Example #1
0
func fingerprintCallback(opts *options.SSHOptions, expectedFingerprint string) hostKeyCallback {
	if opts.SkipHostValidation {
		return nil
	}

	return func(hostname string, remote net.Addr, key ssh.PublicKey) error {
		switch len(expectedFingerprint) {
		case helpers.SHA1_FINGERPRINT_LENGTH:
			fingerprint := helpers.SHA1Fingerprint(key)
			if fingerprint != expectedFingerprint {
				return fmt.Errorf("Host key verification failed.\n\nThe fingerprint of the received key was %q.", fingerprint)
			}
		case helpers.MD5_FINGERPRINT_LENGTH:
			fingerprint := helpers.MD5Fingerprint(key)
			if fingerprint != expectedFingerprint {
				return fmt.Errorf("Host key verification failed.\n\nThe fingerprint of the received key was %q.", fingerprint)
			}
		case 0:
			fingerprint := helpers.MD5Fingerprint(key)
			return fmt.Errorf("Unable to verify identity of host.\n\nThe fingerprint of the received key was %q.", fingerprint)
		default:
			return errors.New("Unsupported host key fingerprint format")
		}
		return nil
	}
}
Example #2
0
func NewClientConn(logger lager.Logger, permissions *ssh.Permissions) (ssh.Conn, <-chan ssh.NewChannel, <-chan *ssh.Request, error) {
	if permissions == nil || permissions.CriticalOptions == nil {
		err := errors.New("Invalid permissions from authentication")
		logger.Error("permissions-and-critical-options-required", err)
		return nil, nil, nil, err
	}

	targetConfigJson := permissions.CriticalOptions["proxy-target-config"]
	logger = logger.Session("new-client-conn", lager.Data{
		"proxy-target-config": targetConfigJson,
	})

	var targetConfig TargetConfig
	err := json.Unmarshal([]byte(permissions.CriticalOptions["proxy-target-config"]), &targetConfig)
	if err != nil {
		logger.Error("unmarshal-failed", err)
		return nil, nil, nil, err
	}

	nConn, err := net.Dial("tcp", targetConfig.Address)
	if err != nil {
		logger.Error("dial-failed", err)
		return nil, nil, nil, err
	}

	clientConfig := &ssh.ClientConfig{}

	if targetConfig.User != "" {
		clientConfig.User = targetConfig.User
	}

	if targetConfig.PrivateKey != "" {
		key, err := ssh.ParsePrivateKey([]byte(targetConfig.PrivateKey))
		if err != nil {
			logger.Error("parsing-key-failed", err)
			return nil, nil, nil, err
		}
		clientConfig.Auth = append(clientConfig.Auth, ssh.PublicKeys(key))
	}

	if targetConfig.User != "" && targetConfig.Password != "" {
		clientConfig.Auth = append(clientConfig.Auth, ssh.Password(targetConfig.Password))
	}

	if targetConfig.HostFingerprint != "" {
		clientConfig.HostKeyCallback = func(hostname string, remote net.Addr, key ssh.PublicKey) error {
			expectedFingerprint := targetConfig.HostFingerprint

			var actualFingerprint string
			switch utf8.RuneCountInString(expectedFingerprint) {
			case helpers.MD5_FINGERPRINT_LENGTH:
				actualFingerprint = helpers.MD5Fingerprint(key)
			case helpers.SHA1_FINGERPRINT_LENGTH:
				actualFingerprint = helpers.SHA1Fingerprint(key)
			}

			if expectedFingerprint != actualFingerprint {
				err := errors.New("Host fingerprint mismatch")
				logger.Error("host-key-fingerprint-mismatch", err)
				return err
			}

			return nil
		}
	}

	conn, ch, req, err := ssh.NewClientConn(nConn, targetConfig.Address, clientConfig)
	if err != nil {
		logger.Error("handshake-failed", err)
		return nil, nil, nil, err
	}

	return conn, ch, req, nil
}
Example #3
0
		actualLRPGroupResponse      *models.ActualLRPGroupResponse
		getDesiredLRPRequest        *models.DesiredLRPByProcessGuidRequest
		desiredLRPResponse          *models.DesiredLRPResponse

		processGuid  string
		clientConfig *ssh.ClientConfig
	)

	BeforeEach(func() {
		fakeBBS = ghttp.NewServer()
		fakeUAA = ghttp.NewTLSServer()
		fakeCC = ghttp.NewTLSServer()

		privateKey, err := ssh.ParsePrivateKey([]byte(hostKeyPem))
		Expect(err).NotTo(HaveOccurred())
		hostKeyFingerprint = helpers.MD5Fingerprint(privateKey.PublicKey())

		address = fmt.Sprintf("127.0.0.1:%d", sshProxyPort)
		bbsAddress = fakeBBS.URL()
		ccAPIURL = fakeCC.URL()
		diegoCredentials = "some-creds"
		enableCFAuth = true
		enableDiegoAuth = true
		hostKey = hostKeyPem
		skipCertVerify = true
		processGuid = "app-guid-app-version"

