feature: read force-command from client certificate

Author: cyrilst

cmd/sshproxy/sshproxy.go

@@ -11,6 +11,7 @@
 package main
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"flag"
@@ -34,6 +35,7 @@ import (
 	"github.com/moby/term"
 	"github.com/op/go-logging"
 	"go.etcd.io/etcd/client/v3"
+	"golang.org/x/crypto/ssh"
 )
 
 var (
@@ -206,6 +208,31 @@ type ConnInfo struct {
 	SSH   *SSHInfo  // SSH source and destination (from SSH_CONNECTION)
 }
 
+// GetOriginalCommand returns the force-command included in the client ssh
+// certificate, if any. Otherwise, it returns the content of the environment
+// variable SSH_ORIGINAL_COMMAND. No error is returned. In case of any error,
+// the content of SSH_ORIGINAL_COMMAND will be returned.
+func getOriginalCommand() string {
+	userAuthFile := os.Getenv("SSH_USER_AUTH")
+	if userAuthFile != "" {
+		content, err := os.ReadFile(userAuthFile)
+		if err == nil {
+			prefix := []byte("publickey ")
+			key, found := bytes.CutPrefix(content, prefix)
+			if found {
+				out, comment, options, rest, err := ssh.ParseAuthorizedKey(key)
+				if err == nil {
+					fmt.Println("out: %v", out)
+					fmt.Println("comment: %v", comment)
+					fmt.Println("options: %v", options)
+					fmt.Println("rest: %v", rest)
+				}
+			}
+		}
+	}
+	return os.Getenv("SSH_ORIGINAL_COMMAND")
+}
+
 func main() {
 	os.Exit(mainExitCode())
 }
@@ -428,7 +455,7 @@ func mainExitCode() int {
 		}
 	}()
 
-	originalCmd := os.Getenv("SSH_ORIGINAL_COMMAND")
+	originalCmd := getOriginalCommand()
 	log.Debugf("original command = %s", originalCmd)
 
 	interactiveCommand := term.IsTerminal(os.Stdout.Fd())

go.mod

@@ -14,6 +14,7 @@ require (
 	go.etcd.io/etcd/api/v3 v3.6.5
 	go.etcd.io/etcd/client/v3 v3.6.5
 	go.uber.org/zap v1.27.0
+	golang.org/x/crypto v0.43.0
 	google.golang.org/grpc v1.76.0
 	gopkg.in/yaml.v2 v2.4.0
 )

go.sum

@@ -96,6 +96,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -114,6 +116,8 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
 golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
+golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=