2015-06-17 16:39:49 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
2016-05-25 19:02:31 +00:00
|
|
|
"encoding/json"
|
2015-06-17 16:39:49 +00:00
|
|
|
"fmt"
|
2015-06-18 00:33:03 +00:00
|
|
|
"io/ioutil"
|
2015-06-24 22:13:12 +00:00
|
|
|
"net"
|
2015-06-18 00:33:03 +00:00
|
|
|
"os"
|
|
|
|
"os/exec"
|
2015-07-29 18:21:36 +00:00
|
|
|
"os/user"
|
2015-06-17 16:39:49 +00:00
|
|
|
"strings"
|
2017-09-05 04:04:32 +00:00
|
|
|
"syscall"
|
2015-07-02 23:00:14 +00:00
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
"github.com/hashicorp/vault/api"
|
2015-07-23 21:20:28 +00:00
|
|
|
"github.com/hashicorp/vault/builtin/logical/ssh"
|
2017-09-05 04:04:32 +00:00
|
|
|
"github.com/mitchellh/cli"
|
2015-08-18 01:22:03 +00:00
|
|
|
"github.com/mitchellh/mapstructure"
|
2017-08-17 02:01:24 +00:00
|
|
|
"github.com/pkg/errors"
|
2017-09-05 04:04:32 +00:00
|
|
|
"github.com/posener/complete"
|
2015-06-17 16:39:49 +00:00
|
|
|
)
|
|
|
|
|
2017-09-05 04:04:32 +00:00
|
|
|
var _ cli.Command = (*SSHCommand)(nil)
|
|
|
|
var _ cli.CommandAutocomplete = (*SSHCommand)(nil)
|
|
|
|
|
2015-07-01 15:58:49 +00:00
|
|
|
type SSHCommand struct {
|
2017-09-05 04:04:32 +00:00
|
|
|
*BaseCommand
|
|
|
|
|
|
|
|
// Common SSH options
|
|
|
|
flagMode string
|
|
|
|
flagRole string
|
|
|
|
flagNoExec bool
|
|
|
|
flagMountPoint string
|
|
|
|
flagStrictHostKeyChecking string
|
|
|
|
flagUserKnownHostsFile string
|
|
|
|
|
|
|
|
// SSH CA Mode options
|
|
|
|
flagPublicKeyPath string
|
|
|
|
flagPrivateKeyPath string
|
|
|
|
flagHostKeyMountPoint string
|
|
|
|
flagHostKeyHostnames string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *SSHCommand) Synopsis() string {
|
|
|
|
return "Initiate an SSH session"
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *SSHCommand) Help() string {
|
|
|
|
helpText := `
|
|
|
|
Usage: vault ssh [options] username@ip [ssh options]
|
|
|
|
|
|
|
|
Establishes an SSH connection with the target machine.
|
|
|
|
|
2017-09-08 02:03:52 +00:00
|
|
|
This command uses one of the SSH secrets engines to authenticate and
|
2017-09-05 04:04:32 +00:00
|
|
|
automatically establish an SSH connection to a host. This operation requires
|
2017-09-08 02:03:52 +00:00
|
|
|
that the SSH secrets engine is mounted and configured.
|
2017-09-05 04:04:32 +00:00
|
|
|
|
|
|
|
SSH using the OTP mode (requires sshpass for full automation):
|
|
|
|
|
|
|
|
$ vault ssh -mode=otp -role=my-role user@1.2.3.4
|
|
|
|
|
|
|
|
SSH using the CA mode:
|
|
|
|
|
|
|
|
$ vault ssh -mode=ca -role=my-role user@1.2.3.4
|
|
|
|
|
|
|
|
SSH using CA mode with host key verification:
|
|
|
|
|
|
|
|
$ vault ssh \
|
|
|
|
-mode=ca \
|
|
|
|
-role=my-role \
|
|
|
|
-host-key-mount-point=host-signer \
|
|
|
|
-host-key-hostnames=example.com \
|
|
|
|
user@example.com
|
|
|
|
|
|
|
|
For the full list of options and arguments, please see the documentation.
|
|
|
|
|
|
|
|
` + c.Flags().Help()
|
|
|
|
|
|
|
|
return strings.TrimSpace(helpText)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *SSHCommand) Flags() *FlagSets {
|
|
|
|
set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
|
|
|
|
|
|
|
|
f := set.NewFlagSet("SSH Options")
|
|
|
|
|
|
|
|
// TODO: doc field?
