// remoteCmdOutput runs the given command on a remote server at the given hostname as the given user.
func remoteCmdOutput(username, hostname, cmd string, privateKey []byte) (b []byte, err error) {
p, err := ssh.ParseRawPrivateKey(privateKey)
if err != nil {
return b, err
}
s, err := ssh.NewSignerFromKey(p)
if err != nil {
return b, err
}
pub := ssh.PublicKeys(s)
clientConfig := &ssh.ClientConfig{
User: username,
Auth: []ssh.AuthMethod{pub},
}
client, err := ssh.Dial("tcp", hostname, clientConfig)
if err != nil {
return b, errors.New("ERROR: Failed to dial: " + err.Error())
}
defer client.Close()
session, err := client.NewSession()
if err != nil {
return b, errors.New("ERROR: Failed to create session: " + err.Error())
}
defer session.Close()
b, err = session.Output(cmd)
if err != nil {
return b, fmt.Errorf("ERROR: Failed to run cmd on host %s: %s", hostname, err.Error())
}
return b, nil
}
// NewLinuxKVMCoreOSFactory returns a new HostedProgramFactory that can
// create docker containers to wrap programs.
// TODO(kwalsh) fix comment.
func NewLinuxKVMCoreOSHostFactory(sockPath string, cfg *CoreOSLinuxhostConfig) (HostedProgramFactory, error) {
// Create a key to use to connect to the instance and set up LinuxHost
// there.
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, err
}
sshpk, err := ssh.NewPublicKey(&priv.PublicKey)
if err != nil {
return nil, err
}
pkstr := "ssh-rsa " + base64.StdEncoding.EncodeToString(sshpk.Marshal()) + " linux_host"
sshpriv, err := ssh.NewSignerFromKey(priv)
if err != nil {
return nil, err
}
return &LinuxKVMCoreOSHostFactory{
Cfg: cfg,
SocketPath: sockPath,
PublicKey: pkstr,
PrivateKey: sshpriv,
}, nil
}
// NewRandomSigner generates a random key of a desired bit length.
func NewRandomSigner(bits int) (ssh.Signer, error) {
key, err := rsa.GenerateKey(rand.Reader, bits)
if err != nil {
return nil, err
}
return ssh.NewSignerFromKey(key)
}
func newSigner(privKeyFile string) (*signer, error) {
signer := new(signer)
if len(privKeyFile) > 0 {
privateBytes, err := ioutil.ReadFile(privKeyFile)
if err != nil {
return nil, errors.New("Failed to load private host key")
}
signer.Signer, err = ssh.ParsePrivateKey(privateBytes)
if err != nil {
return nil, errors.New("Failed to parse private host key")
}
return signer, nil
}
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, errors.New("Failed to generate server key pair")
}
signer.Signer, err = ssh.NewSignerFromKey(key)
if err != nil {
return nil, errors.New("Failed to extract private key from generated key pair")
}
signer.generated = true
return signer, nil
}
func sshOnConn(conn net.Conn, h conf.Host) (*ssh.Client, error) {
var auths []ssh.AuthMethod
if h.Pass != "" {
auths = append(auths, ssh.Password(h.Pass))
auths = append(auths, ssh.KeyboardInteractive(kbdInteractive(h.Pass)))
}
if h.Key != "" {
k := &keyring{}
err := k.loadPEM([]byte(h.Key))
if err != nil {
return nil, err
}
for _, k := range k.keys {
s, _ := ssh.NewSignerFromKey(k)
auths = append(auths, ssh.PublicKeys(s))
}
}
config := &ssh.ClientConfig{
User: h.User,
Auth: auths,
}
debugln("handshake & authenticate")
cc, nc, reqs, err := ssh.NewClientConn(conn, conn.RemoteAddr().String(), config)
if err != nil {
return nil, err
}
client := ssh.NewClient(cc, nc, reqs)
return client, nil
}
// Insert adds a private key to the keyring. If a certificate
// is given, that certificate is added as public key. Note that
// any constraints given are ignored.
