Skip to content

gRPC-based Remote Command Execution Agent

License

Notifications You must be signed in to change notification settings

square/rce-agent

Repository files navigation

RCE Agent

Build and Tests Go Report Card Go Reference

rce-agent is a gRPC-based Remote Command Execution (RCE) client and server. The server (or "agent") runs on a remote host and executes a whitelist of shell commands specified in a file. The client calls the agent to execute whitelist commands. TLS is used to secure and authenticate both client and server.

rce-agent replaces SSH and other methods of remote code execution. There are no passwords—only TLS certificates—and commands are limited to a whitelist. This eliminates the need for SSH keys, passwords, or forwarding.

RCE Agent diagram

This package is meant to be integrated into your code. The rce.Client and rce.Server objects do all the heavy lifting so your client and agent code can focus on their domain-specific logic. See example/ for example code.

RCE Agent is also meant to be used with your private certificate authority (CA) for TLS-encrypted communication and mutual authentication of client and agent. (Setting up a private CA is beyond the scope of this project, but we highly suggest you use one!) Normally, only the client verifies the server's TLS certificate (cert). For additional security, your code should use rce.TLSFiles to create Go tls.Config which makes the server (agent) verify the client's cert, too.