2014-07-15 23:50:53 +02:00
|
|
|
package ssh
|
|
|
|
|
|
|
|
|
|
import (
|
2014-08-05 18:53:02 +02:00
|
|
|
"encoding/pem"
|
2014-07-15 23:50:53 +02:00
|
|
|
"fmt"
|
2014-07-16 01:51:20 +02:00
|
|
|
"io/ioutil"
|
2014-07-15 23:50:53 +02:00
|
|
|
"log"
|
2015-04-19 01:07:11 +02:00
|
|
|
"math/rand"
|
2015-03-16 00:12:25 +01:00
|
|
|
"net"
|
|
|
|
|
"os"
|
2015-04-19 01:07:11 +02:00
|
|
|
"strconv"
|
|
|
|
|
"strings"
|
2014-07-15 23:50:53 +02:00
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/hashicorp/terraform/terraform"
|
2014-08-19 21:27:01 +02:00
|
|
|
"github.com/mitchellh/go-homedir"
|
2014-07-15 23:50:53 +02:00
|
|
|
"github.com/mitchellh/mapstructure"
|
2015-03-16 00:12:25 +01:00
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
|
"golang.org/x/crypto/ssh/agent"
|
2014-07-15 23:50:53 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// DefaultUser is used if there is no default user given
|
|
|
|
|
DefaultUser = "root"
|
|
|
|
|
|
|
|
|
|
// DefaultPort is used if there is no port given
|
|
|
|
|
DefaultPort = 22
|
|
|
|
|
|
|
|
|
|
// DefaultScriptPath is used as the path to copy the file to
|
|
|
|
|
// for remote execution if not provided otherwise.
|
2015-04-19 01:07:11 +02:00
|
|
|
DefaultScriptPath = "/tmp/script_%RAND%.sh"
|
2014-07-15 23:50:53 +02:00
|
|
|
|
|
|
|
|
// DefaultTimeout is used if there is no timeout given
|
|
|
|
|
DefaultTimeout = 5 * time.Minute
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// SSHConfig is decoded from the ConnInfo of the resource. These
|
|
|
|
|
// are the only keys we look at. If a KeyFile is given, that is used
|
|
|
|
|
// instead of a password.
|
|
|
|
|
type SSHConfig struct {
|
|
|
|
|
User string
|
|
|
|
|
Password string
|
|
|
|
|
KeyFile string `mapstructure:"key_file"`
|
|
|
|
|
Host string
|
|
|
|
|
Port int
|
2015-03-16 00:12:25 +01:00
|
|
|
Agent bool
|
2014-07-15 23:50:53 +02:00
|
|
|
Timeout string
|
|
|
|
|
ScriptPath string `mapstructure:"script_path"`
|
|
|
|
|
TimeoutVal time.Duration `mapstructure:"-"`
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-19 01:07:11 +02:00
|
|
|
func (c *SSHConfig) RemotePath() string {
|
|
|
|
|
return strings.Replace(
|
|
|
|
|
c.ScriptPath, "%RAND%",
|
|
|
|
|
strconv.FormatInt(int64(rand.Int31()), 10), -1)
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-07 19:19:03 +02:00
|
|
|
// VerifySSH is used to verify the ConnInfo is usable by remote-exec
|
2014-09-17 01:55:02 +02:00
|
|
|
func VerifySSH(s *terraform.InstanceState) error {
|
|
|
|
|
connType := s.Ephemeral.ConnInfo["type"]
|
2014-07-15 23:50:53 +02:00
|
|
|
switch connType {
|
|
|
|
|
case "":
|
|
|
|
|
case "ssh":
|
|
|
|
|
default:
|
|
|
|
|
return fmt.Errorf("Connection type '%s' not supported", connType)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-17 01:55:02 +02:00
|
|
|
// ParseSSHConfig is used to convert the ConnInfo of the InstanceState into
|
2014-07-15 23:50:53 +02:00
|
|
|
// a SSHConfig struct
|
2014-09-17 01:55:02 +02:00
|
|
|
func ParseSSHConfig(s *terraform.InstanceState) (*SSHConfig, error) {
|
2014-07-15 23:50:53 +02:00
|
|
|
sshConf := &SSHConfig{}
|
|
|
|
|
decConf := &mapstructure.DecoderConfig{
|
|
|
|
|
WeaklyTypedInput: true,
|
|
|
|
|
Result: sshConf,
|
|
|
|
|
}
|
|
|
|
|
dec, err := mapstructure.NewDecoder(decConf)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2014-09-17 01:55:02 +02:00
|
|
|
if err := dec.Decode(s.Ephemeral.ConnInfo); err != nil {
|
2014-07-15 23:50:53 +02:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if sshConf.User == "" {
|
|
|
|
|
sshConf.User = DefaultUser
|
|
|
|
|
}
|
|
|
|
|
if sshConf.Port == 0 {
|
|
|
|
|
sshConf.Port = DefaultPort
|
|
|
|
|
}
|
|
|
|
|
if sshConf.ScriptPath == "" {
|
|
|
|
|
sshConf.ScriptPath = DefaultScriptPath
|
|
|
|
|
}
|
|
|
|
|
if sshConf.Timeout != "" {
|
|
|
|
|
sshConf.TimeoutVal = safeDuration(sshConf.Timeout, DefaultTimeout)
|
|
|
|
|
} else {
|
|
|
|
|
sshConf.TimeoutVal = DefaultTimeout
|
|
|
|
|
}
|
|
|
|
|
return sshConf, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// safeDuration returns either the parsed duration or a default value
|
|
|
|
|
func safeDuration(dur string, defaultDur time.Duration) time.Duration {
|
|
|
|
|
d, err := time.ParseDuration(dur)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Printf("Invalid duration '%s', using default of %s", dur, defaultDur)
|
|
|
|
|
return defaultDur
|
|
|
|
|
}
|
|
|
|
|
return d
|
|
|
|
|
}
|
2014-07-16 01:51:20 +02:00
|
|
|
|
|
|
|
|
// PrepareConfig is used to turn the *SSHConfig provided into a
|
|
|
|
|
// usable *Config for client initialization.
