Merge pull request #18 from keybase/david/kssh-default-ssh-user

Add ability to set a default SSH user for kssh

Author: ddworken

README.md

@@ -87,6 +87,21 @@ on the `ssh` binary being in the path. This can be installed in a number of diff
 [built in version](https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse) on 
 modern versions of windows. 
 
+# Using kssh with jumpboxes and bastion hosts
+
+kssh should work correctly with jumpboxes and bastion hosts as long as they are configured to trust the SSH CA and the usernames are correct. For example:
+
+```
+kssh -J developer@jumpbox.example.com developer@server.internal
+```
+
+This can also be made easier by setting the kssh default ssh-username locally, then you won't have to specify it for each server. 
+
+```
+kssh --set-default-user developer
+kssh -J jumpbox.example.com server.internal
+```
+
 # Contributing
 
 There are two separate binaries built from the code in this repo:
@@ -153,9 +168,9 @@ client config file is how kssh determines which teams are using kssh and the nee
 channel name, the name of the bot, etc). When keybaseca stops, it deletes all of the client config files. 
 
 kssh reads the client config file in order to determine how to interact with a bot. kssh does not have any user controlled
-configuration. It does have one local config file stored in `~/.ssh/kssh.config` that is used to store the default bot
-if the kssh user has access to multiple running keybaseca bots. This config file is not meant to be manually edited and is only meant to be 
-interacted with via the `--set-default-bot` and `--clear-default-bot` flags. 
+configuration. It does have one local config file stored in `~/.ssh/kssh-config.json` that is used to store a few settings 
+for kssh. By default, this config file is not used. It is only created and meant to be interacted with via the 
+`--set-default-bot`, `--clear-default-bot`, `--set-default-user`, `--clear-default-user` flags. 
 
