func init() {
template.Must(configTmpl.Parse(sshd_config))
var err error
hostKey, err = ssh.ParsePrivateKey([]byte(keys["ssh_host_rsa_key"]))
if err != nil {
panic("ParsePrivateKey: " + err.Error())
}
privateKey, err = ssh.ParsePrivateKey([]byte(testClientPrivateKey))
if err != nil {
panic("ParsePrivateKey: " + err.Error())
}
}
// Start listening for SSH connections
func StartSSH() {
PEM_KEY := LoadPrivKeyFromFile("./id_rsa")
private, err := ssh.ParsePrivateKey(PEM_KEY)
if err != nil {
log.Fatal("Key failed to parse.")
}
SSHConfig := &ssh.ServerConfig{
PasswordCallback: func(conn ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
perms := ssh.Permissions{}
return &perms, nil
},
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
perms := ssh.Permissions{}
return &perms, nil
},
}
SSHConfig.AddHostKey(private)
listener, err := net.Listen("tcp", "0.0.0.0:2222")
if err != nil {
log.Fatalln("Could not start TCP listening on 0.0.0.0:2222")
}
log.Println("Waiting for TCP conns on 0.0.0.0:2222")
for {
nConn, err := listener.Accept()
if err != nil {
log.Println("WARNING - Failed to Accept TCP conn. RSN: %s / %s", err.Error(), err)
continue
}
go HandleIncomingSSHConn(nConn, SSHConfig)
}
}
func (s *SSHGoCryptoCommandSuite) TestProxyCommand(c *gc.C) {
realNetcat, err := exec.LookPath("nc")
if err != nil {
c.Skip("skipping test, couldn't find netcat: %v")
return
}
netcat := filepath.Join(c.MkDir(), "nc")
err = ioutil.WriteFile(netcat, []byte("#!/bin/sh\necho $0 \"$@\" > $0.args && exec "+realNetcat+" \"$@\""), 0755)
c.Assert(err, gc.IsNil)
private, _, err := ssh.GenerateKey("test-server")
c.Assert(err, gc.IsNil)
key, err := cryptossh.ParsePrivateKey([]byte(private))
client, err := ssh.NewGoCryptoClient(key)
c.Assert(err, gc.IsNil)
server := newServer(c)
var opts ssh.Options
port := server.listener.Addr().(*net.TCPAddr).Port
opts.SetProxyCommand(netcat, "-q0", "%h", "%p")
opts.SetPort(port)
cmd := client.Command("127.0.0.1", testCommand, &opts)
server.cfg.PublicKeyCallback = func(_ cryptossh.ConnMetadata, pubkey cryptossh.PublicKey) (*cryptossh.Permissions, error) {
return nil, nil
}
go server.run(c)
out, err := cmd.Output()
c.Assert(err, gc.IsNil)
c.Assert(string(out), gc.Equals, "abc value\n")
// Ensure the proxy command was executed with the appropriate arguments.
