Merge branch 'master' into tr_graph

Author: mwfarb

.gitignore

@@ -49,6 +49,8 @@ sensorapp/sensorserver/sensorserver
 webapp/webapp
 tools/pathdb_dump/pathdb_dump
 netcat/netcat
+ssh/client/client
+ssh/server/server
 roughtime/timeclient/timeclient
 roughtime/timeserver/timeserver
 

Makefile

@@ -1,7 +1,7 @@
 .PHONY: all clean
 
 ROOT_DIR=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-SRCDIRS= helloworld sensorapp/sensorserver sensorapp/sensorfetcher camerapp/imageserver camerapp/imagefetcher bwtester/bwtestserver bwtester/bwtestclient webapp bat bat/example_server tools/pathdb_dump roughtime/timeserver roughtime/timeclient netcat
+SRCDIRS= helloworld sensorapp/sensorserver sensorapp/sensorfetcher camerapp/imageserver camerapp/imagefetcher bwtester/bwtestserver bwtester/bwtestclient webapp bat bat/example_server tools/pathdb_dump roughtime/timeserver roughtime/timeclient ssh/client ssh/server netcat
 TARGETS = $(foreach D,$(SRCDIRS),$(D)/$(notdir $(D)))
 
 all: $(TARGETS)

ssh/README.md

@@ -0,0 +1,61 @@
+# SCION enabled SSH
+
+SSH client and server running over SCION network.
+
+# Installation
+
+## Prerequisite
+
+SCION infrastructure has to be installed and running. Instructions can be found [here](https://github.com/scionproto/scion)
+
+Additional development library for PAM is needed:
+```
+sudo apt-get install libpam0g-dev
+```
+
+# Running
+
+To generate TLS connection certificates:
+```
+# These are valid for 365 days, so you'll have to renew them periodically
+# Client
+cd ~/.ssh
+openssl req -newkey rsa:2048 -nodes -keyout quic-conn-key.pem -x509 -days 365 -out quic-conn-certificate.pem
+-# Server
+cd /etc/ssh
+sudo openssl req -newkey rsa:2048 -nodes -keyout quic-conn-key.pem -x509 -days 365 -out quic-conn-certificate.pem
+```
+
+You'll also need to create a client key (if you don't have one yet):
+```
+cd ~/.ssh
+ssh-keygen -t rsa -f id_rsa
+```
+
+And create an authorized key file for the server with the public key (note that you'd usually place this in `/home/<user>/.ssh/authorized_keys` whereas `<user>` is the user on the server you want to gain access to, but make sure not to overwrite an existing file):
+```
+cd $GOPATH/src/github.com/netsec-ethz/scion-apps/ssh/server
+cp ~/.ssh/id_rsa.pub ./authorized_keys
+```
+
+Running the server:
+```
+cd $GOPATH/src/github.com/netsec-ethz/scion-apps/ssh/server
+# If you are not root, you need to use sudo. You might also need the -E flag to preserve environment variables (like $SC)
+sudo -E ./server -oPort=2200 -oAuthorizedKeysFile=./authorized_keys
+# You might also want to disable password authentication for security reasons with -oPasswordAuthentication=no
+```
+
+
+Running the client:
+```
+cd $GOPATH/src/github.com/netsec-ethz/scion-apps/ssh/client
+./client -p 2200 1-11,[127.0.0.1] -oUser=username
+```
+
+Using SCP (make sure you've done `chmod +x ./scp.sh` first):
+```
+cd $GOPATH/src/github.com/netsec-ethz/scion-apps/ssh/scp
+./scp.sh -P 2200 localFileToCopy.txt [1-11,[127.0.0.1]]:remoteTarget.txt
+```
+

ssh/client/clientconfig/clientconfig.go

@@ -0,0 +1,43 @@
+package clientconfig
+
+// ClientConfig is a struct containing configuration for the client.
+type ClientConfig struct {
+	User                   string   `regex:".*"`
+	HostAddress            string   `regex:"(?P<ia>\\d+-[\\d:A-Fa-f]+),\\[(?P<host>[^\\]]+)\\]"`
+	Port                   string   `regex:"0*([0-5]?\\d{0,4}|6([0-4]\\d{3}|5([0-4]\\d{2}|5([0-2]\\d|3[0-5]))))"`
+	PasswordAuthentication string   `regex:"(yes|no)"`
+	PubkeyAuthentication   string   `regex:"(yes|no)"`
+	StrictHostKeyChecking  string   `regex:"(yes|no|ask)"`
+	IdentityFile           []string `regex:".*"`
+	LocalForward           string   `regex:".*"`
+	RemoteForward          string   `regex:".*"`
+	UserKnownHostsFile     string   `regex:".*"`
+	ProxyCommand           string   `regex:".*"`
+	QUICCertificatePath    string   `regex:".*"`
+	QUICKeyPath            string   `regex:".*"`
+}
+
+// Create creates a new ClientConfig with the default values.
+func Create() *ClientConfig {
+	return &ClientConfig{
+		User:        "",
+		HostAddress: "",
+		Port:        "22",
+		PasswordAuthentication: "yes",
+		PubkeyAuthentication:   "yes",
+		StrictHostKeyChecking:  "ask",
+		UserKnownHostsFile:     "~/.ssh/known_hosts",
+		IdentityFile: []string{
+			"~/.ssh/id_ed25519",
+			"~/.ssh/id_ecdsa",
+			"~/.ssh/id_dsa",
+			"~/.ssh/id_rsa",
+			"~/.ssh/identity",
+		},
+		LocalForward:        "",
+		RemoteForward:       "",
+		ProxyCommand:        "",
+		QUICCertificatePath: "~/.ssh/quic-conn-certificate.pem",
+		QUICKeyPath:         "~/.ssh/quic-conn-key.pem",
+	}
+}

