SSHs to multiple users by registering the respective host keys

2025-11-01 19:17:58 +00:00 · 2015-06-19 12:59:36 -04:00
parent 5cd9b7a7d8
commit 9d709bd5a9
5 changed files with 45 additions and 22 deletions
--- a/builtin/logical/ssh/path_config_lease.go
+++ b/builtin/logical/ssh/path_config_lease.go
@@ -18,7 +18,6 @@ func pathConfigLease(b *backend) *framework.Path {
 				Type:        framework.TypeString,
 				Description: "Default lease for roles.",
 			},
-
 			"lease_max": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: "Maximum time a credential is valid for.",
--- a/builtin/logical/ssh/secret_one_time_key.go
+++ b/builtin/logical/ssh/secret_one_time_key.go
@@ -8,12 +8,12 @@ import (
 	"github.com/hashicorp/vault/logical/framework"
 )

-const SecretSshHostKeyType = "secret_ssh_host_key_type"
+const SecretOneTimeKeyType = "secret_one_type_key_type"

 func secretOneTimeKey(b *backend) *framework.Secret {
 	log.Printf("Vishal: ssh.secretPrivateKey\n")
 	return &framework.Secret{
-		Type: SecretSshHostKeyType,
+		Type: SecretOneTimeKeyType,
 		Fields: map[string]*framework.FieldSchema{
 			"username": &framework.FieldSchema{
 				Type:        framework.TypeString,
--- a/builtin/logical/ssh/ssh_connect.go
+++ b/builtin/logical/ssh/ssh_connect.go
@@ -57,11 +57,17 @@ func (b *backend) sshConnectWrite(
 	//TODO: save th entry in a file
 	//TODO: read the hosts path and get the key
 	//TODO: Input validation for the commands below
+	hostKeyFileName := "./vault_ssh_" + username + "_" + ipAddr + "_shared.pem"
+	err = ioutil.WriteFile(hostKeyFileName, []byte(hostKey.Key), 0400)

-	rmCmd := "rm -f " + "vault_ssh_otk.pem" + " " + "vault_ssh_otk.pem.pub" + ";"
-	sshKeygenCmd := "ssh-keygen -f " + "vault_ssh_otk.pem" + " -t rsa -N ''" + ";"
-	chmodCmd := "chmod 400 " + "vault_ssh_otk.pem" + ";"
-	scpCmd := "scp -i " + "vault_ssh_shared.pem" + " " + "vault_ssh_otk.pem.pub" + " " + username + "@" + ipAddr + ":~;"
+	otkPrivateKeyFileName := "vault_ssh_" + username + "_" + ipAddr + "_otk.pem"
+	otkPublicKeyFileName := otkPrivateKeyFileName + ".pub"
+	rmCmd := "rm -f " + otkPrivateKeyFileName + " " + otkPublicKeyFileName + ";"
+	sshKeygenCmd := "ssh-keygen -f " + otkPrivateKeyFileName + " -t rsa -N ''" + ";"
+	chmodCmd := "chmod 400 " + otkPrivateKeyFileName + ";"
+	scpCmd := "scp -i " + hostKeyFileName + " " + otkPublicKeyFileName + " " + username + "@" + ipAddr + ":~;"
+
+	log.Printf("Vishal: scpCmd: \n", scpCmd)

 	localCmdString := strings.Join([]string{
 		rmCmd,
@@ -73,18 +79,20 @@ func (b *backend) sshConnectWrite(
 	if err != nil {
 		fmt.Errorf("Running command failed " + err.Error())
 	}
+	log.Printf("Vishal: Creating session\n")
 	session := createSSHPublicKeysSession(username, ipAddr)
 	var buf bytes.Buffer
 	session.Stdout = &buf
-	if err := installSshOtkInTarget(session); err != nil {
+	log.Printf("Vishal: Installing keys\n")
+	if err := installSshOtkInTarget(session, username, ipAddr); err != nil {
 		fmt.Errorf("Failed to install one-time-key at target machine: " + err.Error())
 	}
 	session.Close()
 	fmt.Println(buf.String())
-	keyBytes, err := ioutil.ReadFile("vault_ssh_otk.pem")
+	keyBytes, err := ioutil.ReadFile(otkPrivateKeyFileName)
 	oneTimeKey := string(keyBytes)
-	log.Printf("Vishal: Returning:%s\n", oneTimeKey)
-	return b.Secret(SecretSshHostKeyType).Response(map[string]interface{}{
+	log.Printf("Vishal: Returning:[%s]\n", oneTimeKey)
+	return b.Secret(SecretOneTimeKeyType).Response(map[string]interface{}{
 		"key": oneTimeKey,
 	}, nil), nil
 	/*return &logical.Response{
--- a/builtin/logical/ssh/ssh_util.go
+++ b/builtin/logical/ssh/ssh_util.go
@@ -18,18 +18,28 @@ func exec_command(cmdString string) error {
 	return nil
 }

