func fingerprintCallback(opts *options.SSHOptions, expectedFingerprint string) hostKeyCallback {
if opts.SkipHostValidation {
return nil
}
return func(hostname string, remote net.Addr, key ssh.PublicKey) error {
switch len(expectedFingerprint) {
case helpers.SHA1_FINGERPRINT_LENGTH:
fingerprint := helpers.SHA1Fingerprint(key)
if fingerprint != expectedFingerprint {
return fmt.Errorf("Host key verification failed.\n\nThe fingerprint of the received key was %q.", fingerprint)
}
case helpers.MD5_FINGERPRINT_LENGTH:
fingerprint := helpers.MD5Fingerprint(key)
if fingerprint != expectedFingerprint {
return fmt.Errorf("Host key verification failed.\n\nThe fingerprint of the received key was %q.", fingerprint)
}
case 0:
fingerprint := helpers.MD5Fingerprint(key)
return fmt.Errorf("Unable to verify identity of host.\n\nThe fingerprint of the received key was %q.", fingerprint)
default:
return errors.New("Unsupported host key fingerprint format")
}
return nil
}
}
func NewClientConn(logger lager.Logger, permissions *ssh.Permissions) (ssh.Conn, <-chan ssh.NewChannel, <-chan *ssh.Request, error) {
if permissions == nil || permissions.CriticalOptions == nil {
err := errors.New("Invalid permissions from authentication")
logger.Error("permissions-and-critical-options-required", err)
return nil, nil, nil, err
}
targetConfigJson := permissions.CriticalOptions["proxy-target-config"]
logger = logger.Session("new-client-conn", lager.Data{
"proxy-target-config": targetConfigJson,
})
var targetConfig TargetConfig
err := json.Unmarshal([]byte(permissions.CriticalOptions["proxy-target-config"]), &targetConfig)
if err != nil {
logger.Error("unmarshal-failed", err)
return nil, nil, nil, err
}
nConn, err := net.Dial("tcp", targetConfig.Address)
if err != nil {
logger.Error("dial-failed", err)
return nil, nil, nil, err
}
clientConfig := &ssh.ClientConfig{}
if targetConfig.User != "" {
clientConfig.User = targetConfig.User
}
if targetConfig.PrivateKey != "" {
key, err := ssh.ParsePrivateKey([]byte(targetConfig.PrivateKey))
if err != nil {
logger.Error("parsing-key-failed", err)
return nil, nil, nil, err
}
clientConfig.Auth = append(clientConfig.Auth, ssh.PublicKeys(key))
}
if targetConfig.User != "" && targetConfig.Password != "" {
clientConfig.Auth = append(clientConfig.Auth, ssh.Password(targetConfig.Password))
}
if targetConfig.HostFingerprint != "" {
clientConfig.HostKeyCallback = func(hostname string, remote net.Addr, key ssh.PublicKey) error {
expectedFingerprint := targetConfig.HostFingerprint
var actualFingerprint string
switch utf8.RuneCountInString(expectedFingerprint) {
case helpers.MD5_FINGERPRINT_LENGTH:
actualFingerprint = helpers.MD5Fingerprint(key)
case helpers.SHA1_FINGERPRINT_LENGTH:
actualFingerprint = helpers.SHA1Fingerprint(key)
}
if expectedFingerprint != actualFingerprint {
err := errors.New("Host fingerprint mismatch")
logger.Error("host-key-fingerprint-mismatch", err)
return err
}
return nil
}
}
conn, ch, req, err := ssh.NewClientConn(nConn, targetConfig.Address, clientConfig)
if err != nil {
logger.Error("handshake-failed", err)
return nil, nil, nil, err
}
return conn, ch, req, nil
}
actualLRPGroupResponse *models.ActualLRPGroupResponse
getDesiredLRPRequest *models.DesiredLRPByProcessGuidRequest
desiredLRPResponse *models.DesiredLRPResponse
processGuid string
clientConfig *ssh.ClientConfig
)
BeforeEach(func() {
fakeBBS = ghttp.NewServer()
fakeUAA = ghttp.NewTLSServer()
fakeCC = ghttp.NewTLSServer()
privateKey, err := ssh.ParsePrivateKey([]byte(hostKeyPem))
Expect(err).NotTo(HaveOccurred())
hostKeyFingerprint = helpers.MD5Fingerprint(privateKey.PublicKey())
address = fmt.Sprintf("127.0.0.1:%d", sshProxyPort)
bbsAddress = fakeBBS.URL()
ccAPIURL = fakeCC.URL()
diegoCredentials = "some-creds"
enableCFAuth = true
