func openLog(path string) (io.WriteCloser, error) {
m := scpPathRe.FindStringSubmatch(path)
if m == nil {
return os.OpenFile(path, os.O_WRONLY|os.O_CREATE, 0600)
} else {
user, pass, host, port, path := m[1], m[2], m[3], m[4], m[5]
if path == "" {
return nil, errors.New("blank remote file path")
}
if port == "" {
port = "22"
} else {
port = port[1:]
}
config := ssh.ClientConfig{
User: user,
Auth: []ssh.AuthMethod{ssh.KeyboardInteractive(sshKeyboardAuth)},
}
if pass != "" {
config.Auth = append([]ssh.AuthMethod{ssh.Password(pass[1:])}, config.Auth...)
} else {
config.Auth = append([]ssh.AuthMethod{ssh.PasswordCallback(func() (string, error) {
fmt.Printf("Password: "******"tcp", net.JoinHostPort(host, port), &config)
if err != nil {
return nil, err
}
session, err := client.NewSession()
if err != nil {
return nil, err
}
inputStream, err := session.StdinPipe()
if err != nil {
session.Close()
return nil, err
}
cmd := fmt.Sprintf("cat > %s", shellEscape(path))
if err := session.Start(cmd); err != nil {
session.Close()
return nil, err
}
return inputStream, nil
}
}
func (ssc *SSHConfig) Connect() (err tree_lib.TreeError) {
var (
client_conf ssh.ClientConfig
)
err.From = tree_lib.FROM_SSH_CONNECT
client_conf.User = ssc.Username
if len(ssc.Password) > 0 {
client_conf.Auth = []ssh.AuthMethod{ssh.Password(ssc.Password)}
} else {
client_conf.Auth = []ssh.AuthMethod{ssh_agent()}
}
ssc.conn, err.Err = ssh.Dial("tcp", fmt.Sprintf("%s:%d", ssc.Host, ssc.Port), &client_conf)
return
}
func (ih *InputHandler) createSession(config *InputEntry) (session *ssh.Session, err error) {
var authMethod []ssh.AuthMethod
var key *ssh.Signer
if !config.Cred.IsPasswordAuth() {
key, err = ih.parsePrivateKey(config.Cred.Identity)
if err != nil {
return
}
authMethod = []ssh.AuthMethod{ssh.PublicKeys(*key)}
} else {
authMethod = []ssh.AuthMethod{ssh.Password(config.Cred.Pass)}
}
sshConfig := new(ssh.ClientConfig)
sshConfig.User = config.Cred.User
sshConfig.Auth = authMethod
port := uint16(22)
if config.Port != 0 {
port = config.Port
}
hostNameString := fmt.Sprintf("%s:%d", config.Host, port)
client, err := ssh.Dial("tcp", hostNameString, sshConfig)
if err != nil {
return
}
session, err = client.NewSession()
return
}
func AddSSHIdentity(sshConfig *ssh.ClientConfig, p string) error {
a, err := parsePrivateKeyFile(p)
if err != nil {
return err
}
sshConfig.Auth = append(sshConfig.Auth, a)
return nil
}
func sshConfig(state multistep.StateBag) (*ssh.ClientConfig, error) {
config := state.Get("config").(Config)
clientConfig := ssh.ClientConfig{User: config.SSHUsername}
if config.OsSnapshot == "" && config.IpxeUrl == "" {
// default case where vultr generated the password
password := state.Get("default_password").(string)
clientConfig.Auth = []ssh.AuthMethod{ssh.Password(password)}
} else if config.SSHPassword != "" {
// special case but we got a password
clientConfig.Auth = []ssh.AuthMethod{ssh.Password(config.SSHPassword)}
} else {
// special case and we got a key
signer, err := ssh.ParsePrivateKey([]byte(config.SSHPrivateKey))
if err != nil {
return nil, fmt.Errorf("Error setting up SSH config: %s", err)
}
clientConfig.Auth = []ssh.AuthMethod{ssh.PublicKeys(signer)}
}
return &clientConfig, nil
}
func TestServer(t *testing.T) {
shellScript := `#!/bin/sh
echo $*
exit
`
shell, err := ioutil.TempFile("", "govcs-ssh-shell")
if err != nil {
t.Fatal(err)
}
shell.WriteString(shellScript)
if err := shell.Chmod(0700); err != nil {
t.Fatal(err)
}
if err := shell.Close(); err != nil {
t.Fatal(err)
}
defer os.RemoveAll(shell.Name())
s, err := NewServer(shell.Name(), "/tmp", PrivateKey(SamplePrivKey))
if err != nil {
t.Fatal(err)
}
if err := s.Start(); err != nil {
t.Fatal(err)
}
// Client
cauth, err := clientAuth(SamplePrivKey)
if err != nil {
t.Fatal(err)
}
cconf := ssh.ClientConfig{User: "******"}
cconf.Auth = append(cconf.Auth, cauth)
sshc, err := ssh.Dial(s.l.Addr().Network(), s.l.Addr().String(), &cconf)
if err != nil {
t.Fatal(err)
}
defer sshc.Close()
session, err := sshc.NewSession()
if err != nil {
t.Fatal(err)
}
defer session.Close()
out, err := session.CombinedOutput("git-upload-pack 'foo'")
if err != nil {
t.Fatal(err)
}
if got, want := string(out), "-c git-upload-pack 'foo'\n"; got != want {
t.Errorf("got ssh session output %q, want %q", got, want)
