Add keybaseca sign command to sign keys manually when keybase is down

Also:
- Adds tests for `keybaseca sign` that verify that it generates a correct signed key
- Updates docs to explain `keybaseca sign` (and keep the docs on doing it manually via ssh-keygen
in case anything ever breaks with `keybaseca sign`)
- Refactored key signing to live in a single function that is called by `keybaseca sign` and the
signature request handler.
- Updates the version of urfave/cli in order to pull in a recent change that added support for
making CLI flags required.
- Adds `strings.TrimSpace(...)` around the output of commands when they error and we include the
command's output in an error string. This removes the new line from error messages and makes them
more readable.

Author: ddworken

docs/troubleshooting.md

@@ -39,8 +39,9 @@ and on the client run `kssh -p 2222 user@server` and inspect the debug logs.
 ## Keybase is down
 
 If Keybase is down, the bot will not work since it relies on Keybase chat for communication. In this scenario, you can 
-manually sign SSH keys with the CA key. Place the CA private key in `~/cakey` and the CA public key in `~/cakey.pub`. 
-Then run the command:
+manually sign SSH keys with the CA key. This can be done via `keybaseca sign --public-key /path/to/key.pub`. Alternatively,
+this can be done manually without relying on any of the tooling in this repository. To do so, place the CA private key 
+in `~/cakey` and the CA public key in `~/cakey.pub`. Then run the command:
 
 ```bash
 ssh-keygen \
@@ -55,7 +56,7 @@ ssh-keygen \
   # Specify the password on the CA key (if exported via `keybaseca backup` there is no password)
   -N "" \
   # The location of the public key you wish to sign
-  ~/.ssh/id_rsa.pub
+  /path/to/key.pub
 ```
 
-You can then use the signed SSH key to SSH via `ssh -i ~/.ssh/id_rsa user@server`. 
+You can then use the signed SSH key to SSH via `ssh -i /path/to/key.pub user@server`. 

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/google/uuid v1.1.1
 	github.com/keybase/go-keybase-chat-bot v0.0.0-20190812134859-bc54fd9cf83b
 	github.com/stretchr/testify v1.3.0
-	github.com/urfave/cli v1.20.0
+	github.com/urfave/cli v1.21.0
 	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
 	golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e // indirect
 )

go.sum

@@ -1,18 +1,17 @@
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/keybase/go-keybase-chat-bot v0.0.0-20190730220753-8e3930228e5a h1:gZKAzUClAbcGN8rEIUkqG9vXu5g9w+qLD1gA68qOX2Y=
-github.com/keybase/go-keybase-chat-bot v0.0.0-20190730220753-8e3930228e5a/go.mod h1:vNc28YFzigVJod0j5EbuTtRIe7swx8vodh2yA4jZ2s8=
 github.com/keybase/go-keybase-chat-bot v0.0.0-20190812134859-bc54fd9cf83b h1:7Te2f9LQ/rd6XSzpntz6BaCBgglZ0uiCdv3/GdhX9VA=
 github.com/keybase/go-keybase-chat-bot v0.0.0-20190812134859-bc54fd9cf83b/go.mod h1:vNc28YFzigVJod0j5EbuTtRIe7swx8vodh2yA4jZ2s8=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
-github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
+github.com/urfave/cli v1.21.0 h1:wYSSj06510qPIzGSua9ZqsncMmWE3Zr55KBERygyrxE=
+github.com/urfave/cli v1.21.0/go.mod h1:lxDj6qX9Q6lWQxIrbrT0nwecwUtRnhVZAJjJZrVUZZQ=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -23,3 +22,7 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e h1:D5TXcfTk7xF7hvieo4QErS3qqCB4teTffacDWr7CI+0=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

src/cmd/keybaseca/keybaseca.go

@@ -12,6 +12,8 @@ import (
 	"sync"
 	"syscall"
 
+	"github.com/google/uuid"
+
 	"github.com/keybase/bot-ssh-ca/src/keybaseca/bot"
 	"github.com/keybase/bot-ssh-ca/src/keybaseca/config"
 	klog "github.com/keybase/bot-ssh-ca/src/keybaseca/log"
@@ -60,6 +62,22 @@ func main() {
 			Usage:  "Start the CA service in the foreground",
 			Action: serviceAction,
 		},
+		{
+			Name:  "sign",
+			Usage: "Sign a given public key with all permissions without a dependency on Keybase",
+			Flags: []cli.Flag{
+				cli.StringFlag{
+					Name:     "public-key",
+					Usage:    "The path to the public key you wish to sign. Eg `~/.ssh/id_rsa.pub`",
+					Required: true,
+				},
+				cli.BoolFlag{
+					Name:  "overwrite",
+					Usage: "Overwrite the existing certificate on the filesystem",
+				},
+			},
+			Action: signAction,
+		},
 	}
 	app.Action = mainAction
 	err := app.Run(os.Args)
@@ -126,6 +144,46 @@ func serviceAction(c *cli.Context) error {
 	return nil
 }
 