ssh/client/clientconfig/clientconfig_test.go

@@ -0,0 +1,99 @@
+package clientconfig
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/netsec-ethz/scion-apps/ssh/config"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestDefaultConfig(t *testing.T) {
+	Convey("Given an example SSH config file", t, func() {
+		configString := `
+			Host *
+			ForwardAgent no
+			ForwardX11 no
+			ForwardX11Trusted yes
+			RhostsRSAAuthentication no
+			RSAAuthentication yes
+			PasswordAuthentication no
+			HostbasedAuthentication yes
+			GSSAPIAuthentication no
+			GSSAPIDelegateCredentials no
+			GSSAPIKeyExchange no
+			GSSAPITrustDNS no
+			BatchMode no
+			CheckHostIP yes
+			AddressFamily any
+			ConnectTimeout 0
+			StrictHostKeyChecking no
+			IdentityFile ~/.ssh/identity
+			IdentityFile ~/.ssh/id_rsa
+			IdentityFile ~/.ssh/id_dsa
+			IdentityFile ~/.ssh/id_ecdsa
+			IdentityFile ~/.ssh/id_ed25519
+			Port 65535
+			Protocol 2
+			Cipher 3des
+			Ciphers aes128-ctr,aes192-ctr,aes256-ctr$
+			MACs hmac-md5,hmac-sha1,umac-64@openssh.$
+			EscapeChar ~
+			Tunnel no
+			TunnelDevice any:any
+			PermitLocalCommand no
+			VisualHostKey no
+			ProxyCommand ssh -q -W %h:%p gateway.exa$
+			RekeyLimit 1G 1h
+			SendEnv LANG LC_*
+			HashKnownHosts yes
+			GSSAPIAuthentication yes
+			GSSAPIDelegateCredentials no
+		`
+
+		Convey("The new values are read correctly", func() {
+			conf := &ClientConfig{}
+			config.UpdateFromReader(conf, strings.NewReader(configString))
+			So(conf.HostAddress, ShouldEqual, "")
+			So(conf.PasswordAuthentication, ShouldEqual, "no")
+			So(conf.StrictHostKeyChecking, ShouldEqual, "no")
+			So(conf.Port, ShouldEqual, "65535")
+			So(conf.IdentityFile[len(conf.IdentityFile)-1], ShouldEqual, "~/.ssh/identity")
+			So(conf.IdentityFile[len(conf.IdentityFile)-2], ShouldEqual, "~/.ssh/id_rsa")
+			So(conf.IdentityFile[len(conf.IdentityFile)-3], ShouldEqual, "~/.ssh/id_dsa")
+			So(conf.IdentityFile[len(conf.IdentityFile)-4], ShouldEqual, "~/.ssh/id_ecdsa")
+			So(conf.IdentityFile[len(conf.IdentityFile)-5], ShouldEqual, "~/.ssh/id_ed25519")
+		})
+
+	})
+}
+
+func TestPortRegex(t *testing.T) {
+	Convey("Given a default config file", t, func() {
+		conf := &ClientConfig{}
+
+		Convey("Valid port numbers are accepted", func() {
+			nums := []int{1, 2, 3, 10, 100, 1000, 10000, 45, 652, 3486, 43621, 6554, 66, 65535}
+			for _, i := range nums {
+				err := config.Set(conf, "Port", i)
+				So(err, ShouldEqual, nil)
+				So(conf.Port, ShouldEqual, fmt.Sprintf("%v", i))
+			}
+		})
+
+		Convey("Invalid port numbers are not accepted", func() {
+			nums := []int{-1, 2, 3, 351000, 10064300, 455635, 65345632, 34845636, 6436554, 65536, 70000}
+			for _, i := range nums {
+				if i >= 0 && i <= 65535 {
+					continue
+				}
+				initialPort := conf.Port
+				err := config.Set(conf, "Port", i)
+				So(err, ShouldNotEqual, nil)
+				So(conf.Port, ShouldEqual, fmt.Sprintf("%v", initialPort))
+			}
+		})
+
+	})
+}