
 adminer:
-  enabled: false
+  enabled: false
+
+# SSH Proxy configuration
+sshproxy:
+  enabled: true
+  image:
+    repository: sentrius-ssh-proxy
+    tag: tag
+    pullPolicy: IfNotPresent
+  port: 2222
+  serviceType: ClusterIP
+  nodePort: 30022  # Only used if serviceType is NodePort
+  resources: {}
+  targetSsh:
+    defaultHost: "localhost"
+    defaultPort: 22
+    connectionTimeout: 30000
+    keepAliveInterval: 60000

ssh-proxy/README.md

@@ -0,0 +1,91 @@
+# Sentrius SSH Proxy Server
+
+The SSH Proxy Server provides an SSH server that applies the same safeguards seen in Sentrius UI to any SSH client. Commands are intercepted and processed through Sentrius's trigger-based security system, with responses provided inline in the terminal.
+
+## Features
+
+- **SSH Server**: Standard SSH server accepting connections from any SSH client
+- **Inline Security Responses**: Security policy responses shown directly in the terminal
+- **Trigger Integration**: Applies the same trigger-based safeguards as the Sentrius UI
+- **Command Filtering**: Basic command filtering with DENY, WARN, and other actions
+- **Terminal-Friendly Messages**: Colored, formatted responses optimized for terminal display
+
+## Configuration
+
+The SSH proxy can be configured via application properties:
+
+```properties
+# SSH Proxy Configuration
+sentrius.ssh-proxy.enabled=true
+sentrius.ssh-proxy.port=2222
+sentrius.ssh-proxy.host-key-path=/tmp/ssh-proxy-hostkey.ser
+sentrius.ssh-proxy.max-concurrent-sessions=100
+
+# Target SSH Configuration  
+sentrius.ssh-proxy.target-ssh.default-host=localhost
+sentrius.ssh-proxy.target-ssh.default-port=22
+sentrius.ssh-proxy.target-ssh.connection-timeout=30000
+sentrius.ssh-proxy.target-ssh.keep-alive-interval=60000
+```
+
+## Usage
+
+1. **Start the SSH Proxy Server**:
+   ```bash
+   mvn spring-boot:run -pl ssh-proxy
+   ```
+
+2. **Connect with any SSH client**:
+   ```bash
+   ssh -p 2222 username@localhost
+   ```
+
+3. **Commands are processed through Sentrius safeguards**:
+   - Dangerous commands like `rm -rf` are blocked with red error messages
+   - Warning commands like `sudo` show yellow warning messages
+   - All responses appear inline in your terminal
+
+## Security Responses
+
+The SSH proxy translates Sentrius trigger actions into terminal-friendly responses:
+
+- **DENY_ACTION**: Red "COMMAND BLOCKED" message
+- **WARN_ACTION**: Yellow "WARNING" message  
+- **RECORD_ACTION**: Green "RECORDING" notification
+- **PROMPT_ACTION**: Blue interactive prompt
+- **JIT_ACTION**: Yellow "JUST-IN-TIME ACCESS" message
+
+## Built-in Commands
+
+- `help` - Show available commands
+- `status` - Show session status
+- `exit` - Close SSH session
+
+## Helm Deployment
+
+The SSH proxy is included in the Sentrius Helm chart:
+
+```yaml
+sshproxy:
+  enabled: true
+  port: 2222
+  serviceType: ClusterIP
+  targetSsh:
+    defaultHost: "target-ssh-server"
+    defaultPort: 22
+```
+
+## Architecture
+
+- **SshProxyServerService**: Main SSH server using Apache SSHD
+- **SshProxyShellHandler**: Manages individual SSH sessions  
+- **InlineTerminalResponseService**: Formats security responses for terminal
+- **SshCommandProcessor**: Applies trigger-based command filtering
+
+## Future Enhancements
+
+- Integration with full Sentrius session management
+- Command forwarding to actual target SSH servers
+- Interactive prompt handling for complex security decisions
+- Integration with Sentrius user authentication system
+- Enhanced trigger rule configuration

