Enhanced ssh(1) option parsing and further refactoring; add support for allowed_user defaulting

isometry · isometry · commit 7b90008eb593 · 2020-10-31T12:09:31.000+01:00
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -46,3 +46,7 @@ brews:
     homepage: https://just.breathe.io/project/vault-ssh-plus/
     dependencies:
       - name: vault
+    test: |
+      system "#{bin}/vssh --version"
+    install: |
+      bin.install "vssh"
diff --git a/README.md b/README.md
@@ -8,6 +8,7 @@ An enhanced implementation of [`vault ssh`](https://www.vaultproject.io/docs/com
 * Automatic and transparent just-in-time delivery of short-lived, signed, single-use `ssh` client keys.
 * Principal of Least Privilege: by default signed keys only permit the specific options required.
 * Significantly lower memory overhead than `vault ssh`.
+* Automatic username mapping for roles with a single, fixed entry in `allowed_users` (e.g. `root`, `jenkins`, `ansible`).
 
 ## Requirements
 
@@ -26,30 +27,24 @@ Usage:
   vssh [options] destination [command]
 
 Application Options:
-      --version           show version
+      --version                           Show version
 
 Vault SSH key signing Options:
-      --path=             Vault SSH Path (default: ssh) [$VAULT_SSH_PATH]
-      --role=             Vault SSH Role (default: default) [$VAULT_SSH_ROLE]
-      --ttl=              Vault SSH Certificate TTL (default: 300) [$VAULT_SSH_TTL]
-  -P, --public-key=       OpenSSH Public RSA Key to sign (default:
-                          ~/.ssh/id_rsa.pub) [$VAULT_SSH_PUBLIC_KEY]
-      --polp              Enforce Principal of Least Privilege [$VAULT_SSH_POLP]
+      --path=                             Vault SSH Path (default: ssh) [$VAULT_SSH_PATH]
+      --role=                             Vault SSH Role (default: default) [$VAULT_SSH_ROLE]
+      --ttl=                              Vault SSH Certificate TTL (default: 300) [$VAULT_SSH_TTL]
+  -P, --public-key=                       OpenSSH Public RSA Key to sign (default: ~/.ssh/id_rsa.pub) [$VAULT_SSH_PUBLIC_KEY]
 
 Certificate Extensions:
-      --default-extensions  Disable Principal of Least Privilege and request
-                            signer-default extensions [$VAULT_SSH_DEFAULT_EXTENSIONS]
-      --agent-forwarding    Force permit-agent-forwarding extension
-                            [$VAULT_SSH_AGENT_FORWARDING]
-      --port-forwarding     Force permit-port-forwarding extension
-                            [$VAULT_SSH_PORT_FORWARDING]
-      --no-pty              Force disable permit-pty extension [$VAULT_SSH_NO_PTY]
-      --user-rc             Force permit-user-rc extension [$VAULT_SSH_USER_RC]
-      --x11-forwarding      Force permit-X11-forwarding extension
-                            [$VAULT_SSH_X11_FORWARDING]
+      --default-extensions                Disable automatic extension calculation and request signer-default extensions [$VAULT_SSH_DEFAULT_EXTENSIONS]
+      --agent-forwarding                  Force permit-agent-forwarding extension [$VAULT_SSH_AGENT_FORWARDING]
+      --port-forwarding                   Force permit-port-forwarding extension [$VAULT_SSH_PORT_FORWARDING]
+      --no-pty                            Force disable permit-pty extension [$VAULT_SSH_NO_PTY]
+      --user-rc                           Enable permit-user-rc extension [$VAULT_SSH_USER_RC]
+      --x11-forwarding                    Force permit-X11-forwarding extension [$VAULT_SSH_X11_FORWARDING]
 