}
}
func TestAuth(t *testing.T) {
a, b, err := netPipe()
if err != nil {
t.Fatalf("netPipe: %v", err)
}
defer a.Close()
defer b.Close()
agent, _, cleanup := startAgent(t)
defer cleanup()
if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["rsa"], Comment: "comment"}); err != nil {
t.Errorf("Add: %v", err)
}
serverConf := ssh.ServerConfig{}
serverConf.AddHostKey(testSigners["rsa"])
serverConf.PublicKeyCallback = func(c ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
return nil, nil
}
return nil, errors.New("pubkey rejected")
}
go func() {
conn, _, _, err := ssh.NewServerConn(a, &serverConf)
if err != nil {
t.Fatalf("Server: %v", err)
}
conn.Close()
}()
conf := ssh.ClientConfig{}
conf.Auth = append(conf.Auth, ssh.PublicKeysCallback(agent.Signers))
conn, _, _, err := ssh.NewClientConn(b, "", &conf)
if err != nil {
t.Fatalf("NewClientConn: %v", err)
}
conn.Close()
}
func clientDo() error {
var cc ssh.ClientConfig
cc.User = string(testUser)
cc.Auth = append(cc.Auth, ssh.Password(string(testPass)))
conn, e := ssh.Dial("tcp4", "127.0.0.1:2022", &cc)
if e != nil {
return e
}
defer conn.Close()
cl, e := client.NewClient(conn)
if e != nil {
return e
}
cl.Mkdir("/D")
cl.Chmod("/D", 0700)
cl.Remove("/D")
rs, e := cl.ReadDir("/")
if e != nil {
return e
}
tdebug(rs)
return nil
}
It("attempts to acquire the lrp info from the BBS", func() {
ssh.Dial("tcp", address, clientConfig)
Expect(fakeBBS.ReceivedRequests()).To(HaveLen(1))
})
It("fails the authentication", func() {
_, err := ssh.Dial("tcp", address, clientConfig)
Expect(err).To(MatchError(ContainSubstring("ssh: handshake failed")))
})
})
Context("when invalid credentials are presented", func() {
BeforeEach(func() {
clientConfig.Auth = []ssh.AuthMethod{
ssh.Password("bogus-password"),
}
})
It("fails diego authentication when the wrong credentials are used", func() {
_, err := ssh.Dial("tcp", address, clientConfig)
Expect(err).To(MatchError(ContainSubstring("ssh: handshake failed")))
})
})
Context("and the enableDiegoAuth flag is set to false", func() {
BeforeEach(func() {
enableDiegoAuth = false
})
It("fails the authentication", func() {
func TestServer(t *testing.T) {
var shellScript string
if runtime.GOOS == "windows" {
shellScript = `@echo off
set flag=%1
set flag=%flag:"=%
set args=%2
set args=%args:"=%
echo %flag% %args%
`
} else {
shellScript = `#!/bin/sh
echo $*
exit
`
}
shell, dir, err := internal.ScriptFile("govcs-ssh-shell")
if err != nil {
t.Fatal(err)
}
defer os.Remove(shell)
if dir != "" {
defer os.RemoveAll(dir)
}
err = internal.WriteFileWithPermissions(shell, []byte(shellScript), 0700)
if err != nil {
t.Fatal(err)
}
s, err := NewServer(shell, os.TempDir(), PrivateKey(SamplePrivKey))
if err != nil {
t.Fatal(err)
}
if err := s.Start(); err != nil {
t.Fatal(err)
}
// Client
cauth, err := clientAuth(SamplePrivKey)
if err != nil {
t.Fatal(err)
}
cconf := ssh.ClientConfig{User: "******"}
cconf.Auth = append(cconf.Auth, cauth)
sshc, err := ssh.Dial(s.l.Addr().Network(), s.l.Addr().String(), &cconf)
if err != nil {
t.Fatal(err)
}
defer sshc.Close()
session, err := sshc.NewSession()
if err != nil {
t.Fatal(err)
}
defer session.Close()
out, err := session.CombinedOutput("git-upload-pack 'foo'")
if err != nil {
t.Fatal(err)
}
if got, want := strings.TrimSpace(string(out)), "-c git-upload-pack 'foo'"; got != want {
t.Errorf("got ssh session output %q, want %q", got, want)
}
}
client, err := ssh.Dial("tcp", address, clientConfig)
Expect(err).NotTo(HaveOccurred())
session, err := client.NewSession()
Expect(err).NotTo(HaveOccurred())
output, err := session.Output("echo -n hello")
Expect(err).NotTo(HaveOccurred())
Expect(string(output)).To(Equal("hello"))
})
})
Context("when authentication fails", func() {
BeforeEach(func() {
clientConfig.Auth = []ssh.AuthMethod{ssh.Password("bad password")}
fakeCC.RouteToHandler("GET", "/internal/apps/app-guid/ssh_access",
ghttp.CombineHandlers(
ghttp.VerifyRequest("GET", "/internal/apps/app-guid/ssh_access"),
ghttp.RespondWithJSONEncoded(http.StatusUnauthorized, ""),
),
)
})
It("logs the authentication failure", func() {
_, err := ssh.Dial("tcp", address, clientConfig)
Expect(err).To(MatchError(ContainSubstring("ssh: handshake failed")))
Expect(runner).To(gbytes.Say("authentication-failed.*cf:app-guid/0"))
})
})