+// The action for the `keybaseca sign` subcommand
+func signAction(c *cli.Context) error {
+	// Skip validation of the config since that relies on Keybase's servers
+	conf := config.EnvConfig{}
+	principals := strings.Join(conf.GetTeams(), ",")
+	expiration := conf.GetKeyExpiration()
+	randomUUID, err := uuid.NewRandom()
+	if err != nil {
+		return fmt.Errorf("Failed to generate unique key ID: %v", err)
+	}
+
+	// Read the public key from the specified file
+	filename := c.String("public-key")
+	pubKey, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return fmt.Errorf("Failed to read file at %s to get the public key: %v", filename, err)
+	}
+
+	// Sign the public key
+	signature, err := sshutils.SignKey(conf.GetCAKeyLocation(), randomUUID.String()+":keybaseca-sign", principals, expiration, string(pubKey))
+	if err != nil {
+		return fmt.Errorf("Failed to sign key: %v", err)
+	}
+
+	// Either store it in a file or print it to stdout
+	certPath := shared.KeyPathToCert(shared.PubKeyPathToKeyPath(filename))
+	_, err = os.Stat(certPath)
+	if os.IsNotExist(err) || c.Bool("overwrite") {
+		err = ioutil.WriteFile(certPath, []byte(signature), 0600)
+		if err != nil {
+			return fmt.Errorf("Failed to write certificate to file: %v", err)
+		}
+		fmt.Printf("Provisioned new certificate in %s\n", certPath)
+	} else {
+		fmt.Printf("Provisioned new certificate. Place this in %s in order to use it with ssh.\n", certPath)
+		fmt.Printf("\n```\n%s```\n", signature)
+	}
+	return nil
+}
+
 // The action for the `keybaseca` command. Only used for hidden and unlisted flags.
 func mainAction(c *cli.Context) error {
 	if c.Bool("wipe-all-configs") {
@@ -157,8 +215,7 @@ func mainAction(c *cli.Context) error {
 			}(team)
 		}
 		semaphore.Wait()
-	}
-	if c.Bool("wipe-logs") {
+	} else if c.Bool("wipe-logs") {
 		conf, err := loadServerConfig()
 		if err != nil {
 			return err
@@ -176,6 +233,8 @@ func mainAction(c *cli.Context) error {
 			}
 		}
 		fmt.Println("Wiped existing log file at " + logLocation)
+	} else {
+		cli.ShowAppHelpAndExit(c, 1)
 	}
 	return nil
 }

src/keybaseca/log/log.go

@@ -16,7 +16,7 @@ func Log(conf config.Config, str string) {
 	strWithTs := fmt.Sprintf("[%s] %s", time.Now().String(), str)
 
 	if conf.GetLogLocation() == "" {
-		fmt.Print(strWithTs)
+		fmt.Print(strWithTs + "\n")
 	} else {
 		err := appendToFile(conf.GetLogLocation(), strWithTs)
 		if err != nil {

src/keybaseca/sshutils/generate_unix.go

@@ -5,6 +5,7 @@ package sshutils
 import (
 	"fmt"
 	"os/exec"
+	"strings"
 )
 
 // Generate a new SSH key. Places the private key at filename and the public key at filename.pub. If `overwrite`,
@@ -15,7 +16,7 @@ func generateNewSSHKey(filename string) error {
 	cmd := exec.Command("ssh-keygen", "-t", "ed25519", "-f", filename, "-m", "PEM", "-N", "")
 	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("ssh-keygen failed: %s (%v)", string(bytes), err)
+		return fmt.Errorf("ssh-keygen failed: %s (%v)", strings.TrimSpace(string(bytes)), err)
 	}
 	return nil
 }

src/keybaseca/sshutils/sshutils.go

@@ -79,37 +79,57 @@ func ProcessSignatureRequest(conf config.Config, sr shared.SignatureRequest) (re
 		return
 	}
 
+	// The key ID uniquely identifies the certificate by encoding the UUID of the request, a new UUID, and the username
+	// Use both their uuid and our uuid to ensure it is unique
+	keyID := sr.UUID + ":" + randomUUID.String() + ":" + sr.Username
+
+	log.Log(conf, fmt.Sprintf("Processing SignatureRequest from user=%s on device='%s' keyID:%s, principals:%s, expiration:%s, pubkey:%s",
+		sr.Username, sr.DeviceName, keyID, principals, conf.GetKeyExpiration(), sr.SSHPublicKey))
+	signature, err := SignKey(conf.GetCAKeyLocation(), keyID, principals, conf.GetKeyExpiration(), sr.SSHPublicKey)
+
+	return shared.SignatureResponse{SignedKey: signature, UUID: sr.UUID}, nil
+}
+
+// Sign an SSH public key with the given data. Do so without any operations that rely on Keybase in order to ensure
+// that running `keybaseca sign` works even if Keybase is down.
+func SignKey(caKeyLocation, keyID, principals, expiration, publicKey string) (signature string, err error) {
+	// Just a little bit of validation to give a nice error message
+	if strings.Contains(publicKey, "PRIVATE KEY") {
+		return "", fmt.Errorf("SignKey expects a public key (not a private key)")
+	}
+
+	// Write the public key to a temporary file
 	tempFilename, err := getTempFilename("keybase-ca-signed-key")
 	if err != nil {
 		return
 	}
-	err = ioutil.WriteFile(shared.KeyPathToPubKey(tempFilename), []byte(sr.SSHPublicKey), 0600)
+	err = ioutil.WriteFile(shared.KeyPathToPubKey(tempFilename), []byte(publicKey), 0600)
 	if err != nil {
 		return
 	}
 