enableDiegoAuth = true
hostKey = hostKeyPem
skipCertVerify = true
processGuid = "app-guid-app-version"
u, err := url.Parse(fakeUAA.URL())
Expect(err).NotTo(HaveOccurred())
u.Path = "/oauth/token"
{"file-server", fileServer},
{"rep", componentMaker.Rep()},
{"converger", componentMaker.Converger()},
{"auctioneer", componentMaker.Auctioneer()},
{"route-emitter", componentMaker.RouteEmitter()},
{"ssh-proxy", componentMaker.SSHProxy()},
}))
tgCompressor := compressor.NewTgz()
err := tgCompressor.Compress(componentMaker.Artifacts.Executables["sshd"], filepath.Join(fileServerStaticDir, "sshd.tgz"))
Expect(err).NotTo(HaveOccurred())
sshRoute := routes.SSHRoute{
ContainerPort: 3456,
PrivateKey: componentMaker.SSHConfig.PrivateKeyPem,
HostFingerprint: ssh_helpers.MD5Fingerprint(componentMaker.SSHConfig.HostKey.PublicKey()),
}
sshRoutePayload, err := json.Marshal(sshRoute)
Expect(err).NotTo(HaveOccurred())
sshRouteMessage := json.RawMessage(sshRoutePayload)
envVars := []receptor.EnvironmentVariable{
{Name: "TEST", Value: "foobar"},
}
lrp = receptor.DesiredLRPCreateRequest{
ProcessGuid: processGuid,
Domain: "inigo",
Instances: 2,
It("correctly represents the private key", func() {
privateKey, err := ssh.ParsePrivateKey([]byte(keyPair.PEMEncodedPrivateKey()))
Expect(err).NotTo(HaveOccurred())
Expect(privateKey.PublicKey().Marshal()).To(Equal(keyPair.PublicKey().Marshal()))
})
})
Describe("PublicKey", func() {
It("equals the public key associated with the private key", func() {
Expect(keyPair.PrivateKey().PublicKey().Marshal()).To(Equal(keyPair.PublicKey().Marshal()))
})
})
Describe("Fingerprint", func() {
It("equals the MD5 fingerprint of the public key", func() {
expectedFingerprint := helpers.MD5Fingerprint(keyPair.PublicKey())
Expect(keyPair.Fingerprint()).To(Equal(expectedFingerprint))
})
})
Describe("AuthorizedKey", func() {
It("equals the authorized key formatted public key", func() {
expectedAuthorizedKey := string(ssh.MarshalAuthorizedKey(keyPair.PublicKey()))
Expect(keyPair.AuthorizedKey()).To(Equal(expectedAuthorizedKey))
})
})
})
daemonSSHConfig.AddHostKey(TestHostKey)
daemonGlobalRequestHandlers = map[string]handlers.GlobalRequestHandler{}
daemonNewChannelHandlers = map[string]handlers.NewChannelHandler{}
var err error
proxyListener, err = net.Listen("tcp", "127.0.0.1:0")
Expect(err).NotTo(HaveOccurred())
proxyAddress = proxyListener.Addr().String()
sshdListener, err = net.Listen("tcp", "127.0.0.1:0")
Expect(err).NotTo(HaveOccurred())
daemonAddress = sshdListener.Addr().String()
daemonTargetConfig = proxy.TargetConfig{
Address: daemonAddress,
HostFingerprint: helpers.MD5Fingerprint(TestHostKey.PublicKey()),
User: "******",
Password: "******",
}
targetConfigJson, err := json.Marshal(daemonTargetConfig)
Expect(err).NotTo(HaveOccurred())
logMessageJson, err := json.Marshal(proxy.LogMessage{
Guid: "a-guid",
Message: "a-message",
Index: 1,
})
Expect(err).NotTo(HaveOccurred())
permissions := &ssh.Permissions{
func (k *rsaKeyPair) Fingerprint() string {
return helpers.MD5Fingerprint(k.PublicKey())
}
)
var _ = Describe("Fingerprint", func() {
var publicKey ssh.PublicKey
var fingerprint string
BeforeEach(func() {
privateKey, err := ssh.ParsePrivateKey([]byte(TestPrivateKeyPem))
Expect(err).NotTo(HaveOccurred())
publicKey = privateKey.PublicKey()
})
Describe("MD5 Fingerprint", func() {
BeforeEach(func() {
fingerprint = helpers.MD5Fingerprint(publicKey)
})
It("should have the correct length", func() {
Expect(utf8.RuneCountInString(fingerprint)).To(Equal(helpers.MD5_FINGERPRINT_LENGTH))
})
It("should match the expected fingerprint", func() {
Expect(fingerprint).To(Equal(ExpectedMD5Fingerprint))
})
})
Describe("SHA1 Fingerprint", func() {
BeforeEach(func() {
fingerprint = helpers.SHA1Fingerprint(publicKey)
})