Add an option to force the command executed by sshproxy.

cyrilst · cyrilst · commit f156ac921f56 · 2021-10-26T10:54:07.000+02:00
Add an option to close the connection when original command does not
match de force command.

Add an option to translate the command to something else.
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-SSHPROXY_VERSION ?= 1.4.0
+SSHPROXY_VERSION ?= 1.5.0
 SSHPROXY_GIT_URL ?= github.com/cea-hpc/sshproxy
 
 prefix		?= /usr
diff --git a/cmd/sshproxy/sshproxy.go b/cmd/sshproxy/sshproxy.go
@@ -92,18 +92,19 @@ func (c *etcdChecker) doCheck(hostport string) utils.State {
 
 // findDestination finds a reachable destination for the sshd server according
 // to the etcd database if available or the routes and route_select algorithm.
-// It returns a string with the service name and a string with host:port, a
+// It returns a string with the service name, a string with host:port, a string
+// containing ForceCommand value and a bool containing CommandMustMatch; a
 // string with the service name and an empty string if no destination is found
 // or an error if any.
-func findDestination(cli *utils.Client, username string, routes map[string]*utils.RouteConfig, sshdHostport string, checkInterval utils.Duration) (string, string, error) {
+func findDestination(cli *utils.Client, username string, routes map[string]*utils.RouteConfig, sshdHostport string, checkInterval utils.Duration) (string, string, string, bool, error) {
 	checker := &etcdChecker{
 		checkInterval: checkInterval,
 		cli:           cli,
 	}
 
 	service, err := findService(routes, sshdHostport)
 	if err != nil {
-		return "", "", err
+		return "", "", "", false, err
 	}
 	key := fmt.Sprintf("%s@%s", username, service)
 
@@ -117,7 +118,7 @@ func findDestination(cli *utils.Client, username string, routes map[string]*util
 			if utils.IsDestinationInRoutes(dest, routes[service].Dest) {
 				if checker.Check(dest) {
 					log.Debugf("found destination in etcd: %s", dest)
-					return service, dest, nil
+					return service, dest, routes[service].ForceCommand, routes[service].CommandMustMatch, nil
 				}
 				log.Infof("cannot connect %s to already existing connection(s) to %s: host %s", key, dest, checker.LastState)
 			} else {
@@ -128,10 +129,10 @@ func findDestination(cli *utils.Client, username string, routes map[string]*util
 
 	if len(routes[service].Dest) > 0 {
 		selected, err := utils.SelectRoute(routes[service].RouteSelect, routes[service].Dest, checker, cli, key)
-		return service, selected, err
+		return service, selected, routes[service].ForceCommand, routes[service].CommandMustMatch, err
 	}
 
-	return service, "", fmt.Errorf("no destination set for service %s", service)
+	return service, "", "", false, fmt.Errorf("no destination set for service %s", service)
 }
 
 // findService finds the first service containing a suitable source in the conf,
@@ -309,6 +310,7 @@ func mainExitCode() int {
 	log.Debugf("config.log_stats_interval = %s", config.LogStatsInterval.Duration())
 	log.Debugf("config.etcd = %+v", config.Etcd)
 	log.Debugf("config.bg_command = %s", config.BgCommand)
+	log.Debugf("config.translate_commands = %v", config.TranslateCommands)
 	log.Debugf("config.environment = %v", config.Environment)
 	log.Debugf("config.routes = %v", config.Routes)
 	log.Debugf("config.ssh.exe = %s", config.SSH.Exe)
@@ -324,7 +326,7 @@ func mainExitCode() int {
 		log.Errorf("Cannot contact etcd cluster to update state: %v", err)
 	}
 
