func fingerprintCallback(opts *options.SSHOptions, expectedFingerprint string) hostKeyCallback { if opts.SkipHostValidation { return nil } return func(hostname string, remote net.Addr, key ssh.PublicKey) error { switch len(expectedFingerprint) { case helpers.SHA1_FINGERPRINT_LENGTH: fingerprint := helpers.SHA1Fingerprint(key) if fingerprint != expectedFingerprint { return fmt.Errorf("Host key verification failed.\n\nThe fingerprint of the received key was %q.", fingerprint) } case helpers.MD5_FINGERPRINT_LENGTH: fingerprint := helpers.MD5Fingerprint(key) if fingerprint != expectedFingerprint { return fmt.Errorf("Host key verification failed.\n\nThe fingerprint of the received key was %q.", fingerprint) } case 0: fingerprint := helpers.MD5Fingerprint(key) return fmt.Errorf("Unable to verify identity of host.\n\nThe fingerprint of the received key was %q.", fingerprint) default: return errors.New("Unsupported host key fingerprint format") } return nil } }
func NewClientConn(logger lager.Logger, permissions *ssh.Permissions) (ssh.Conn, <-chan ssh.NewChannel, <-chan *ssh.Request, error) { if permissions == nil || permissions.CriticalOptions == nil { err := errors.New("Invalid permissions from authentication") logger.Error("permissions-and-critical-options-required", err) return nil, nil, nil, err } targetConfigJson := permissions.CriticalOptions["proxy-target-config"] logger = logger.Session("new-client-conn", lager.Data{ "proxy-target-config": targetConfigJson, }) var targetConfig TargetConfig err := json.Unmarshal([]byte(permissions.CriticalOptions["proxy-target-config"]), &targetConfig) if err != nil { logger.Error("unmarshal-failed", err) return nil, nil, nil, err } nConn, err := net.Dial("tcp", targetConfig.Address) if err != nil { logger.Error("dial-failed", err) return nil, nil, nil, err } clientConfig := &ssh.ClientConfig{} if targetConfig.User != "" { clientConfig.User = targetConfig.User } if targetConfig.PrivateKey != "" { key, err := ssh.ParsePrivateKey([]byte(targetConfig.PrivateKey)) if err != nil { logger.Error("parsing-key-failed", err) return nil, nil, nil, err } clientConfig.Auth = append(clientConfig.Auth, ssh.PublicKeys(key)) } if targetConfig.User != "" && targetConfig.Password != "" { clientConfig.Auth = append(clientConfig.Auth, ssh.Password(targetConfig.Password)) } if targetConfig.HostFingerprint != "" { clientConfig.HostKeyCallback = func(hostname string, remote net.Addr, key ssh.PublicKey) error { expectedFingerprint := targetConfig.HostFingerprint var actualFingerprint string switch utf8.RuneCountInString(expectedFingerprint) { case helpers.MD5_FINGERPRINT_LENGTH: actualFingerprint = helpers.MD5Fingerprint(key) case helpers.SHA1_FINGERPRINT_LENGTH: actualFingerprint = helpers.SHA1Fingerprint(key) } if expectedFingerprint != actualFingerprint { err := errors.New("Host fingerprint mismatch") logger.Error("host-key-fingerprint-mismatch", err) return err } return nil } } conn, ch, req, err := ssh.NewClientConn(nConn, targetConfig.Address, clientConfig) if err != nil { logger.Error("handshake-failed", err) return nil, nil, nil, err } return conn, ch, req, nil }
actualLRPGroupResponse *models.ActualLRPGroupResponse getDesiredLRPRequest *models.DesiredLRPByProcessGuidRequest desiredLRPResponse *models.DesiredLRPResponse processGuid string clientConfig *ssh.ClientConfig ) BeforeEach(func() { fakeBBS = ghttp.NewServer() fakeUAA = ghttp.NewTLSServer() fakeCC = ghttp.NewTLSServer() privateKey, err := ssh.ParsePrivateKey([]byte(hostKeyPem)) Expect(err).NotTo(HaveOccurred()) hostKeyFingerprint = helpers.MD5Fingerprint(privateKey.PublicKey()) address = fmt.Sprintf("127.0.0.1:%d", sshProxyPort) bbsAddress = fakeBBS.URL() ccAPIURL = fakeCC.URL() diegoCredentials = "some-creds" enableCFAuth = true enableDiegoAuth = true hostKey = hostKeyPem skipCertVerify = true processGuid = "app-guid-app-version" u, err := url.Parse(fakeUAA.URL()) Expect(err).NotTo(HaveOccurred()) u.Path = "/oauth/token"
