Add ability to set a default SSH user for kssh

This feature is useful when using jumpboxes combined with ssh configs. For example, imagine you have an SSH
config that translates to this command:

```
ssh -J jump.example.com server.internal
```

When run via kssh, you want it to use the `developer` user but when run via ssh you want it to use your
username as the user (the default when no user is specified). Prior to this change, that was not possible.
Now, kssh does two new things:

1. kssh --set-default-user
	It is now possible to set a default SSH user to use with kssh. This is implemented via an SSH config
	file that applies a User directive to all hosts. This config file then inherits from the default ssh
	config file at ~/.ssh/config. This makes it possible to set a default user without modifying the
	user's ssh config file.
2. kssh now adds to the SSH agent by default
	Now by default kssh adds to the running ssh agent. This is necessary in order for jumpboxes to work
	since they rely on ssh agent forwarding.

As part of this, I also had to tweak the tests to make all of this work properly.

Author: ddworken

README.md

@@ -153,9 +153,9 @@ client config file is how kssh determines which teams are using kssh and the nee
 channel name, the name of the bot, etc). When keybaseca stops, it deletes all of the client config files. 
 
 kssh reads the client config file in order to determine how to interact with a bot. kssh does not have any user controlled
-configuration. It does have one local config file stored in `~/.ssh/kssh.config` that is used to store the default bot
-if the kssh user has access to multiple running keybaseca bots. This config file is not meant to be manually edited and is only meant to be 
-interacted with via the `--set-default-bot` and `--clear-default-bot` flags. 
+configuration. It does have one local config file stored in `~/.ssh/kssh.config` that is used to store a few settings 
+for kssh. By default, this config file is not used. It is only created and meant to be interacted with via the 
+`--set-default-bot`, `--clear-default-bot`, `--set-default-user`, `--clear-default-user` flags. 
 