|
|
|
|
|
|
|
|
// General
|
|
|
|
f.StringVar(&StringVar{
|
|
|
|
Name: "mode",
|
|
|
|
Target: &c.flagMode,
|
|
|
|
Default: "",
|
|
|
|
EnvVar: "",
|
|
|
|
Completion: complete.PredictSet("ca", "dynamic", "otp"),
|
|
|
|
Usage: "Name of the role to use to generate the key.",
|
|
|
|
})
|
|
|
|
|
|
|
|
f.StringVar(&StringVar{
|
|
|
|
Name: "role",
|
|
|
|
Target: &c.flagRole,
|
|
|
|
Default: "",
|
|
|
|
EnvVar: "",
|
|
|
|
Completion: complete.PredictAnything,
|
|
|
|
Usage: "Name of the role to use to generate the key.",
|
|
|
|
})
|
|
|
|
|
|
|
|
f.BoolVar(&BoolVar{
|
|
|
|
Name: "no-exec",
|
|
|
|
Target: &c.flagNoExec,
|
|
|
|
Default: false,
|
|
|
|
EnvVar: "",
|
|
|
|
Completion: complete.PredictNothing,
|
|
|
|
Usage: "Print the generated credentials, but do not establish a " +
|
|
|
|
"connection.",
|
|
|
|
})
|
|
|
|
|
|
|
|
f.StringVar(&StringVar{
|
|
|
|
Name: "mount-point",
|
|
|
|
Target: &c.flagMountPoint,
|
|
|
|
Default: "ssh/",
|
|
|
|
EnvVar: "",
|
|
|
|
Completion: complete.PredictAnything,
|
2017-09-08 02:03:52 +00:00
|
|
|
Usage: "Mount point to the SSH secrets engine.",
|
2017-09-05 04:04:32 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
f.StringVar(&StringVar{
|
|
|
|
Name: "strict-host-key-checking",
|
|
|
|
Target: &c.flagStrictHostKeyChecking,
|
|
|
|
Default: "ask",
|
|
|
|
EnvVar: "VAULT_SSH_STRICT_HOST_KEY_CHECKING",
|
|
|
|
Completion: complete.PredictSet("ask", "no", "yes"),
|
|
|
|
Usage: "Value to use for the SSH configuration option " +
|
|
|
|
"\"StrictHostKeyChecking\".",
|
|
|
|
})
|
|
|
|
|
|
|
|
f.StringVar(&StringVar{
|
|
|
|
Name: "user-known-hosts-file",
|
|
|
|
Target: &c.flagUserKnownHostsFile,
|
|
|
|
Default: "~/.ssh/known_hosts",
|
|
|
|
EnvVar: "VAULT_SSH_USER_KNOWN_HOSTS_FILE",
|
|
|
|
Completion: complete.PredictFiles("*"),
|
|
|
|
Usage: "Value to use for the SSH configuration option " +
|
|
|
|
"\"UserKnownHostsFile\".",
|
|
|
|
})
|
|
|
|
|
|
|
|
// SSH CA
|
|
|
|
f = set.NewFlagSet("CA Mode Options")
|
|
|
|
|
|
|
|
f.StringVar(&StringVar{
|
|
|
|
Name: "public-key-path",
|
|
|
|
Target: &c.flagPublicKeyPath,
|
|
|
|
Default: "~/.ssh/id_rsa.pub",
|
2017-09-08 02:03:52 +00:00
|
|
|
EnvVar: "",
|
2017-09-05 04:04:32 +00:00
|
|
|
Completion: complete.PredictFiles("*"),
|
|
|
|
Usage: "Path to the SSH public key to send to Vault for signing.",
|
|
|
|
})
|
|
|
|
|
|
|
|
f.StringVar(&StringVar{
|
|
|
|
Name: "private-key-path",
|
|
|
|
Target: &c.flagPrivateKeyPath,
|
|
|
|
Default: "~/.ssh/id_rsa",
|
|
|
|
EnvVar: "",
|
|
|
|
Completion: complete.PredictFiles("*"),
|
|
|
|
Usage: "Path to the SSH private key to use for authentication. This must " +
|
|
|
|
"be the corresponding private key to -public-key-path.",
|
|
|
|
})
|
|
|
|
|
|
|
|
f.StringVar(&StringVar{
|
|
|
|
Name: "host-key-mount-point",
|
|
|
|
Target: &c.flagHostKeyMountPoint,
|
2017-09-08 02:03:52 +00:00
|
|
|
Default: "",
|
2017-09-05 04:04:32 +00:00
|
|
|
EnvVar: "VAULT_SSH_HOST_KEY_MOUNT_POINT",
|
|
|
|
Completion: complete.PredictAnything,
|
2017-09-08 02:03:52 +00:00
|
|
|
Usage: "Mount point to the SSH secrets engine where host keys are signed. " +
|
2017-09-05 04:04:32 +00:00
|
|
|
"When given a value, Vault will generate a custom \"known_hosts\" file " +
|
|
|
|
"with delegation to the CA at the provided mount point to verify the " +
|
|
|
|
"SSH connection's host keys against the provided CA. By default, host " +
|
|
|
|
"keys are validated against the user's local \"known_hosts\" file. " +
|
|
|
|
"This flag forces strict key host checking and ignores a custom user " +
|
|
|
|
"known hosts file.",
|
|
|
|
})
|
|
|
|
|
|
|
|
f.StringVar(&StringVar{
|
|
|
|
Name: "host-key-hostnames",
|
|
|
|
Target: &c.flagHostKeyHostnames,
|
|
|
|
Default: "*",
|
|
|
|
EnvVar: "VAULT_SSH_HOST_KEY_HOSTNAMES",
|
|
|
|
Completion: complete.PredictAnything,
|
|
|
|
Usage: "List of hostnames to delegate for the CA. The default value " +
|
|
|
|
"allows all domains and IPs. This is specified as a comma-separated " +
|
|
|
|
"list of values.",
|
|
|
|
})
|
|
|
|
|
|
|
|
return set
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *SSHCommand) AutocompleteArgs() complete.Predictor {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *SSHCommand) AutocompleteFlags() complete.Flags {
|
|
|
|
return c.Flags().Completions()
|
2015-06-17 16:39:49 +00:00
|
|
|
}
|
|
|
|
|
2017-09-08 02:03:52 +00:00
|
|
|
// Structure to hold the fields returned when asked for a credential from SSH
|
|
|
|
// secrets engine.
