From 8c8847e1cf230acae3ccc4ef42eb187974414fee Mon Sep 17 00:00:00 2001 From: James Bardin Date: Thu, 21 Dec 2017 16:47:05 -0500 Subject: [PATCH] sort ssh agent signers by requested id It's becoming more common for users to have many ssh keys loaded into an agent, and with the default max auth attempts of an openssh server at 6, one often needs to specify which id to use in order to avoid a `too many authentication failures` error. Add a connection field called `agent_identity` which will function similarly to the ssh_config IdentityFile when used in conjunction with an ssh agent. This uses `agent_identity` rather than `identity_file` to specify that the file is not used directly for authentication, rather it's used to choose which identity returned from the agent to authenticate with first. This feature tries a number of different methods to match the agent identity. First the provisioner attempts to read the id file and extract the public key. If that isn't available, we look for a .pub authorized key file. Either of these will result in a public key that can be matched directly against the agent keys. Finally we fall back to matching the comment string exactly, and the id as a suffix. The only result of using the agent_identity is the reordering of the public keys used for authentication, and if there is no exact match the client will still attempt remaining keys until there is an error. --- communicator/ssh/provisioner.go | 132 +++++++++++++++++++++++++++++++- 1 file changed, 130 insertions(+), 2 deletions(-) diff --git a/communicator/ssh/provisioner.go b/communicator/ssh/provisioner.go index 79d047727..69923017e 100644 --- a/communicator/ssh/provisioner.go +++ b/communicator/ssh/provisioner.go @@ -1,11 +1,15 @@ package ssh import ( + "bytes" "encoding/pem" "fmt" + "io/ioutil" "log" "net" "os" + "path/filepath" + "strings" "time" "github.com/hashicorp/terraform/communicator/shared" @@ -50,6 +54,8 @@ type connectionInfo struct { BastionPrivateKey string `mapstructure:"bastion_private_key"` BastionHost string `mapstructure:"bastion_host"` BastionPort int `mapstructure:"bastion_port"` + + AgentIdentity string `mapstructure:"agent_identity"` } // parseConnectionInfo is used to convert the ConnInfo of the InstanceState into @@ -186,7 +192,8 @@ type sshClientConfigOpts struct { func buildSSHClientConfig(opts sshClientConfigOpts) (*ssh.ClientConfig, error) { conf := &ssh.ClientConfig{ - User: opts.user, + HostKeyCallback: ssh.InsecureIgnoreHostKey(), + User: opts.user, } if opts.privateKey != "" { @@ -246,6 +253,7 @@ func connectToAgent(connInfo *connectionInfo) (*sshAgent, error) { return &sshAgent{ agent: agent, conn: conn, + id: connInfo.AgentIdentity, }, nil } @@ -255,6 +263,7 @@ func connectToAgent(connInfo *connectionInfo) (*sshAgent, error) { type sshAgent struct { agent agent.Agent conn net.Conn + id string } func (a *sshAgent) Close() error { @@ -265,8 +274,127 @@ func (a *sshAgent) Close() error { return a.conn.Close() } +// make an attempt to either read the identity file or find a corresponding +// public key file using the typical openssh naming convention. +// This returns the public key in wire format, or nil when a key is not found. +func findIDPublicKey(id string) []byte { + for _, d := range idKeyData(id) { + signer, err := ssh.ParsePrivateKey(d) + if err == nil { + log.Println("[DEBUG] parsed id private key") + pk := signer.PublicKey() + return pk.Marshal() + } + + // try it as a publicKey + pk, err := ssh.ParsePublicKey(d) + if err == nil { + log.Println("[DEBUG] parsed id public key") + return pk.Marshal() + } + + // finally try it as an authorized key + pk, _, _, _, err = ssh.ParseAuthorizedKey(d) + if err == nil { + log.Println("[DEBUG] parsed id authorized key") + return pk.Marshal() + } + } + + return nil +} + +// Try to read an id file using the id as the file path. Also read the .pub +// file if it exists, as the id file may be encrypted. Return only the file +// data read. We don't need to know what data came from which path, as we will +// try parsing each as a private key, a public key and an authorized key +// regardless. +func idKeyData(id string) [][]byte { + idPath, err := filepath.Abs(id) + if err != nil { + return nil + } + + var fileData [][]byte + + paths := []string{idPath} + + if !strings.HasSuffix(idPath, ".pub") { + paths = append(paths, idPath+".pub") + } + + for _, p := range paths { + d, err := ioutil.ReadFile(p) + if err != nil { + log.Printf("[DEBUG] error reading %q: %s", p, err) + continue + } + log.Printf("[DEBUG] found identity data at %q", p) + fileData = append(fileData, d) + } + + return fileData +} + +// sortSigners moves a signer with an agent comment field matching the +// agent_identity to the head of the list when attempting authentication. This +// helps when there are more keys loaded in an agent than the host will allow +// attempts. +func (s *sshAgent) sortSigners(signers []ssh.Signer) { + if s.id == "" || len(signers) < 2 { + return + } + + // if we can locate the public key, either by extracting it from the id or + // locating the .pub file, then we can more easily determine an exact match + idPk := findIDPublicKey(s.id) + + // if we have a signer with a connect field that matches the id, send that + // first, otherwise put close matches at the front of the list. + head := 0 + for i := range signers { + pk := signers[i].PublicKey() + k, ok := pk.(*agent.Key) + if !ok { + continue + } + + // check for an exact match first + if bytes.Equal(pk.Marshal(), idPk) || s.id == k.Comment { + signers[0], signers[i] = signers[i], signers[0] + break + } + + // no exact match yet, move it to the front if it's close. The agent + // may have loaded as a full filepath, while the config refers to it by + // filename only. + if strings.HasSuffix(k.Comment, s.id) { + signers[head], signers[i] = signers[i], signers[head] + head++ + continue + } + } + + ss := []string{} + for _, signer := range signers { + pk := signer.PublicKey() + k := pk.(*agent.Key) + ss = append(ss, k.Comment) + } +} + +func (s *sshAgent) Signers() ([]ssh.Signer, error) { + signers, err := s.agent.Signers() + if err != nil { + return nil, err + } + + s.sortSigners(signers) + return signers, nil +} + func (a *sshAgent) Auth() ssh.AuthMethod { - return ssh.PublicKeysCallback(a.agent.Signers) + return ssh.PublicKeysCallback(a.Signers) } func (a *sshAgent) ForwardToAgent(client *ssh.Client) error {