Merge pull request #21 from keybase/david/specify-key-in-ssh-config

Specify key in ssh config and add kssh debug logs

Author: ddworken

README.md

@@ -152,14 +152,18 @@ VERSION:
    0.0.1
 
 GLOBAL OPTIONS:
-   --help,               Show help
+   --help                Show help
+   -v                    Enable kssh and ssh debug logs
    --provision           Provision a new SSH key and add it to the ssh-agent. Useful if you need to run another 
                          program that uses SSH auth (eg scp, rsync, etc)
    --set-default-bot     Set the default bot to be used for kssh. Not necessary if you are only in one team that
                          is using Keybase SSH CA
    --clear-default-bot   Clear the default bot
    --bot                 Specify a specific bot to be used for kssh. Not necessary if you are only in one team that
-                         is using Keybase SSH CA`)
+                         is using Keybase SSH CA
+   --set-default-user    Set the default SSH user to be used for kssh. Useful if you use ssh configs that do not set 
+					     a default SSH user 
+   --clear-default-user  Clear the default SSH user
 ```
 
 ## Architecture

go.mod

@@ -5,6 +5,7 @@ go 1.12
 require (
 	github.com/google/uuid v1.1.1
 	github.com/keybase/go-keybase-chat-bot v0.0.0-20190812134859-bc54fd9cf83b
+	github.com/sirupsen/logrus v1.4.2
 	github.com/stretchr/testify v1.3.0
 	github.com/urfave/cli v1.21.0
 	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4

go.sum

@@ -1,13 +1,21 @@
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/keybase/go-keybase-chat-bot v0.0.0-20190812134859-bc54fd9cf83b h1:7Te2f9LQ/rd6XSzpntz6BaCBgglZ0uiCdv3/GdhX9VA=
 github.com/keybase/go-keybase-chat-bot v0.0.0-20190812134859-bc54fd9cf83b/go.mod h1:vNc28YFzigVJod0j5EbuTtRIe7swx8vodh2yA4jZ2s8=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/urfave/cli v1.21.0 h1:wYSSj06510qPIzGSua9ZqsncMmWE3Zr55KBERygyrxE=
@@ -19,6 +27,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e h1:D5TXcfTk7xF7hvieo4QErS3qqCB4teTffacDWr7CI+0=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

src/cmd/kssh/kssh.go

@@ -13,11 +13,13 @@ import (
 	"github.com/google/uuid"
 	"github.com/keybase/bot-ssh-ca/src/kssh"
 	"github.com/keybase/bot-ssh-ca/src/shared"
+	log "github.com/sirupsen/logrus"
 
 	"golang.org/x/crypto/ssh"
 )
 
 func main() {
+	kssh.InitLogging()
 	team, remainingArgs, action, err := handleArgs(os.Args[1:])
 	if err != nil {
 		fmt.Printf("Failed to parse arguments: %v\n", err)
@@ -29,7 +31,9 @@ func main() {
 		os.Exit(1)
 	}
 	if isValidCert(keyPath) {
+		log.WithField("keyPath", keyPath).Debug("Reusing unexpired certificate")
 		doAction(action, keyPath, remainingArgs)
+		os.Exit(0)
 	}
 	config, err := getConfig(team)
 	if err != nil {
@@ -80,6 +84,7 @@ var cliArguments = []kssh.CLIArgument{
 	{Name: "--set-default-user", HasArgument: true},
 	{Name: "--clear-default-user", HasArgument: false},
 	{Name: "--help", HasArgument: false},
+	{Name: "-v", HasArgument: false, Preserve: true},
 }
 
 func generateHelpPage() string {
@@ -93,7 +98,8 @@ VERSION:
    0.0.1
 
 GLOBAL OPTIONS:
-   --help,               Show help
+   --help                Show help
+   -v                    Enable kssh and ssh debug logs
    --provision           Provision a new SSH key and add it to the ssh-agent. Useful if you need to run another 
                          program that uses SSH auth (eg scp, rsync, etc)
    --set-default-bot     Set the default bot to be used for kssh. Not necessary if you are only in one team that
@@ -171,6 +177,9 @@ func handleArgs(args []string) (string, []string, Action, error) {
 			fmt.Println(generateHelpPage())
 			os.Exit(0)
 		}
+		if arg.Argument.Name == "-v" {
+			log.SetLevel(log.DebugLevel)
+		}
 	}