|
2015-08-18 01:22:03 +00:00
|
|
|
type SSHCredentialResp struct {
|
|
|
|
KeyType string `mapstructure:"key_type"`
|
|
|
|
Key string `mapstructure:"key"`
|
|
|
|
Username string `mapstructure:"username"`
|
|
|
|
IP string `mapstructure:"ip"`
|
2016-05-25 19:02:31 +00:00
|
|
|
Port string `mapstructure:"port"`
|
2015-08-18 01:22:03 +00:00
|
|
|
}
|
|
|
|
|
2015-07-01 15:58:49 +00:00
|
|
|
func (c *SSHCommand) Run(args []string) int {
|
2017-09-05 04:04:32 +00:00
|
|
|
f := c.Flags()
|
2017-08-17 02:01:24 +00:00
|
|
|
|
2017-09-05 04:04:32 +00:00
|
|
|
if err := f.Parse(args); err != nil {
|
|
|
|
c.UI.Error(err.Error())
|
2017-08-17 02:01:24 +00:00
|
|
|
return 1
|
2016-06-01 03:31:53 +00:00
|
|
|
}
|
|
|
|
|
2017-09-05 04:04:32 +00:00
|
|
|
// Use homedir to expand any relative paths such as ~/.ssh
|
|
|
|
c.flagUserKnownHostsFile = expandPath(c.flagUserKnownHostsFile)
|
|
|
|
c.flagPublicKeyPath = expandPath(c.flagPublicKeyPath)
|
|
|
|
c.flagPrivateKeyPath = expandPath(c.flagPrivateKeyPath)
|
2015-06-30 02:00:08 +00:00
|
|
|
|
2017-09-05 04:04:32 +00:00
|
|
|
args = f.Args()
|
|
|
|
if len(args) < 1 {
|
|
|
|
c.UI.Error(fmt.Sprintf("Not enough arguments, (expected 1-n, got %d)", len(args)))
|
2015-08-19 02:00:27 +00:00
|
|
|
return 1
|
2015-06-17 16:39:49 +00:00
|
|
|
}
|
2015-07-27 20:42:03 +00:00
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
// Extract the username and IP.
|
2017-09-05 04:04:32 +00:00
|
|
|
username, ip, err := c.userAndIP(args[0])
|
2017-08-17 02:01:24 +00:00
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("Error parsing user and IP: %s", err))
|
2015-08-19 02:00:27 +00:00
|
|
|
return 1
|
2015-07-27 20:42:03 +00:00
|
|
|
}
|
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
// The rest of the args are ssh args
|
2017-09-05 04:04:32 +00:00
|
|
|
sshArgs := []string{}
|
2017-08-17 02:01:24 +00:00
|
|
|
if len(args) > 1 {
|
2017-09-05 04:04:32 +00:00
|
|
|
sshArgs = args[1:]
|
2015-06-30 02:00:08 +00:00
|
|
|
}
|
|
|
|
|
2015-08-13 23:55:47 +00:00
|
|
|
// Credentials are generated only against a registered role. If user
|
|
|
|
// does not specify a role with the SSH command, then lookup API is used
|
|
|
|
// to fetch all the roles with which this IP is associated. If there is
|
|
|
|
// only one role associated with it, use it to establish the connection.
|
2017-08-17 02:01:24 +00:00
|
|
|
//
|
|
|
|
// TODO: remove in 0.9.0, convert to validation error
|
2017-09-05 04:04:32 +00:00
|
|
|
if c.flagRole == "" {
|
|
|
|
c.UI.Warn(wrapAtLength(
|
|
|
|
"WARNING: No -role specified. Use -role to tell Vault which ssh role " +
|
|
|
|
"to use for authentication. In the future, you will need to tell " +
|
|
|
|
"Vault which role to use. For now, Vault will attempt to guess based " +
|
2018-01-18 00:31:52 +00:00
|
|
|
"on the API response. This will be removed in the Vault 0.11 (or " +
|
|
|
|
"later."))
|
2017-09-05 04:04:32 +00:00
|
|
|
|
|
|
|
role, err := c.defaultRole(c.flagMountPoint, ip)
|
2015-06-30 02:00:08 +00:00
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("Error choosing role: %v", err))
|
2015-06-30 02:00:08 +00:00
|
|
|
return 1
|
|
|
|
}
|
2015-08-13 23:55:47 +00:00
|
|
|
// Print the default role chosen so that user knows the role name
|
|
|
|
// if something doesn't work. If the role chosen is not allowed to
|
|
|
|
// be used by the user (ACL enforcement), then user should see an
|
|
|
|
// error message accordingly.
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Output(fmt.Sprintf("Vault SSH: Role: %q", role))
|
|
|
|
c.flagRole = role
|
2015-06-30 02:00:08 +00:00
|
|
|
}
|
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
// If no mode was given, perform the old-school lookup. Keep this now for
|
|
|
|
// backwards-compatability, but print a warning.
|
|
|
|
//
|
|
|
|
// TODO: remove in 0.9.0, convert to validation error
|
2017-09-05 04:04:32 +00:00
|
|
|
if c.flagMode == "" {
|
|
|
|
c.UI.Warn(wrapAtLength(
|
|
|
|
"WARNING: No -mode specified. Use -mode to tell Vault which ssh " +
|
|
|
|
"authentication mode to use. In the future, you will need to tell " +
|
|
|
|
"Vault which mode to use. For now, Vault will attempt to guess based " +
|
|
|
|
"on the API response. This guess involves creating a temporary " +
|
|
|
|
"credential, reading its type, and then revoking it. To reduce the " +
|
|
|
|
"number of API calls and surface area, specify -mode directly. This " +
|
2018-01-18 00:31:52 +00:00
|
|
|
"will be removed in Vault 0.11 (or later)."))
