isometry
diff --git a/‎README.md‎
Lines changed: 39 additions & 21 deletions b/‎README.md‎
Lines changed: 39 additions & 21 deletions
diff --git a/‎agent/external.go‎
Lines changed: 80 additions & 0 deletions b/‎agent/external.go‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎agent/internal.go‎
Lines changed: 102 additions & 0 deletions b/‎agent/internal.go‎
Lines changed: 102 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 6 additions & 4 deletions b/‎go.mod‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎go.sum‎
Lines changed: 13 additions & 11 deletions b/‎go.sum‎
Lines changed: 13 additions & 11 deletions
@@ -18,7 +18,6 @@ An enhanced implementation of [`vault ssh`](https://www.vaultproject.io/docs/com
 * A [HashiCorp Vault](https://www.vaultproject.io/) instance configured for [SSH Client Key Signing](https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html#client-key-signing), access to an appropriate role, and an SSH server configured to trust the Vault CA.
 * An active Vault token (either in the `VAULT_TOKEN` environment variable, or – if the standard `vault` binary is available within `$PATH` – available from a Vault Token Helper). The `VAULT_ADDR` environment variable must also be set.
 * OpenSSH 7.2 or newer `ssh` client binary.
-* A standard SSH private key (stored anywhere supported by `ssh`), and the associated *unsigned* public key (default: `~/.ssh/id_rsa.pub`). `vssh` does *not* require access to the private key.
 
 ## Usage
 
@@ -30,44 +29,63 @@ Usage:
   vssh [options] destination [command]
 
 Application Options:
-      --version                           Show version
-
-Vault SSH key signing Options:
-      --path=                             Vault SSH Path (default: ssh) [$VAULT_SSH_PATH]
-      --role=                             Vault SSH Role (default: default) [$VAULT_SSH_ROLE]
-      --ttl=                              Vault SSH Certificate TTL (default: 300) [$VAULT_SSH_TTL]
-  -P, --public-key=                       OpenSSH Public RSA Key to sign (default: ~/.ssh/id_rsa.pub) [$VAULT_SSH_PUBLIC_KEY]
+      --mode=[sign|issue]                   Mode (default: issue) [$VAULT_SSH_MODE]
+      --type=[rsa|ec|ed25519]               Preferred key type (default: ed25519) [$VAULT_SSH_KEY_TYPE]
+      --bits=[0|2048|3072|4096|256|384|521] Key bits for 'issue' mode (default: 0) [$VAULT_SSH_KEY_BITS]
+      --path=                               Vault SSH mountpoint (default: ssh) [$VAULT_SSH_PATH]
+      --role=                               Vault SSH role (default: <ssh-username>) [$VAULT_SSH_ROLE]
+      --ttl=                                Vault SSH certificate TTL (default: 300) [$VAULT_SSH_TTL]
+  -P, --public-key=                         Path to preferred public key for 'sign' mode [$VAULT_SSH_PUBLIC_KEY]
+      --version                             Show version
 
 Certificate Extensions:
-      --default-extensions                Disable automatic extension calculation and request signer-default extensions [$VAULT_SSH_DEFAULT_EXTENSIONS]
-      --agent-forwarding                  Force permit-agent-forwarding extension [$VAULT_SSH_AGENT_FORWARDING]
-      --port-forwarding                   Force permit-port-forwarding extension [$VAULT_SSH_PORT_FORWARDING]
-      --no-pty                            Force disable permit-pty extension [$VAULT_SSH_NO_PTY]
-      --user-rc                           Enable permit-user-rc extension [$VAULT_SSH_USER_RC]
-      --x11-forwarding                    Force permit-X11-forwarding extension [$VAULT_SSH_X11_FORWARDING]
+      --default-extensions                  Disable automatic extension calculation and request signer-default extensions [$VAULT_SSH_DEFAULT_EXTENSIONS]
+      --agent-forwarding                    Force permit-agent-forwarding extension [$VAULT_SSH_AGENT_FORWARDING]
+      --port-forwarding                     Force permit-port-forwarding extension [$VAULT_SSH_PORT_FORWARDING]
+      --no-pty                              Force disable permit-pty extension [$VAULT_SSH_NO_PTY]
+      --user-rc                             Enable permit-user-rc extension [$VAULT_SSH_USER_RC]
+      --x11-forwarding                      Force permit-X11-forwarding extension [$VAULT_SSH_X11_FORWARDING]
 
