func TestAgentForward(t *testing.T) {
server := newServer(t)
defer server.Shutdown()
conn := server.Dial(clientConfig())
defer conn.Close()
keyring := agent.NewKeyring()
keyring.Add(testPrivateKeys["dsa"], nil, "")
pub := testPublicKeys["dsa"]
sess, err := conn.NewSession()
if err != nil {
t.Fatalf("NewSession: %v", err)
}
if err := agent.RequestAgentForwarding(sess); err != nil {
t.Fatalf("RequestAgentForwarding: %v", err)
}
if err := agent.ForwardToAgent(conn, keyring); err != nil {
t.Fatalf("SetupForwardKeyring: %v", err)
}
out, err := sess.CombinedOutput("ssh-add -L")
if err != nil {
t.Fatalf("running ssh-add: %v, out %s", err, out)
}
key, _, _, _, err := ssh.ParseAuthorizedKey(out)
if err != nil {
t.Fatalf("ParseAuthorizedKey(%q): %v", out, err)
}
if !bytes.Equal(key.Marshal(), pub.Marshal()) {
t.Fatalf("got key %s, want %s", ssh.MarshalAuthorizedKey(key), ssh.MarshalAuthorizedKey(pub))
}
}
// CreateSSHKey is used to generate rsa private & public keys that are used to
// set keys for ssh login to a server.
func CreateSSHKey() (string, string, error) {
pk, e := rsa.GenerateKey(rand.Reader, 2014)
if e != nil {
return "", "", e
}
pkDer := x509.MarshalPKCS1PrivateKey(pk)
pkBlk := pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: pkDer,
}
pkPem := string(pem.EncodeToMemory(&pkBlk))
pubK := pk.PublicKey
pub, e := ssh.NewPublicKey(&pubK)
if e != nil {
return "", "", e
}
pubBytes := ssh.MarshalAuthorizedKey(pub)
return string(pkPem), string(pubBytes), nil
}
func TestSSHD(t *testing.T) {
block, _ := pem.Decode([]byte(testClientPrivateKey))
rsakey, _ := x509.ParsePKCS1PrivateKey(block.Bytes)
pub, _ := ssh.NewPublicKey(&rsakey.PublicKey)
cmd, c, err := startSSHD(ssh.MarshalAuthorizedKey(pub))
if err != nil {
t.Fatal(err)
}
defer cmd.Wait()
defer cmd.Process.Kill()
u, err := user.Current()
if err != nil {
t.Fatal(err)
}
_ = u
config := &ssh.ClientConfig{
User: u.Username,
Auth: []ssh.ClientAuth{ssh.ClientAuthKeyring(&keyring{rsakey})},
}
client, err := ssh.Client(c, config)
if err != nil {
t.Fatal(err)
}
sess, err := client.NewSession()
if err != nil {
t.Fatal(err)
}
out, err := sess.Output("echo hello")
if err != nil {
t.Fatal(err)
}
if string(out) != "hello\n" {
t.Fatalf("out = %q want %q", string(out), "hello\n")
}
}
func GenerateKey() (pkPem []byte, pubkPem []byte, pubSSHAK []byte, err error) {
pk, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return
}
pkDer := x509.MarshalPKCS1PrivateKey(pk)
pkBlock := pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: pkDer,
}
pkPem = pem.EncodeToMemory(&pkBlock)
pubk := pk.PublicKey
pubkDer, err := x509.MarshalPKIXPublicKey(&pubk)
if err != nil {
return
}
pubkBlock := pem.Block{
Type: "PUBLIC KEY",
Headers: nil,
Bytes: pubkDer,
}
pubkPem = pem.EncodeToMemory(&pubkBlock)
pubSSH, err := ssh.NewPublicKey(&pubk)
if err != nil {
return
}
pubSSHAK = ssh.MarshalAuthorizedKey(pubSSH)
return
}
func main() {
log.SetFlags(0)
maybePrintInfo()
maybeProxy()
args := os.Args[1:]
runxURL, err := getToken()
if err != nil {
log.Fatal(err)
}
if len(args) > 0 && args[0] == "-d" {
args = args[1:]
_, err := herokuRun(strings.Join(args, " "), nil)
if err != nil {
log.Fatal(err)
}
return
}
key, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
log.Fatal("keygen", err)
}
pub, err := ssh.NewPublicKey(&key.PublicKey)
if err != nil {
log.Fatal(err)
}
uuid, err := herokuRun(script, map[string]string{
"RUNX_URL": runxURL,
"AUTHORIZED_KEYS": string(ssh.MarshalAuthorizedKey(pub)),
})
if err != nil {
log.Fatal(err)
}
log.Fatal(execSSH(runxURL, uuid, key, args))
}
// Run executes the Packer build step that generates SSH key pairs.
func (s *StepCreateSSHKey) Run(state multistep.StateBag) multistep.StepAction {
ui := state.Get("ui").(packer.Ui)
ui.Say("Creating temporary SSH key for instance...")
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
err := fmt.Errorf("Error creating temporary ssh key: %s", err)
state.Put("error", err)
ui.Error(err.Error())
return multistep.ActionHalt
}
priv_blk := pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: x509.MarshalPKCS1PrivateKey(priv),
}
pub, err := ssh.NewPublicKey(&priv.PublicKey)
if err != nil {
err := fmt.Errorf("Error creating temporary ssh key: %s", err)
state.Put("error", err)
ui.Error(err.Error())
return multistep.ActionHalt
}
state.Put("ssh_private_key", string(pem.EncodeToMemory(&priv_blk)))
state.Put("ssh_public_key", string(ssh.MarshalAuthorizedKey(pub)))
return multistep.ActionContinue
}
// newServer returns a new mock ssh server.
func newServer(t *testing.T) *server {
dir, err := ioutil.TempDir("", "sshtest")
if err != nil {
t.Fatal(err)
}
f, err := os.Create(filepath.Join(dir, "sshd_config"))
if err != nil {
t.Fatal(err)
}
err = configTmpl.Execute(f, map[string]string{
"Dir": dir,
})
if err != nil {
t.Fatal(err)
}
f.Close()
for k, v := range testdata.PEMBytes {
filename := "id_" + k
writeFile(filepath.Join(dir, filename), v)
writeFile(filepath.Join(dir, filename+".pub"), ssh.MarshalAuthorizedKey(testPublicKeys[k]))
}
return &server{
t: t,
configfile: f.Name(),
cleanup: func() {
if err := os.RemoveAll(dir); err != nil {
t.Error(err)
}
},
}
}
// handleAuth checks authentication against etcd using CanConnect and sets the needed
// environment variables for later parts of the builder to use. It takes in the SSH
// connection metadata, the public key of the user, and returns the SSH
// permissions of the connection and an error if they are not authorized.
func handleAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
if conn.User() != "git" {
return nil, ErrUnauthorized
}
keydata := string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key)))
etcd := etcd.NewClient([]string{*etcduplink})
fp := utils.GetFingerprint(keydata)
user, allowed := utils.CanConnect(etcd, keydata)
if allowed {
log.Printf("User %s (%s) accepted with fingerprint %s", user, conn.RemoteAddr().String(), fp)
return &ssh.Permissions{
Extensions: map[string]string{
"environ": fmt.Sprintf("USER=%s\nKEY='%s'\nFINGERPRINT=%s\n", user, keydata, fp),
"user": user,
"fingerprint": fp,
},
}, nil
} else {
log.Printf("Connection from %s rejected (bad key)", conn.RemoteAddr().String())
}
return nil, ErrUnauthorized
}
func pickSSHKey(candidateKeys map[string]string, w io.Writer) (ssh.PublicKey, error) {
i := 0
keyLst := make([]ssh.PublicKey, len(candidateKeys))
for key, comment := range candidateKeys {
pubKey, _, ok := ssh.ParsePublicKey([]byte(key))
if !ok {
continue
}
keyLst[i] = pubKey
k := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(pubKey)))
l := fmt.Sprintf("[ %d ] %s...%s %s\n", i+1, k[0:24], k[len(k)-24:], comment)
w.Write([]byte(l))
i += 1
}
if i == 0 {
return nil, errors.New("No ssh keys found.")