-	service, hostport, err := findDestination(cli, username, config.Routes, sshInfos.Dst(), config.CheckInterval)
+	service, hostport, forceCommand, commandMustMatch, err := findDestination(cli, username, config.Routes, sshInfos.Dst(), config.CheckInterval)
 	switch {
 	case err != nil:
 		log.Fatalf("Finding destination: %s", err)
@@ -442,24 +444,39 @@ func mainExitCode() int {
 	if port != utils.DefaultSSHPort {
 		sshArgs = append(sshArgs, "-p", port)
 	}
-	if originalCmd != "" {
-		if strings.Contains(originalCmd, "sftp-server") {
-			// Ask for sftp subsystem on destination (arguments are
-			// the same used by sftp client command).
-			sshArgs = append(sshArgs, "-oForwardX11=no",
-				"-oForwardAgent=no", "-oPermitLocalCommand=no",
-				"-oClearAllForwardings=yes", "-oProtocol=2",
-				"-s", "--", host, "sftp")
-			if config.Dump != "" {
-				// We don't want to dump sftp connections
-				config.Dump = "etcd"
+	doCmd := ""
+	if forceCommand != "" {
+		log.Debugf("forceCommand = %s", forceCommand)
+		doCmd = forceCommand
+	} else if originalCmd != "" {
+		doCmd = originalCmd
+	}
+	commandTranslated := false
+	if doCmd != "" {
+		if commandMustMatch && originalCmd != doCmd {
+			log.Errorf("error executing proxied ssh command: originalCmd \"%s\" does not match forceCommand \"%s\"", originalCmd, forceCommand)
+			return 1
+		}
+		for fromCmd, translateCmdConf := range config.TranslateCommands {
+			if doCmd == fromCmd {
+				log.Debugf("translateCmdConf = %+v", translateCmdConf)
+				for _, sshArg := range translateCmdConf.SSHArgs {
+					sshArgs = append(sshArgs, sshArg)
+				}
+				sshArgs = append(sshArgs, "--", host, translateCmdConf.Command)
+				if config.Dump != "" && translateCmdConf.DisableDump {
+					config.Dump = "etcd"
+				}
+				commandTranslated = true
+				break
 			}
-		} else {
+		}
+		if !commandTranslated {
 			if interactiveCommand {
 				// Force TTY allocation because the user probably asked for it.
 				sshArgs = append(sshArgs, "-t")
 			}
-			sshArgs = append(sshArgs, host, originalCmd)
+			sshArgs = append(sshArgs, host, doCmd)
 		}
 	} else {
 		sshArgs = append(sshArgs, host)
@@ -469,7 +486,7 @@ func mainExitCode() int {
 
 	var recorder *Recorder
 	if config.Dump != "" {
-		recorder = NewRecorder(conninfo, config.Dump, originalCmd, config.EtcdStatsInterval.Duration(), config.LogStatsInterval.Duration(), config.DumpLimitSize, config.DumpLimitWindow.Duration())
+		recorder = NewRecorder(conninfo, config.Dump, doCmd, config.EtcdStatsInterval.Duration(), config.LogStatsInterval.Duration(), config.DumpLimitSize, config.DumpLimitWindow.Duration())
 
 		wg.Add(1)
 		go func() {
diff --git a/config/sshproxy.yaml b/config/sshproxy.yaml
@@ -61,6 +61,24 @@
 # set.
 #etcd_stats_interval: "0"
 
+# Commands can be translated between what is received by sshproxy and what is
+# executed by the ssh forked by sshproxy. The keys are strings containing the
+# exact user command. ssh_args contains an optional list of options that will
+# be passed to ssh. command is a mandatory string, the actual executed command.
+# disable_dump is false by default. If true, no dumps will be done for this
+# command.
+#translate_commands:
+#  "internal-sftp":
+#    ssh_args:
+#      - "-oForwardX11=no"
+#      - "-oForwardAgent=no"
+#      - "-oPermitLocalCommand=no"
+#      - "-oClearAllForwardings=yes"
+#      - "-oProtocol=2"
+#      - "-s"
+#    command: "sftp"
+#    disable_dump: true
+
 # A command can be launched in the background for the session duration.
 # The standard and error outputs are only logged in debug mode.
 #bg_command: ""
@@ -110,11 +128,14 @@
 # priority, then the hosts with less global connections, and in case of a draw,
 # the selection is random. For "bandwidth", it's the same as "connections", but
 # based on the bandwidth used, with a rollback on connections (which is
-# frequent for new simultaneous connections). Finally, the mode value defines
-# the stickiness of a connection. It can be "sticky" or "balanced". If
-# "sticky", then all connections of a user will be made on the same destination
-# host. If "balanced", the route_select algorithm will be used for every
-# connection.
+# frequent for new simultaneous connections). The mode value defines the
+# stickiness of a connection. It can be "sticky" or "balanced". If "sticky",
+# then all connections of a user will be made on the same destination host. If
+# "balanced", the route_select algorithm will be used for every connection.
+# Finally, the force_command can be set to override the command asked by the
+# user. If command_must_match is set to true, then the connection is closed if
+# the original command is not the same as the force_command. command_must_match
+# defaults to false.
 #routes:
 #    service1:
 #        source: ["192.168.0.1"]
@@ -124,6 +145,8 @@
 #        dest: [host3, host4]
 #        route_select: bandwidth
 #        mode: balanced
+#        force_command: "internal-sftp"
+#        command_must_match: true
 #    default:
 #        dest: ["host5:4222"]
 
diff --git a/doc/sshproxy.yaml.txt b/doc/sshproxy.yaml.txt
@@ -97,6 +97,34 @@ It can also be a network address where to send dumps if specified as
 	suffix such as 'h', 'm' and 's' (e.g. '2m30s'). These statistics are
 	only available when the 'dump' option is set.
 
