Merge pull request #15 from keybase/david/keybase-ca-sign

Add keybaseca sign command to sign keys manually when keybase is down

Author: ddworken

docs/troubleshooting.md

@@ -39,8 +39,9 @@ and on the client run `kssh -p 2222 user@server` and inspect the debug logs.
 ## Keybase is down
 
 If Keybase is down, the bot will not work since it relies on Keybase chat for communication. In this scenario, you can 
-manually sign SSH keys with the CA key. Place the CA private key in `~/cakey` and the CA public key in `~/cakey.pub`. 
-Then run the command:
+manually sign SSH keys with the CA key. This can be done via `keybaseca sign --public-key /path/to/key.pub`. Alternatively,
+this can be done manually without relying on any of the tooling in this repository. To do so, place the CA private key 
+in `~/cakey` and the CA public key in `~/cakey.pub`. Then run the command:
 
 ```bash
 ssh-keygen \
@@ -55,7 +56,7 @@ ssh-keygen \
   # Specify the password on the CA key (if exported via `keybaseca backup` there is no password)
   -N "" \
   # The location of the public key you wish to sign
-  ~/.ssh/id_rsa.pub
+  /path/to/key.pub
 ```
 
-You can then use the signed SSH key to SSH via `ssh -i ~/.ssh/id_rsa user@server`. 
+You can then use the signed SSH key to SSH via `ssh -i /path/to/key.pub user@server`. 

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/google/uuid v1.1.1
 	github.com/keybase/go-keybase-chat-bot v0.0.0-20190812134859-bc54fd9cf83b
 	github.com/stretchr/testify v1.3.0
-	github.com/urfave/cli v1.20.0
+	github.com/urfave/cli v1.21.0
 	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
 	golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e // indirect
 	gopkg.in/yaml.v2 v2.2.2 // indirect

go.sum

@@ -1,3 +1,4 @@
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
@@ -9,8 +10,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
-github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
+github.com/urfave/cli v1.21.0 h1:wYSSj06510qPIzGSua9ZqsncMmWE3Zr55KBERygyrxE=
+github.com/urfave/cli v1.21.0/go.mod h1:lxDj6qX9Q6lWQxIrbrT0nwecwUtRnhVZAJjJZrVUZZQ=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

src/cmd/keybaseca/keybaseca.go

@@ -12,6 +12,8 @@ import (
 	"sync"
 	"syscall"
 
+	"github.com/google/uuid"
+
 	"github.com/keybase/bot-ssh-ca/src/keybaseca/bot"
 	"github.com/keybase/bot-ssh-ca/src/keybaseca/config"
 	klog "github.com/keybase/bot-ssh-ca/src/keybaseca/log"
@@ -60,6 +62,22 @@ func main() {
 			Usage:  "Start the CA service in the foreground",
 			Action: serviceAction,
 		},
+		{
+			Name:  "sign",
+			Usage: "Sign a given public key with all permissions without a dependency on Keybase",
+			Flags: []cli.Flag{
+				cli.StringFlag{
+					Name:     "public-key",
+					Usage:    "The path to the public key you wish to sign. Eg `~/.ssh/id_rsa.pub`",
+					Required: true,
+				},
+				cli.BoolFlag{
+					Name:  "overwrite",
+					Usage: "Overwrite the existing certificate on the filesystem",
+				},
+			},
+			Action: signAction,
+		},
 	}
 	app.Action = mainAction
 	err := app.Run(os.Args)
@@ -126,9 +144,54 @@ func serviceAction(c *cli.Context) error {
 	return nil
 }
 