|
2017-09-05 04:04:32 +00:00
|
|
|
secret, cred, err := c.generateCredential(username, ip)
|
2017-08-17 02:01:24 +00:00
|
|
|
if err != nil {
|
|
|
|
// This is _very_ hacky, but is the only sane backwards-compatible way
|
|
|
|
// to do this. If the error is "key type unknown", we just assume the
|
|
|
|
// type is "ca". In the future, mode will be required as an option.
|
|
|
|
if strings.Contains(err.Error(), "key type unknown") {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.flagMode = ssh.KeyTypeCA
|
2017-08-17 02:01:24 +00:00
|
|
|
} else {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("Error getting credential: %s", err))
|
2017-08-17 02:01:24 +00:00
|
|
|
return 1
|
|
|
|
}
|
|
|
|
} else {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.flagMode = cred.KeyType
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
2017-08-17 22:35:55 +00:00
|
|
|
|
|
|
|
// Revoke the secret, since the child functions will generate their own
|
|
|
|
// credential. Users wishing to avoid this should specify -mode.
|
|
|
|
if secret != nil {
|
|
|
|
if err := c.client.Sys().Revoke(secret.LeaseID); err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Warn(fmt.Sprintf("Failed to revoke temporary key: %s", err))
|
2017-08-17 22:35:55 +00:00
|
|
|
}
|
|
|
|
}
|
2015-06-24 22:13:12 +00:00
|
|
|
}
|
2015-07-27 20:42:03 +00:00
|
|
|
|
2017-09-05 04:04:32 +00:00
|
|
|
switch strings.ToLower(c.flagMode) {
|
2017-08-17 02:01:24 +00:00
|
|
|
case ssh.KeyTypeCA:
|
2017-09-05 04:04:32 +00:00
|
|
|
return c.handleTypeCA(username, ip, sshArgs)
|
2017-08-17 02:01:24 +00:00
|
|
|
case ssh.KeyTypeOTP:
|
2017-09-05 04:04:32 +00:00
|
|
|
return c.handleTypeOTP(username, ip, sshArgs)
|
2017-08-17 02:01:24 +00:00
|
|
|
case ssh.KeyTypeDynamic:
|
2017-09-05 04:04:32 +00:00
|
|
|
return c.handleTypeDynamic(username, ip, sshArgs)
|
2017-08-17 02:01:24 +00:00
|
|
|
default:
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("Unknown SSH mode: %s", c.flagMode))
|
2015-08-19 02:00:27 +00:00
|
|
|
return 1
|
2015-06-17 16:39:49 +00:00
|
|
|
}
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// handleTypeCA is used to handle SSH logins using the "CA" key type.
|
2017-09-05 04:04:32 +00:00
|
|
|
func (c *SSHCommand) handleTypeCA(username, ip string, sshArgs []string) int {
|
2017-08-17 02:01:24 +00:00
|
|
|
// Read the key from disk
|
2017-09-05 04:04:32 +00:00
|
|
|
publicKey, err := ioutil.ReadFile(c.flagPublicKeyPath)
|
|
|
|
if err != nil {
|
|
|
|
c.UI.Error(fmt.Sprintf("failed to read public key %s: %s",
|
|
|
|
c.flagPublicKeyPath, err))
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
|
|
|
|
client, err := c.Client()
|
2017-08-17 02:01:24 +00:00
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(err.Error())
|
|
|
|
return 1
|
2015-07-29 18:21:36 +00:00
|
|
|
}
|
|
|
|
|
2017-09-05 04:04:32 +00:00
|
|
|
sshClient := client.SSHWithMountPoint(c.flagMountPoint)
|
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
// Attempt to sign the public key
|
2017-09-05 04:04:32 +00:00
|
|
|
secret, err := sshClient.SignKey(c.flagRole, map[string]interface{}{
|
2017-08-17 02:01:24 +00:00
|
|
|
// WARNING: publicKey is []byte, which is b64 encoded on JSON upload. We
|
|
|
|
// have to convert it to a string. SV lost many hours to this...
|
|
|
|
"public_key": string(publicKey),
|
2017-09-05 04:04:32 +00:00
|
|
|
"valid_principals": username,
|
2017-08-17 02:01:24 +00:00
|
|
|
"cert_type": "user",
|
|
|
|
|
|
|
|
// TODO: let the user configure these. In the interim, if users want to
|
|
|
|
// customize these values, they can produce the key themselves.