func (r *keyring) Add(key AddedKey) error {
r.mu.Lock()
defer r.mu.Unlock()
if r.locked {
return errLocked
}
signer, err := ssh.NewSignerFromKey(key.PrivateKey)
if err != nil {
return err
}
if cert := key.Certificate; cert != nil {
signer, err = ssh.NewCertSigner(cert, signer)
if err != nil {
return err
}
}
p := privKey{
signer: signer,
comment: key.Comment,
}
if key.LifetimeSecs > 0 {
t := time.Now().Add(time.Duration(key.LifetimeSecs) * time.Second)
p.expire = &t
}
r.keys = append(r.keys, p)
return nil
}
func (c *client) insertCert(s interface{}, cert *ssh.Certificate, comment string, constraints []byte) error {
var req []byte
switch k := s.(type) {
case *rsa.PrivateKey:
if len(k.Primes) != 2 {
return fmt.Errorf("agent: unsupported RSA key with %d primes", len(k.Primes))
}
k.Precompute()
req = ssh.Marshal(rsaCertMsg{
Type: cert.Type(),
CertBytes: cert.Marshal(),
D: k.D,
Iqmp: k.Precomputed.Qinv,
P: k.Primes[0],
Q: k.Primes[1],
Comments: comment,
Constraints: constraints,
})
case *dsa.PrivateKey:
req = ssh.Marshal(dsaCertMsg{
Type: cert.Type(),
CertBytes: cert.Marshal(),
X: k.X,
Comments: comment,
})
case *ecdsa.PrivateKey:
req = ssh.Marshal(ecdsaCertMsg{
Type: cert.Type(),
CertBytes: cert.Marshal(),
D: k.D,
Comments: comment,
})
default:
return fmt.Errorf("agent: unsupported key type %T", s)
}
// if constraints are present then the message type needs to be changed.
if len(constraints) != 0 {
req[0] = agentAddIdConstrained
}
signer, err := ssh.NewSignerFromKey(s)
if err != nil {
return err
}
if bytes.Compare(cert.Key.Marshal(), signer.PublicKey().Marshal()) != 0 {
return errors.New("agent: signer and cert have different public key")
}
resp, err := c.call(req)
if err != nil {
return err
}
if _, ok := resp.(*successAgentMsg); ok {
return nil
}
return errors.New("agent: failure")
}
func loadPrivateKey(path string) (ssh.AuthMethod, error) {
// Read file
keyData, err := ioutil.ReadFile(path)
if err != nil {
log.Printf("error: could not read key file '%s': %s", path, err)
return nil, err
}
// Get first PEM block
block, _ := pem.Decode(keyData)
if err != nil {
log.Printf("error: no key found in file '%s': %s", path, err)
return nil, err
}
// If it's encrypted...
var (
signer ssh.Signer
signerErr error
)
if x509.IsEncryptedPEMBlock(block) {
// Get the passphrase
prompt := fmt.Sprintf("Enter passphrase for key '%s': ", path)
pass, err := speakeasy.Ask(prompt)
if err != nil {
log.Printf("error: error getting passphrase: %s", err)
return nil, err
}
block.Bytes, err = x509.DecryptPEMBlock(block, []byte(pass))
if err != nil {
log.Printf("error: error decrypting key: %s", err)
return nil, err
}
key, err := ParsePEMBlock(block)
if err != nil {
log.Printf("error: could not parse PEM block: %s", err)
return nil, err
}
signer, signerErr = ssh.NewSignerFromKey(key)
} else {
signer, signerErr = ssh.ParsePrivateKey(keyData)
}
if signerErr != nil {
log.Printf("error: error parsing private key '%s': %s", path, signerErr)
return nil, signerErr
}
return ssh.PublicKeys(signer), nil
}
//export c_NewSignerFromKey
func c_NewSignerFromKey(key uint64) (uint64, int, *C.char) {
obj, ok := GetObject(Handle(key))
if !ok {