+Commands can be translated between what is received by sshproxy and what is
+executed by the ssh forked by sshproxy. *translate_commands* is an associative
+array which keys are strings containing the exact user command. The value is
+an associative array containing:
+
+*ssh_args*::
+	an optional list of options that will be passed to ssh.
+
+*command*::
+	a mandatory string, the actual executed command.
+
+*disable_dump*::
+	false by default. If true, no dumps will be done for this command.
+
+For example, we can have the following:
+
+	translate_commands:
+	    "internal-sftp":
+	        ssh_args:
+	            - "-oForwardX11=no"
+	            - "-oForwardAgent=no"
+	            - "-oPermitLocalCommand=no"
+	            - "-oClearAllForwardings=yes"
+	            - "-oProtocol=2"
+	            - "-s"
+	        command: "sftp"
+	        disable_dump: true
+
 etcd configuration is provided in an associative array *etcd* whose keys are:
 
 *endpoints*::
@@ -148,6 +176,8 @@ listening IP address of the SSH daemon:
 	        dest: [host3, host4]
 	        route_select: bandwidth
 	        mode: balanced
+		force_command: "internal-sftp"
+		command_must_match: true
 	    default:
 	        dest: ["host5:4222"]
 
@@ -164,11 +194,14 @@ If 'connections', the hosts with less connections from the user have
 priority, then the hosts with less global connections, and in case of a draw,
 the selection is random. For 'bandwidth', it's the same as 'connections', but
 based on the bandwidth used, with a rollback on connections (which is
-frequent for new simultaneous connections). Finally, the mode value defines
-the stickiness of a connection. It can be 'sticky' or 'balanced'. If
-'sticky', then all connections of a user will be made on the same destination
-host. If 'balanced', the route_select algorithm will be used for every
-connections.
+frequent for new simultaneous connections). The mode value defines the
+stickiness of a connection. It can be 'sticky' or 'balanced'. If 'sticky',
+then all connections of a user will be made on the same destination host. If
+'balanced', the route_select algorithm will be used for every connections.
+Finally, the force_command can be set to override the command asked by the
+user. If command_must_match is set to true, then the connection is closed if
+the original command is not the same as the force_command. command_must_match
+defaults to false.
 
 In the previous example, a client connected to '192.168.0.1' will be proxied
 to 'host1' and, if the host is not reachable, to 'host2'. If a client does not
diff --git a/misc/sshproxy.spec b/misc/sshproxy.spec
@@ -3,7 +3,7 @@
 %global debug_package   %{nil}
 
 Name:           sshproxy
-Version:        1.4.0
+Version:        1.5.0
 Release:        1%{?dist}
 Summary:        SSH proxy
 License:        CeCILL-B
@@ -51,6 +51,9 @@ install -p -m 0644 config/sshproxy.yaml %{buildroot}%{_sysconfdir}/sshproxy
 %{_mandir}/man8/sshproxy-replay.8*
 
 %changelog
+* Tue Oct 26 2021 Cyril Servant <cyril.servant@cea.fr> - 1.5.0-1
+- sshproxy 1.5.0
+
 * Mon Aug 16 2021 Cyril Servant <cyril.servant@cea.fr> - 1.4.0-1
 - sshproxy 1.4.0
 
diff --git a/pkg/utils/config.go b/pkg/utils/config.go
@@ -29,7 +29,7 @@ var (
 type Config struct {
 	Debug             bool
 	Log               string
-	CheckInterval     Duration `yaml:"check_interval"` // Minimum interval between host checks
+	CheckInterval     Duration `yaml:"check_interval"`
 	ErrorBanner       string   `yaml:"error_banner"`
 	Dump              string
 	DumpLimitSize     uint64   `yaml:"dump_limit_size"`
@@ -39,20 +39,32 @@ type Config struct {
 	LogStatsInterval  Duration `yaml:"log_stats_interval"`
 	BgCommand         string   `yaml:"bg_command"`
 	SSH               sshConfig
+	TranslateCommands map[string]*TranslateCommandConfig `yaml:"translate_commands"`
 	Environment       map[string]string
 	Routes            map[string]*RouteConfig
 	Users             []map[string]subConfig
 	Groups            []map[string]subConfig
 }
 