+// The action for the `keybaseca sign` subcommand
+func signAction(c *cli.Context) error {
+	// Skip validation of the config since that relies on Keybase's servers
+	conf := config.EnvConfig{}
+	err := config.ValidateConfig(conf, true)
+	if err != nil {
+		return fmt.Errorf("Invalid config: %v", err)
+	}
+	principals := strings.Join(conf.GetTeams(), ",")
+	expiration := conf.GetKeyExpiration()
+	randomUUID, err := uuid.NewRandom()
+	if err != nil {
+		return fmt.Errorf("Failed to generate unique key ID: %v", err)
+	}
+
+	// Read the public key from the specified file
+	filename := c.String("public-key")
+	pubKey, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return fmt.Errorf("Failed to read file at %s to get the public key: %v", filename, err)
+	}
+
+	// Sign the public key
+	signature, err := sshutils.SignKey(conf.GetCAKeyLocation(), randomUUID.String()+":keybaseca-sign", principals, expiration, string(pubKey))
+	if err != nil {
+		return fmt.Errorf("Failed to sign key: %v", err)
+	}
+
+	// Either store it in a file or print it to stdout
+	certPath := shared.KeyPathToCert(shared.PubKeyPathToKeyPath(filename))
+	_, err = os.Stat(certPath)
+	if os.IsNotExist(err) || c.Bool("overwrite") {
+		err = ioutil.WriteFile(certPath, []byte(signature), 0600)
+		if err != nil {
+			return fmt.Errorf("Failed to write certificate to file: %v", err)
+		}
+		fmt.Printf("Provisioned new certificate in %s\n", certPath)
+	} else {
+		fmt.Printf("Provisioned new certificate. Place this in %s in order to use it with ssh.\n", certPath)
+		fmt.Printf("\n```\n%s```\n", signature)
+	}
+	return nil
+}
+
 // The action for the `keybaseca` command. Only used for hidden and unlisted flags.
 func mainAction(c *cli.Context) error {
-	if c.Bool("wipe-all-configs") {
+	switch {
+	case c.Bool("wipe-all-configs"):
 		teams, err := shared.KBFSList("/keybase/team/")
 		if err != nil {
 			return err
@@ -157,8 +220,7 @@ func mainAction(c *cli.Context) error {
 			}(team)
 		}
 		semaphore.Wait()
-	}
-	if c.Bool("wipe-logs") {
+	case c.Bool("wipe-logs"):
 		conf, err := loadServerConfig()
 		if err != nil {
 			return err
@@ -176,6 +238,8 @@ func mainAction(c *cli.Context) error {
 			}
 		}
 		fmt.Println("Wiped existing log file at " + logLocation)
+	default:
+		cli.ShowAppHelpAndExit(c, 1)
 	}
 	return nil
 }
@@ -257,7 +321,7 @@ func captureControlCToDeleteClientConfig(conf config.Config) {
 // Load and validate a server config object from the environment
 func loadServerConfig() (config.Config, error) {
 	conf := config.EnvConfig{}
-	err := config.ValidateConfig(conf)
+	err := config.ValidateConfig(conf, false)
 	if err != nil {
 		return nil, fmt.Errorf("Failed to validate config: %v", err)
 	}

src/keybaseca/config/config.go

@@ -25,21 +25,23 @@ type Config interface {
 	GetStrictLogging() bool
 }
 
-func ValidateConfig(conf EnvConfig) error {
+// Validate the given config file. If offline, do so without connecting to keybase (used in code that is meant
+// to function without any reliance on Keybase).
+func ValidateConfig(conf EnvConfig, offline bool) error {
 	if len(conf.GetTeams()) == 0 {
 		return fmt.Errorf("must specify at least one team via the TEAMS environment variable")
 	}
 	if conf.GetKeyExpiration() != "" && !strings.HasPrefix(conf.GetKeyExpiration(), "+") {
 		// Only a basic check for this since ssh will error out later on if it is bogus
 		return fmt.Errorf("KEY_EXPIRATION must be of the form `+<number><unit> where unit is one of `m`, `h`, `d`, `w`. Eg `+1h`. ")
 	}
-	if conf.GetLogLocation() != "" {
+	if conf.GetLogLocation() != "" && !offline {
 		err := validatePath(conf.GetLogLocation())
 		if err != nil {
 			return fmt.Errorf("LOG_LOCATION '%s' is not a valid path: %v", conf.GetLogLocation(), err)
 		}
 	}
-	if conf.getChatChannel() != "" {
+	if conf.getChatChannel() != "" && !offline {
 		team, channel, err := splitTeamChannel(conf.getChatChannel())
 		if err != nil {
 			return fmt.Errorf("Failed to parse CHAT_CHANNEL=%s: %v", conf.getChatChannel(), err)

src/keybaseca/log/log.go

@@ -16,7 +16,7 @@ func Log(conf config.Config, str string) {
 	strWithTs := fmt.Sprintf("[%s] %s", time.Now().String(), str)
 
 	if conf.GetLogLocation() == "" {
-		fmt.Print(strWithTs)
+		fmt.Print(strWithTs + "\n")
 	} else {
 		err := appendToFile(conf.GetLogLocation(), strWithTs)
 		if err != nil {

src/keybaseca/sshutils/generate_unix.go

@@ -5,6 +5,7 @@ package sshutils
 import (
 	"fmt"
 	"os/exec"
+	"strings"
 )
 