 	return team, remaining, action, nil
 }
@@ -249,7 +258,7 @@ func isValidCert(keyPath string) bool {
 
 // Provision a new signed SSH key with the given config
 func provisionNewKey(config kssh.ConfigFile, keyPath string) error {
-	fmt.Println("Generating a new SSH key...")
+	log.Debug("Generating a new SSH key...")
 	err := sshutils.GenerateNewSSHKey(keyPath, true, false)
 	if err != nil {
 		return fmt.Errorf("Failed to generate a new SSH key: %v", err)
@@ -264,13 +273,15 @@ func provisionNewKey(config kssh.ConfigFile, keyPath string) error {
 		return fmt.Errorf("Failed to generate a new UUID for the SignatureRequest: %v", err)
 	}
 
+	log.Debug("Requesting signature from the CA....")
 	resp, err := kssh.GetSignedKey(config, shared.SignatureRequest{
 		UUID:         randomUUID.String(),
 		SSHPublicKey: string(pubKey),
 	})
 	if err != nil {
 		return fmt.Errorf("Failed to get a signed key from the CA: %v", err)
 	}
+	log.Debug("Received signature from the CA!")
 
 	err = ioutil.WriteFile(shared.KeyPathToCert(keyPath), []byte(resp.SignedKey), 0600)
 	if err != nil {
@@ -291,7 +302,7 @@ func runSSHWithKey(keyPath string, remainingArgs []string) {
 	}
 	if user != "" {
 		useConfig = true
-		err = kssh.CreateDefaultUserConfigFile()
+		err = kssh.CreateDefaultUserConfigFile(keyPath)
 		if err != nil {
 			fmt.Printf("Failed to set default user: %v\n", err)
 			os.Exit(1)
@@ -305,13 +316,11 @@ func runSSHWithKey(keyPath string, remainingArgs []string) {
 		os.Exit(1)
 	}
 
-	// A new line to separate kssh output from ssh output
-	fmt.Printf("\n")
-
 	argumentList := []string{"-i", keyPath, "-o", "IdentitiesOnly=yes"}
 	checkAndWarnOnUnspecifiedBehavior(useConfig, remainingArgs)
 	if useConfig {
 		argumentList = append(argumentList, "-F", kssh.AlternateSSHConfigFile)
+		log.WithField("user", user).Debug("Using default ssh user")
 	}
 
 	argumentList = append(argumentList, remainingArgs...)
@@ -333,7 +342,7 @@ func checkAndWarnOnUnspecifiedBehavior(useConfig bool, arguments []string) {
 	if useConfig {
 		for _, arg := range arguments {
 			if arg == "-F" {
-				fmt.Println("Warning: You passed a -F flag, but kssh also uses this argument in " +
+				log.Warn("Warning: You passed a -F flag, but kssh also uses this argument in " +
 					"order to implement support for a default SSH username, which you're also using. " +
 					"Either do not use the -F flag or run `kssh --clear-default-user` to reset the " +
 					"default SSH user and delegate this to the running CA bot.")

src/cmd/kssh/kssh_test.go

@@ -23,7 +23,6 @@ func copyKeyFromTestFixture(t *testing.T, name, destination string) {
 	require.NoError(t, err)
 	err = ioutil.WriteFile(shared.KeyPathToCert(destination), cert, 0600)
 	require.NoError(t, err)
-
 }
 
 func TestIsValidCert(t *testing.T) {

src/kssh/bot.go

@@ -51,7 +51,6 @@ func GetSignedKey(config ConfigFile, request shared.SignatureRequest) (shared.Si
 		}
 	}()
 
-	fmt.Println("Requesting signature from the CA....")
 	hasBeenAcked := false
 	startTime := time.Now()
 	for {
@@ -97,7 +96,6 @@ func GetSignedKey(config ConfigFile, request shared.SignatureRequest) (shared.Si
 				// someone else's signature request
 				continue
 			}
-			fmt.Println("Received signature from the CA!")
 			return resp, nil
 		}
 	}

src/kssh/flags.go

@@ -3,13 +3,24 @@ package kssh
 import "fmt"
 
 type CLIArgument struct {
-	Name        string // eg "--foo"
-	HasArgument bool   // true if an argument comes after it (eg "--foo bar") false if it is a boolean flag (eg "--help")
+	// The name of the flag eg "--foo"
+	Name string
+
+	// HasArgument:true if an argument comes after it (eg "--foo bar") false if it is a boolean flag (eg "--help")
+	HasArgument bool
+
+	// Preserve:true if you wish to preserve this argument into the list of remaining arguments even if found