ssh-proxy/demo.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Sentrius SSH Proxy Demo Script
+# This script demonstrates the SSH proxy functionality
+
+echo "=== Sentrius SSH Proxy Server Demo ==="
+echo "This script shows how the SSH proxy applies safeguards to SSH commands"
+echo ""
+
+# Start SSH proxy in background
+echo "Starting SSH Proxy Server..."
+cd /home/runner/work/Sentrius/Sentrius/ssh-proxy
+
+# Create a simple test to show trigger responses
+echo "Testing trigger response formatting..."
+
+# Test the terminal response service
+mvn exec:java -Dexec.mainClass="io.sentrius.sso.sshproxy.SshProxyApplication" \
+    -Dexec.args="--spring.profiles.active=demo" \
+    -Dsentrius.ssh-proxy.port=2222 \
+    -Dsentrius.ssh-proxy.enabled=true &
+
+SSH_PID=$!
+
+echo "SSH Proxy started with PID: $SSH_PID"
+echo "You can now connect with: ssh -p 2222 testuser@localhost"
+echo ""
+echo "Try these commands to see safeguards in action:"
+echo "  - 'sudo rm -rf /' (will be BLOCKED)"
+echo "  - 'sudo ls' (will show WARNING)"  
+echo "  - 'ls' (will be allowed)"
+echo "  - 'help' (shows built-in commands)"
+echo "  - 'exit' (closes session)"
+echo ""
+echo "Press Ctrl+C to stop the demo"
+
+# Wait for user to stop
+trap "kill $SSH_PID 2>/dev/null; echo 'SSH Proxy stopped'; exit 0" INT
+wait

ssh-proxy/pom.xml

@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>io.sentrius</groupId>
+        <artifactId>sentrius</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>ssh-proxy</artifactId>
+    <packaging>jar</packaging>
+    <name>ssh-proxy</name>
+    <description>SSH proxy server that applies Sentrius safeguards</description>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+    </properties>
+
+    <dependencies>
+        <!-- Sentrius core dependencies -->
+        <dependency>
+            <groupId>io.sentrius</groupId>
+            <artifactId>sentrius-core</artifactId>
+            <version>1.0.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>io.sentrius</groupId>
+            <artifactId>sentrius-dataplane</artifactId>
+            <version>1.0.0-SNAPSHOT</version>
+        </dependency>
+
+        <!-- Spring Boot -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+
+        <!-- SSH Library -->
+        <dependency>
+            <groupId>com.github.mwiede</groupId>
+            <artifactId>jsch</artifactId>
+            <version>${jsch-version}</version>
+        </dependency>
+
+        <!-- Apache SSHD for SSH server -->
+        <dependency>
+            <groupId>org.apache.sshd</groupId>
+            <artifactId>sshd-core</artifactId>
+            <version>2.12.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sshd</groupId>
+            <artifactId>sshd-sftp</artifactId>
+            <version>2.12.0</version>
+        </dependency>
+
+        <!-- Lombok -->
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- Testing -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+                <configuration>
+                    <excludes>
+                        <exclude>
+                            <groupId>org.projectlombok</groupId>
+                            <artifactId>lombok</artifactId>
+                        </exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>

ssh-proxy/src/main/java/io/sentrius/sso/sshproxy/SshProxyApplication.java

@@ -0,0 +1,18 @@
+package io.sentrius.sso.sshproxy;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.ComponentScan;
+
+@SpringBootApplication
+@ComponentScan(basePackages = {
+    "io.sentrius.sso.sshproxy",
+    "io.sentrius.sso.core",
+    "io.sentrius.sso.automation"
+})
+public class SshProxyApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(SshProxyApplication.class, args);
+    }
+}

ssh-proxy/src/main/java/io/sentrius/sso/sshproxy/config/SshProxyConfig.java

@@ -0,0 +1,27 @@
+package io.sentrius.sso.sshproxy.config;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+
+@Data
+@Component
+@ConfigurationProperties(prefix = "sentrius.ssh-proxy")
+public class SshProxyConfig {
+    
+    private int port = 2222; // Default port for SSH proxy
+    private String hostKeyPath = "/tmp/hostkey.ser";
+    private boolean enabled = true;
+    private int maxConcurrentSessions = 100;
+    
+    // Target SSH configuration
+    private TargetSsh targetSsh = new TargetSsh();
+    
+    @Data
+    public static class TargetSsh {
+        private String defaultHost = "localhost";
+        private int defaultPort = 22;
+        private int connectionTimeout = 30000;
+        private int keepAliveInterval = 60000;
+    }
+}