feature: read force-command from client certificate

Author: cyrilst

cmd/sshproxy/sshproxy.go

@@ -11,6 +11,7 @@
 package main
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"flag"
@@ -34,6 +35,7 @@ import (
 	"github.com/moby/term"
 	"github.com/op/go-logging"
 	"go.etcd.io/etcd/client/v3"
+	"golang.org/x/crypto/ssh"
 )
 
 var (
@@ -206,6 +208,42 @@ type ConnInfo struct {
 	SSH   *SSHInfo  // SSH source and destination (from SSH_CONNECTION)
 }
 
+// GetOriginalCommand returns the force-command included in the client ssh
+// certificate, if any. Otherwise, it returns the content of the environment
+// variable SSH_ORIGINAL_COMMAND. No error is returned. In case of any error,
+// the content of SSH_ORIGINAL_COMMAND will be returned. The second returned
+// string is a comment for debugging purpose.
+func getOriginalCommand() (string, string) {
+	userAuthFile := os.Getenv("SSH_USER_AUTH")
+	if userAuthFile != "" {
+		// The environment variable is present
+		content, err := os.ReadFile(userAuthFile)
+		if err == nil {
+			// The temporary file is read
+			prefix := []byte("publickey ")
+			key, found := bytes.CutPrefix(content, prefix)
+			if found {
+				// The file contains a publickey
+				pubKey, _, _, _, err := ssh.ParseAuthorizedKey(key)
+				if err == nil {
+					// The pubilckey is parsed
+					cert, ok := pubKey.(*ssh.Certificate)
+					if ok && cert.Permissions.CriticalOptions != nil && cert.Permissions.CriticalOptions["force-command"] != "" {
+						// the publickey is a certificate, and contains a
+						// force-command
+						return cert.Permissions.CriticalOptions["force-command"], " (forced) "
+					}
+				} else {
+					log.Warning(err)
+				}
+			}
+		} else {
+			log.Warning(err)
+		}
+	}
+	return os.Getenv("SSH_ORIGINAL_COMMAND"), " "
+}
+
 func main() {
 	os.Exit(mainExitCode())
 }
@@ -428,8 +466,8 @@ func mainExitCode() int {
 		}
 	}()
 
-	originalCmd := os.Getenv("SSH_ORIGINAL_COMMAND")
-	log.Debugf("original command = %s", originalCmd)
+	originalCmd, comment := getOriginalCommand()
+	log.Debugf("original command%s= %s", comment, originalCmd)
 
 	interactiveCommand := term.IsTerminal(os.Stdout.Fd())
 	log.Debugf("interactiveCommand = %v", interactiveCommand)

cmd/sshproxy/sshproxy_test.go

@@ -530,3 +530,86 @@ func BenchmarkSrcDst(b *testing.B) {
 		}
 	})
 }
+
+var getOriginalCommandTests = []struct {
+	sshUserAuth string
+	wantCmd     string
+	wantComment string
+	logs        []string
+}{
+	{
+		// without SSH_USER_AUTH
+		"",
+		"",
+		" ",
+		[]string{},
+	}, {
+		// with a wrong SSH_USER_AUTH
+		"_non_existing_file_",
+		"",
+		" ",
+		[]string{
+			"open _non_existing_file_: no such file or directory",
+		},
+	}, {
+		// SSH_USER_AUTH is not a publickey
+		"../../test/sshUserAuthPassword",
+		"",
+		" ",
+		[]string{},
+	}, {
+		// error in the publickey
+		"../../test/sshUserAuthInvalidKey",
+		"",
+		" ",
+		[]string{
+			"ssh: no key found",
+		},
+	}, {
+		// publickey is not a certificate
+		"../../test/sshUserAuthKey",
+		"",
+		" ",
+		[]string{},
+	}, {
+		// publickey is a certificate without force-command
+		"../../test/sshUserAuthCert",
+		"",
+		" ",
+		[]string{},
+	}, {
+		// publickey is a certificate with force-command
+		"../../test/sshUserAuthCertForceCmd",
+		"test-command",
+		" (forced) ",
+		[]string{},
+	},
+}
+
+func TestGetOriginalCommand(t *testing.T) {
+	for _, tt := range getOriginalCommandTests {
+		logBackend := setTestLogBackend()
+		os.Setenv("SSH_USER_AUTH", tt.sshUserAuth)
+		originalCmd, comment := getOriginalCommand()
+		if originalCmd != tt.wantCmd || comment != tt.wantComment {
+			t.Errorf("want '%s' - '%s', got '%s' - '%s'", tt.wantCmd, tt.wantComment, originalCmd, comment)
+		}
+		logs := getTestLogs(logBackend)
+		if !reflect.DeepEqual(tt.logs, logs) {
+			t.Errorf("want %v, got %v", tt.logs, logs)
+		}
+	}
+	os.Unsetenv("SSH_USER_AUTH")
+}
+
+func BenchmarkGetOriginalCommand(b *testing.B) {
+	for _, tt := range getOriginalCommandTests {
+		os.Setenv("SSH_USER_AUTH", tt.sshUserAuth)
+		b.Run(tt.sshUserAuth, func(b *testing.B) {
+			for i := 0; i < b.N; i++ {
+				getOriginalCommand()
+			}
+		})
+	}
+	os.Unsetenv("SSH_USER_AUTH")
+}

