package command import ( "encoding/json" "fmt" "io/ioutil" "net" "os" "os/exec" "os/user" "strings" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/ssh" "github.com/hashicorp/vault/meta" homedir "github.com/mitchellh/go-homedir" "github.com/mitchellh/mapstructure" "github.com/pkg/errors" ) // SSHCommand is a Command that establishes a SSH connection with target by // generating a dynamic key type SSHCommand struct { meta.Meta // API client *api.Client sshClient *api.SSH // Common options mode string noExec bool format string mountPoint string role string username string ip string sshArgs []string // Key options strictHostKeyChecking string userKnownHostsFile string // SSH CA backend specific options publicKeyPath string privateKeyPath string hostKeyMountPoint string hostKeyHostnames string } // Structure to hold the fields returned when asked for a credential from SSHh backend. type SSHCredentialResp struct { KeyType string `mapstructure:"key_type"` Key string `mapstructure:"key"` Username string `mapstructure:"username"` IP string `mapstructure:"ip"` Port string `mapstructure:"port"` } func (c *SSHCommand) Run(args []string) int { flags := c.Meta.FlagSet("ssh", meta.FlagSetDefault) envOrDefault := func(key string, def string) string { if k := os.Getenv(key); k != "" { return k } return def } expandPath := func(p string) string { e, err := homedir.Expand(p) if err != nil { return p } return e } // Common options flags.StringVar(&c.mode, "mode", "", "") flags.BoolVar(&c.noExec, "no-exec", false, "") flags.StringVar(&c.format, "format", "table", "") flags.StringVar(&c.mountPoint, "mount-point", "ssh", "") flags.StringVar(&c.role, "role", "", "") // Key options flags.StringVar(&c.strictHostKeyChecking, "strict-host-key-checking", envOrDefault("VAULT_SSH_STRICT_HOST_KEY_CHECKING", "ask"), "") flags.StringVar(&c.userKnownHostsFile, "user-known-hosts-file", envOrDefault("VAULT_SSH_USER_KNOWN_HOSTS_FILE", expandPath("~/.ssh/known_hosts")), "") // CA-specific options flags.StringVar(&c.publicKeyPath, "public-key-path", expandPath("~/.ssh/id_rsa.pub"), "") flags.StringVar(&c.privateKeyPath, "private-key-path", expandPath("~/.ssh/id_rsa"), "") flags.StringVar(&c.hostKeyMountPoint, "host-key-mount-point", "", "") flags.StringVar(&c.hostKeyHostnames, "host-key-hostnames", "*", "") flags.Usage = func() { c.Ui.Error(c.Help()) } if err := flags.Parse(args); err != nil { return 1 } args = flags.Args() if len(args) < 1 { c.Ui.Error("ssh expects at least one argument") return 1 } client, err := c.Client() if err != nil { c.Ui.Error(fmt.Sprintf("Error initializing client: %v", err)) return 1 } c.client = client c.sshClient = client.SSHWithMountPoint(c.mountPoint) // Extract the username and IP. c.username, c.ip, err = c.userAndIP(args[0]) if err != nil { c.Ui.Error(fmt.Sprintf("Error parsing user and IP: %s", err)) return 1 } // The rest of the args are ssh args if len(args) > 1 { c.sshArgs = args[1:] } // Credentials are generated only against a registered role. If user // does not specify a role with the SSH command, then lookup API is used // to fetch all the roles with which this IP is associated. If there is // only one role associated with it, use it to establish the connection. // // TODO: remove in 0.9.0, convert to validation error if c.role == "" { c.Ui.Warn("" + "WARNING: No -role specified. Use -role to tell Vault which ssh role\n" + "to use for authentication. In the future, you will need to tell Vault\n" + "which role to use. For now, Vault will attempt to guess based on a\n" + "the API response.") role, err := c.defaultRole(c.mountPoint, c.ip) if err != nil { c.Ui.Error(fmt.Sprintf("Error choosing role: %v", err)) return 1 } // Print the default role chosen so that user knows the role name // if something doesn't work. If the role chosen is not allowed to // be used by the user (ACL enforcement), then user should see an // error message accordingly. c.Ui.Output(fmt.Sprintf("Vault SSH: Role: %q", role)) c.role = role } // If no mode was given, perform the old-school lookup. Keep this now for // backwards-compatability, but print a warning. // // TODO: remove in 0.9.0, convert to validation error if c.mode == "" { c.Ui.Warn("" + "WARNING: No -mode specified. Use -mode to tell Vault which ssh\n" + "authentication mode to use. In the future, you will need to tell\n" + "Vault which mode to use. For now, Vault will attempt to guess based\n" + "on the API response. This guess involves creating a temporary\n" + "credential, reading its type, and then revoking it. To reduce the\n" + "number of API calls and surface area, specify -mode directly.") secret, cred, err := c.generateCredential() if err != nil { // This is _very_ hacky, but is the only sane backwards-compatible way // to do this. If the error is "key type unknown", we just assume the // type is "ca". In the future, mode will be required as an option. if strings.Contains(err.Error(), "key type unknown") { c.mode = ssh.KeyTypeCA } else { c.Ui.Error(fmt.Sprintf("Error getting credential: %s", err)) return 1 } } else { c.mode = cred.KeyType } // Revoke the secret, since the child functions will generate their own // credential. Users wishing to avoid this should specify -mode. if secret != nil { if err := c.client.Sys().Revoke(secret.LeaseID); err != nil { c.Ui.Warn(fmt.Sprintf("Failed to revoke temporary key: %s", err)) } } } switch strings.ToLower(c.mode) { case ssh.KeyTypeCA: if err := c.handleTypeCA(); err != nil { c.Ui.Error(err.Error()) return 1 } case ssh.KeyTypeOTP: if err := c.handleTypeOTP(); err != nil { c.Ui.Error(err.Error()) return 1 } case ssh.KeyTypeDynamic: if err := c.handleTypeDynamic(); err != nil { c.Ui.Error(err.Error()) return 1 } default: c.Ui.Error(fmt.Sprintf("Unknown SSH mode: %s", c.mode)) return 1 } return 0 } // handleTypeCA is used to handle SSH logins using the "CA" key type. func (c *SSHCommand) handleTypeCA() error { // Read the key from disk publicKey, err := ioutil.ReadFile(c.publicKeyPath) if err != nil { return errors.Wrap(err, "failed to read public key") } // Attempt to sign the public key secret, err := c.sshClient.SignKey(c.role, map[string]interface{}{ // WARNING: publicKey is []byte, which is b64 encoded on JSON upload. We // have to convert it to a string. SV lost many hours to this... "public_key": string(publicKey), "valid_principals": c.username, "cert_type": "user", // TODO: let the user configure these. In the interim, if users want to // customize these values, they can produce the key themselves. "extensions": map[string]string{ "permit-X11-forwarding": "", "permit-agent-forwarding": "", "permit-port-forwarding": "", "permit-pty": "", "permit-user-rc": "", }, }) if err != nil { return errors.Wrap(err, "failed to sign public key") } if secret == nil || secret.Data == nil { return fmt.Errorf("client signing returned empty credentials") } // Handle no-exec if c.noExec { // This is hacky, but OutputSecret returns an int, not an error :( if i := OutputSecret(c.Ui, c.format, secret); i != 0 { return fmt.Errorf("an error occurred outputting the secret") } return nil } // Extract public key key, ok := secret.Data["signed_key"].(string) if !ok { return fmt.Errorf("missing signed key") } // Capture the current value - this could be overwritten later if the user // enabled host key signing verification. userKnownHostsFile := c.userKnownHostsFile strictHostKeyChecking := c.strictHostKeyChecking // Handle host key signing verification. If the user specified a mount point, // download the public key, trust it with the given domains, and use that // instead of the user's regular known_hosts file. if c.hostKeyMountPoint != "" { secret, err := c.client.Logical().Read(c.hostKeyMountPoint + "/config/ca") if err != nil { return errors.Wrap(err, "failed to get host signing key") } if secret == nil || secret.Data == nil { return fmt.Errorf("missing host signing key") } publicKey, ok := secret.Data["public_key"].