 Help Options:
-  -h, --help              Show this help message
+  -h, --help                              Show this help message
 ```
 
 If you need to override the [SSH Client Key Signing](https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html#client-key-signing) mountpoint or role, this is most easily achieved by setting the `VAULT_SSH_PATH` and `VAULT_SSH_ROLE` environment variables in your shell rc.
diff --git a/go.mod b/go.mod
@@ -5,5 +5,5 @@ go 1.12
 require (
 	github.com/hashicorp/vault/api v1.0.4
 	github.com/jessevdk/go-flags v1.4.0
-	golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897 // indirect
+	golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897
 )
diff --git a/init-dev.sh b/init-dev.sh
@@ -24,4 +24,17 @@ vault write ssh/roles/default - <<-EOH
     }
 EOH
 
+vault write ssh/roles/root - <<-EOH
+    {
+        "key_type": "ca",
+        "allow_user_certificates": true,
+        "algorithm_signer": "rsa-sha2-512",
+        "default_user": "root",
+        "allowed_users": "root",
+        "default_extensions": [],
+        "allowed_extensions": "permit-pty,permit-port-forwarding",
+        "ttl": "60"
+    }
+EOH
+
 fg
diff --git a/main.go b/main.go
@@ -20,70 +20,63 @@ const (
 	date    = "unknown"
 )
 
-var options struct {
-	Signer  signer.Options  `group:"Vault SSH key signing Options"`
-	OpenSSH openssh.Options `group:"OpenSSH ssh(1) Options" hidden:"yes"`
-	Version func()          `long:"version" group:"Help" description:"show version"`
-}
+func init() {
+	var options struct {
+		Signer  signer.Options  `group:"Vault SSH key signing Options"`
+		OpenSSH openssh.Options `group:"OpenSSH ssh(1) Options" hidden:"yes"`
+		Version func()          `long:"version" description:"Show version"`
+	}
 
-func main() {
 	options.Version = func() {
 		fmt.Printf("vault-ssh-plus v%s (%s), %s\n", version, commit, date)
 		os.Exit(0)
 	}
+
 	parser := flags.NewParser(&options, flags.Default)
 	parser.Usage = "[options] destination [command]"
 	if _, err := parser.ParseArgs(os.Args[1:]); err != nil {
 		if flagsErr, ok := err.(*flags.Error); ok && flagsErr.Type == flags.ErrHelp {
 			os.Exit(0)
 		} else {
-			fmt.Println(err)
 			os.Exit(1)
 		}
 	}
+}
+
+func main() {
+	var (
+		vaultClient signer.Client
+		sshClient   openssh.Client
+		err         error
+	)
 
-	vaultClient, unparsedArgs, err := signer.ParseArgs(os.Args[1:])
+	unparsedArgs, err := signer.ParseArgs(&vaultClient, os.Args[1:])
 	if err != nil {
 		log.Fatal("[ERROR] parsing vault options: ", err)
 	}
 
-	sshClient, _, err := openssh.ParseArgs(unparsedArgs)
+	_, err = openssh.ParseArgs(&sshClient, unparsedArgs)
 	if err != nil {
 		log.Fatal("[ERROR] parsing ssh options: ", err)
 	}
 
 	if sshClient.Options.LoginName == "" {
-		currentUser, _ := user.Current()
-		sshClient.Options.LoginName = currentUser.Username
+		sshClient.Options.LoginName = getDefaultUser(&vaultClient, &sshClient)
 	}
 
 	controlConnection := sshClient.ControlConnection()
 
 	if !controlConnection && sshClient.Options.ControlCommand != "exit" {
-		if !vaultClient.Options.Extensions.PortForwarding &&
-			(sshClient.Options.ProxyJump != "" ||
-				sshClient.Options.DynamicForward != nil ||
-				sshClient.Options.LocalForward != nil ||
-				sshClient.Options.RemoteForward != nil) {
