Merge pull request #253 from github/leaked-ssh-keys-detect

	Detect leaked ssh keys in backup snapshots

Author: rubiojr

bin/ghe-backup

@@ -247,5 +247,9 @@ else
     exit 1
 fi
 
+# Detect if the created backup contains any leaked ssh keys
+echo "Checking for leaked ssh keys ..."
+ghe-detect-leaked-ssh-keys -s "$GHE_SNAPSHOT_DIR" || true
+
 # Make sure we exit zero after the conditional
 true

bin/ghe-restore

@@ -66,6 +66,10 @@ GHE_RESTORE_SNAPSHOT_PATH="$(ghe-restore-snapshot-path "$snapshot_id")"
 GHE_RESTORE_SNAPSHOT=$(basename "$GHE_RESTORE_SNAPSHOT_PATH")
 export GHE_RESTORE_SNAPSHOT
 
+# Detect if the backup we are restoring has a leaked ssh key
+echo "Checking for leaked keys in the backup snapshot that is being restored ..."
+ghe-detect-leaked-ssh-keys -s "$GHE_RESTORE_SNAPSHOT_PATH" || true
+
 # Figure out whether to use the tarball or rsync restore strategy based on the
 # strategy file written in the snapshot directory.
 GHE_BACKUP_STRATEGY=$(cat "$GHE_RESTORE_SNAPSHOT_PATH/strategy")

share/github-backup-utils/ghe-detect-leaked-ssh-keys

@@ -0,0 +1,125 @@
+#!/bin/bash
+#/ Usage: ghe-detect-leaked-ssh-key [-s <snapshot-id>]
+#/
+#/ This utility will check each snapshot's existing SSH host keys against the list
+#/ of known leaked SSH host keys from GitHub Enterprise packages.
+#/
+#/ OPTIONS:
+#/   -h | --help                    Show this message.
+#/   -s |--snapshot <snapshot-id>   Scan the snapshot with the given id.
+#/                                  Available snapshots may be listed under the data directory.
+#/
+set -e
+
+usage() {
+  grep '^#/' < "$0" | cut -c 4-
+}
+
+TEMPDIR=$(mktemp -d)
+
+# Parse args.
+ARGS=$(getopt --name "$0" --long help,snapshot: --options hs -- "$@") || {
+  usage
+  exit 2
+}
+eval set -- $ARGS
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    -h|--help)
+      usage
+      exit 2
+      ;;
+    -s|--snapshot)
+      shift 2
+      snapshot=$1
+      ;;
+    --)
+      shift
+      break
+      ;;
+  esac
+  shift
+done
+
+ppid_script=$(ps -o args= $PPID | awk '{print $2}')
+if [ -n "$ppid_script" ]; then
+  ppid_name=$(basename $ppid_script)
+fi
+
+# Bring in the backup configuration
+. $( dirname "${BASH_SOURCE[0]}" )/ghe-backup-config
+
+fingerprint_blacklist=$(cat "$GHE_BACKUP_ROOT/share/github-backup-utils/ghe-ssh-leaked-host-keys-list.txt")
+
+keys="ssh_host_dsa_key.pub ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub"
+
+# Get all the host ssh keys tar from all snapshots directories
+if [ -n "$snapshot" ]; then
+  ssh_tars=$(find "$snapshot" -maxdepth 1 -type f -iname 'ssh-host-keys.tar')
+else
+  ssh_tars=$(find "$GHE_DATA_DIR" -maxdepth 2 -type f -iname 'ssh-host-keys.tar')
+fi
+
+# Store the current backup snapshot folder
+if [ -L "$GHE_DATA_DIR/current" ]; then
+  current_dir=$(readlink -f "$GHE_DATA_DIR/current")
+fi
+
+leaked_keys_found=false
+current_bkup=false
+for tar_file in $ssh_tars; do
+  for key in $keys; do
+    if $(tar -tvf "$tar_file" $key &>/dev/null); then
+      tar -C $TEMPDIR -xvf "$tar_file" $key &>/dev/null
+      fingerprint=$(ssh-keygen -lf $TEMPDIR/$key | cut -d ' ' -f 2)
+      if echo "$fingerprint_blacklist" | grep -q "$fingerprint"; then
+        leaked_keys_found=true
+        if [ "$current_dir" == $(dirname "$tar_file") ]; then
+          current_bkup=true
+          echo "* Leaked key found in current backup snapshot."
+        else
+          echo "* Leaked key found in backup snapshot."
+        fi
+        echo "* Snapshot file: $tar_file"
+        echo "* Key file: $key"
+        echo "* Key: $fingerprint"
+        echo
+      fi
+    fi
+  done
+done
+
+if $leaked_keys_found; then
+  if  echo "$ppid_name" | grep -q 'ghe-restore'; then
+    echo
+    echo "* The snapshot that is being restored contains a leaked SSH host key."
+    echo "* We recommend rolling the SSH host keys after completing the restore."
+    echo "* Roll the keys either manually or with ghe-ssh-roll-host-keys on the appliance."
+    echo "* (An upgrade may be required)"
+    echo
+  elif echo "$ppid_name" | grep -q 'ghe-backup'; then
+    echo "* The current backup contains leaked SSH host keys."
+    echo "* We strongly recommend rolling your SSH host keys and making a new backup."
+    echo "* Roll the keys either manually or with ghe-ssh-roll-host-keys on the appliance."
+    echo "* (An upgrade may be required)"
+  else
+    if $current_bkup; then
+      echo "* The current backup contains leaked SSH host keys."
+      echo "* Current backup directory: $current_dir"
+      echo "* We strongly recommend rolling your SSH host keys and making a new backup."
+      echo "* Roll the keys either manually or with ghe-ssh-roll-host-keys on the appliance."
+      echo "* (An upgrade may be required)"
+    fi
+    echo
+    echo "* One or more older backup snapshots contain leaked SSH host keys."
+    echo "* No immediate action is needed but when you use one of these older snapshots for a restore, "
+    echo "* please make sure to roll the SSH host keys after restore."
+    echo "* Roll the keys either manually or with ghe-ssh-roll-host-keys on the appliance."
+    echo "* (An upgrade may be required)"
+    echo
+  fi
+fi
+
+# Cleanup temp dir
+rm -rf $TEMPDIR