|
|
|
|
|
func PrepareConfig(conf *SSHConfig) (*Config, error) {
|
2015-03-21 02:18:35 +01:00
|
|
|
var conn net.Conn
|
|
|
|
|
var err error
|
|
|
|
|
|
2014-07-16 01:51:20 +02:00
|
|
|
sshConf := &ssh.ClientConfig{
|
|
|
|
|
User: conf.User,
|
|
|
|
|
}
|
2015-03-16 00:12:25 +01:00
|
|
|
if conf.Agent {
|
|
|
|
|
sshAuthSock := os.Getenv("SSH_AUTH_SOCK")
|
|
|
|
|
|
|
|
|
|
if sshAuthSock == "" {
|
|
|
|
|
return nil, fmt.Errorf("SSH Requested but SSH_AUTH_SOCK not-specified")
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-21 02:18:35 +01:00
|
|
|
conn, err = net.Dial("unix", sshAuthSock)
|
2015-03-16 00:12:25 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("Error connecting to SSH_AUTH_SOCK: %v", err)
|
|
|
|
|
}
|
|
|
|
|
// I need to close this but, later after all connections have been made
|
|
|
|
|
// defer conn.Close()
|
|
|
|
|
signers, err := agent.NewClient(conn).Signers()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("Error getting keys from ssh agent: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signers...))
|
|
|
|
|
}
|
2014-07-16 01:51:20 +02:00
|
|
|
if conf.KeyFile != "" {
|
2014-08-19 21:21:01 +02:00
|
|
|
fullPath, err := homedir.Expand(conf.KeyFile)
|
2014-08-11 20:39:29 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("Failed to expand home directory: %v", err)
|
|
|
|
|
}
|
|
|
|
|
key, err := ioutil.ReadFile(fullPath)
|
2014-07-16 01:51:20 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("Failed to read key file '%s': %v", conf.KeyFile, err)
|
|
|
|
|
}
|
2014-08-05 18:53:02 +02:00
|
|
|
|
|
|
|
|
// We parse the private key on our own first so that we can
|
|
|
|
|
// show a nicer error if the private key has a password.
|
|
|
|
|
block, _ := pem.Decode(key)
|
|
|
|
|
if block == nil {
|
|
|
|
|
return nil, fmt.Errorf(
|
|
|
|
|
"Failed to read key '%s': no key found", conf.KeyFile)
|
|
|
|
|
}
|
|
|
|
|
if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
|
|
|
|
|
return nil, fmt.Errorf(
|
|
|
|
|
"Failed to read key '%s': password protected keys are\n"+
|
|
|
|
|
"not supported. Please decrypt the key prior to use.", conf.KeyFile)
|
|
|
|
|
}
|
|
|
|
|
|
2014-07-16 01:51:20 +02:00
|
|
|
signer, err := ssh.ParsePrivateKey(key)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("Failed to parse key file '%s': %v", conf.KeyFile, err)
|
|
|
|
|
}
|
2014-08-05 18:53:02 +02:00
|
|
|
|
2014-07-16 01:51:20 +02:00
|
|
|
sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signer))
|
|
|
|
|
}
|
|
|
|
|
if conf.Password != "" {
|
|
|
|
|
sshConf.Auth = append(sshConf.Auth,
|
|
|
|
|
ssh.Password(conf.Password))
|
|
|
|
|
sshConf.Auth = append(sshConf.Auth,
|
|
|
|
|
ssh.KeyboardInteractive(PasswordKeyboardInteractive(conf.Password)))
|
|
|
|
|
}
|
|
|
|
|
host := fmt.Sprintf("%s:%d", conf.Host, conf.Port)
|
|
|
|
|
config := &Config{
|
2015-03-21 02:18:35 +01:00
|
|
|
SSHConfig: sshConf,
|
|
|
|
|
Connection: ConnectFunc("tcp", host),
|
|
|
|
|
SSHAgentConn: conn,
|
2014-07-16 01:51:20 +02:00
|
|
|
}
|
|
|
|
|
return config, nil
|
|
|
|
|
}
|
2015-03-21 02:18:35 +01:00
|
|
|
|
|
|
|
|
func (c *Config) CleanupConfig() error {
|
|
|
|
|
if c.SSHAgentConn != nil {
|
|
|
|
|
return c.SSHAgentConn.Close()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