return IH, ErrorCodeNotFound, C.CString(MessageNotFound)
}
signer, err := ssh.NewSignerFromKey(obj)
if err != nil {
return IH, ErrorCodeInternal, C.CString(err.Error())
}
return uint64(RegisterObject(&signer)), ErrorCodeSuccess, nil
}
func testLockAgent(agent Agent, t *testing.T) {
if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["rsa"], Comment: "comment 1"}); err != nil {
t.Errorf("Add: %v", err)
}
if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["dsa"], Comment: "comment dsa"}); err != nil {
t.Errorf("Add: %v", err)
}
if keys, err := agent.List(); err != nil {
t.Errorf("List: %v", err)
} else if len(keys) != 2 {
t.Errorf("Want 2 keys, got %v", keys)
}
passphrase := []byte("secret")
if err := agent.Lock(passphrase); err != nil {
t.Errorf("Lock: %v", err)
}
if keys, err := agent.List(); err != nil {
t.Errorf("List: %v", err)
} else if len(keys) != 0 {
t.Errorf("Want 0 keys, got %v", keys)
}
signer, _ := ssh.NewSignerFromKey(testPrivateKeys["rsa"])
if _, err := agent.Sign(signer.PublicKey(), []byte("hello")); err == nil {
t.Fatalf("Sign did not fail")
}
if err := agent.Remove(signer.PublicKey()); err == nil {
t.Fatalf("Remove did not fail")
}
if err := agent.RemoveAll(); err == nil {
t.Fatalf("RemoveAll did not fail")
}
if err := agent.Unlock(nil); err == nil {
t.Errorf("Unlock with wrong passphrase succeeded")
}
if err := agent.Unlock(passphrase); err != nil {
t.Errorf("Unlock: %v", err)
}
if err := agent.Remove(signer.PublicKey()); err != nil {
t.Fatalf("Remove: %v", err)
}
if keys, err := agent.List(); err != nil {
t.Errorf("List: %v", err)
} else if len(keys) != 1 {
t.Errorf("Want 1 keys, got %v", keys)
}
}
func clientAuth(pemData []byte) (ssh.AuthMethod, error) {
privKey, err := ssh.ParseRawPrivateKey(pemData)
if err != nil {
return nil, err
}
signer, err := ssh.NewSignerFromKey(privKey)
if err != nil {
return nil, err
}
return ssh.PublicKeys(signer), nil
}
func testAgentInterface(t *testing.T, agent Agent, key interface{}, cert *ssh.Certificate, lifetimeSecs uint32) {
signer, err := ssh.NewSignerFromKey(key)
if err != nil {
t.Fatalf("NewSignerFromKey(%T): %v", key, err)
}
// The agent should start up empty.
if keys, err := agent.List(); err != nil {
t.Fatalf("RequestIdentities: %v", err)
} else if len(keys) > 0 {
t.Fatalf("got %d keys, want 0: %v", len(keys), keys)
}
// Attempt to insert the key, with certificate if specified.
var pubKey ssh.PublicKey
if cert != nil {
err = agent.Add(AddedKey{
PrivateKey: key,
Certificate: cert,
Comment: "comment",
LifetimeSecs: lifetimeSecs,
})
pubKey = cert
} else {
err = agent.Add(AddedKey{PrivateKey: key, Comment: "comment", LifetimeSecs: lifetimeSecs})
pubKey = signer.PublicKey()
}
if err != nil {
t.Fatalf("insert(%T): %v", key, err)
}
// Did the key get inserted successfully?
if keys, err := agent.List(); err != nil {
t.Fatalf("List: %v", err)
} else if len(keys) != 1 {
t.Fatalf("got %v, want 1 key", keys)
} else if keys[0].Comment != "comment" {
t.Fatalf("key comment: got %v, want %v", keys[0].Comment, "comment")
} else if !bytes.Equal(keys[0].Blob, pubKey.Marshal()) {
t.Fatalf("key mismatch")
}
// Can the agent make a valid signature?