		u, err := url.Parse(fakeUAA.URL())
		Expect(err).NotTo(HaveOccurred())

		u.Path = "/oauth/token"
Example #4
0
			{"file-server", fileServer},
			{"rep", componentMaker.Rep()},
			{"converger", componentMaker.Converger()},
			{"auctioneer", componentMaker.Auctioneer()},
			{"route-emitter", componentMaker.RouteEmitter()},
			{"ssh-proxy", componentMaker.SSHProxy()},
		}))

		tgCompressor := compressor.NewTgz()
		err := tgCompressor.Compress(componentMaker.Artifacts.Executables["sshd"], filepath.Join(fileServerStaticDir, "sshd.tgz"))
		Expect(err).NotTo(HaveOccurred())

		sshRoute := routes.SSHRoute{
			ContainerPort:   3456,
			PrivateKey:      componentMaker.SSHConfig.PrivateKeyPem,
			HostFingerprint: ssh_helpers.MD5Fingerprint(componentMaker.SSHConfig.HostKey.PublicKey()),
		}

		sshRoutePayload, err := json.Marshal(sshRoute)
		Expect(err).NotTo(HaveOccurred())

		sshRouteMessage := json.RawMessage(sshRoutePayload)

		envVars := []receptor.EnvironmentVariable{
			{Name: "TEST", Value: "foobar"},
		}

		lrp = receptor.DesiredLRPCreateRequest{
			ProcessGuid: processGuid,
			Domain:      "inigo",
			Instances:   2,
Example #5
0
		It("correctly represents the private key", func() {
			privateKey, err := ssh.ParsePrivateKey([]byte(keyPair.PEMEncodedPrivateKey()))
			Expect(err).NotTo(HaveOccurred())

			Expect(privateKey.PublicKey().Marshal()).To(Equal(keyPair.PublicKey().Marshal()))
		})
	})

	Describe("PublicKey", func() {
		It("equals the public key associated with the private key", func() {
			Expect(keyPair.PrivateKey().PublicKey().Marshal()).To(Equal(keyPair.PublicKey().Marshal()))
		})
	})

	Describe("Fingerprint", func() {
		It("equals the MD5 fingerprint of the public key", func() {
			expectedFingerprint := helpers.MD5Fingerprint(keyPair.PublicKey())

			Expect(keyPair.Fingerprint()).To(Equal(expectedFingerprint))
		})
	})

	Describe("AuthorizedKey", func() {
		It("equals the authorized key formatted public key", func() {
			expectedAuthorizedKey := string(ssh.MarshalAuthorizedKey(keyPair.PublicKey()))

			Expect(keyPair.AuthorizedKey()).To(Equal(expectedAuthorizedKey))
		})
	})
})
Example #6
0
			daemonSSHConfig.AddHostKey(TestHostKey)
			daemonGlobalRequestHandlers = map[string]handlers.GlobalRequestHandler{}
			daemonNewChannelHandlers = map[string]handlers.NewChannelHandler{}

			var err error
			proxyListener, err = net.Listen("tcp", "127.0.0.1:0")
			Expect(err).NotTo(HaveOccurred())
			proxyAddress = proxyListener.Addr().String()

			sshdListener, err = net.Listen("tcp", "127.0.0.1:0")
			Expect(err).NotTo(HaveOccurred())
			daemonAddress = sshdListener.Addr().String()

			daemonTargetConfig = proxy.TargetConfig{
				Address:         daemonAddress,
				HostFingerprint: helpers.MD5Fingerprint(TestHostKey.PublicKey()),
				User:            "******",
				Password:        "******",
			}

			targetConfigJson, err := json.Marshal(daemonTargetConfig)
			Expect(err).NotTo(HaveOccurred())

			logMessageJson, err := json.Marshal(proxy.LogMessage{
				Guid:    "a-guid",
				Message: "a-message",
				Index:   1,
			})
			Expect(err).NotTo(HaveOccurred())

			permissions := &ssh.Permissions{
Example #7
0
func (k *rsaKeyPair) Fingerprint() string {
	return helpers.MD5Fingerprint(k.PublicKey())
}
)

var _ = Describe("Fingerprint", func() {
	var publicKey ssh.PublicKey
	var fingerprint string

	BeforeEach(func() {
		privateKey, err := ssh.ParsePrivateKey([]byte(TestPrivateKeyPem))
		Expect(err).NotTo(HaveOccurred())

		publicKey = privateKey.PublicKey()
	})

	Describe("MD5 Fingerprint", func() {
		BeforeEach(func() {
			fingerprint = helpers.MD5Fingerprint(publicKey)
		})

		It("should have the correct length", func() {
			Expect(utf8.RuneCountInString(fingerprint)).To(Equal(helpers.MD5_FINGERPRINT_LENGTH))
		})

		It("should match the expected fingerprint", func() {
			Expect(fingerprint).To(Equal(ExpectedMD5Fingerprint))
		})
	})

	Describe("SHA1 Fingerprint", func() {
		BeforeEach(func() {
			fingerprint = helpers.SHA1Fingerprint(publicKey)
		})