{"file-server", fileServer}, {"rep", componentMaker.Rep()}, {"converger", componentMaker.Converger()}, {"auctioneer", componentMaker.Auctioneer()}, {"route-emitter", componentMaker.RouteEmitter()}, {"ssh-proxy", componentMaker.SSHProxy()}, })) tgCompressor := compressor.NewTgz() err := tgCompressor.Compress(componentMaker.Artifacts.Executables["sshd"], filepath.Join(fileServerStaticDir, "sshd.tgz")) Expect(err).NotTo(HaveOccurred()) sshRoute := routes.SSHRoute{ ContainerPort: 3456, PrivateKey: componentMaker.SSHConfig.PrivateKeyPem, HostFingerprint: ssh_helpers.MD5Fingerprint(componentMaker.SSHConfig.HostKey.PublicKey()), } sshRoutePayload, err := json.Marshal(sshRoute) Expect(err).NotTo(HaveOccurred()) sshRouteMessage := json.RawMessage(sshRoutePayload) envVars := []receptor.EnvironmentVariable{ {Name: "TEST", Value: "foobar"}, } lrp = receptor.DesiredLRPCreateRequest{ ProcessGuid: processGuid, Domain: "inigo", Instances: 2,
It("correctly represents the private key", func() { privateKey, err := ssh.ParsePrivateKey([]byte(keyPair.PEMEncodedPrivateKey())) Expect(err).NotTo(HaveOccurred()) Expect(privateKey.PublicKey().Marshal()).To(Equal(keyPair.PublicKey().Marshal())) }) }) Describe("PublicKey", func() { It("equals the public key associated with the private key", func() { Expect(keyPair.PrivateKey().PublicKey().Marshal()).To(Equal(keyPair.PublicKey().Marshal())) }) }) Describe("Fingerprint", func() { It("equals the MD5 fingerprint of the public key", func() { expectedFingerprint := helpers.MD5Fingerprint(keyPair.PublicKey()) Expect(keyPair.Fingerprint()).To(Equal(expectedFingerprint)) }) }) Describe("AuthorizedKey", func() { It("equals the authorized key formatted public key", func() { expectedAuthorizedKey := string(ssh.MarshalAuthorizedKey(keyPair.PublicKey())) Expect(keyPair.AuthorizedKey()).To(Equal(expectedAuthorizedKey)) }) }) })
daemonSSHConfig.AddHostKey(TestHostKey) daemonGlobalRequestHandlers = map[string]handlers.GlobalRequestHandler{} daemonNewChannelHandlers = map[string]handlers.NewChannelHandler{} var err error proxyListener, err = net.Listen("tcp", "127.0.0.1:0") Expect(err).NotTo(HaveOccurred()) proxyAddress = proxyListener.Addr().String() sshdListener, err = net.Listen("tcp", "127.0.0.1:0") Expect(err).NotTo(HaveOccurred()) daemonAddress = sshdListener.Addr().String() daemonTargetConfig = proxy.TargetConfig{ Address: daemonAddress, HostFingerprint: helpers.MD5Fingerprint(TestHostKey.PublicKey()), User: "******", Password: "******", } targetConfigJson, err := json.Marshal(daemonTargetConfig) Expect(err).NotTo(HaveOccurred()) logMessageJson, err := json.Marshal(proxy.LogMessage{ Guid: "a-guid", Message: "a-message", Index: 1, }) Expect(err).NotTo(HaveOccurred()) permissions := &ssh.Permissions{
func (k *rsaKeyPair) Fingerprint() string { return helpers.MD5Fingerprint(k.PublicKey()) }
) var _ = Describe("Fingerprint", func() { var publicKey ssh.PublicKey var fingerprint string BeforeEach(func() { privateKey, err := ssh.ParsePrivateKey([]byte(TestPrivateKeyPem)) Expect(err).NotTo(HaveOccurred()) publicKey = privateKey.PublicKey() }) Describe("MD5 Fingerprint", func() { BeforeEach(func() { fingerprint = helpers.MD5Fingerprint(publicKey) }) It("should have the correct length", func() { Expect(utf8.RuneCountInString(fingerprint)).To(Equal(helpers.MD5_FINGERPRINT_LENGTH)) }) It("should match the expected fingerprint", func() { Expect(fingerprint).To(Equal(ExpectedMD5Fingerprint)) }) }) Describe("SHA1 Fingerprint", func() { BeforeEach(func() { fingerprint = helpers.SHA1Fingerprint(publicKey) })