data := []byte("hello")
sig, err := agent.Sign(pubKey, data)
if err != nil {
t.Fatalf("Sign(%s): %v", pubKey.Type(), err)
}
if err := pubKey.Verify(data, sig); err != nil {
t.Fatalf("Verify(%s): %v", pubKey.Type(), err)
}
}
func addKeyAuth(auths []ssh.AuthMethod, keypath string) []ssh.AuthMethod {
if len(keypath) == 0 {
return auths
}
// read the file
pemBytes, err := ioutil.ReadFile(keypath)
if err != nil {
log.Print(err)
os.Exit(1)
}
// get first pem block
block, _ := pem.Decode(pemBytes)
if block == nil {
log.Printf("no key found in %s", keypath)
return auths
}
// handle plain and encrypted keyfiles
if x509.IsEncryptedPEMBlock(block) {
prompt := fmt.Sprintf("Enter passphrase for key '%s': ", keypath)
pass, err := getpass(prompt)
if err != nil {
return auths
}
block.Bytes, err = x509.DecryptPEMBlock(block, []byte(pass))
if err != nil {
log.Print(err)
return auths
}
key, err := ParsePemBlock(block)
if err != nil {
log.Print(err)
return auths
}
signer, err := ssh.NewSignerFromKey(key)
if err != nil {
log.Print(err)
return auths
}
return append(auths, ssh.PublicKeys(signer))
} else {
signer, err := ssh.ParsePrivateKey(pemBytes)
if err != nil {
log.Print(err)
return auths
}
return append(auths, ssh.PublicKeys(signer))
}
}
func (c *BaseCluster) sshConfig() (*ssh.ClientConfig, error) {
if c.SSHKey == nil {
return nil, errors.New("No SSHKey found")
}
signer, err := ssh.NewSignerFromKey(c.SSHKey.PrivateKey)
if err != nil {
return nil, err
}
sshConfig := &ssh.ClientConfig{
User: c.SSHUsername,
Auth: []ssh.AuthMethod{ssh.PublicKeys(signer)},
}
return sshConfig, nil
}
func (p privateKeySigner) Decrypt() (ssh.Signer, error) {
if p.key == nil {
pem, err := x509.DecryptPEMBlock(p.pem, []byte(p.Passphrase()))
if err != nil {
return nil, err
}
p.key, err = x509.ParsePKCS1PrivateKey(pem)
if err != nil {
return nil, err
}
p.Encrypted = false
}
return ssh.NewSignerFromKey(p.key)
}
func Run(username, hostname string, port uint16, seed string) ([]byte, int, error) {
key := generateKey(seed)
/*
config := &ssh.ClientConfig{
User: username,
Auth: []ssh.ClientAuth{
ssh.ClientAuthKeyring(&keyring{key: key}),
},
}
*/
signer, err := ssh.NewSignerFromKey(key)
if err != nil {
panic("Could not create a signer from the key: " + err.Error())
}
config := &ssh.ClientConfig{
User: username,
Auth: []ssh.AuthMethod{
ssh.PublicKeys(signer),
},
}
client, err := ssh.Dial("tcp", fmt.Sprintf("%s:%d", hostname, port), config)
if err != nil {
return nil, 0, err
}
defer client.Close()
session, err := client.NewSession()
if err != nil {
return nil, 0, err
}
defer session.Close()
bytes, err := session.Output("exit 1")
if err != nil {
if exiterror, ok := err.(*ssh.ExitError); ok {
return bytes, exiterror.ExitStatus(), nil
os.Stdout.Write(bytes)
os.Exit(exiterror.ExitStatus())
} else {
return nil, 0, err
}
}
return bytes, 0, nil
}
func sshKey() (pubKey string, auth ssh.AuthMethod, err error) {
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return "", nil, err
}
signer, err := ssh.NewSignerFromKey(key)
if err != nil {
return "", nil, err
}
pub, err := ssh.NewPublicKey(&key.PublicKey)
if err != nil {
return "", nil, err
}
return string(ssh.MarshalAuthorizedKey(pub)), ssh.PublicKeys(signer), nil
}
func newSSHServer() (*sshServer, error) {
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, err
}
signer, err := ssh.NewSignerFromKey(key)
if err != nil {
return nil, err
}
username := randstr(20)
password := randstr(20)
config := &ssh.ServerConfig{
PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
// Don't worry about constant time compares, etc.