|
|
|
|
"extensions": map[string]string{
|
|
|
|
"permit-X11-forwarding": "",
|
|
|
|
"permit-agent-forwarding": "",
|
|
|
|
"permit-port-forwarding": "",
|
|
|
|
"permit-pty": "",
|
|
|
|
"permit-user-rc": "",
|
|
|
|
},
|
|
|
|
})
|
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("failed to sign public key %s: %s",
|
|
|
|
c.flagPublicKeyPath, err))
|
|
|
|
return 2
|
2016-05-25 21:26:32 +00:00
|
|
|
}
|
2017-08-17 02:01:24 +00:00
|
|
|
if secret == nil || secret.Data == nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error("missing signed key")
|
|
|
|
return 2
|
2015-08-18 01:22:03 +00:00
|
|
|
}
|
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
// Handle no-exec
|
2017-09-05 04:04:32 +00:00
|
|
|
if c.flagNoExec {
|
|
|
|
if c.flagFormat != "" {
|
|
|
|
return PrintRawField(c.UI, secret, c.flagField)
|
2016-10-18 16:46:54 +00:00
|
|
|
}
|
2017-09-05 04:04:32 +00:00
|
|
|
return OutputSecret(c.UI, c.flagFormat, secret)
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Extract public key
|
|
|
|
key, ok := secret.Data["signed_key"].(string)
|
2017-09-05 04:04:32 +00:00
|
|
|
if !ok || key == "" {
|
|
|
|
c.UI.Error("signed key is empty")
|
|
|
|
return 2
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
2016-10-18 16:46:54 +00:00
|
|
|
|
2017-08-17 23:12:58 +00:00
|
|
|
// Capture the current value - this could be overwritten later if the user
|
|
|
|
// enabled host key signing verification.
|
2017-09-05 04:04:32 +00:00
|
|
|
userKnownHostsFile := c.flagUserKnownHostsFile
|
|
|
|
strictHostKeyChecking := c.flagStrictHostKeyChecking
|
2017-08-17 23:12:58 +00:00
|
|
|
|
|
|
|
// Handle host key signing verification. If the user specified a mount point,
|
|
|
|
// download the public key, trust it with the given domains, and use that
|
|
|
|
// instead of the user's regular known_hosts file.
|
2017-09-05 04:04:32 +00:00
|
|
|
if c.flagHostKeyMountPoint != "" {
|
|
|
|
secret, err := c.client.Logical().Read(c.flagHostKeyMountPoint + "/config/ca")
|
2017-08-17 23:12:58 +00:00
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("failed to get host signing key: %s", err))
|
|
|
|
return 2
|
2017-08-17 23:12:58 +00:00
|
|
|
}
|
|
|
|
if secret == nil || secret.Data == nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error("missing host signing key")
|
|
|
|
return 2
|
2017-08-17 23:12:58 +00:00
|
|
|
}
|
|
|
|
publicKey, ok := secret.Data["public_key"].(string)
|
2017-09-05 04:04:32 +00:00
|
|
|
if !ok || publicKey == "" {
|
|
|
|
c.UI.Error("host signing key is empty")
|
|
|
|
return 2
|
2017-08-17 23:12:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Write the known_hosts file
|
2017-09-05 04:04:32 +00:00
|
|
|
name := fmt.Sprintf("vault_ssh_ca_known_hosts_%s_%s", username, ip)
|
|
|
|
data := fmt.Sprintf("@cert-authority %s %s", c.flagHostKeyHostnames, publicKey)
|
2017-08-17 23:12:58 +00:00
|
|
|
knownHosts, err, closer := c.writeTemporaryFile(name, []byte(data), 0644)
|
|
|
|
defer closer()
|
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("failed to write host public key: %s", err))
|
|
|
|
return 1
|
2017-08-17 23:12:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Update the variables
|
|
|
|
userKnownHostsFile = knownHosts
|
|
|
|
strictHostKeyChecking = "yes"
|
|
|
|
}
|
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
// Write the signed public key to disk
|
2017-09-05 04:04:32 +00:00
|
|
|
name := fmt.Sprintf("vault_ssh_ca_%s_%s", username, ip)
|
2017-08-17 02:01:24 +00:00
|
|
|
signedPublicKeyPath, err, closer := c.writeTemporaryKey(name, []byte(key))
|
|
|
|
defer closer()
|
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("failed to write signed public key: %s", err))
|
|
|
|
return 2
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
2016-10-18 16:46:54 +00:00
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
args := append([]string{
|
2017-09-05 04:04:32 +00:00
|
|
|
"-i", c.flagPrivateKeyPath,
|
2017-08-17 02:01:24 +00:00
|
|
|
"-i", signedPublicKeyPath,
|
2017-08-17 23:12:58 +00:00
|
|
|
"-o UserKnownHostsFile=" + userKnownHostsFile,
|
|
|
|
"-o StrictHostKeyChecking=" + strictHostKeyChecking,
|
2017-09-05 04:04:32 +00:00
|
|
|
username + "@" + ip,
|
|
|
|
}, sshArgs...)
|
2017-08-17 02:01:24 +00:00
|
|
|
|
|
|
|
cmd := exec.Command("ssh", args...)
|
|
|
|
cmd.Stdin = os.Stdin
|
|
|
|
cmd.Stdout = os.Stdout
|
2017-08-21 21:23:29 +00:00
|
|
|
cmd.Stderr = os.Stderr
|
2017-08-17 02:01:24 +00:00
|
|
|
err = cmd.Run()
|
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
exitCode := 2
|
|
|
|
|
|
|
|
if exitError, ok := err.(*exec.ExitError); ok {
|
|
|
|
if exitError.Success() {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
if ws, ok := exitError.Sys().(syscall.WaitStatus); ok {
|
|
|
|
exitCode = ws.ExitStatus()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
c.UI.Error(fmt.Sprintf("failed to run ssh command: %s", err))
|
|
|
|
return exitCode
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
2017-08-18 19:44:20 +00:00
|
|
|
// There is no secret to revoke, since it's a certificate signing
|
2017-09-05 04:04:32 +00:00
|
|
|
return 0
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// handleTypeOTP is used to handle SSH logins using the "otp" key type.