+// TranslateCommandConfig represents the configuration of a translate_command.
+// SSHArgs is optional. Command is mandatory. DisableDump defaults to false
+type TranslateCommandConfig struct {
+	SSHArgs     []string `yaml:"ssh_args"`
+	Command     string
+	DisableDump bool `yaml:"disable_dump"`
+}
+
 // RouteConfig represents the configuration of a route. Dest is mandatory,
 // Source is mandatory if the associated service name is not the default one.
-// RouteSelect defaults to "ordered", Mode defaults to "stiky".
+// RouteSelect defaults to "ordered", Mode defaults to "stiky", ForceCommand is
+// optional, CommandMustMatch defaults to false
 type RouteConfig struct {
-	Source      []string
-	Dest        []string
-	RouteSelect string `yaml:"route_select"`
-	Mode        string
+	Source           []string
+	Dest             []string
+	RouteSelect      string `yaml:"route_select"`
+	Mode             string
+	ForceCommand     string `yaml:"force_command"`
+	CommandMustMatch bool   `yaml:"command_must_match"`
 }
 
 type sshConfig struct {
@@ -81,11 +93,12 @@ type subConfig struct {
 	Log               interface{}
 	ErrorBanner       interface{} `yaml:"error_banner"`
 	Dump              interface{}
-	DumpLimitSize     interface{} `yaml:"dump_limit_size"`
-	DumpLimitWindow   interface{} `yaml:"dump_limit_window"`
-	EtcdStatsInterval interface{} `yaml:"etcd_stats_interval"`
-	LogStatsInterval  interface{} `yaml:"log_stats_interval"`
-	BgCommand         interface{} `yaml:"bg_command"`
+	DumpLimitSize     interface{}                        `yaml:"dump_limit_size"`
+	DumpLimitWindow   interface{}                        `yaml:"dump_limit_window"`
+	EtcdStatsInterval interface{}                        `yaml:"etcd_stats_interval"`
+	LogStatsInterval  interface{}                        `yaml:"log_stats_interval"`
+	BgCommand         interface{}                        `yaml:"bg_command"`
+	TranslateCommands map[string]*TranslateCommandConfig `yaml:"translate_commands"`
 	Environment       map[string]string
 	Routes            map[string]*RouteConfig
 	SSH               sshConfig
@@ -153,6 +166,11 @@ func parseSubConfig(config *Config, subconfig *subConfig) error {
 		config.Routes[service] = opts
 	}
 
+	// merge translate_commands
+	for k, v := range subconfig.TranslateCommands {
+		config.TranslateCommands[k] = v
+	}
+
 	// merge environment
 	for k, v := range subconfig.Environment {
 		config.Environment[k] = v
diff --git a/test/centos-image/gateway.sh b/test/centos-image/gateway.sh
@@ -29,6 +29,18 @@ cat <<EOF >/etc/sshproxy/sshproxy.yaml
 debug: true
 log: /tmp/sshproxy-{user}.log
 
+translate_commands:
+    "/usr/libexec/openssh/sftp-server":
+        ssh_args:
+            - "-oForwardX11=no"
+            - "-oForwardAgent=no"
+            - "-oPermitLocalCommand=no"
+            - "-oClearAllForwardings=yes"
+            - "-oProtocol=2"
+            - "-s"
+        command: "sftp"
+        disable_dump: true
+
 etcd:
     endpoints:
         - "https://etcd:2379"
@@ -52,6 +64,11 @@ routes:
     service3:
         source: ["gateway1:2024"]
         dest: ["server2"]
+    sftp:
+        source: ["gateway2:2023"]
+        dest: ["server1"]
+        force_command: "/usr/libexec/openssh/sftp-server"
+        command_must_match: true
     default:
         dest: ["server3"]
 
diff --git a/test/centos-image/sshproxy_test.go b/test/centos-image/sshproxy_test.go

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-SSHPROXY_VERSION ?= 1.4.0`
	`1`	`+SSHPROXY_VERSION ?= 1.5.0`
`2`	`2`	`SSHPROXY_GIT_URL ?= github.com/cea-hpc/sshproxy`
`3`	`3`
`4`	`4`	`prefix ?= /usr`