 Help Options:
-  -h, --help                              Show this help message
+  -h, --help                                Show this help message
 ```
 
 If you need to override the [SSH Client Key Signing](https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html#client-key-signing) mountpoint or role, this is most easily achieved by setting the `VAULT_SSH_PATH` and `VAULT_SSH_ROLE` environment variables in your shell rc.
+If your Vault SSH mountpoint isn't configured with a role matching the target SSH username, you *will* need to specify the Vault SSH role to use (e.g. `export VAULT_SSH_ROLE=self` or `vssh --role=self host` if you're using a role named `self` configured with templated `allowed_users`).
+
+In `issue` mode (the default), the client will retrieve an ephemeral keypair from Vault, exposed to `ssh(1)` via an internal SSH agent.
 
-Similarly, if you prefer an `ed25519` or `ecdsa` key, override with `VAULT_SSH_PUBLIC_KEY`.
+In `sign` mode, the client will sign the public key specified, defaulting to the first key added into `ssh-agent(1)` (preferring the first of type matching `VAULT_SSH_KEY_TYPE`).
 
-By default, the certificate will be requested with only those extensions required for the current command (default `permit-pty` unless `-N` is specified). Additional extensions may be requested (e.g. to support expected future multiplexed connections) with the "Certificate Extensions" arguments, or the Vault role default extensions may be forced with `--default-extensions`.
+The certificate will be requested with only those extensions required for the current command (default `permit-pty` unless `-N` is specified). Additional extensions may be requested (e.g. to support expected future multiplexed connections) with the "Certificate Extensions" arguments, or the Vault role default extensions may be forced with `--default-extensions`.
 
-### Example
+### Examples
 
-The following will request that the ed25519 public key be signed by the Vault signed at `https://vault.example.com:8200/v1/ssh/sign/ssh-client-signer`, with `permit-pty` and `permit-port-forwarding` extensions to support the connection to `host.example.com`
+The following will request that an existing ed25519 public key be signed by the Vault signer at `https://vault.example.com:8200/v1/ssh-client-signer/sign/default`, with (automatic) `permit-pty` and `permit-port-forwarding` extensions to support the connection to `host.example.com`:
 