|
2017-09-05 04:04:32 +00:00
|
|
|
func (c *SSHCommand) handleTypeOTP(username, ip string, sshArgs []string) int {
|
|
|
|
secret, cred, err := c.generateCredential(username, ip)
|
2017-08-17 02:01:24 +00:00
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("failed to generate credential: %s", err))
|
|
|
|
return 2
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Handle no-exec
|
2017-09-05 04:04:32 +00:00
|
|
|
if c.flagNoExec {
|
|
|
|
if c.flagFormat != "" {
|
|
|
|
return PrintRawField(c.UI, secret, c.flagField)
|
2016-10-18 16:46:54 +00:00
|
|
|
}
|
2017-09-05 04:04:32 +00:00
|
|
|
return OutputSecret(c.UI, c.flagFormat, secret)
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var cmd *exec.Cmd
|
|
|
|
|
2017-09-05 04:04:32 +00:00
|
|
|
// Check if the application 'sshpass' is installed in the client machine. If
|
|
|
|
// it is then, use it to automate typing in OTP to the prompt. Unfortunately,
|
2017-08-17 02:01:24 +00:00
|
|
|
// it was not possible to automate it without a third-party application, with
|
2017-09-05 04:04:32 +00:00
|
|
|
// only the Go libraries. Feel free to try and remove this dependency.
|
2017-08-17 02:01:24 +00:00
|
|
|
sshpassPath, err := exec.LookPath("sshpass")
|
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Warn(wrapAtLength(
|
|
|
|
"Vault could not locate \"sshpass\". The OTP code for the session is " +
|
|
|
|
"displayed below. Enter this code in the SSH password prompt. If you " +
|
|
|
|
"install sshpass, Vault can automatically perform this step for you."))
|
|
|
|
c.UI.Output("OTP for the session is: " + cred.Key)
|
2017-08-17 02:01:24 +00:00
|
|
|
|
|
|
|
args := append([]string{
|
2017-09-05 04:04:32 +00:00
|
|
|
"-o UserKnownHostsFile=" + c.flagUserKnownHostsFile,
|
|
|
|
"-o StrictHostKeyChecking=" + c.flagStrictHostKeyChecking,
|
2017-08-17 02:01:24 +00:00
|
|
|
"-p", cred.Port,
|
2017-09-05 04:04:32 +00:00
|
|
|
username + "@" + ip,
|
|
|
|
}, sshArgs...)
|
2017-08-17 02:01:24 +00:00
|
|
|
cmd = exec.Command("ssh", args...)
|
|
|
|
} else {
|
|
|
|
args := append([]string{
|
|
|
|
"-e", // Read password for SSHPASS environment variable
|
|
|
|
"ssh",
|
2017-09-05 04:04:32 +00:00
|
|
|
"-o UserKnownHostsFile=" + c.flagUserKnownHostsFile,
|
|
|
|
"-o StrictHostKeyChecking=" + c.flagStrictHostKeyChecking,
|
2017-08-17 02:01:24 +00:00
|
|
|
"-p", cred.Port,
|
2017-09-05 04:04:32 +00:00
|
|
|
username + "@" + ip,
|
|
|
|
}, sshArgs...)
|
2017-08-17 02:01:24 +00:00
|
|
|
cmd = exec.Command(sshpassPath, args...)
|
|
|
|
env := os.Environ()
|
|
|
|
env = append(env, fmt.Sprintf("SSHPASS=%s", string(cred.Key)))
|
|
|
|
cmd.Env = env
|
|
|
|
}
|
|
|
|
|
|
|
|
cmd.Stdin = os.Stdin
|
|
|
|
cmd.Stdout = os.Stdout
|
2017-08-21 21:23:29 +00:00
|
|
|
cmd.Stderr = os.Stderr
|
2017-08-17 02:01:24 +00:00
|
|
|
err = cmd.Run()
|
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
exitCode := 2
|
|
|
|
|
|
|
|
if exitError, ok := err.(*exec.ExitError); ok {
|
|
|
|
if exitError.Success() {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
if ws, ok := exitError.Sys().(syscall.WaitStatus); ok {
|
|
|
|
exitCode = ws.ExitStatus()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
c.UI.Error(fmt.Sprintf("failed to run ssh command: %s", err))
|
|
|
|
return exitCode
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Revoke the key if it's longer than expected
|
|
|
|
if err := c.client.Sys().Revoke(secret.LeaseID); err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("failed to revoke key: %s", err))
|
|
|
|
return 2
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
2017-09-05 04:04:32 +00:00
|
|
|
return 0
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// handleTypeDynamic is used to handle SSH logins using the "dyanmic" key type.
