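// TestCertLogin checks that the test server accepts public-key
// authentication with an OpenSSH user certificate: the client key is
// signed by a separate CA key and the certificate names the current user
// as its only principal. The dial is expected to succeed; any failure in
// signing, wrapping or connecting fails the test.
func TestCertLogin(t *testing.T) {
	s := newServer(t)
	defer s.Shutdown()

	// Use a key different from the default so the login can only succeed
	// through the certificate path rather than through a key the server
	// may already trust on its own.
	clientKey := testSigners["dsa"]
	caAuthKey := testSigners["ecdsa"]
	cert := &ssh.Certificate{
		Key:             clientKey.PublicKey(),
		ValidPrincipals: []string{username()},
		CertType:        ssh.UserCert,
		// Never expires. Fine for a test fixture; a real deployment should
		// always set a bounded ValidBefore.
		ValidBefore: ssh.CertTimeInfinity,
	}
	// The failure label now names the call that actually ran (SignCert),
	// which is what a reader of the test log needs to locate the problem.
	if err := cert.SignCert(rand.Reader, caAuthKey); err != nil {
		t.Fatalf("SignCert: %v", err)
	}

	certSigner, err := ssh.NewCertSigner(cert, clientKey)
	if err != nil {
		t.Fatalf("NewCertSigner: %v", err)
	}

	conf := &ssh.ClientConfig{
		User: username(),
		Auth: []ssh.AuthMethod{ssh.PublicKeys(certSigner)},
	}
	client, err := s.TryDial(conf)
	if err != nil {
		t.Fatalf("TryDial: %v", err)
	}
	client.Close()
}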
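// Tunnel opens an SSH connection to the platform's SSH host and exposes the
// database referenced by dbEnvVar (an environment variable of app holding a
// database URL) on a local TCP port.
//
// Authentication: when identity is "ssh-agent" the signers are taken from
// the running agent. When identity is empty, or is "ssh-agent" but the
// agent yielded no key, the default key path is read. Any other value is
// treated as a path to a private key file. Each signer is tried in turn
// until a dial succeeds.
//
// The listener is bound to localhost only, so the tunnel is not reachable
// from other hosts. Tunnel blocks until the listener fails or a connection
// handler reports an error, and returns that error.
//
// NOTE(review): the ssh.ClientConfig below sets no HostKeyCallback, so the
// remote host key is not verified by this function (older
// golang.org/x/crypto/ssh releases silently skip the check; newer releases
// refuse to dial without a callback). Pin the host key, e.g. with a
// known_hosts callback, before relying on this tunnel to carry database
// credentials.
func Tunnel(app string, dbEnvVar string, identity string, port int) error {
	environ, err := api.VariablesListWithoutAlias(app)
	if err != nil {
		return errgo.Mask(err)
	}

	dbUrlStr := dbEnvVarValue(dbEnvVar, environ)
	if dbUrlStr == "" {
		return errgo.Newf("no such environment variable: %s", dbEnvVar)
	}
	dbUrl, err := url.Parse(dbUrlStr)
	if err != nil {
		return errgo.Notef(err, "invalid database 'URL': %s", dbUrlStr)
	}
	fmt.Printf("Building tunnel to %s\n", dbUrl.Host)

	var privateKeys []ssh.Signer
	if identity == "ssh-agent" {
		var agentConnection io.Closer
		privateKeys, agentConnection, err = sshkeys.ReadPrivateKeysFromAgent()
		if err != nil {
			return errgo.Mask(err)
		}
		defer agentConnection.Close()
	}

	if len(privateKeys) == 0 {
		// Fall back to the default key only when no explicit path was given.
		// Previously identity was unconditionally overwritten here, so a key
		// passed with -i was never read even though the error below tells
		// the user to pass one.
		if identity == "" || identity == "ssh-agent" {
			identity = sshkeys.DefaultKeyPath
		}
		privateKey, err := sshkeys.ReadPrivateKey(identity)
		if err != nil {
			return errgo.Mask(err)
		}
		privateKeys = append(privateKeys, privateKey)
	}
	debug.Println("Identity used:", identity)

	var client *ssh.Client
	for _, privateKey := range privateKeys {
		sshConfig := &ssh.ClientConfig{
			User: "******",
			Auth: []ssh.AuthMethod{ssh.PublicKeys(privateKey)},
			// No HostKeyCallback: see the NOTE(review) on Tunnel.
		}
		client, err = ssh.Dial("tcp", config.C.SshHost, sshConfig)
		if err == nil {
			break
		}
		config.C.Logger.Println("Fail to connect to the SSH server", err)
	}
	if client == nil {
		return errgo.Newf("No authentication method has succeeded, please use the flag '-i /path/to/private/key' to specify your private key")
	}
	// The SSH session outlives every tunnelled connection; release it on
	// every return path (it was never closed before).
	defer client.Close()

	// localhost only: the forwarded database must not be exposed on other
	// interfaces.
	tcpAddr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("localhost:%d", port))
	if err != nil {
		return errgo.Mask(err)
	}
	sock, err := net.ListenTCP("tcp", tcpAddr)
	if err != nil {
		return errgo.Mask(err)
	}
	defer sock.Close()
	fmt.Printf("You can access your database on '%v'\n", sock.Addr())

	go startIDGenerator()

	// Accept in its own goroutine so a handler error is observed as soon as
	// it is sent. With the previous non-blocking check before a blocking
	// Accept, a failing handler stayed parked on the unbuffered channel
	// until the next client connected, and the error surfaced only then.
	errs := make(chan error)
	conns := make(chan net.Conn)
	acceptErrs := make(chan error, 1)
	done := make(chan struct{})
	defer close(done)
	go func() {
		for {
			connToTunnel, err := sock.Accept()
			if err != nil {
				select {
				case acceptErrs <- err:
				case <-done:
				}
				return
			}
			select {
			case conns <- connToTunnel:
			case <-done:
				// Tunnel already returned; do not leak the accepted socket.
				connToTunnel.Close()
				return
			}
		}
	}()

	for {
		select {
		case err := <-errs:
			return errgo.Mask(err)
		case err := <-acceptErrs:
			return errgo.Mask(err)
		case connToTunnel := <-conns:
			go handleConnToTunnel(client, dbUrl, connToTunnel, errs)
		}
	}
}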