(string) if !ok { return fmt.Errorf("host signing key is empty") } // Write the known_hosts file name := fmt.Sprintf("vault_ssh_ca_known_hosts_%s_%s", c.username, c.ip) data := fmt.Sprintf("@cert-authority %s %s", c.hostKeyHostnames, publicKey) knownHosts, err, closer := c.writeTemporaryFile(name, []byte(data), 0644) defer closer() if err != nil { return errors.Wrap(err, "failed to write host public key") } // Update the variables userKnownHostsFile = knownHosts strictHostKeyChecking = "yes" } // Write the signed public key to disk name := fmt.Sprintf("vault_ssh_ca_%s_%s", c.username, c.ip) signedPublicKeyPath, err, closer := c.writeTemporaryKey(name, []byte(key)) defer closer() if err != nil { return errors.Wrap(err, "failed to write signed public key") } args := append([]string{ "-i", c.privateKeyPath, "-i", signedPublicKeyPath, "-o UserKnownHostsFile=" + userKnownHostsFile, "-o StrictHostKeyChecking=" + strictHostKeyChecking, c.username + "@" + c.ip, }, c.sshArgs...) cmd := exec.Command("ssh", args...) cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr err = cmd.Run() if err != nil { return errors.Wrap(err, "failed to run ssh command") } // There is no secret to revoke, since it's a certificate signing return nil } // handleTypeOTP is used to handle SSH logins using the "otp" key type. func (c *SSHCommand) handleTypeOTP() error { secret, cred, err := c.generateCredential() if err != nil { return errors.Wrap(err, "failed to generate credential") } // Handle no-exec if c.noExec { // This is hacky, but OutputSecret returns an int, not an error :( if i := OutputSecret(c.Ui, c.format, secret); i != 0 { return fmt.Errorf("an error occurred outputting the secret") } return nil } var cmd *exec.Cmd // Check if the application 'sshpass' is installed in the client machine. // If it is then, use it to automate typing in OTP to the prompt. Unfortunately, // it was not possible to automate it without a third-party application, with // only the Go libraries. // Feel free to try and remove this dependency. sshpassPath, err := exec.LookPath("sshpass") if err != nil { c.Ui.Warn("" + "Vault could not locate sshpass. The OTP code for the session will be\n" + "displayed below. Enter this code in the SSH password prompt. If you\n" + "install sshpass, Vault can automatically perform this step for you.") c.Ui.Output("OTP for the session is " + cred.Key) args := append([]string{ "-o UserKnownHostsFile=" + c.userKnownHostsFile, "-o StrictHostKeyChecking=" + c.strictHostKeyChecking, "-p", cred.Port, c.username + "@" + c.ip, }, c.sshArgs...) cmd = exec.Command("ssh", args...) } else { args := append([]string{ "-e", // Read password for SSHPASS environment variable "ssh", "-o UserKnownHostsFile=" + c.userKnownHostsFile, "-o StrictHostKeyChecking=" + c.strictHostKeyChecking, "-p", cred.Port, c.username + "@" + c.ip, }, c.sshArgs...) cmd = exec.Command(sshpassPath, args...) env := os.Environ() env = append(env, fmt.Sprintf("SSHPASS=%s", string(cred.Key))) cmd.Env = env } cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr err = cmd.Run() if err != nil { return errors.Wrap(err, "failed to run ssh command") } // Revoke the key if it's longer than expected if err := c.client.Sys().Revoke(secret.LeaseID); err != nil { return errors.Wrap(err, "failed to revoke key") } return nil } // handleTypeDynamic is used to handle SSH logins using the "dyanmic" key type. func (c *SSHCommand) handleTypeDynamic() error { // Generate the credential secret, cred, err := c.generateCredential() if err != nil { return errors.Wrap(err, "failed to generate credential") } // Handle no-exec if c.noExec { // This is hacky, but OutputSecret returns an int, not an error :( if i := OutputSecret(c.Ui, c.format, secret); i != 0 { return fmt.Errorf("an error occurred outputting the secret") } return nil } // Write the dynamic key to disk name := fmt.Sprintf("vault_ssh_dynamic_%s_%s", c.username, c.ip) keyPath, err, closer := c.writeTemporaryKey(name, []byte(cred.Key)) defer closer() if err != nil { return errors.Wrap(err, "failed to save dyanmic key") } args := append([]string{ "-i", keyPath, "-o UserKnownHostsFile=" + c.userKnownHostsFile, "-o StrictHostKeyChecking=" + c.strictHostKeyChecking, "-p", cred.Port, c.username + "@" + c.ip, }, c.sshArgs...) cmd := exec.Command("ssh", args...) cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr err = cmd.Run() if err != nil { return errors.Wrap(err, "failed to run ssh command") } // Revoke the key if it's longer than expected if err := c.client.Sys().Revoke(secret.LeaseID); err != nil { return errors.Wrap(err, "failed to revoke key") } return nil } // generateCredential generates a credential for the given role and returns the // decoded secret data. func (c *SSHCommand) generateCredential() (*api.Secret, *SSHCredentialResp, error) { // Attempt to generate the credential. secret, err := c.sshClient.Credential(c.role, map[string]interface{}{ "username": c.username, "ip": c.ip, }) if err != nil { return nil, nil, errors.Wrap(err, "failed to get credentials") } if secret == nil || secret.Data == nil { return nil, nil, fmt.Errorf("vault returned empty credentials") } // Port comes back as a json.Number which mapstructure doesn't like, so // convert it if d, ok := secret.Data["port"].(json.Number); ok { secret.Data["port"] = d.String() } // Use mapstructure to decode the response var resp SSHCredentialResp if err := mapstructure.Decode(secret.Data, &resp); err != nil { return nil, nil, errors.Wrap(err, "failed to decode credential") } // Check for an empty key response if len(resp.Key) == 0 { return nil, nil, fmt.Errorf("vault returned an invalid key") } return secret, &resp, nil } // writeTemporaryFile writes a file to a temp location with the given data and // file permissions. func (c *SSHCommand) writeTemporaryFile(name string, data []byte, perms os.FileMode) (string, error, func() error) { // default closer to prevent panic closer := func() error { return nil } f, err := ioutil.TempFile("", name) if err != nil { return "", errors.Wrap(err, "creating temporary file"), closer } closer = func() error { return os.Remove(f.Name()) } if err := ioutil.WriteFile(f.Name(), data, perms); err != nil { return "", errors.Wrap(err, "writing temporary key"), closer } return f.Name(), nil, closer } // writeTemporaryKey writes the key to a temporary file and returns the path. // The caller should defer the closer to cleanup the key. func (c *SSHCommand) writeTemporaryKey(name string, data []byte) (string, error, func() error) { return c.writeTemporaryFile(name, data, 0600) } // If user did not provide the role with which SSH connection has // to be established and if there is only one role associated with // the IP, it is used by default. func (c *SSHCommand) defaultRole(mountPoint, ip string) (string, error) { data := map[string]interface{}{ "ip": ip, } client, err := c.Client() if err != nil { return "", err } secret, err := client.Logical().Write(mountPoint+"/lookup", data) if err != nil { return "", fmt.Errorf("Error finding roles for IP %q: %q", ip, err) } if secret == nil || secret.Data == nil { return "", fmt.Errorf("Error finding roles for IP %q: %q", ip, err) } if secret.Data["roles"] == nil { return "", fmt.Errorf("No matching roles found for IP %q", ip) } if len(secret.Data["roles"].([]interface{})) == 1 { return secret.Data["roles"].([]interface{})[0].(string), nil } else { var roleNames string for _, item := range secret.Data["roles"].([]interface{}) { roleNames += item.(string) + ", " } roleNames = strings.TrimRight(roleNames, ", ") return "", fmt.Errorf("Roles:%q. "+` Multiple roles are registered for this IP. Select a role using '-role' option. Note that all roles may not be permitted, based on ACLs.`, roleNames) } } // userAndIP takes an argument in the format foo@1.2.3.4 and separates the IP // and user parts, returning any errors. func (c *SSHCommand) userAndIP(s string) (string, string, error) { // split the parameter username@ip input := strings.Split(s, "@") var username, address string // If only IP is mentioned and username is skipped, assume username to // be the current username. Vault SSH role's default username could have // been used, but in order to retain the consistency with SSH command, // current username is employed. switch len(input) { case 1: u, err := user.Current() if err != nil { return "", "", errors.Wrap(err, "failed to fetch current user") } username, address = u.Username, input[0] case 2: username, address = input[0], input[1] default: return "", "", fmt.Errorf("invalid arguments: %q", s) } // Resolving domain names to IP address on the client side. // Vault only deals with IP addresses. ipAddr, err := net.ResolveIPAddr("ip", address) if err != nil { return "", "", errors.Wrap(err, "failed to resolve IP address") } ip := ipAddr.String() return username, ip, nil } func (c *SSHCommand) Synopsis() string { return "Initiate an SSH session" } func (c *SSHCommand) Help() string { helpText := ` Usage: vault ssh [options] username@ip [ssh options] Establishes an SSH connection with the target machine. This command uses one of the SSH authentication backends to authenticate and automatically establish an SSH connection to a host. This operation requires that the SSH backend is mounted and configured. SSH using the OTP mode (requires sshpass for full automation): $ vault ssh -mode=otp -role=my-role user@1.2.3.4 SSH using the CA mode: $ vault ssh -mode=ca -role=my-role user@1.2.3.4 SSH using CA mode with host key verification: $ vault ssh \ -mode=ca \ -role=my-role \ -host-key-mount-point=host-signer \ -host-key-hostnames=example.com \ user@example.com For the full list of options and arguments, please see the documentation. General Options: ` + meta.GeneralOptionsUsage() + ` SSH Options: -role Role to be used to create the key. Each IP is associated with a role. To see the associated roles with IP, use "lookup" endpoint. If you are certain that there is only one role associated with the IP, you can skip mentioning the role. It will be chosen by default. If there are no roles associated with the IP, register the CIDR block of that IP using the "roles/" endpoint. -no-exec Shows the credentials but does not establish connection. -mount-point Mount point of SSH backend. If the backend is mounted at "ssh" (default), this parameter can be skipped. -format If the "no-exec" option is enabled, the credentials will be printed out and SSH connection will not be established. The format of the output can be "json" or "table" (default). -strict-host-key-checking This option corresponds to "StrictHostKeyChecking" of SSH configuration. If "sshpass" is employed to enable automated login, then if host key is not "known" to the client, "vault ssh" command will fail. Set this option to "no" to bypass the host key checking. Defaults to "ask". Can also be specified with the "VAULT_SSH_STRICT_HOST_KEY_CHECKING" environment variable. -user-known-hosts-file This option corresponds to "UserKnownHostsFile" of SSH configuration. Assigns the file to use for storing the host keys. If this option is set to "/dev/null" along with "-strict-host-key-checking=no", both warnings and host key checking can be avoided while establishing the connection. Defaults to "~/.ssh/known_hosts". Can also be specified with "VAULT_SSH_USER_KNOWN_HOSTS_FILE" environment variable. CA Mode Options: - public-key-path= The path to the public key to send to Vault for signing. The default value is ~/.ssh/id_rsa.pub. - private-key-path= The path to the private key to use for authentication. This must be the corresponding private key to -public-key-path. The default value is ~/.ssh/id_rsa. - host-key-mount-point= The mount point to the SSH backend where host keys are signed. When given a value, Vault will generate a custom known_hosts file with delegation to the CA at the provided mount point and verify the SSH connection's host keys against the provided CA. By default, this command uses the users's existing known_hosts file. When this flag is set, this command will force strict host key checking and will override any values provided for a custom -user-known-hosts-file. - host-key-hostnames= The list of hostnames to delegate for this certificate authority. By default, this is "*", which allows all domains and IPs. To restrict validation to a series of hostnames, specify them as comma-separated values here. ` return strings.TrimSpace(helpText) }