-			vaultClient.Options.Extensions.PortForwarding = true
-		}
-
-		if !vaultClient.Options.Extensions.NoPTY &&
-			(sshClient.Options.NoPTY ||
-				(sshClient.Options.ForcePTY == nil && len(sshClient.Options.Positional.RemoteCommand) > 0)) {
-			vaultClient.Options.Extensions.NoPTY = true
-		}
-
-		if !vaultClient.Options.Extensions.X11Forwarding && sshClient.Options.ForwardX11 {
-			vaultClient.Options.Extensions.X11Forwarding = true
-		}
+		updateRequestExtensions(&vaultClient.Options.Extensions, &sshClient.Options)
 
 		signedKey, err := vaultClient.GetSignedKey(sshClient.Options.LoginName)
 		if err != nil {
 			log.Fatal("[ERROR] failed to get signed key: ", err)
 		}
 
-		sshClient.SetSignedKey(signedKey)
+		if err := sshClient.SetSignedKey(signedKey); err != nil {
+			log.Fatal("[ERROR] invalid certificate: ", err)
+		}
 
 		signedKeyFile, err := sshClient.WriteSignedKeyFile(
 			filepath.Dir(vaultClient.Options.PublicKey),
@@ -110,10 +103,50 @@ func main() {
 
 func setupExitHandler(fn string) {
 	s := make(chan os.Signal)
-	signal.Notify(s, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT)
+	signal.Notify(s, os.Interrupt, os.Kill, syscall.SIGTERM, syscall.SIGQUIT)
 	go func() {
 		<-s
 		_ = os.Remove(fn)
 		os.Exit(0)
 	}()
 }
+
+func getDefaultUser(vaultClient *signer.Client, sshClient *openssh.Client) string {
+	var loginName string
+
+	// if the role only allows a single, fixed user, use it
+	allowedUser := vaultClient.GetAllowedUser()
+	if allowedUser != "" {
+		loginName = allowedUser
+		sshClient.PrependArgs([]string{"-l", allowedUser})
+	}
+
+	if loginName == "" {
+		currentUser, _ := user.Current()
+		loginName = currentUser.Username
+	}
+
+	return loginName
+}
+
+func updateRequestExtensions(requestExtensions *signer.Extensions, sshOptions *openssh.Options) {
+	if !requestExtensions.AgentForwarding && sshOptions.ForwardAgent {
+		requestExtensions.AgentForwarding = true
+	} else if requestExtensions.AgentForwarding && sshOptions.NoForwardAgent {
+		requestExtensions.AgentForwarding = false
+	}
+
+	if !requestExtensions.PortForwarding &&
+		(sshOptions.ProxyJump != "" || sshOptions.DynamicForward != nil || sshOptions.LocalForward != nil || sshOptions.RemoteForward != nil) {
+		requestExtensions.PortForwarding = true
+	}
+
+	if !requestExtensions.NoPTY &&
+		(sshOptions.NoPTY || (sshOptions.ForcePTY == nil && len(sshOptions.Positional.RemoteCommand) > 0)) {
+		requestExtensions.NoPTY = true
+	}
+
+	if !requestExtensions.X11Forwarding && sshOptions.ForwardX11 {
+		requestExtensions.X11Forwarding = true
+	}
+}
diff --git a/openssh/openssh.go b/openssh/openssh.go
@@ -12,13 +12,15 @@ import (
 	"syscall"
 
 	"github.com/jessevdk/go-flags"
+	"golang.org/x/crypto/ssh"
 )
 
 type Client struct {
 	Args          []string
 	Options       Options
 	SignedKey     string
 	SignedKeyFile string
+	Certificate   *ssh.Certificate
 }
 
 // Options for https://man.openbsd.org/ssh.1
@@ -49,7 +51,7 @@ type Options struct {
 	MacSpec               string     `short:"m" description:"Mac Specification"`
 	NoRemoteCommand       bool       `short:"N" description:"Do not execute a remote command"`
 	NullStdin             bool       `short:"n" description:"Redirect stdin from /dev/null"`
-	ControlCommand        string     `short:"O" description:"Send control command"`