 #### Communication
 

docs/troubleshooting.md

@@ -59,4 +59,10 @@ ssh-keygen \
   /path/to/key.pub
 ```
 
-You can then use the signed SSH key to SSH via `ssh -i /path/to/key.pub user@server`. 
+You can then use the signed SSH key to SSH via `ssh -i /path/to/key.pub user@server`. 
+
+## Using kssh with jumpboxes and bastion hosts
+
+kssh does work correctly with jumpboxes and bastion hosts. Eg the command `kssh -J jumpbox.example.com server.internal`
+does work correctly. If using this with an SSH config, it may be useful to use `kssh --set-default-user foo` in order
+to specify a user to use for all kssh connections. 

go.mod

@@ -9,5 +9,4 @@ require (
 	github.com/urfave/cli v1.21.0
 	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
 	golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e // indirect
-	gopkg.in/yaml.v2 v2.2.2 // indirect
 )

src/cmd/kssh/kssh.go

@@ -77,6 +77,8 @@ var cliArguments = []kssh.CLIArgument{
 	{Name: "--clear-default-bot", HasArgument: false},
 	{Name: "--bot", HasArgument: true},
 	{Name: "--provision", HasArgument: false},
+	{Name: "--set-default-user", HasArgument: true},
+	{Name: "--clear-default-user", HasArgument: false},
 	{Name: "--help", HasArgument: false},
 }
 
@@ -98,7 +100,10 @@ GLOBAL OPTIONS:
                          is using Keybase SSH CA
    --clear-default-bot   Clear the default bot
    --bot                 Specify a specific bot to be used for kssh. Not necessary if you are only in one team that
-                         is using Keybase SSH CA`)
+                         is using Keybase SSH CA
+   --set-default-user    Set the default SSH user to be used for kssh. Useful if you use ssh configs that do not set 
+					     a default SSH user 
+   --clear-default-user  Clear the default SSH user`)
 }
 
 type Action int
@@ -122,6 +127,24 @@ func handleArgs(args []string) (string, []string, Action, error) {
 		if arg.Argument.Name == "--bot" {
 			team = arg.Value
 		}
+		if arg.Argument.Name == "--set-default-user" {
+			err := kssh.SetDefaultSSHUser(arg.Value)
+			if err != nil {
+				fmt.Printf("Failed to set the default ssh user: %v\n", err)
+				os.Exit(1)
+			}
+			fmt.Println("Set default ssh user, exiting...")
+			os.Exit(0)
+		}
+		if arg.Argument.Name == "--clear-default-user" {
+			err := kssh.SetDefaultSSHUser("")
+			if err != nil {
+				fmt.Printf("Failed to clear the default ssh user: %v\n", err)
+				os.Exit(1)
+			}
+			fmt.Println("Cleared default ssh user, exiting...")
+			os.Exit(0)
+		}
 		if arg.Argument.Name == "--set-default-bot" {
 			// We exit immediately after setting the default bot
 			err := kssh.SetDefaultBot(arg.Value)
@@ -257,17 +280,38 @@ func provisionNewKey(config kssh.ConfigFile, keyPath string) error {
 	return nil
 }
 
-// Run SSH with the given key. Calls os.Exit if SSH returns
+// Run SSH with the given key. Calls os.Exit and does not return.
 func runSSHWithKey(keyPath string, remainingArgs []string) {
-	fmt.Printf("\n") // a new line to separate kssh output from ssh output
+	// Create a config file for the default user if necessary
+	useConfig, err := kssh.CreateDefaultUserConfigFile()
+	if err != nil {
+		fmt.Printf("Failed to set default user: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Add the key to the ssh-agent in case we are doing multiple connections (eg via the `-J` flag)
+	err = kssh.AddKeyToSSHAgent(keyPath)
+	if err != nil {
+		fmt.Printf("Failed to add SSH key to the SSH agent: %v\n", err)
+		os.Exit(1)
+	}
+
+	// A new line to separate kssh output from ssh output
+	fmt.Printf("\n")
+
 	argumentList := []string{"-i", keyPath, "-o", "IdentitiesOnly=yes"}
+	if useConfig {
+		argumentList = append(argumentList, "-F", kssh.AlternateSSHConfigFile)
+	}
+
 	argumentList = append(argumentList, remainingArgs...)
 
 	cmd := exec.Command("ssh", argumentList...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	cmd.Stdin = os.Stdin
-	err := cmd.Run()
+	err = cmd.Run()
+
 	if err != nil {
 		fmt.Printf("SSH exited with err: %v\n", err)
 		os.Exit(1)

src/kssh/config.go

@@ -109,40 +109,91 @@ func LoadConfig(kbfsFilename string) (ConfigFile, error) {
 type LocalConfigFile struct {
 	DefaultBotName string `json:"default_bot"`
 	DefaultBotTeam string `json:"default_team"`
+	DefaultSSHUser string `json:"default_ssh_user"`
 }
 
 // Where to store the local config file. Just stash it in ~/.ssh
 var localConfigFileLocation = shared.ExpandPathWithTilde("~/.ssh/kssh.config")
 
-func SetDefaultBot(botname string) error {
-	if botname == "" {
-		return os.Remove(localConfigFileLocation)
+func GetDefaultSSHUser() (string, error) {
+	lcf, err := getCurrentConfig()
+	if err != nil {
+		return "", err
 	}
-	teamname, err := GetTeamFromBot(botname)
+
+	return lcf.DefaultSSHUser, nil
+}
+
+func SetDefaultSSHUser(username string) error {
+	if strings.ContainsAny(username, " \t\n\r'\"") {