 // Generate a new SSH key. Places the private key at filename and the public key at filename.pub. If `overwrite`,
@@ -15,7 +16,7 @@ func generateNewSSHKey(filename string) error {
 	cmd := exec.Command("ssh-keygen", "-t", "ed25519", "-f", filename, "-m", "PEM", "-N", "")
 	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("ssh-keygen failed: %s (%v)", string(bytes), err)
+		return fmt.Errorf("ssh-keygen failed: %s (%v)", strings.TrimSpace(string(bytes)), err)
 	}
 	return nil
 }

src/keybaseca/sshutils/sshutils.go

@@ -79,37 +79,57 @@ func ProcessSignatureRequest(conf config.Config, sr shared.SignatureRequest) (re
 		return
 	}
 
+	// The key ID uniquely identifies the certificate by encoding the UUID of the request, a new UUID, and the username
+	// Use both their uuid and our uuid to ensure it is unique
+	keyID := sr.UUID + ":" + randomUUID.String() + ":" + sr.Username
+
+	log.Log(conf, fmt.Sprintf("Processing SignatureRequest from user=%s on device='%s' keyID:%s, principals:%s, expiration:%s, pubkey:%s",
+		sr.Username, sr.DeviceName, keyID, principals, conf.GetKeyExpiration(), sr.SSHPublicKey))
+	signature, err := SignKey(conf.GetCAKeyLocation(), keyID, principals, conf.GetKeyExpiration(), sr.SSHPublicKey)
+
+	return shared.SignatureResponse{SignedKey: signature, UUID: sr.UUID}, nil
+}
+
+// Sign an SSH public key with the given data. Do so without any operations that rely on Keybase in order to ensure
+// that running `keybaseca sign` works even if Keybase is down.
+func SignKey(caKeyLocation, keyID, principals, expiration, publicKey string) (signature string, err error) {
+	// Just a little bit of validation to give a nice error message
+	if strings.Contains(publicKey, "PRIVATE KEY") {
+		return "", fmt.Errorf("SignKey expects a public key (not a private key)")
+	}
+
+	// Write the public key to a temporary file
 	tempFilename, err := getTempFilename("keybase-ca-signed-key")
 	if err != nil {
 		return
 	}
-	err = ioutil.WriteFile(shared.KeyPathToPubKey(tempFilename), []byte(sr.SSHPublicKey), 0600)
+	err = ioutil.WriteFile(shared.KeyPathToPubKey(tempFilename), []byte(publicKey), 0600)
 	if err != nil {
 		return
 	}
 
-	// The key ID uniquely identifies the certificate by encoding the UUID of the request, a new UUID, and the username
-	keyID := sr.UUID + ":" + randomUUID.String() + ":" + sr.Username
-
-	log.Log(conf, fmt.Sprintf("Processing SignatureRequest from user=%s on device='%s' keyID:%s, principals:%s, expiration:%s, pubkey:%s",
-		sr.Username, sr.DeviceName, keyID, principals, conf.GetKeyExpiration(), sr.SSHPublicKey))
+	// Note that we use ssh-keygen rather than Go's builtin SSH library since Go's SSH library does not support ed25519
+	// SSH keys.
 	cmd := exec.Command("ssh-keygen",
-		"-s", conf.GetCAKeyLocation(), // The CA key
-		"-I", keyID, // The ID of the signed key. Use their uuid and our uuid to ensure it is unique
+		"-s", caKeyLocation, // The CA key
+		"-I", keyID, // A unique key ID
 		"-n", principals, // The allowed principals
-		"-V", conf.GetKeyExpiration(), // The configured key expiration
+		"-V", expiration, // The expiration period for the key
 		"-N", "", // No password on the key
-		shared.KeyPathToPubKey(tempFilename), // The location of where to put the key
+		shared.KeyPathToPubKey(tempFilename), // The location of the public key
 	)
-	err = cmd.Run()
+	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return
+		return "", fmt.Errorf("ssh-keygen error: %s (%v)", strings.TrimSpace(string(bytes)), err)
 	}
 