+	ControlCommand        string     `short:"O" choice:"check" choice:"forward" choice:"cancel" choice:"exit" choice:"stop" description:"Send control command"`
 	Option                []string   `short:"o" description:"Override configuration option"`
 	Port                  uint16     `short:"p" default:"22" description:"Port"`
 	QueryOption           string     `short:"Q" description:"Query supported algorithms"`
@@ -79,25 +81,23 @@ type Positional struct {
 }
 
 // ParseArgs parses arguments intended for https://man.openbsd.org/ssh.1
-func ParseArgs(args []string) (Client, []string, error) {
-	var o Client
+func ParseArgs(client *Client, args []string) ([]string, error) {
+	client.Args = args
 
-	o.Args = args
-
-	parser := flags.NewParser(&o.Options, flags.PassDoubleDash|flags.IgnoreUnknown)
+	parser := flags.NewParser(&client.Options, flags.PassDoubleDash|flags.IgnoreUnknown)
 	unparsedArgs, err := parser.ParseArgs(args)
 	if err != nil {
-		return Client{}, nil, err
+		return nil, err
 	}
 
-	if err := o.ParseDestination(o.Options.Positional.Destination); err != nil {
-		return Client{}, nil, err
+	if err := client.ParseDestination(client.Options.Positional.Destination); err != nil {
+		return nil, err
 	}
-	if err := o.ParseOptions(o.Options.Option, "="); err != nil {
-		return Client{}, nil, err
+	if err := client.ParseOptions(client.Options.Option, "="); err != nil {
+		return nil, err
 	}
 
-	return o, unparsedArgs, nil
+	return unparsedArgs, nil
 }
 
 // ParseDestination parses the `destination` argument as an `ssh://` scheme URI and updates options according to what it finds
@@ -130,8 +130,9 @@ func (c *Client) ParseDestination(destination string) error {
 // ParseOptions parses ssh_config options of the form `key[separator]value` and updates other options accordingly
 func (c *Client) ParseOptions(options []string, separator string) error {
 	for _, option := range options {
-		split := strings.Split(option, separator)
-		key, value := split[0], strings.Join(split[1:], separator)
+		split := strings.SplitN(option, separator, 2)
+		key, value := split[0], split[1]
+
 		switch key {
 		case "User":
 			if c.Options.LoginName == "" {
@@ -169,8 +170,12 @@ func (c *Client) PrependArgs(args []string) {
 }
 
 // SetSignedKey sets the Client's signed key
-func (c *Client) SetSignedKey(key string) {
+func (c *Client) SetSignedKey(key string) error {
 	c.SignedKey = key
+	if err := c.ParseSignedKey(); err != nil {
+		return err
+	}
+	return nil
 }
 
 // WriteSignedKeyFile updates the signed key at path/name
@@ -214,3 +219,19 @@ func (c *Client) Connect() error {
 		return cmd.Run()
 	}
 }
+
+func (c *Client) ParseSignedKey() error {
+	pub, _, _, _, err := ssh.ParseAuthorizedKey([]byte(c.SignedKey))
+	if err != nil {
+		return err
+	}
+
+	cert, ok := pub.(*ssh.Certificate)
+	if !ok {
+		return nil // XXX: return an appropriate custom error!
+	}
+
+	c.Certificate = cert
+
+	return nil
+}
diff --git a/signer/vault.go b/signer/vault.go

Original file line number	Diff line number	Diff line change
`@@ -5,5 +5,5 @@ go 1.12`
`5`	`5`	`require (`
`6`	`6`	`github.com/hashicorp/vault/api v1.0.4`
`7`	`7`	`github.com/jessevdk/go-flags v1.4.0`
`8`		`- golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897 // indirect`
	`8`	`+ golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897`
`9`	`9`	`)`