}
choice, err := pick("key", i)
if err != nil {
return nil, err
}
return keyLst[choice], nil
}
// helper function that marshalls an RSA Public Key to an SSH
// .authorized_keys format
func marshalPublicKey(pubkey *rsa.PublicKey) string {
pk, err := ssh.NewPublicKey(pubkey)
if err != nil {
return ""
}
return string(ssh.MarshalAuthorizedKey(pk))
}
// helper function that marshalls an RSA Public Key to an SSH
// .authorized_keys format
func MarshalPublicKey(public *rsa.PublicKey) []byte {
private, err := ssh.NewPublicKey(public)
if err != nil {
return []byte{}
}
return ssh.MarshalAuthorizedKey(private)
}
// marshalKey returns two byte slices: one represent the private key in the PEM
// format, and the other representing the public key in the authorized_keys
// format.
func marshalKey(keyPair *rsa.PrivateKey) (privateKey []byte, publicKey []byte, err error) {
sshPublicKey, err := ssh.NewPublicKey(&keyPair.PublicKey)
if err != nil {
return nil, nil, err
}
publicKey = ssh.MarshalAuthorizedKey(sshPublicKey)
block := pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(keyPair)}
privateKey = pem.EncodeToMemory(&block)
return privateKey, publicKey, nil
}
func TestCreateServerWithKeyPair(t *testing.T) {
client, err := newClient()
th.AssertNoErr(t, err)
if testing.Short() {
t.Skip("Skipping test that requires server creation in short mode.")
}
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
publicKey := privateKey.PublicKey
pub, err := ssh.NewPublicKey(&publicKey)
th.AssertNoErr(t, err)
pubBytes := ssh.MarshalAuthorizedKey(pub)
pk := string(pubBytes)
kp, err := keypairs.Create(client, keypairs.CreateOpts{
Name: keyName,
PublicKey: pk,
}).Extract()
th.AssertNoErr(t, err)
t.Logf("Created key pair: %s\n", kp)
choices, err := ComputeChoicesFromEnv()
th.AssertNoErr(t, err)
name := tools.RandomString("Gophercloud-", 8)
t.Logf("Creating server [%s] with key pair.", name)
serverCreateOpts := servers.CreateOpts{
Name: name,
FlavorRef: choices.FlavorID,
ImageRef: choices.ImageID,
}
server, err := servers.Create(client, keypairs.CreateOptsExt{
serverCreateOpts,
keyName,
}).Extract()
th.AssertNoErr(t, err)
defer servers.Delete(client, server.ID)
if err = waitForStatus(client, server, "ACTIVE"); err != nil {
t.Fatalf("Unable to wait for server: %v", err)
}
server, err = servers.Get(client, server.ID).Extract()
t.Logf("Created server: %+v\n", server)
th.AssertNoErr(t, err)
th.AssertEquals(t, server.KeyName, keyName)
t.Logf("Deleting key pair [%s]...", kp.Name)
err = keypairs.Delete(client, keyName).ExtractErr()
th.AssertNoErr(t, err)
t.Logf("Deleting server [%s]...", name)
}
func checkAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
status, err := exitStatus(exec.Command(authChecker[0],
append(authChecker[1:], conn.User(), string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key))))...).Run())
if err != nil {
return nil, err
}
if status.Status == 0 {
return nil, nil
}
return nil, ErrUnauthorized
}
func GenerateNewPublicKey() string {
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
log.Fatal("Failed to generate new RSA key: ", err)
}
pk, err := ssh.NewPublicKey(&key.PublicKey)
if err != nil {
log.Fatal("Failed to generate public key: ", err)
}
return string(ssh.MarshalAuthorizedKey(pk))
}
func renderHostLine(addr string, key gossh.PublicKey) []byte {
keyByte := gossh.MarshalAuthorizedKey(key)
// allocate line space in advance
length := len(addr) + 1 + len(keyByte)
line := make([]byte, 0, length)
w := bytes.NewBuffer(line)
w.Write([]byte(addr))
w.WriteByte(' ')
w.Write(keyByte)
return w.Bytes()
}
func genSSHKey() (*sshData, error) {