doc/sshproxy.txt

@@ -18,6 +18,13 @@ DESCRIPTION
 
 'sshproxy' is used on a gateway to proxy SSH connections.
 
+If the SSH server sets the 'SSH_USER_AUTH' environment variable (see
+'ExposeAuthInfo' in openssh's 'sshd_config'), 'sshproxy' uses it to get the
+'force-command' directive of the client's signed ssh public key. If a
+'force-command' is found, it is used as an argement to the 'ssh' command
+forked by sshproxy. Otherwise, the 'SSH_ORIGINAL_COMMAND' environment variable
+is used as the argument to the 'ssh' command.
+
 OPTIONS
 -------
 

go.mod

@@ -14,6 +14,7 @@ require (
 	go.etcd.io/etcd/api/v3 v3.6.5
 	go.etcd.io/etcd/client/v3 v3.6.5
 	go.uber.org/zap v1.27.0
+	golang.org/x/crypto v0.43.0
 	google.golang.org/grpc v1.76.0
 	gopkg.in/yaml.v2 v2.4.0
 )

go.sum

@@ -96,6 +96,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -114,6 +116,8 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
 golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
+golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=

test/sshUserAuthCert

@@ -0,0 +1 @@
+publickey [email protected] AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIJnb9PbGfwXbvXhNgOZsbqAo5SGjbcBgnU6DFQ6bTO44AAAAINQMu6aptjzBfNLiyi0y2Y1s1Qfdvuj9KVTqbIAN/cLYAAAAAAAAAAAAAAABAAAAC2Zvb0BiYXIuY29tAAAAAAAAAAAAAAAA//////////8AAAAAAAAAggAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtcHR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAdwC2KCieJ4+hiUnZT/SypRFmbjmn+vEgWpWGLfPVUHAAAAFMAAAALc3NoLWVkMjU1MTkAAABAB77ZKSV75Df+l5GH4Sf/6rOm6l4Rye9lTQaAytpAnWmNgFKpxBgvBOO2WEQBqbktqGJ2NNF6vp5Qct7wCbLZCA==

test/sshUserAuthCertForceCmd

@@ -0,0 +1 @@
+publickey [email protected] AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIL6frxCB6M1cFbFQqc0TGFo54k3VczrFy6R313RRp+uOAAAAINQMu6aptjzBfNLiyi0y2Y1s1Qfdvuj9KVTqbIAN/cLYAAAAAAAAAAAAAAABAAAAC2Zvb0BiYXIuY29tAAAAAAAAAAAAAAAA//////////8AAAAlAAAADWZvcmNlLWNvbW1hbmQAAAAQAAAADHRlc3QtY29tbWFuZAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgHcAtigoniePoYlJ2U/0sqURZm45p/rxIFqVhi3z1VBwAAABTAAAAC3NzaC1lZDI1NTE5AAAAQMYvMM55rY8KFX67xrlhL0oXHHREEOo0Gp02luTiaekeo2IntQUEeYZb/T4g6eFJtf8A1XCS99FgXZ4/2UVcPQo=

test/sshUserAuthInvalidKey

@@ -0,0 +1 @@
+publickey invalid_data

test/sshUserAuthKey

@@ -0,0 +1 @@
+publickey ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQMu6aptjzBfNLiyi0y2Y1s1Qfdvuj9KVTqbIAN/cLY

test/sshUserAuthPassword

@@ -0,0 +1 @@
+password