-func installSshOtkInTarget(session *ssh.Session) error {
+func installSshOtkInTarget(session *ssh.Session, username string, ipAddr string) error {
 	log.Printf("Vishal: ssh.installSshOtkInTarget\n")

-	grepCmd := "grep -vFf " + "vault_ssh_otk.pem.pub" + " " + "~/.ssh/authorized_keys" + " > " + "./temp_authorized_keys" + ";"
-	catCmdRemoveDuplicate := "cat " + "./temp_authorized_keys" + " > " + "~/.ssh/authorized_keys" + ";"
-	catCmdAppendNew := "cat " + "./vault_ssh_otk.pem.pub" + " >> " + "~/.ssh/authorized_keys" + ";"
-	rmCmd := "rm -f " + "./temp_authorized_keys" + " " + "./vault_ssh_otk.pem.pub" + ";"
+	//TODO: Input validation for the commands below
+	otkPrivateKeyFileName := "vault_ssh_" + username + "_" + ipAddr + "_otk.pem"
+	otkPublicKeyFileName := otkPrivateKeyFileName + ".pub"
+	authKeysFileName := "~/.ssh/authorized_keys"
+	tempKeysFileName := "./temp_authorized_keys"
+
+	grepCmd := "grep -vFf " + otkPublicKeyFileName + " " + authKeysFileName + " > " + tempKeysFileName + ";"
+	catCmdRemoveDuplicate := "cat " + tempKeysFileName + " > " + authKeysFileName + ";"
+	catCmdAppendNew := "cat " + otkPublicKeyFileName + " >> " + authKeysFileName + ";"
+	rmCmd := "rm -f " + tempKeysFileName + " " + otkPublicKeyFileName + ";"
+	log.Printf("Vishal: grepCmd:%#v\n catCmdRemoveDuplicate:%#v\n catCmdAppendNew:%#v\n rmCmd: %#v\n", grepCmd, catCmdRemoveDuplicate, catCmdAppendNew, rmCmd)
 	remoteCmdString := strings.Join([]string{
 		grepCmd,
+		"echo 1;",
 		catCmdRemoveDuplicate,
+		"echo 2;",
 		catCmdAppendNew,
-		rmCmd,
+		"echo 3;",
+		//rmCmd,
 	}, "")

 	if err := session.Run(remoteCmdString); err != nil {
@@ -38,7 +48,8 @@ func installSshOtkInTarget(session *ssh.Session) error {
 	return nil
 }
 func createSSHPublicKeysSession(username string, ipAddr string) *ssh.Session {
-	pemBytes, err := ioutil.ReadFile("vault_ssh_shared.pem")
+	hostKeyFileName := "./vault_ssh_" + username + "_" + ipAddr + "_shared.pem"
+	pemBytes, err := ioutil.ReadFile(hostKeyFileName)
 	if err != nil {
 		fmt.Errorf("Reading shared key failed: " + err.Error())
 	}
@@ -59,6 +70,9 @@ func createSSHPublicKeysSession(username string, ipAddr string) *ssh.Session {
 	if err != nil {
 		fmt.Errorf("Dial Failed: " + err.Error())
 	}
+	if client == nil {
+		fmt.Errorf("SSH Dial to target failed: ", err.Error())
+	}

 	session, err := client.NewSession()
 	if err != nil {
--- a/command/ssh.go
+++ b/command/ssh.go
@@ -37,7 +37,9 @@ func (c *SshCommand) Run(args []string) int {
 	}

 	log.Printf("Vishal: command.ssh.Run returned! OTK:%#v\n", sshOneTimeKey)
-	err = ioutil.WriteFile("./vault_ssh_otk_"+args[0]+".pem", []byte(sshOneTimeKey.Key), 0400)
+	ag := strings.Split(args[0], "@")
+	sshOtkFileName := "vault_ssh_otk_" + ag[0] + "_" + ag[1] + ".pem"
+	err = ioutil.WriteFile(sshOtkFileName, []byte(sshOneTimeKey.Key), 0400)
 	//if sshOneTimeKey is empty, fail
 	//Establish a session directly from client to the target using the one time key received without making the vault server the middle guy:w
 	sshBinary, err := exec.LookPath("ssh")
@@ -47,10 +49,10 @@ func (c *SshCommand) Run(args []string) int {

 	sshEnv := os.Environ()

-	sshNew := "ssh -i " + "vault_ssh_otk_" + args[0] + ".pem " + args[0]
+	sshNew := "ssh -i " + sshOtkFileName + " " + args[0]
 	log.Printf("Vishal: sshNew:%#v\n", sshNew)
-	sshCmdArgs := []string{"ssh", "-i", "vault_ssh_otk_" + args[0] + ".pem", args[0]}
-	defer os.Remove("vault_ssh_otk_" + args[0] + ".pem")
+	sshCmdArgs := []string{"ssh", "-i", sshOtkFileName, args[0]}
+	//defer os.Remove("vault_ssh_otk_" + args[0] + ".pem")

 	if err := syscall.Exec(sshBinary, sshCmdArgs, sshEnv); err != nil {
 		log.Printf("Execution failed: sshCommand: " + err.Error())