-	data, err := ioutil.ReadFile(shared.KeyPathToCert(tempFilename))
+	// Read the certificate from the file
+	signatureBytes, err := ioutil.ReadFile(shared.KeyPathToCert(tempFilename))
 	if err != nil {
 		return
 	}
+
+	// Delete the certificate and the pub key from the filesystem
 	err = os.Remove(shared.KeyPathToPubKey(tempFilename))
 	if err != nil {
 		return
@@ -118,7 +138,8 @@ func ProcessSignatureRequest(conf config.Config, sr shared.SignatureRequest) (re
 	if err != nil {
 		return
 	}
-	return shared.SignatureResponse{SignedKey: string(data), UUID: sr.UUID}, nil
+
+	return string(signatureBytes), nil
 }
 
 // Get the principals that should be placed in the signed certificate.

src/kssh/ssh.go

@@ -3,13 +3,14 @@ package kssh
 import (
 	"fmt"
 	"os/exec"
+	"strings"
 )
 
 func AddKeyToSSHAgent(keyPath string) error {
 	cmd := exec.Command("ssh-add", keyPath)
 	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("failed to add SSH key to the ssh-agent (is it running?): %s (%v)", string(bytes), err)
+		return fmt.Errorf("failed to add SSH key to the ssh-agent (is it running?): %s (%v)", strings.TrimSpace(string(bytes)), err)
 	}
 	return nil
 }

src/shared/kbfs.go

@@ -43,7 +43,7 @@ func KBFSFileExists(kbfsFilename string) (bool, error) {
 	if strings.Contains(string(bytes), "ERROR file does not exist") {
 		return false, nil
 	}
-	return false, fmt.Errorf("failed to stat %s: %s (%v)", kbfsFilename, string(bytes), err)
+	return false, fmt.Errorf("failed to stat %s: %s (%v)", kbfsFilename, strings.TrimSpace(string(bytes)), err)
 }
 
 func KBFSRead(kbfsFilename string) ([]byte, error) {
@@ -54,7 +54,7 @@ func KBFSRead(kbfsFilename string) ([]byte, error) {
 	cmd := exec.Command("keybase", "fs", "read", kbfsFilename)
 	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return nil, fmt.Errorf("failed to read %s: %s (%v)", kbfsFilename, string(bytes), err)
+		return nil, fmt.Errorf("failed to read %s: %s (%v)", kbfsFilename, strings.TrimSpace(string(bytes)), err)
 	}
 	return bytes, nil
 }
@@ -63,7 +63,7 @@ func KBFSDelete(filename string) error {
 	cmd := exec.Command("keybase", "fs", "rm", filename)
 	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("failed to delete the file at %s: %s (%v)", filename, string(bytes), err)
+		return fmt.Errorf("failed to delete the file at %s: %s (%v)", filename, strings.TrimSpace(string(bytes)), err)
 	}
 	return nil
 }
@@ -87,7 +87,7 @@ func KBFSWrite(filename string, contents string, appendToFile bool) error {
 	cmd.Stdin = strings.NewReader(string(contents))
 	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("failed to write to file at %s: %s (%v)", filename, string(bytes), err)
+		return fmt.Errorf("failed to write to file at %s: %s (%v)", filename, strings.TrimSpace(string(bytes)), err)
 	}
 	return nil
 }
@@ -96,7 +96,7 @@ func KBFSList(path string) ([]string, error) {
 	cmd := exec.Command("keybase", "fs", "ls", "-1", "--nocolor", path)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
-		return nil, fmt.Errorf("failed to list files in /keybase/team/: %s (%v)", string(output), err)
+		return nil, fmt.Errorf("failed to list files in /keybase/team/: %s (%v)", strings.TrimSpace(string(output)), err)
 	}
 	var ret []string
 	for _, s := range strings.Split(string(output), "\n") {