keyFile, err := ioutil.TempFile("", "")
if err != nil {
return nil, err
}
defer keyFile.Close()
rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, err
}
pem.Encode(keyFile, &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(rsaKey),
})
pubFile, err := ioutil.TempFile("", "")
if err != nil {
return nil, err
}
defer pubFile.Close()
rsaPubKey, err := ssh.NewPublicKey(&rsaKey.PublicKey)
if err != nil {
return nil, err
}
if _, err := pubFile.Write(ssh.MarshalAuthorizedKey(rsaPubKey)); err != nil {
return nil, err
}
wrapperFile, err := ioutil.TempFile("", "")
if err != nil {
return nil, err
}
defer wrapperFile.Close()
if err := sshWrapper.Execute(wrapperFile, map[string]string{"SSHKey": keyFile.Name()}); err != nil {
return nil, err
}
if err := wrapperFile.Chmod(0700); err != nil {
return nil, err
}
return &sshData{
Key: keyFile.Name(),
Pub: pubFile.Name(),
Env: []string{"GIT_SSH=" + wrapperFile.Name()},
Cleanup: func() {
os.RemoveAll(keyFile.Name())
os.RemoveAll(pubFile.Name())
os.RemoveAll(wrapperFile.Name())
},
}, nil
}
func newKey(name, user, raw string) (*Key, error) {
key, comment, _, _, ok := ssh.ParseAuthorizedKey([]byte(raw))
if !ok {
return nil, ErrInvalidKey
}
body := ssh.MarshalAuthorizedKey(key)
k := Key{
Name: name,
Body: string(body),
Comment: comment,
UserName: user,
}
return &k, nil
}
func newKey(name, user, raw string) (*Key, error) {
key, comment, _, _, err := ssh.ParseAuthorizedKey([]byte(raw))
if err != nil {
return nil, ErrInvalidKey
}
body := ssh.MarshalAuthorizedKey(key.(ssh.PublicKey))
k := Key{
Name: name,
Body: string(body),
Comment: comment,
UserName: user,
CreatedAt: time.Now(),
}
return &k, nil
}
func generateRSAKey(bits int) ([]byte, []byte, error) {
rsaKey, err := rsa.GenerateKey(rand.Reader, bits)
if err != nil {
return nil, nil, err
}
pubKey, err := ssh.NewPublicKey(&rsaKey.PublicKey)
if err != nil {
return nil, nil, err
}
rsaKeyDER := x509.MarshalPKCS1PrivateKey(rsaKey)
return pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: rsaKeyDER,
}), ssh.MarshalAuthorizedKey(pubKey), nil
}
func (s *stepCreateSSHKey) Run(state multistep.StateBag) multistep.StepAction {
client := state.Get("client").(*DigitalOceanClient)
ui := state.Get("ui").(packer.Ui)
ui.Say("Creating temporary ssh key for droplet...")
priv, err := rsa.GenerateKey(rand.Reader, 2014)
// ASN.1 DER encoded form
priv_der := x509.MarshalPKCS1PrivateKey(priv)
priv_blk := pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: priv_der,
}
// Set the private key in the statebag for later
state.Put("privateKey", string(pem.EncodeToMemory(&priv_blk)))
// Marshal the public key into SSH compatible format
// TODO properly handle the public key error
pub, _ := ssh.NewPublicKey(&priv.PublicKey)
pub_sshformat := string(ssh.MarshalAuthorizedKey(pub))
// The name of the public key on DO
name := fmt.Sprintf("packer-%s", hex.EncodeToString(identifier.NewUUID().Raw()))
// Create the key!
keyId, err := client.CreateKey(name, pub_sshformat)
if err != nil {
err := fmt.Errorf("Error creating temporary SSH key: %s", err)
state.Put("error", err)
ui.Error(err.Error())
return multistep.ActionHalt
}
// We use this to check cleanup
s.keyId = keyId
log.Printf("temporary ssh key name: %s", name)
// Remember some state for the future
state.Put("ssh_key_id", keyId)
return multistep.ActionContinue
}
// Run executes the Packer build step that generates SSH key pairs.
func (s *StepCreateSSHKey) Run(state multistep.StateBag) multistep.StepAction {
ui := state.Get("ui").(packer.Ui)
ui.Say("Creating temporary SSH key for instance...")