// This is a single-use username and password
// on a randomized port, on the loopback interface
// only, on a friendly machine.
var err error
if c.User() != username || string(pass) != password {
err = errors.New("authentication failed")
}
return nil, err
},
}
config.AddHostKey(signer)
l, err := net.Listen("tcp", "127.0.0.1:0")
if err != nil {
return nil, err
}
port, err := strconv.Atoi(strings.TrimPrefix(l.Addr().String(), "127.0.0.1:"))
if err != nil {
return nil, err
}
server := sshServer{
config: config,
listener: l,
port: port,
username: username,
password: password,
}
return &server, nil
}
func (i *jupiterBrainInstance) sshClient() (*ssh.Client, error) {
file, err := ioutil.ReadFile(i.provider.sshKeyPath)
if err != nil {
return nil, err
}
block, _ := pem.Decode(file)
if block == nil {
return nil, fmt.Errorf("ssh key does not contain a valid PEM block")
}
der, err := x509.DecryptPEMBlock(block, []byte(i.provider.sshKeyPassphrase))
if err != nil {
return nil, err
}
key, err := x509.ParsePKCS1PrivateKey(der)
if err != nil {
return nil, err
}
signer, err := ssh.NewSignerFromKey(key)
if err != nil {
return nil, err
}
var ip net.IP
for _, ipString := range i.payload.IPAddresses {
curIP := net.ParseIP(ipString)
if curIP.To4() != nil {
ip = curIP
break
}
}
if ip == nil {
return nil, fmt.Errorf("no valid IPv4 address")
}
return ssh.Dial("tcp", fmt.Sprintf("%s:22", ip.String()), &ssh.ClientConfig{
User: "******",
Auth: []ssh.AuthMethod{
ssh.PublicKeys(signer),
},
})
}
// NewSSHServer returns a NewSSHServer instance, ready for use.
func NewSSHServer() (*SSHServer, error) {
s := &SSHServer{}
s.Transfers = &bytes.Buffer{}
s.Config = &ssh.ServerConfig{
NoClientAuth: true,
}
s.Commands = make(map[string]int)
private, err := rsa.GenerateKey(rand.Reader, 2014)
if err != nil {
return nil, err
}
signer, err := ssh.NewSignerFromKey(private)
if err != nil {
return nil, err
}
s.Config.AddHostKey(signer)
return s, nil
}
func (c *SSHCluster) importSSHKeyPair(t *TargetServer) error {
var buf bytes.Buffer
_, file, readFileErrChan := c.base.PromptFileInput(fmt.Sprintf("Please provide your private key for %s@%s", t.User, t.IP))
if _, err := io.Copy(&buf, file); err != nil {
readFileErrChan <- err
return err
}
readFileErrChan <- nil // no error reading file
b, _ := pem.Decode(buf.Bytes())
if b == nil {
return fmt.Errorf("Invalid private key")
}
var pemBytes []byte
if x509.IsEncryptedPEMBlock(b) {
passphrase := c.base.PromptProtectedInput("Please enter the passphrase for the key")
var err error
pemBytes, err = x509.DecryptPEMBlock(b, []byte(passphrase))
if err != nil {
return err
}
} else {
pemBytes = b.Bytes
}
privateKey, err := x509.ParsePKCS1PrivateKey(pemBytes)
if err != nil {
return err
}
signer, err := ssh.NewSignerFromKey(privateKey)
if err != nil {
return err
}
auth := []ssh.AuthMethod{ssh.PublicKeys(signer)}
sshConfig := c.sshConfigForAuth(t, auth)
c.base.SendLog(fmt.Sprintf("Testing provided key for %s@%s", t.User, t.IP))