+		return fmt.Errorf("invalid username: %s", username)
+	}
+
+	lcf, err := getCurrentConfig()
 	if err != nil {
 		return err
 	}
-	bytes, err := json.Marshal(&LocalConfigFile{DefaultBotName: botname, DefaultBotTeam: teamname})
+
+	lcf.DefaultSSHUser = username
+	return writeConfig(lcf)
+}
+
+func writeConfig(lcf LocalConfigFile) error {
+	bytes, err := json.Marshal(&lcf)
+	if err != nil {
+		return fmt.Errorf("failed to marshal json into config file: %v", err)
+	}
+
+	// Create ~/.ssh/ if it does not yet exist
+	err = MakeDotSSH()
 	if err != nil {
 		return err
 	}
+
 	err = ioutil.WriteFile(localConfigFileLocation, bytes, 0600)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to write config file: %v", err)
 	}
 	return nil
 }
 
-func GetDefaultBotAndTeam() (string, string, error) {
+func getCurrentConfig() (lcf LocalConfigFile, err error) {
 	if _, err := os.Stat(localConfigFileLocation); os.IsNotExist(err) {
-		return "", "", nil
+		return lcf, nil
 	}
 	bytes, err := ioutil.ReadFile(localConfigFileLocation)
 	if err != nil {
-		return "", "", err
+		return lcf, fmt.Errorf("failed to read local config file: %v", err)
 	}
-	var lcf LocalConfigFile
 	err = json.Unmarshal(bytes, &lcf)
+	if err != nil {
+		return lcf, fmt.Errorf("failed to parse local config file: %v", err)
+	}
+	return lcf, nil
+}
+
+func SetDefaultBot(botname string) error {
+	teamname := ""
+	var err error
+	if botname != "" {
+		teamname, err = GetTeamFromBot(botname)
+		if err != nil {
+			return err
+		}
+	}
+
+	lcf, err := getCurrentConfig()
+	if err != nil {
+		return err
+	}
+	lcf.DefaultBotName = botname
+	lcf.DefaultBotTeam = teamname
+
+	return writeConfig(lcf)
+}
+
+func GetDefaultBotAndTeam() (string, string, error) {
+	lcf, err := getCurrentConfig()
 	if err != nil {
 		return "", "", err
 	}

src/kssh/ssh.go

@@ -2,8 +2,11 @@ package kssh
 
 import (
 	"fmt"
+	"os"
 	"os/exec"
 	"strings"
+
+	"github.com/keybase/bot-ssh-ca/src/shared"
 )
 
 func AddKeyToSSHAgent(keyPath string) error {
@@ -14,3 +17,55 @@ func AddKeyToSSHAgent(keyPath string) error {
 	}
 	return nil
 }
+
+var AlternateSSHConfigFile = shared.ExpandPathWithTilde("~/.ssh/kssh-config")
+
+func CreateDefaultUserConfigFile() (bool, error) {
+	user, err := GetDefaultSSHUser()
+	if err != nil {
+		return false, err
+	}
+	if user == "" {
+		return false, nil
+	}
+
+	err = MakeDotSSH()
+	if err != nil {
+		return false, err
+	}
+
+	if _, err := os.Stat(shared.ExpandPathWithTilde("~/.ssh/config")); os.IsNotExist(err) {
+		f, err := os.OpenFile(shared.ExpandPathWithTilde("~/.ssh/config"), os.O_RDONLY|os.O_CREATE, 0644)
+		if err != nil {
+			return false, fmt.Errorf("failed to touch ~/.ssh/config: %v", err)
+		}
+		f.Close()
+	}
+
+	config := fmt.Sprintf("# kssh config file\n"+
+		"Include config\n"+
+		"Host *\n"+
+		"  User %s\n", user)
+
+	f, err := os.OpenFile(AlternateSSHConfigFile, os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return false, err
+	}
+	defer f.Close()
+	_, err = f.WriteString(config)
+	if err != nil {
+		return false, err
+	}
+	fmt.Printf("Using default ssh user %s\n", user)
+	return true, nil
+}
+
+func MakeDotSSH() error {
+	if _, err := os.Stat(shared.ExpandPathWithTilde("~/.ssh/")); os.IsNotExist(err) {
+		err = os.Mkdir(shared.ExpandPathWithTilde("~/.ssh/"), 0700)
+		if err != nil {
+			return fmt.Errorf("failed to create ~/.ssh directory: %v", err)
+		}
+	}
+	return nil
+}

tests/tests/lib.py

@@ -37,7 +37,21 @@ def getDefaultTestConfig():
             [os.environ['SUBTEAM'] + postfix for postfix in [".ssh.prod", ".ssh.staging", ".ssh.root_everywhere"]]
         )
 
-def run_command(cmd: str, timeout: int=10) -> bytes:
+def run_command_with_agent(cmd: str) -> bytes:
+    """
+    Run the given command in a shell session with a running ssh-agent
+    :param cmd:     The command to run
+    :return:        The stdout of the process
+    """
+    return run_command("eval `ssh-agent` && " + cmd)
+
+def run_command(cmd: str, timeout: int=15) -> bytes:
+    """
+    Run the given command in a shell with the given timeout
+    :param cmd:         The command to run
+    :param timeout:     The timeout in seconds
+    :return:            The stdout of the process
+    """
     # In order to properly run a command with a timeout and shell=True, we use Popen with a shell and group all child
     # processes so we can kill all of them. See:
     # - https://stackoverflow.com/questions/36952245/subprocess-timeout-failure
@@ -46,6 +60,7 @@ def run_command(cmd: str, timeout: int=10) -> bytes:
         try:
             stdout, stderr = process.communicate(timeout=timeout)
             if process.returncode != 0:
+                print(f"Output before return: {repr(stdout)}, {repr(stderr)}")
                 raise subprocess.CalledProcessError(process.returncode, cmd, stdout, stderr)
             return stdout
         except subprocess.TimeoutExpired as e: