feature: read force-command from client certificate

cyrilst · cyrilst · commit 8e0e5296cfb0 · 2025-10-23T09:47:57.000+02:00
diff --git a/cmd/sshproxy/sshproxy.go b/cmd/sshproxy/sshproxy.go
@@ -34,6 +34,7 @@ import (
 	"github.com/moby/term"
 	"github.com/op/go-logging"
 	"go.etcd.io/etcd/client/v3"
+	"golang.org/x/crypto/ssh"
 )
 
 var (
@@ -206,6 +207,31 @@ type ConnInfo struct {
 	SSH   *SSHInfo  // SSH source and destination (from SSH_CONNECTION)
 }
 
+// GetOriginalCommand returns the force-command included in the client ssh
+// certificate, if any. Otherwise, it returns the content of the environment
+// variable SSH_ORIGINAL_COMMAND. No error is returned. In case of any error,
+// the content of SSH_ORIGINAL_COMMAND will be returned.
+func getOriginalCommand() string {
+	userAuthFile := os.Getenv("SSH_USER_AUTH")
+	if userAuthFile != "" {
+		content, err := os.ReadFile(userAuthFile)
+		if err == nil {
+			prefix := []byte("publickey ")
+			key, found := bytes.CutPrefix(content, prefix)
+			if found {
+				out, comment, options, rest, err := ssh.ParseAuthorizedKey(key)
+				if err == nil {
+					fmt.Println("out: %v", out)
+					fmt.Println("comment: %v", comment)
+					fmt.Println("options: %v", options)
+					fmt.Println("rest: %v", rest)
+				}
+			}
+		}
+	}
+	return os.Getenv("SSH_ORIGINAL_COMMAND")
+}
+
 func main() {
 	os.Exit(mainExitCode())
 }
@@ -428,7 +454,7 @@ func mainExitCode() int {
 		}
 	}()
 
-	originalCmd := os.Getenv("SSH_ORIGINAL_COMMAND")
+	originalCmd := getOriginalCommand()
 	log.Debugf("original command = %s", originalCmd)
 
 	interactiveCommand := term.IsTerminal(os.Stdout.Fd())