data, err := ioutil.ReadFile(netcat + ".args")
c.Assert(err, gc.IsNil)
c.Assert(string(data), gc.Equals, fmt.Sprintf("%s -q0 127.0.0.1 %v\n", netcat, port))
}
func (self *Server) ParsePrivateKey(filePath string) error {
if filePath == "" {
return nil
}
keyBytes, err := ioutil.ReadFile(filePath)
if err != nil {
err = errors.New(fmt.Sprintf("Could not read ssh key \"%s\" : %s ", filePath, err.Error()))
self.Error = err
self.ErrorMsg = err.Error()
return err
}
signer, err := ssh.ParsePrivateKey(keyBytes)
if err != nil {
err = errors.New(fmt.Sprintf("Could not parse ssh key \"%s\" : %s ", filePath, err.Error()))
self.Error = err
self.ErrorMsg = err.Error()
return err
}
self.PrivateKeyPath = filePath
self.AuthMethods = append(self.AuthMethods, ssh.PublicKeys(signer))
return nil
}
func newWorkerListener(listener net.Listener, secret []byte) connListener {
key, err := ssh.ParsePrivateKey(secret)
if err != nil {
return newTCPListener(listener, secret)
}
return newSSHListener(listener, key)
}
//TODO 某种认证方法只有一个会被使用,需要多次猜测
func DialInConsole(addr string, username string) (client *ssh.Client, err error) {
//find cert file
pathList := certFilePathList()
authList := []ssh.AuthMethod{}
for _, path := range pathList {
clientKeyBytes, err := ioutil.ReadFile(path)
if err != nil {
if !os.IsNotExist(err) {
return nil, fmt.Errorf("[DialInConsole] ioutil.ReadFile() err:%s", err)
}
} else {
signer, err := ssh.ParsePrivateKey(clientKeyBytes)
if err != nil {
return nil, fmt.Errorf("[DialInConsole] ssh.ParsePrivateKey err:%s", err)
}
//clientKey := &keychain{signer}
authList = append(authList, ssh.PublicKeys(signer))
}
}
authList = append(authList, ssh.PasswordCallback(func() (secret string, err error) {
fmt.Printf("[ssh] password for %s@%s", username, addr)
secret = string(gopass.GetPasswd())
return
}))
clientConfig := &ssh.ClientConfig{
User: username,
Auth: authList,
}
client, err = ssh.Dial("tcp", addr, clientConfig)
if err != nil {
return nil, fmt.Errorf("[DialInConsole] Failed to dial: %s", err.Error())
}
return
}
func newTestServer() (Server, error) {
// Create a new backend object.
b := redis.New("test", "tcp", "127.0.0.1:6379")
// Create a new crypter.
c, err := crypto.NewRandomCrypter()
if err != nil {
return nil, err
}
private, _ := ssh.ParsePrivateKey(ServerTestPrivateKey)
if err != nil {
return nil, err
}
s := NewServer(b, c, private)
for _, publicKey := range ServerTestPublicKeys {
publicKeyParsed, _, _, _, err := ssh.ParseAuthorizedKey([]byte(publicKey))
if err != nil {
return s, err
}
s.AddReadKey(publicKeyParsed)
s.AddWriteKey(publicKeyParsed)
}
return s, nil
}
func getSftpClient(conf Config) []*sftp.Client {
// process the keyfile
buf, err := ioutil.ReadFile(conf.KeyFile)
if err != nil {
log.Fatalf("error in reading private key file %s\n", err)
}
key, err := ssh.ParsePrivateKey(buf)
if err != nil {
log.Fatalf("error in parsing private key %s\n", key)
}
// client config
config := &ssh.ClientConfig{
User: conf.User,
Auth: []ssh.AuthMethod{ssh.PublicKeys(key)},
}
// connection
clients := make([]*sftp.Client, 0)
for _, r := range conf.Remotes {
c, err := ssh.Dial("tcp", r, config)
if err != nil {
log.Fatalf("error in ssh connection %s\n", err)
}
// sftp handler
sftp, err := sftp.NewClient(c)
if err != nil {
log.Fatalf("error in sftp connection %s\n", err)
}
clients = append(clients, sftp)
}
return clients
}
func (s *SSHGoCryptoCommandSuite) TestProxyCommand(c *gc.C) {
realNetcat, err := exec.LookPath("nc")
if err != nil {
c.Skip("skipping test, couldn't find netcat: %v")
return
}
netcat := filepath.Join(c.MkDir(), "nc")
err = ioutil.WriteFile(netcat, []byte("#!/bin/sh\necho $0 \"$@\" > $0.args && exec "+realNetcat+" \"$@\""), 0755)
c.Assert(err, gc.IsNil)
private, _, err := ssh.GenerateKey("test-server")
c.Assert(err, gc.IsNil)
key, err := cryptossh.ParsePrivateKey([]byte(private))
client, err := ssh.NewGoCryptoClient(key)
c.Assert(err, gc.IsNil)
server := newServer(c)
var opts ssh.Options
port := server.Addr().(*net.TCPAddr).Port
opts.SetProxyCommand(netcat, "-q0", "%h", "%p")
opts.SetPort(port)
cmd := client.Command("127.0.0.1", testCommand, &opts)
server.cfg.PublicKeyCallback = func(conn *cryptossh.ServerConn, user, algo string, pubkey []byte) bool {
return true
}
go server.run(c)
out, err := cmd.Output()
c.Assert(err, gc.ErrorMatches, "ssh: could not execute command.*")
// TODO(axw) when gosshnew is ready, expect reply from server.
