I'm writing a tool which, among other things, needs to be able to modify files over an SSH connection. However, I don't want to have to invoke CLI tools on the remote server due to security concerns (TL;DR: string escaping is really hard). How can I do this with either (a) the ssh command-line tool (invoked locally) or (b) the golang.org/x/crypto/ssh/* packages?
EDIT: Sorry, I forgot to mention. I need to be able to do this all within a single session. On some clients, the server being connected to is behind a load balancer, so if I make multiple invocations, I might end up connecting to different servers.
Establish a master connection with ssh that you keep alive. Then you can download the file to your localhost, modify it and upload it again using scp while tunneling through the master connection.
I am not sure how you plan on doing that. SSH is a very strict protocol which allows you to do specific things: file transfer and terminal connection.
You can see here the features different ssh servers have: https://en.wikipedia.org/wiki/Comparison_of_SSH_servers#Features
But SSH is just a protocol: a set of commands the SSH server (as opposed to the SSH client, which would be your go program) will understand.
If you want to do specific actions, I recommend that you build your own server, which you secure using encryption technologies such as SSL or TLS, and to which your client will connect.
PS: This question is not really Go-related, but more SSH-related, as it works the same for any language.
The most portable way to manipulate files through SSH is to use the SFTP protocol. SFTP is mostly used to transfer files, but it's really a remote filesystem protocol. It has operations to do all of the following on the remote system:
SFTP exposes a POSIX (unix-like) naming scheme. The file separator is a "/" and absolute paths start with "/". File attributes also follow the POSIX model.
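To illustrate the SFTP answer above with respect to the escaping concern in the question, here is an added example (not code from the original answer) that encodes and decodes an SFTP version 3 `SSH_FXP_OPEN` request. The function names and the sample path are constructed for illustration; the constants follow draft-ietf-secsh-filexfer-02.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SFTP version 3 constants (draft-ietf-secsh-filexfer-02).
const (
	fxpOpen  = 3    // SSH_FXP_OPEN
	fxfWrite = 0x02 // SSH_FXF_WRITE
	fxfCreat = 0x08 // SSH_FXF_CREAT
	fxfTrunc = 0x10 // SSH_FXF_TRUNC
)

// u32 appends v to b as a big-endian uint32.
func u32(b []byte, v uint32) []byte {
	return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
}

// MarshalOpen builds an SSH_FXP_OPEN request. The path travels as a
// length-prefixed byte string, so no remote shell ever parses it.
func MarshalOpen(id uint32, path string, pflags uint32) []byte {
	body := u32([]byte{fxpOpen}, id)
	body = append(u32(body, uint32(len(path))), path...)
	body = u32(u32(body, pflags), 0) // pflags, then empty ATTRS (flags = 0)
	return append(u32(nil, uint32(len(body))), body...)
}

// ParseOpen decodes the packet the way a server would read it, rejecting
// packets whose length fields do not match the bytes actually present.
func ParseOpen(pkt []byte) (id uint32, path string, pflags uint32, err error) {
	if len(pkt) < 13 || pkt[4] != fxpOpen {
		return 0, "", 0, errors.New("not an SSH_FXP_OPEN packet")
	}
	rem := uint64(len(pkt) - 13) // bytes after the path length field
	n := uint64(binary.BigEndian.Uint32(pkt[9:]))
	if uint64(binary.BigEndian.Uint32(pkt)) != rem+9 || n > rem || rem-n < 8 {
		return 0, "", 0, errors.New("malformed or truncated packet")
	}
	id = binary.BigEndian.Uint32(pkt[5:])
	return id, string(pkt[13 : 13+n]), binary.BigEndian.Uint32(pkt[13+n:]), nil
}

func main() {
	// Constructed sample path full of shell metacharacters.
	p := `/srv/app/it's $(date) "v2"; notes.txt`
	pkt := MarshalOpen(1, p, fxfWrite|fxfCreat|fxfTrunc)
	_, got, _, err := ParseOpen(pkt)
	fmt.Printf("%d bytes, path unchanged: %v, err: %v\n", len(pkt), got == p, err)
}
```

With golang.org/x/crypto/ssh, packets like this are exchanged over one session after `RequestSubsystem("sftp")`, so every file operation stays on the same connection.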