if !c.testAndAddAuthentication(t, sshConfig) {
return fmt.Errorf("Provided key for %s@%s failed to authenticate", t.User, t.IP)
}
c.base.SendLog(fmt.Sprintf("Key verified for %s@%s", t.User, t.IP))
return nil
}
// https://github.com/rapidloop/rtop/blob/ba5b35e964135d50e0babedf0bd69b2fcb5dbcb4/src/sshhelper.go#L100
func addKeyAuth(auths []ssh.AuthMethod, keypath string, keypassword string) ([]ssh.AuthMethod, error) {
if len(keypath) == 0 {
return auths, nil
}
// read the file
pemBytes, err := ioutil.ReadFile(keypath)
if err != nil {
return auths, err
}
// get first pem block
block, _ := pem.Decode(pemBytes)
if block == nil {
return auths, fmt.Errorf("no key found in %s", keypath)
}
// handle plain and encrypted keyfiles
if x509.IsEncryptedPEMBlock(block) {
block.Bytes, err = x509.DecryptPEMBlock(block, []byte(keypassword))
if err != nil {
return auths, err
}
key, err := parsePemBlock(block)
if err != nil {
return auths, err
}
signer, err := ssh.NewSignerFromKey(key)
if err != nil {
return auths, err
}
return append(auths, ssh.PublicKeys(signer)), nil
}
signer, err := ssh.ParsePrivateKey(pemBytes)
if err != nil {
return auths, err
}
return append(auths, ssh.PublicKeys(signer)), nil
}
func createClient(username, password, host, port, key string) (*ssh.Client, error) {
authMethods := []ssh.AuthMethod{}
if len(password) > 0 {
authMethods = append(authMethods, ssh.Password(password))
}
if len(key) > 0 {
priv, err := loadKey(key)
if err != nil {
log.Println(err)
} else {
signers, err := ssh.NewSignerFromKey(priv)
if err != nil {
log.Println(err)
} else {
authMethods = append(authMethods, ssh.PublicKeys(signers))
}
}
}
config := &ssh.ClientConfig{
User: username,
Auth: authMethods,
}
if len(port) == 0 {
port = "22"
}
remoteServer := fmt.Sprintf("%v:%v", host, port)
fmt.Println(ansi.Color(fmt.Sprintf("Connecting to %v@%v", username, remoteServer), "green"))
client, err := ssh.Dial("tcp", remoteServer, config)
if err != nil {
return nil, err
}
return client, nil
}
func init() {
var err error
n := len(testdata.PEMBytes)
testPrivateKeys = make(map[string]interface{}, n)
testSigners = make(map[string]ssh.Signer, n)
testPublicKeys = make(map[string]ssh.PublicKey, n)
for t, k := range testdata.PEMBytes {
testPrivateKeys[t], err = ssh.ParseRawPrivateKey(k)
if err != nil {
panic(fmt.Sprintf("Unable to parse test key %s: %v", t, err))
}
testSigners[t], err = ssh.NewSignerFromKey(testPrivateKeys[t])
if err != nil {
panic(fmt.Sprintf("Unable to create signer for test key %s: %v", t, err))
}
testPublicKeys[t] = testSigners[t].PublicKey()
}
// Create a cert and sign it for use in tests.
testCert := &ssh.Certificate{
Nonce: []byte{}, // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
ValidPrincipals: []string{"gopher1", "gopher2"}, // increases test coverage
ValidAfter: 0, // unix epoch
ValidBefore: ssh.CertTimeInfinity, // The end of currently representable time.