c.Assert(out, gc.IsNil)
// Ensure the proxy command was executed with the appropriate arguments.
data, err := ioutil.ReadFile(netcat + ".args")
c.Assert(err, gc.IsNil)
c.Assert(string(data), gc.Equals, fmt.Sprintf("%s -q0 127.0.0.1 %v\n", netcat, port))
}
func (c *SftpClient) GetKey(sKeyPath string) (key ssh.Signer, err error) {
buf, err := ioutil.ReadFile(sKeyPath)
if err != nil {
return nil, err
}
return ssh.ParsePrivateKey(buf)
}
// FileSigner returns an ssh.Signer for a key file.
func FileSigner(path string) (ssh.Signer, error) {
f, err := os.Open(path)
if err != nil {
return nil, err
}
defer f.Close()
keyBytes, err := ioutil.ReadAll(f)
if err != nil {
return nil, err
}
// We parse the private key on our own first so that we can
// show a nicer error if the private key has a password.
block, _ := pem.Decode(keyBytes)
if block == nil {
return nil, fmt.Errorf(
"Failed to read key '%s': no key found", path)
}
if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
return nil, fmt.Errorf(
"Failed to read key '%s': password protected keys are\n"+
"not supported. Please decrypt the key prior to use.", path)
}
signer, err := ssh.ParsePrivateKey(keyBytes)
if err != nil {
return nil, fmt.Errorf("Error setting up SSH config: %s", err)
}
return signer, nil
}
func CreateServer(webhost string) (srv *Server, err error) {
srv = &Server{
scss: make(map[net.Addr]SshConnServer, 0),
webhost: webhost,
cnt: CreateCounter(CONN_PROTECT),
}
srv.srvcfg = &ssh.ServerConfig{
PublicKeyCallback: srv.authUser,
}
v := &url.Values{}
err = srv.GetJson("/l/cfg", false, v, &srv.WebConfig)
if err != nil {
panic(err.Error())
}
log.Debug("config: %#v", srv.WebConfig)
private, err := ssh.ParsePrivateKey([]byte(srv.WebConfig.Hostkey))
if err != nil {
log.Error("failed to parse keyfile: %s", err.Error())
return
}
srv.srvcfg.AddHostKey(private)
return
}
// PrepareConfig is used to turn the *SSHConfig provided into a
// usable *Config for client initialization.