+	// eg if your command takes in a `-v` flag and the subcommand also takes in a `-v` flag
+	// incompatible with HasArgument: true but only because that has not been built
+	Preserve bool
 }
 
 type ParsedCLIArgument struct {
+	// The CLIArgument that was found and parsed
 	Argument CLIArgument
-	Value    string
+
+	// The value associated with it if HasArgument:true. Otherwise an empty string.
+	Value string
 }
 
 // ParseArgs parses os.Args for use with kssh. This is handwritten rather than using go's flag library (or
@@ -19,6 +30,12 @@ type ParsedCLIArgument struct {
 //
 // Returns: a list of the remaining unparsed arguments, a list of the parsed arguments, error
 func ParseArgs(args []string, cliArguments []CLIArgument) ([]string, []ParsedCLIArgument, error) {
+	for _, cliArg := range cliArguments {
+		if cliArg.Preserve && cliArg.HasArgument {
+			return nil, nil, fmt.Errorf("cannot specify Preserve and HasArgument for argument %s", cliArg.Name)
+		}
+	}
+
 	remainingArguments := []string{}
 	found := []ParsedCLIArgument{}
 OUTER:
@@ -36,6 +53,9 @@ OUTER:
 					i++
 				}
 				found = append(found, parsed)
+				if cliArg.Preserve {
+					remainingArguments = append(remainingArguments, arg)
+				}
 				continue OUTER
 			}
 		}

src/kssh/flags_test.go

@@ -19,6 +19,7 @@ func TestParseArgs(t *testing.T) {
 		{Name: "--arg-with-value", HasArgument: true},
 		{Name: "--arg2-with-value", HasArgument: true},
 		{Name: "--arg-without-value", HasArgument: false},
+		{Name: "--preserved-flag", Preserve: true},
 	}
 	testCases := []testCase{
 		// No arguments
@@ -71,6 +72,16 @@ func TestParseArgs(t *testing.T) {
 			remaining: nil,
 			found:     nil,
 		},
+		// Preserve:true
+		{
+			args:      []string{"--preserved-flag", "--arg-without-value", "unused"},
+			err:       nil,
+			remaining: []string{"--preserved-flag", "unused"},
+			found: []ParsedCLIArgument{
+				{Argument: CLIArgument{Name: "--preserved-flag", HasArgument: false, Preserve: true}, Value: ""},
+				{Argument: CLIArgument{Name: "--arg-without-value", HasArgument: false}, Value: ""},
+			},
+		},
 	}
 
 	for i, testCase := range testCases {

src/kssh/log.go

@@ -0,0 +1,17 @@
+package kssh
+
+import log "github.com/sirupsen/logrus"
+
+// Prefix formatter adds a prefix of "kssh: " to log messages before delegating to the default text formatter
+type prefixFormatter struct{}
+
+func (pf *prefixFormatter) Format(entry *log.Entry) ([]byte, error) {
+	entry.Message = "kssh: " + entry.Message
+	textFormatter := &log.TextFormatter{}
+	return textFormatter.Format(entry)
+}
+
+func InitLogging() {
+	log.SetLevel(log.WarnLevel)
+	log.SetFormatter(&prefixFormatter{})
+}

src/kssh/ssh.go

@@ -22,7 +22,7 @@ func AddKeyToSSHAgent(keyPath string) error {
 var AlternateSSHConfigFile = shared.ExpandPathWithTilde("~/.ssh/kssh-config")
 
 // Create an SSH config file that inherits from the default SSH config file but sets a default SSH user
-func CreateDefaultUserConfigFile() error {
+func CreateDefaultUserConfigFile(keyPath string) error {
 	user, err := GetDefaultSSHUser()
 	if err != nil {
 		return err
@@ -44,10 +44,13 @@ func CreateDefaultUserConfigFile() error {
 		f.Close()
 	}
 
+	// This config file sets a default ssh user and a default ssh key. This ensures that kssh's signed key will be used.
 	config := fmt.Sprintf("# kssh config file to set a default SSH user\n"+
 		"Include config\n"+
 		"Host *\n"+
-		"  User %s\n", user)
+		"  User %s\n"+
+		"  IdentityFile %s\n"+
+		"  IdentitiesOnly yes\n", user, keyPath)
 
 	f, err := os.OpenFile(AlternateSSHConfigFile, os.O_CREATE|os.O_WRONLY, 0644)
 	if err != nil {
@@ -58,7 +61,6 @@ func CreateDefaultUserConfigFile() error {
 	if err != nil {
 		return err
 	}
-	fmt.Printf("Using default ssh user %s\n", user)
 	return nil
 }