Reserved: []byte{}, // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
Key: testPublicKeys["ecdsa"],
SignatureKey: testPublicKeys["rsa"],
Permissions: ssh.Permissions{
CriticalOptions: map[string]string{},
Extensions: map[string]string{},
},
}
testCert.SignCert(rand.Reader, testSigners["rsa"])
testPrivateKeys["cert"] = testPrivateKeys["ecdsa"]
testSigners["cert"], err = ssh.NewCertSigner(testCert, testSigners["ecdsa"])
if err != nil {
panic(fmt.Sprintf("Unable to create certificate signer: %v", err))
}
}
func setupHostKey(config *ssh.ServerConfig) {
var signers []ssh.Signer
if keyEnv := os.Getenv("SSH_PRIVATE_KEYS"); keyEnv != "" {
for _, block := range decodePemBlocks([]byte(keyEnv)) {
signer, _ := signerFromBlock(block)
if signer != nil {
signers = append(signers, signer)
}
}
}
if *hostKey != "" {
pemBytes, err := ioutil.ReadFile(*hostKey)
if err != nil {
debug("host key file error:", err)
}
for _, block := range decodePemBlocks(pemBytes) {
signer, _ := signerFromBlock(block)
if signer != nil {
signers = append(signers, signer)
}
}
}
if len(signers) > 0 {
for _, signer := range signers {
config.AddHostKey(signer)
}
} else {
debug("no host key provided, generating host key")
key, err := rsa.GenerateKey(rand.Reader, 768)
if err != nil {
log.Fatalln("failed key generate:", err)
}
signer, err := ssh.NewSignerFromKey(key)
if err != nil {
log.Fatalln("failed signer:", err)
}
config.AddHostKey(signer)
}
}
func signerFromBlock(block *pem.Block) (ssh.Signer, error) {
var key interface{}
var err error
switch block.Type {
case "RSA PRIVATE KEY":
key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
case "EC PRIVATE KEY":
key, err = x509.ParseECPrivateKey(block.Bytes)
case "DSA PRIVATE KEY":
key, err = ssh.ParseDSAPrivateKey(block.Bytes)
default:
return nil, fmt.Errorf("unsupported key type %q", block.Type)
}
if err != nil {
return nil, err
}
signer, err := ssh.NewSignerFromKey(key)
if err != nil {
return nil, err
}
return signer, nil
}
func (r *SSHCmd) UsePrivateKey(path string) error {
if r.connected {
return fmt.Errorf("Cannot add authentication methods while being connected")
}
content, err := ioutil.ReadFile(path)
if err != nil {
return err
}
privateKey, err := ssh.ParseRawPrivateKey(content)
if err != nil {
return err
}
signer, err := ssh.NewSignerFromKey(privateKey)
if err != nil {
return err
}
authMethod := ssh.PublicKeys(signer)
r.config.Auth = append(r.config.Auth, authMethod)
return nil
}
func addKey(conf *ssh.ServerConfig, block *pem.Block) (err error) {
var key interface{}
switch block.Type {
case "RSA PRIVATE KEY":
key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
case "EC PRIVATE KEY":
key, err = x509.ParseECPrivateKey(block.Bytes)
case "DSA PRIVATE KEY":
key, err = ssh.ParseDSAPrivateKey(block.Bytes)
default:
return fmt.Errorf("unsupported key type %q", block.Type)
}
if err != nil {
return err
}
signer, err := ssh.NewSignerFromKey(key)
if err != nil {
return err
}
conf.AddHostKey(signer)
return nil
}
// Insert adds a private key to the keyring. If a certificate
// is given, that certificate is added as public key. Note that
// any constraints given are ignored.
func (r *keyring) Add(key AddedKey) error {
r.mu.Lock()
defer r.mu.Unlock()
if r.locked {
return errLocked
}
signer, err := ssh.NewSignerFromKey(key.PrivateKey)
if err != nil {
return err
}
if cert := key.Certificate; cert != nil {
signer, err = ssh.NewCertSigner(cert, signer)
if err != nil {
return err
}
}
r.keys = append(r.keys, privKey{signer, key.Comment})
return nil
}
// Insert adds a private key to the keyring. If a certificate
// is given, that certificate is added as public key.
func (r *keyring) Add(priv interface{}, cert *ssh.Certificate, comment string) error {
r.mu.Lock()
defer r.mu.Unlock()
if r.locked {
return errLocked
}
signer, err := ssh.NewSignerFromKey(priv)
if err != nil {
return err
}
if cert != nil {
signer, err = ssh.NewCertSigner(cert, signer)
if err != nil {
return err
}
}
r.keys = append(r.keys, privKey{signer, comment})
return nil
}