|
2017-09-05 04:04:32 +00:00
|
|
|
func (c *SSHCommand) handleTypeDynamic(username, ip string, sshArgs []string) int {
|
2017-08-17 02:01:24 +00:00
|
|
|
// Generate the credential
|
2017-09-05 04:04:32 +00:00
|
|
|
secret, cred, err := c.generateCredential(username, ip)
|
2017-08-17 02:01:24 +00:00
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("failed to generate credential: %s", err))
|
|
|
|
return 2
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Handle no-exec
|
2017-09-05 04:04:32 +00:00
|
|
|
if c.flagNoExec {
|
|
|
|
if c.flagFormat != "" {
|
|
|
|
return PrintRawField(c.UI, secret, c.flagField)
|
2015-08-06 21:00:50 +00:00
|
|
|
}
|
2017-09-05 04:04:32 +00:00
|
|
|
return OutputSecret(c.UI, c.flagFormat, secret)
|
2015-07-23 21:20:28 +00:00
|
|
|
}
|
2017-08-17 02:01:24 +00:00
|
|
|
|
|
|
|
// Write the dynamic key to disk
|
2017-09-05 04:04:32 +00:00
|
|
|
name := fmt.Sprintf("vault_ssh_dynamic_%s_%s", username, ip)
|
2017-08-17 02:01:24 +00:00
|
|
|
keyPath, err, closer := c.writeTemporaryKey(name, []byte(cred.Key))
|
|
|
|
defer closer()
|
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("failed to write dynamic key: %s", err))
|
|
|
|
return 1
|
2016-08-01 18:53:00 +00:00
|
|
|
}
|
2015-07-10 15:56:14 +00:00
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
args := append([]string{
|
|
|
|
"-i", keyPath,
|
2017-09-05 04:04:32 +00:00
|
|
|
"-o UserKnownHostsFile=" + c.flagUserKnownHostsFile,
|
|
|
|
"-o StrictHostKeyChecking=" + c.flagStrictHostKeyChecking,
|
2017-08-17 02:01:24 +00:00
|
|
|
"-p", cred.Port,
|
2017-09-05 04:04:32 +00:00
|
|
|
username + "@" + ip,
|
|
|
|
}, sshArgs...)
|
2017-08-17 02:01:24 +00:00
|
|
|
|
|
|
|
cmd := exec.Command("ssh", args...)
|
|
|
|
cmd.Stdin = os.Stdin
|
|
|
|
cmd.Stdout = os.Stdout
|
2017-08-21 21:23:29 +00:00
|
|
|
cmd.Stderr = os.Stderr
|
2017-08-17 02:01:24 +00:00
|
|
|
err = cmd.Run()
|
|
|
|
if err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
exitCode := 2
|
|
|
|
|
|
|
|
if exitError, ok := err.(*exec.ExitError); ok {
|
|
|
|
if exitError.Success() {
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
if ws, ok := exitError.Sys().(syscall.WaitStatus); ok {
|
|
|
|
exitCode = ws.ExitStatus()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
c.UI.Error(fmt.Sprintf("failed to run ssh command: %s", err))
|
|
|
|
return exitCode
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
2015-07-10 15:56:14 +00:00
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
// Revoke the key if it's longer than expected
|
|
|
|
if err := c.client.Sys().Revoke(secret.LeaseID); err != nil {
|
2017-09-05 04:04:32 +00:00
|
|
|
c.UI.Error(fmt.Sprintf("failed to revoke key: %s", err))
|
|
|
|
return 2
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
2017-09-05 04:04:32 +00:00
|
|
|
return 0
|
2017-08-17 02:01:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// generateCredential generates a credential for the given role and returns the
|
|
|
|
// decoded secret data.
|
2017-09-05 04:04:32 +00:00
|
|
|
func (c *SSHCommand) generateCredential(username, ip string) (*api.Secret, *SSHCredentialResp, error) {
|
|
|
|
client, err := c.Client()
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
sshClient := client.SSHWithMountPoint(c.flagMountPoint)
|
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
// Attempt to generate the credential.
|
2017-09-05 04:04:32 +00:00
|
|
|
secret, err := sshClient.Credential(c.flagRole, map[string]interface{}{
|
|
|
|
"username": username,
|
|
|
|
"ip": ip,
|
2017-08-17 02:01:24 +00:00
|
|
|
})
|
2015-06-18 00:33:03 +00:00
|
|
|
if err != nil {
|
2017-08-17 02:01:24 +00:00
|
|
|
return nil, nil, errors.Wrap(err, "failed to get credentials")
|
|
|
|
}
|
|
|
|
if secret == nil || secret.Data == nil {
|
|
|
|
return nil, nil, fmt.Errorf("vault returned empty credentials")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Port comes back as a json.Number which mapstructure doesn't like, so
|
|
|
|
// convert it
|
|
|
|
if d, ok := secret.Data["port"].(json.Number); ok {
|
|
|
|
secret.Data["port"] = d.String()
|
2015-07-06 15:05:02 +00:00
|
|
|
}
|
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
// Use mapstructure to decode the response
|
|
|
|
var resp SSHCredentialResp
|
|
|
|
if err := mapstructure.Decode(secret.Data, &resp); err != nil {
|
|
|
|
return nil, nil, errors.Wrap(err, "failed to decode credential")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check for an empty key response
|
|
|
|
if len(resp.Key) == 0 {
|
|
|
|
return nil, nil, fmt.Errorf("vault returned an invalid key")
|
|
|
|
}
|
|
|
|
|
|
|
|
return secret, &resp, nil
|
|
|
|
}
|
|
|
|
|
2017-08-17 23:12:58 +00:00
|
|
|
// writeTemporaryFile writes a file to a temp location with the given data and
|
|
|
|
// file permissions.