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
err := fmt.Errorf("Error creating temporary ssh key: %s", err)
state.Put("error", err)
ui.Error(err.Error())
return multistep.ActionHalt
}
priv_blk := pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: x509.MarshalPKCS1PrivateKey(priv),
}
pub, err := ssh.NewPublicKey(&priv.PublicKey)
if err != nil {
err := fmt.Errorf("Error creating temporary ssh key: %s", err)
state.Put("error", err)
ui.Error(err.Error())
return multistep.ActionHalt
}
state.Put("ssh_private_key", string(pem.EncodeToMemory(&priv_blk)))
state.Put("ssh_public_key", string(ssh.MarshalAuthorizedKey(pub)))
if s.Debug {
ui.Message(fmt.Sprintf("Saving key for debug purposes: %s", s.DebugKeyPath))
f, err := os.Create(s.DebugKeyPath)
if err != nil {
state.Put("error", fmt.Errorf("Error saving debug key: %s", err))
return multistep.ActionHalt
}
// Write out the key
err = pem.Encode(f, &priv_blk)
f.Close()
if err != nil {
state.Put("error", fmt.Errorf("Error saving debug key: %s", err))
return multistep.ActionHalt
}
}
return multistep.ActionContinue
}
func TestMarshalParsePublicKey(t *testing.T) {
pub := getTestPublicKey(t)
authKeys := ssh.MarshalAuthorizedKey(pub)
actualFields := strings.Fields(string(authKeys))
if len(actualFields) == 0 {
t.Fatalf("failed authKeys: %v", authKeys)
}
// drop the comment
expectedFields := strings.Fields(keys["authorized_keys"])[0:2]
if !reflect.DeepEqual(actualFields, expectedFields) {
t.Errorf("got %v, expected %v", actualFields, expectedFields)
}
actPub, _, _, _, ok := ssh.ParseAuthorizedKey([]byte(keys["authorized_keys"]))
if !ok {
t.Fatalf("cannot parse %v", keys["authorized_keys"])
}
if !reflect.DeepEqual(actPub, pub) {
t.Errorf("got %v, expected %v", actPub, pub)
}
}
// GenerateKey makes a 2048 bit RSA no-passphrase SSH capable key. The bit
// size is actually controlled by the KeyBits var. The private key returned is
// encoded to ASCII using the PKCS1 encoding. The public key is suitable to
// be added into an authorized_keys file, and has the comment passed in as the
// comment part of the key.
func GenerateKey(comment string) (private, public string, err error) {
key, err := rsaGenerateKey(rand.Reader, KeyBits)
if err != nil {
return "", "", err
}
identity := pem.EncodeToMemory(
&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
})
signer, err := ssh.ParsePrivateKey(identity)
if err != nil {
return "", "", fmt.Errorf("failed to load key: %v", err)
}
auth_key := string(ssh.MarshalAuthorizedKey(signer.PublicKey()))
// Strip off the trailing new line so we can add a comment.
auth_key = strings.TrimSpace(auth_key)
public = fmt.Sprintf("%s %s\n", auth_key, comment)
return string(identity), public, nil
}
func generateDSAKey() ([]byte, []byte, error) {
params := &dsa.Parameters{}
if err := dsa.GenerateParameters(params, rand.Reader, dsa.L1024N160); err != nil {
return nil, nil, err
}
dsaKey := &dsa.PrivateKey{
PublicKey: dsa.PublicKey{
Parameters: *params,
},
}
if err := dsa.GenerateKey(dsaKey, rand.Reader); err != nil {
return nil, nil, err
}
pubKey, err := ssh.NewPublicKey(&dsaKey.PublicKey)
if err != nil {
return nil, nil, err
}
dsaKeyASN1, err := asn1.Marshal(struct {
Version int
P, Q, G, Y, X *big.Int
}{
0,
dsaKey.P,
dsaKey.Q,
dsaKey.G,
dsaKey.Y,
dsaKey.X,
})
if err != nil {
return nil, nil, err
}
return pem.EncodeToMemory(&pem.Block{
Type: "DSA PRIVATE KEY",
Bytes: dsaKeyASN1,
}), ssh.MarshalAuthorizedKey(pubKey), nil
}
}
key, err = pickSSHKey(keys, os.Stdout)
}
if err != nil {
return fmt.Errorf("refusing to upload: %s", err)
}
var keyName string
keyName = getText("Name this key [optional]")
if keyName == "" {
keyName = time.Now().Format("2006-01-02")
}
keyStr := string(ssh.MarshalAuthorizedKey(key))
err = client.UploadKey(keyName, strings.TrimSpace(keyStr))
if err != nil {
return err
}
fmt.Printf("Added key '%s'.\n", keyName)
return nil
},
flags: flag.NewFlagSet("add-key", flag.ExitOnError),
usage: func() string {
return "add an ssh key to your account"
},
}
var cmdKeysList = &cmd{