 ```console
-$ export VAULT_ADDR=https://vault.example.com:8200 VAULT_SSH_PATH=ssh-client-signer VAULT_SSH_PUBLIC_KEY=~/.ssh/id_ed25519.pub
-$ vault login -method=oidc
+$ ssh-add ~/.ssh/id_ed25519
+$ export VAULT_ADDR=https://vault.example.com:8200
+$ export VAULT_SSH_PATH=ssh-client-signer
+$ export VAULT_SSH_ROLE=default
+$ export VAULT_SSH_MODE=sign
+$ vault login
 ...
 $ vssh -L8080:localhost:80 host.example.com
 ...
 ```
 
+The following will request that an ephemeral ecdsa keypair with a (default) 256-bit private key be generated by the Vault issuer at `https://vault.example.com/v1/ssh/issue/root`, and used to run the `id` command on `host2.example.com` as `root`:
+
+```console
+$ export VAULT_ADDR=https://vault.example.com
+$ export VAULT_SSH_KEY_TYPE=ec
+$ vault login
+...
+$ vssh [email protected] id
+uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
+```
+
 ## Installation
 
 ### Manual
 
@@ -0,0 +1,80 @@
+package agent
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"os/user"
+
+	log "github.com/sirupsen/logrus"
+
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
+	"golang.org/x/exp/slices"
+)
+
+var sshKeyTypeMap = map[string][]string{
+	"rsa":     {ssh.KeyAlgoRSA},
+	"ec":      {ssh.KeyAlgoECDSA256, ssh.KeyAlgoSKECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521},
+	"ed25519": {ssh.KeyAlgoED25519, ssh.KeyAlgoSKED25519},
+	"sk":      {ssh.KeyAlgoSKECDSA256, ssh.KeyAlgoSKED25519},
+}
+
+var supportedKeyTypes = []string{
+	ssh.KeyAlgoRSA,
+	ssh.KeyAlgoECDSA256,
+	ssh.KeyAlgoSKECDSA256,
+	ssh.KeyAlgoECDSA384,
+	ssh.KeyAlgoECDSA521,
+	ssh.KeyAlgoED25519,
+	ssh.KeyAlgoSKED25519,
+}
+
+func GetBestPublicKey(preferredType string) (publicKey []byte, err error) {
+	prefKeyTypes, ok := sshKeyTypeMap[preferredType]
+	if !ok {
+		return nil, fmt.Errorf("invalid key type: %q", preferredType)
+	}
+
+	sock := os.Getenv("SSH_AUTH_SOCK")
+	if sock == "" {
+		currentUser, err := user.Current()
+		if err != nil {
+			return nil, err
+		}
+		sock = fmt.Sprintf("%s/.ssh/agent.sock", currentUser.HomeDir)
+	}
+	conn, err := net.Dial("unix", sock)
+	if err != nil {
+		return
+	}
+	defer conn.Close()
+
+	keyring := agent.NewClient(conn)
+
+	keys, err := keyring.List()
+	if err != nil {
+		return
+	}
+
+	var bestKey *agent.Key
+	for _, key := range keys {
+		keyType := key.Type()
+		if bestKey == nil && slices.Contains(supportedKeyTypes, keyType) {
+			bestKey = key
+		}
+		if slices.Contains(prefKeyTypes, keyType) {
+			bestKey = key
+			break
+		}
+	}
+	if bestKey == nil {
+		return nil, errors.New("no viable key found in external agent")
+	}
+	if !slices.Contains(prefKeyTypes, bestKey.Type()) {
+		log.Infof("no key of type %q found, falling back to first key of type %q", preferredType, bestKey.Type())
+	}
+
+	return []byte(bestKey.String()), nil
+}
@@ -0,0 +1,102 @@
+package agent
+
+import (
+	"io"
+	"net"
+	"os"
+	"path/filepath"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
+)
+
+type InternalAgent struct {
+	keyring    agent.Agent
+	socketDir  string
+	socketFile string
+	listener   net.Listener
+	stop       chan bool
+	stopped    chan bool
+}
+
+func NewInternalAgent() (ia *InternalAgent, err error) {
+	socketDir, err := os.MkdirTemp("", "vssh-agent.*")
+	if err != nil {
+		return
+	}
+
+	ia = &InternalAgent{
+		keyring:    agent.NewKeyring(),
+		socketDir:  socketDir,
+		socketFile: filepath.Join(socketDir, "agent.sock"),
+		stop:       make(chan bool),
+		stopped:    make(chan bool),
+	}
+
+	ia.listener, err = net.Listen("unix", ia.socketFile)
+	if err != nil {
+		return nil, err
+	}
+
+	go ia.run()
+	return ia, nil
+}
+
+func (ia *InternalAgent) run() {
+	defer close(ia.stopped)
+	for {
+		select {
+		case <-ia.stop:
+			return
+		default:
+			conn, err := ia.listener.Accept()
+			if err != nil {
+				select {
+				case <-ia.stop:
+					return
+				default:
+					log.Fatalf("could not accept connection to agent %v", err)
+					continue
+				}
+			}
+			defer conn.Close()
+			go func(c io.ReadWriter) {
+				err := agent.ServeAgent(ia.keyring, c)
+				if err != nil && !errors.Is(err, io.EOF) {
+					log.Printf("could not serve ssh agent %v", err)
+				}
+			}(conn)
+		}
+	}
+}
+
+func (ia *InternalAgent) AddSignedKeyPair(privateKeyStr string, signedKeyStr string) (err error) {
+	privateKey, err := ssh.ParseRawPrivateKey([]byte(privateKeyStr))
+	if err != nil {
+		return errors.Wrap(err, "failed to parse private key")
+	}
+
+	signedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(signedKeyStr))
+	if err != nil {
+		return errors.Wrap(err, "failed to parse signed public key")
+	}
+
+	return ia.keyring.Add(agent.AddedKey{
+		PrivateKey:  privateKey,
+		Certificate: signedKey.(*ssh.Certificate),
+	})
+}
+
+func (ia *InternalAgent) Stop() {
+	close(ia.stop)
+	ia.listener.Close()
+	<-ia.stopped
+	os.RemoveAll(ia.socketDir)
+}
+
+func (ia *InternalAgent) SocketFile() string {
+	return ia.socketFile
+}
@@ -7,7 +7,8 @@ require (
 	github.com/jessevdk/go-flags v1.5.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.0
-	golang.org/x/crypto v0.8.0
+	golang.org/x/crypto v0.9.0
+	golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea
 )
 
 require (
@@ -16,7 +17,7 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-hclog v1.4.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
@@ -28,8 +29,9 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/stretchr/testify v1.7.2 // indirect
-	golang.org/x/net v0.9.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/term v0.8.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 
@@ -9,11 +9,10 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv
 github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
-github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
+github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
@@ -22,8 +21,8 @@ github.com/hashicorp/go-hclog v1.4.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVH
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ=
-github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
+github.com/hashicorp/go-retryablehttp v0.7.2 h1:AcYqCvkpalPnPF2pn0KamgwamS42TqUDDYFRKq/RAd0=
+github.com/hashicorp/go-retryablehttp v0.7.2/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
@@ -71,10 +70,12 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
-golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
-golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
+golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
+golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea h1:vLCWI/yYrdEHyN2JzIzPO3aaQJHQdp89IZBA/+azVC4=
+golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -84,9 +85,10 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=