|
|
|
|
func (c *SSHCommand) writeTemporaryFile(name string, data []byte, perms os.FileMode) (string, error, func() error) {
|
2017-08-17 02:01:24 +00:00
|
|
|
// default closer to prevent panic
|
|
|
|
closer := func() error { return nil }
|
|
|
|
|
|
|
|
f, err := ioutil.TempFile("", name)
|
2015-07-06 15:05:02 +00:00
|
|
|
if err != nil {
|
2017-08-17 02:01:24 +00:00
|
|
|
return "", errors.Wrap(err, "creating temporary file"), closer
|
2015-06-18 00:33:03 +00:00
|
|
|
}
|
2015-07-02 23:00:14 +00:00
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
closer = func() error { return os.Remove(f.Name()) }
|
|
|
|
|
2017-08-17 23:12:58 +00:00
|
|
|
if err := ioutil.WriteFile(f.Name(), data, perms); err != nil {
|
2017-08-17 02:01:24 +00:00
|
|
|
return "", errors.Wrap(err, "writing temporary key"), closer
|
|
|
|
}
|
|
|
|
|
|
|
|
return f.Name(), nil, closer
|
2015-06-17 16:39:49 +00:00
|
|
|
}
|
|
|
|
|
2017-08-17 23:12:58 +00:00
|
|
|
// writeTemporaryKey writes the key to a temporary file and returns the path.
|
|
|
|
// The caller should defer the closer to cleanup the key.
|
|
|
|
func (c *SSHCommand) writeTemporaryKey(name string, data []byte) (string, error, func() error) {
|
|
|
|
return c.writeTemporaryFile(name, data, 0600)
|
|
|
|
}
|
|
|
|
|
2015-07-29 18:21:36 +00:00
|
|
|
// If user did not provide the role with which SSH connection has
|
|
|
|
// to be established and if there is only one role associated with
|
|
|
|
// the IP, it is used by default.
|
2015-08-12 17:30:50 +00:00
|
|
|
func (c *SSHCommand) defaultRole(mountPoint, ip string) (string, error) {
|
2015-07-02 23:00:14 +00:00
|
|
|
data := map[string]interface{}{
|
|
|
|
"ip": ip,
|
|
|
|
}
|
2015-07-29 18:21:36 +00:00
|
|
|
client, err := c.Client()
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
2015-08-12 17:30:50 +00:00
|
|
|
secret, err := client.Logical().Write(mountPoint+"/lookup", data)
|
2015-07-02 23:00:14 +00:00
|
|
|
if err != nil {
|
2016-10-18 16:46:54 +00:00
|
|
|
return "", fmt.Errorf("Error finding roles for IP %q: %q", ip, err)
|
2015-07-02 23:00:14 +00:00
|
|
|
|
|
|
|
}
|
2017-08-17 02:01:24 +00:00
|
|
|
if secret == nil || secret.Data == nil {
|
2016-10-18 16:46:54 +00:00
|
|
|
return "", fmt.Errorf("Error finding roles for IP %q: %q", ip, err)
|
2015-07-02 23:00:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if secret.Data["roles"] == nil {
|
2016-10-18 16:46:54 +00:00
|
|
|
return "", fmt.Errorf("No matching roles found for IP %q", ip)
|
2015-07-02 23:00:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if len(secret.Data["roles"].([]interface{})) == 1 {
|
|
|
|
return secret.Data["roles"].([]interface{})[0].(string), nil
|
|
|
|
} else {
|
2015-07-29 18:21:36 +00:00
|
|
|
var roleNames string
|
|
|
|
for _, item := range secret.Data["roles"].([]interface{}) {
|
|
|
|
roleNames += item.(string) + ", "
|
|
|
|
}
|
|
|
|
roleNames = strings.TrimRight(roleNames, ", ")
|
2016-10-18 16:46:54 +00:00
|
|
|
return "", fmt.Errorf("Roles:%q. "+`
|
2017-09-05 04:04:32 +00:00
|
|
|
Multiple roles are registered for this IP.
|
|
|
|
Select a role using '-role' option.
|
|
|
|
Note that all roles may not be permitted, based on ACLs.`, roleNames)
|
2015-07-02 23:00:14 +00:00
|
|
|
}
|
2015-06-24 22:13:12 +00:00
|
|
|
}
|
|
|
|
|
2017-08-17 02:01:24 +00:00
|
|
|
// userAndIP takes an argument in the format foo@1.2.3.4 and separates the IP
|
|
|
|
// and user parts, returning any errors.
|
|
|
|
func (c *SSHCommand) userAndIP(s string) (string, string, error) {
|
|
|
|
// split the parameter username@ip
|
|
|
|
input := strings.Split(s, "@")
|
|
|
|
var username, address string
|
|
|
|
|
|
|
|
// If only IP is mentioned and username is skipped, assume username to
|
|
|
|
// be the current username. Vault SSH role's default username could have
|
|
|
|
// been used, but in order to retain the consistency with SSH command,
|
|
|
|
// current username is employed.
|
|
|
|
switch len(input) {
|
|
|
|
case 1:
|
|
|
|
u, err := user.Current()
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errors.Wrap(err, "failed to fetch current user")
|
|
|
|
}
|
|
|
|
username, address = u.Username, input[0]
|
|
|
|
case 2:
|
|
|
|
username, address = input[0], input[1]
|
|
|
|
default:
|
|
|
|
return "", "", fmt.Errorf("invalid arguments: %q", s)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Resolving domain names to IP address on the client side.
|
|
|
|
// Vault only deals with IP addresses.
|
|
|
|
ipAddr, err := net.ResolveIPAddr("ip", address)
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errors.Wrap(err, "failed to resolve IP address")
|
|
|
|
}
|
|
|
|
ip := ipAddr.String()
|
|
|
|
|
|
|
|
return username, ip, nil
|
|
|
|
}
|