 #### Communication
 

docs/troubleshooting.md

@@ -59,4 +59,4 @@ ssh-keygen \
   /path/to/key.pub
 ```
 
-You can then use the signed SSH key to SSH via `ssh -i /path/to/key.pub user@server`. 
+You can then use the signed SSH key to SSH via `ssh -i /path/to/key.pub user@server`. 

go.mod

@@ -9,5 +9,4 @@ require (
 	github.com/urfave/cli v1.21.0
 	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
 	golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e // indirect
-	gopkg.in/yaml.v2 v2.2.2 // indirect
 )

src/cmd/kssh/kssh.go

@@ -77,6 +77,8 @@ var cliArguments = []kssh.CLIArgument{
 	{Name: "--clear-default-bot", HasArgument: false},
 	{Name: "--bot", HasArgument: true},
 	{Name: "--provision", HasArgument: false},
+	{Name: "--set-default-user", HasArgument: true},
+	{Name: "--clear-default-user", HasArgument: false},
 	{Name: "--help", HasArgument: false},
 }
 
@@ -98,7 +100,10 @@ GLOBAL OPTIONS:
                          is using Keybase SSH CA
    --clear-default-bot   Clear the default bot
    --bot                 Specify a specific bot to be used for kssh. Not necessary if you are only in one team that
-                         is using Keybase SSH CA`)
+                         is using Keybase SSH CA
+   --set-default-user    Set the default SSH user to be used for kssh. Useful if you use ssh configs that do not set 
+					     a default SSH user 
+   --clear-default-user  Clear the default SSH user`)
 }
 
 type Action int
@@ -122,6 +127,24 @@ func handleArgs(args []string) (string, []string, Action, error) {
 		if arg.Argument.Name == "--bot" {
 			team = arg.Value
 		}
+		if arg.Argument.Name == "--set-default-user" {
+			err := kssh.SetDefaultSSHUser(arg.Value)
+			if err != nil {
+				fmt.Printf("Failed to set the default ssh user: %v\n", err)
+				os.Exit(1)
+			}
+			fmt.Println("Set default ssh user, exiting...")
+			os.Exit(0)
+		}
+		if arg.Argument.Name == "--clear-default-user" {
+			err := kssh.SetDefaultSSHUser("")
+			if err != nil {
+				fmt.Printf("Failed to clear the default ssh user: %v\n", err)
+				os.Exit(1)
+			}
+			fmt.Println("Cleared default ssh user, exiting...")
+			os.Exit(0)
+		}
 		if arg.Argument.Name == "--set-default-bot" {
 			// We exit immediately after setting the default bot
 			err := kssh.SetDefaultBot(arg.Value)
@@ -257,20 +280,64 @@ func provisionNewKey(config kssh.ConfigFile, keyPath string) error {
 	return nil
 }
 
-// Run SSH with the given key. Calls os.Exit if SSH returns
+// Run SSH with the given key. Calls os.Exit and does not return.
 func runSSHWithKey(keyPath string, remainingArgs []string) {
-	fmt.Printf("\n") // a new line to separate kssh output from ssh output
+	// Determine whether a default SSH user has been specified and configure it if so
+	useConfig := false
+	user, err := kssh.GetDefaultSSHUser()
+	if err != nil {
+		fmt.Printf("Failed to retrieve default SSH user: %v\n", err)
+		os.Exit(1)
+	}
+	if user != "" {
+		useConfig = true
+		err = kssh.CreateDefaultUserConfigFile()
+		if err != nil {
+			fmt.Printf("Failed to set default user: %v\n", err)
+			os.Exit(1)
+		}
+	}
+
+	// Add the key to the ssh-agent in case we are doing multiple connections (eg via the `-J` flag)
+	err = kssh.AddKeyToSSHAgent(keyPath)
+	if err != nil {
+		fmt.Printf("Failed to add SSH key to the SSH agent: %v\n", err)
+		os.Exit(1)
+	}
+
+	// A new line to separate kssh output from ssh output
+	fmt.Printf("\n")
+
 	argumentList := []string{"-i", keyPath, "-o", "IdentitiesOnly=yes"}
+	checkAndWarnOnUnspecifiedBehavior(useConfig, remainingArgs)
+	if useConfig {
+		argumentList = append(argumentList, "-F", kssh.AlternateSSHConfigFile)
+	}
+
 	argumentList = append(argumentList, remainingArgs...)
 
 	cmd := exec.Command("ssh", argumentList...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	cmd.Stdin = os.Stdin
-	err := cmd.Run()
+	err = cmd.Run()
+
 	if err != nil {
 		fmt.Printf("SSH exited with err: %v\n", err)
 		os.Exit(1)
 	}
 	os.Exit(0)
 }
+
+func checkAndWarnOnUnspecifiedBehavior(useConfig bool, arguments []string) {
+	if useConfig {
+		for _, arg := range arguments {
+			if arg == "-F" {
+				fmt.Println("Warning: You passed a -F flag, but kssh also uses this argument in " +
+					"order to implement support for a default SSH username, which you're also using. " +
+					"Either do not use the -F flag or run `kssh --clear-default-user` to reset the " +
+					"default SSH user and delegate this to the running CA bot.")
+			}
+		}
+	}
+}

src/cmd/kssh/kssh_test.go

@@ -46,7 +46,7 @@ func TestIsValidCert(t *testing.T) {
 }
 
 func BenchmarkLoadConfigs(b *testing.B) {
-	os.Remove("~/.ssh/kssh.config")
+	os.Remove("~/.ssh/kssh-config.json")
 	b.ResetTimer()
 
 	for n := 0; n < b.N; n++ {

src/kssh/config.go

@@ -109,40 +109,91 @@ func LoadConfig(kbfsFilename string) (ConfigFile, error) {
 type LocalConfigFile struct {
 	DefaultBotName string `json:"default_bot"`
 	DefaultBotTeam string `json:"default_team"`
+	DefaultSSHUser string `json:"default_ssh_user"`
 }
 
 // Where to store the local config file. Just stash it in ~/.ssh
-var localConfigFileLocation = shared.ExpandPathWithTilde("~/.ssh/kssh.config")
+var localConfigFileLocation = shared.ExpandPathWithTilde("~/.ssh/kssh-config.json")
 
-func SetDefaultBot(botname string) error {
-	if botname == "" {
-		return os.Remove(localConfigFileLocation)
+func GetDefaultSSHUser() (string, error) {
+	lcf, err := getCurrentConfig()
+	if err != nil {
+		return "", err
 	}
-	teamname, err := GetTeamFromBot(botname)
+
+	return lcf.DefaultSSHUser, nil
+}
+
+func SetDefaultSSHUser(username string) error {
+	if strings.ContainsAny(username, " \t\n\r'\"") {
+		return fmt.Errorf("invalid username: %s", username)
+	}
+
+	lcf, err := getCurrentConfig()
 	if err != nil {
 		return err
 	}
-	bytes, err := json.Marshal(&LocalConfigFile{DefaultBotName: botname, DefaultBotTeam: teamname})
+
+	lcf.DefaultSSHUser = username
+	return writeConfig(lcf)
+}
+
+func writeConfig(lcf LocalConfigFile) error {
+	bytes, err := json.Marshal(&lcf)
+	if err != nil {
+		return fmt.Errorf("failed to marshal json into config file: %v", err)
+	}
+
+	// Create ~/.ssh/ if it does not yet exist
+	err = MakeDotSSH()
 	if err != nil {
 		return err
 	}
+
 	err = ioutil.WriteFile(localConfigFileLocation, bytes, 0600)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to write config file: %v", err)
 	}
 	return nil
 }
 
-func GetDefaultBotAndTeam() (string, string, error) {
+func getCurrentConfig() (lcf LocalConfigFile, err error) {
 	if _, err := os.Stat(localConfigFileLocation); os.IsNotExist(err) {
-		return "", "", nil
+		return lcf, nil
 	}
 	bytes, err := ioutil.ReadFile(localConfigFileLocation)
 	if err != nil {
-		return "", "", err
+		return lcf, fmt.Errorf("failed to read local config file: %v", err)
 	}
-	var lcf LocalConfigFile
 	err = json.Unmarshal(bytes, &lcf)
+	if err != nil {
+		return lcf, fmt.Errorf("failed to parse local config file: %v", err)
+	}
+	return lcf, nil
+}
+
+func SetDefaultBot(botname string) error {
+	teamname := ""
+	var err error
+	if botname != "" {
+		teamname, err = GetTeamFromBot(botname)
+		if err != nil {
+			return err
+		}
+	}
+
+	lcf, err := getCurrentConfig()
+	if err != nil {
+		return err
+	}
+	lcf.DefaultBotName = botname
+	lcf.DefaultBotTeam = teamname
+
+	return writeConfig(lcf)
+}
+
+func GetDefaultBotAndTeam() (string, string, error) {
+	lcf, err := getCurrentConfig()
 	if err != nil {
 		return "", "", err
 	}

src/kssh/ssh.go

@@ -2,8 +2,11 @@ package kssh
 
 import (
 	"fmt"
+	"os"
 	"os/exec"
 	"strings"
+
+	"github.com/keybase/bot-ssh-ca/src/shared"
 )
 
 func AddKeyToSSHAgent(keyPath string) error {
@@ -14,3 +17,56 @@ func AddKeyToSSHAgent(keyPath string) error {
 	}
 	return nil
 }
+
+var AlternateSSHConfigFile = shared.ExpandPathWithTilde("~/.ssh/kssh-config")
+
+// Create an SSH config file that inherits from the default SSH config file but sets a default SSH user
+func CreateDefaultUserConfigFile() error {
+	user, err := GetDefaultSSHUser()
+	if err != nil {
+		return err
+	}
+	if user == "" {
+		return nil
+	}
+
+	err = MakeDotSSH()
+	if err != nil {
+		return err
+	}
+
+	if _, err := os.Stat(shared.ExpandPathWithTilde("~/.ssh/config")); os.IsNotExist(err) {
+		f, err := os.OpenFile(shared.ExpandPathWithTilde("~/.ssh/config"), os.O_RDONLY|os.O_CREATE, 0644)
+		if err != nil {
+			return fmt.Errorf("failed to touch ~/.ssh/config: %v", err)
+		}
+		f.Close()
+	}
+
+	config := fmt.Sprintf("# kssh config file to set a default SSH user\n"+
+		"Include config\n"+
+		"Host *\n"+
+		"  User %s\n", user)
+
+	f, err := os.OpenFile(AlternateSSHConfigFile, os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	_, err = f.WriteString(config)
+	if err != nil {
+		return err
+	}
+	fmt.Printf("Using default ssh user %s\n", user)
+	return nil
+}
+
+func MakeDotSSH() error {
+	if _, err := os.Stat(shared.ExpandPathWithTilde("~/.ssh/")); os.IsNotExist(err) {
+		err = os.Mkdir(shared.ExpandPathWithTilde("~/.ssh/"), 0700)
+		if err != nil {
+			return fmt.Errorf("failed to create ~/.ssh directory: %v", err)
+		}
+	}
+	return nil
+}

tests/tests/lib.py

@@ -37,7 +37,21 @@ def getDefaultTestConfig():
             [os.environ['SUBTEAM'] + postfix for postfix in [".ssh.prod", ".ssh.staging", ".ssh.root_everywhere"]]
         )
 
-def run_command(cmd: str, timeout: int=10) -> bytes:
+def run_command_with_agent(cmd: str) -> bytes:
+    """
+    Run the given command in a shell session with a running ssh-agent
+    :param cmd:     The command to run
+    :return:        The stdout of the process
+    """
+    return run_command("eval `ssh-agent` && " + cmd)
+
+def run_command(cmd: str, timeout: int=15) -> bytes:
+    """
+    Run the given command in a shell with the given timeout
+    :param cmd:         The command to run
+    :param timeout:     The timeout in seconds
+    :return:            The stdout of the process
+    """
     # In order to properly run a command with a timeout and shell=True, we use Popen with a shell and group all child
     # processes so we can kill all of them. See:
     # - https://stackoverflow.com/questions/36952245/subprocess-timeout-failure
@@ -46,6 +60,7 @@ def run_command(cmd: str, timeout: int=10) -> bytes:
         try:
             stdout, stderr = process.communicate(timeout=timeout)
             if process.returncode != 0:
+                print(f"Output before return: {repr(stdout)}, {repr(stderr)}")
                 raise subprocess.CalledProcessError(process.returncode, cmd, stdout, stderr)
             return stdout
         except subprocess.TimeoutExpired as e:
@@ -76,7 +91,7 @@ def clear_keys():
 def clear_local_config():
     # Clear kssh's local config file
     try:
-        run_command("rm -rf ~/.ssh/kssh.config")
+        run_command("rm -rf ~/.ssh/kssh-config.json")
     except subprocess.CalledProcessError:
         pass