func PrepareConfig(conf *SSHConfig) (*Config, error) {
sshConf := &ssh.ClientConfig{
User: conf.User,
}
if conf.KeyFile != "" {
key, err := ioutil.ReadFile(conf.KeyFile)
if err != nil {
return nil, fmt.Errorf("Failed to read key file '%s': %v", conf.KeyFile, err)
}
signer, err := ssh.ParsePrivateKey(key)
if err != nil {
return nil, fmt.Errorf("Failed to parse key file '%s': %v", conf.KeyFile, err)
}
sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signer))
}
if conf.Password != "" {
sshConf.Auth = append(sshConf.Auth,
ssh.Password(conf.Password))
sshConf.Auth = append(sshConf.Auth,
ssh.KeyboardInteractive(PasswordKeyboardInteractive(conf.Password)))
}
host := fmt.Sprintf("%s:%d", conf.Host, conf.Port)
config := &Config{
SSHConfig: sshConf,
Connection: ConnectFunc("tcp", host),
}
return config, nil
}
func getTestPublicKey(t *testing.T) ssh.PublicKey {
priv, err := ssh.ParsePrivateKey([]byte(testClientPrivateKey))
if err != nil {
t.Fatalf("ParsePrivateKey: %v", err)
}
return priv.PublicKey()
}
func init() {
// Parse and set the private key of the server, required to accept connections
signer, err := ssh.ParsePrivateKey([]byte(testServerPrivateKey))
if err != nil {
panic("unable to parse private key: " + err.Error())
}
serverConfig.AddHostKey(signer)
}
func (s *Command) getSSHKey(identityFile string) (key ssh.Signer, err error) {
buf, err := ioutil.ReadFile(identityFile)
if err != nil {
return nil, err
}
key, err = ssh.ParsePrivateKey(buf)
return key, err
}
func newWorkerDialer(secret []byte) connDialer {
key, err := ssh.ParsePrivateKey(secret)
if err != nil {
return newTCPDialer(secret)
}
return newSSHDialer(key)
}
func serverRun(cmd *Command, args []string) {
c, err := crypto.NewCrypterFromFile(serverConfig.SecretFilepath)
if err != nil {
log.Fatal(err)
}
b, err := backend.NewBackend(serverConfig.Backend, serverConfig.BackendNamespace, serverConfig.BackendProtocol, serverConfig.BackendAddress)
if err != nil {
log.Fatal(err)
}
privateBytes, err := ioutil.ReadFile(serverConfig.PrivateFilepath)
if err != nil {
log.Fatal("failed to load private key")
}
private, err := ssh.ParsePrivateKey(privateBytes)
if err != nil {
log.Fatal("failed to parse private key")
}
// Create a new server using the specified Backend and Crypter.
server := auth.NewServer(b, c, private)
// Check if a URL was provided to pull reader keys from.
if serverConfig.ReadersURL != "" {
// Fetch the reader keys.
readers, err := serverFetchPublicKeys(serverConfig.ReadersURL)
if err != nil {
log.Fatal(err)
}
// Add the reader keys to the server.
for _, reader := range readers {
server.AddReadKey(reader)
}
}
// Check if a URL was provided to pull writer keys from.
if serverConfig.WritersURL != "" {
// Fetch the writer keys.
writers, err := serverFetchPublicKeys(serverConfig.WritersURL)
if err != nil {
log.Fatal(err)
}
// Add the writer keys to the server.
for _, writer := range writers {
server.AddWriteKey(writer)
}
}
// Start the server.
log.Fatal(server.ListenAndServe(serverConfig.Address))
}
func (s *SSHGoCryptoCommandSuite) TestNewGoCryptoClient(c *gc.C) {
_, err := ssh.NewGoCryptoClient()
c.Assert(err, gc.IsNil)
private, _, err := ssh.GenerateKey("test-client")
c.Assert(err, gc.IsNil)
key, err := cryptossh.ParsePrivateKey([]byte(private))
c.Assert(err, gc.IsNil)
_, err = ssh.NewGoCryptoClient(key)
c.Assert(err, gc.IsNil)
}
func (k *Keychain) Add(privateKey []byte) error {
key, err := ssh.ParsePrivateKey(privateKey)
if err != nil {
return err
}
k.keys = append(k.keys, key)
return nil
}
func loadPEM(file string) (ssh.Signer, error) {
buf, err := ioutil.ReadFile(file)
if err != nil {
return nil, err
}
key, err := ssh.ParsePrivateKey(buf)
if err != nil {
return nil, err
}
return key, nil
}
func init() {
template.Must(configTmpl.Parse(sshd_config))
for n, k := range map[string]*ssh.Signer{
"ssh_host_ecdsa_key": &hostKeyECDSA,
"ssh_host_rsa_key": &hostKeyRSA,
"ssh_host_dsa_key": &hostKeyDSA,
} {
var err error
*k, err = ssh.ParsePrivateKey([]byte(keys[n]))
if err != nil {
panic(fmt.Sprintf("ParsePrivateKey(%q): %v", n, err))
}
}
var err error
privateKey, err = ssh.ParsePrivateKey([]byte(testClientPrivateKey))
if err != nil {
panic(fmt.Sprintf("ParsePrivateKey: %v", err))
}
}
func (k *KeyChain) LoadPEM(file string) error {
buf, err := ioutil.ReadFile(file)
if err != nil {
return err
}
key, err := ssh.ParsePrivateKey(buf)
if err != nil {
return err
}
k.keys = append(k.keys, key)
return nil
}
func (k *keychain) loadPEM(file string) error {
buf, err := ioutil.ReadFile(file)
if err != nil {
return err
}
key, err := ssh.ParsePrivateKey(buf)
if err != nil {
return err
}
k.add(key)
return nil
}
func (self *Script) Execute(host *Host, out io.Writer) error {
usr, err := user.Current()
if err != nil {
return err
}
if host.User == "" {
host.User = usr.Username
}
cfg := &ssh.ClientConfig{
User: host.User,
}
if host.Password != "" {
cfg.Auth = []ssh.AuthMethod{
ssh.Password(host.Password),
}
} else {
content, err := ioutil.ReadFile(usr.HomeDir + "/.ssh/id_rsa")
if err != nil {
content, err = ioutil.ReadFile(usr.HomeDir + "/.ssh/id_dsa")
if err != nil {
return err
}
}
key, err := ssh.ParsePrivateKey(content)
if err != nil {
return err
}
cfg.Auth = []ssh.AuthMethod{ssh.PublicKeys(key)}
}
client, err := ssh.Dial("tcp", host.Name+":"+strconv.Itoa(host.Port), cfg)
if err != nil {
fmt.Fprintln(out, err.Error())
return err
}
session, err := client.NewSession()
if err != nil {
fmt.Fprintln(out, err.Error())
return err
}
defer session.Close()
session.Stdout = out
session.Stderr = out
if !self.HideBoundaries {
fmt.Fprintln(out, "---------------------- script started ----------------------")
}
if err := session.Run(self.Content); err != nil {
return err
}
if !self.HideBoundaries {
fmt.Fprintln(out, "---------------------- script finished ----------------------")
}
return nil
}
// This function is used to get the pulic ssh key to make password-less
// connection to a remote machine.
func getKeyFile() (key ssh.Signer, err error) {
file := os.Getenv("HOME") + "/.ssh/id_rsa"
buf, err := ioutil.ReadFile(file)
if err != nil {
return
}
key, err = ssh.ParsePrivateKey(buf)
if err != nil {
return
}
return
}
// parsekey is a private function that reads in a keyfile containing a private key and parses it.
func parsekey(file string) (ssh.Signer, error) {
var private ssh.Signer
privateBytes, err := ioutil.ReadFile(file)
if err != nil {
return nil, err
}
private, err = ssh.ParsePrivateKey(privateBytes)
if err != nil {
return nil, err
}
return private, nil
}
func getPrivateKeys(job *engine.Job) ssh.Signer {
privateBytes, err := ioutil.ReadFile(os.Getenv("HOME") + "/.ssh/id_rsa")
if err != nil {
job.Errorf("Failed to load private key")
}
private, err := ssh.ParsePrivateKey(privateBytes)
if err != nil {
job.Errorf("Failed to parse private key")
}
return private
}
func newServer(c *gc.C) *sshServer {
private, _, err := ssh.GenerateKey("test-server")
c.Assert(err, gc.IsNil)
key, err := cryptossh.ParsePrivateKey([]byte(private))
c.Assert(err, gc.IsNil)
server := &sshServer{
cfg: &cryptossh.ServerConfig{},
}
server.cfg.AddHostKey(key)
server.listener, err = net.Listen("tcp", "127.0.0.1:0")
c.Assert(err, gc.IsNil)
return server
}
func getKeyFile() (key ssh.Signer, err error) {
usr, _ := user.Current()
file := usr.HomeDir + "/.ssh/jai_rsa"
buf, err := ioutil.ReadFile(file)
if err != nil {
panic(err)
}
key, err = ssh.ParsePrivateKey(buf)
if err != nil {
panic(err)
}
return
}