-	// The key ID uniquely identifies the certificate by encoding the UUID of the request, a new UUID, and the username
-	keyID := sr.UUID + ":" + randomUUID.String() + ":" + sr.Username
-
-	log.Log(conf, fmt.Sprintf("Processing SignatureRequest from user=%s on device='%s' keyID:%s, principals:%s, expiration:%s, pubkey:%s",
-		sr.Username, sr.DeviceName, keyID, principals, conf.GetKeyExpiration(), sr.SSHPublicKey))
+	// Note that we use ssh-keygen rather than Go's builtin SSH library since Go's SSH library does not support ed25519
+	// SSH keys.
 	cmd := exec.Command("ssh-keygen",
-		"-s", conf.GetCAKeyLocation(), // The CA key
-		"-I", keyID, // The ID of the signed key. Use their uuid and our uuid to ensure it is unique
+		"-s", caKeyLocation, // The CA key
+		"-I", keyID, // A unique key ID
 		"-n", principals, // The allowed principals
-		"-V", conf.GetKeyExpiration(), // The configured key expiration
+		"-V", expiration, // The expiration period for the key
 		"-N", "", // No password on the key
-		shared.KeyPathToPubKey(tempFilename), // The location of where to put the key
+		shared.KeyPathToPubKey(tempFilename), // The location of the public key
 	)
-	err = cmd.Run()
+	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return
+		return "", fmt.Errorf("ssh-keygen error: %s (%v)", strings.TrimSpace(string(bytes)), err)
 	}
 
-	data, err := ioutil.ReadFile(shared.KeyPathToCert(tempFilename))
+	// Read the certificate from the file
+	signatureBytes, err := ioutil.ReadFile(shared.KeyPathToCert(tempFilename))
 	if err != nil {
 		return
 	}
+
+	// Delete the certificate and the pub key from the filesystem
 	err = os.Remove(shared.KeyPathToPubKey(tempFilename))
 	if err != nil {
 		return
@@ -118,7 +138,8 @@ func ProcessSignatureRequest(conf config.Config, sr shared.SignatureRequest) (re
 	if err != nil {
 		return
 	}
-	return shared.SignatureResponse{SignedKey: string(data), UUID: sr.UUID}, nil
+
+	return string(signatureBytes), nil
 }
 
 // Get the principals that should be placed in the signed certificate.

src/kssh/ssh.go

@@ -3,13 +3,14 @@ package kssh
 import (
 	"fmt"
 	"os/exec"
+	"strings"
 )
 
 func AddKeyToSSHAgent(keyPath string) error {
 	cmd := exec.Command("ssh-add", keyPath)
 	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("failed to add SSH key to the ssh-agent (is it running?): %s (%v)", string(bytes), err)
+		return fmt.Errorf("failed to add SSH key to the ssh-agent (is it running?): %s (%v)", strings.TrimSpace(string(bytes)), err)
 	}
 	return nil
 }

src/shared/kbfs.go

@@ -43,7 +43,7 @@ func KBFSFileExists(kbfsFilename string) (bool, error) {
 	if strings.Contains(string(bytes), "ERROR file does not exist") {
 		return false, nil
 	}
-	return false, fmt.Errorf("failed to stat %s: %s (%v)", kbfsFilename, string(bytes), err)
+	return false, fmt.Errorf("failed to stat %s: %s (%v)", kbfsFilename, strings.TrimSpace(string(bytes)), err)
 }
 
 func KBFSRead(kbfsFilename string) ([]byte, error) {
@@ -54,7 +54,7 @@ func KBFSRead(kbfsFilename string) ([]byte, error) {
 	cmd := exec.Command("keybase", "fs", "read", kbfsFilename)
 	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return nil, fmt.Errorf("failed to read %s: %s (%v)", kbfsFilename, string(bytes), err)
+		return nil, fmt.Errorf("failed to read %s: %s (%v)", kbfsFilename, strings.TrimSpace(string(bytes)), err)
 	}
 	return bytes, nil
 }
@@ -63,7 +63,7 @@ func KBFSDelete(filename string) error {
 	cmd := exec.Command("keybase", "fs", "rm", filename)
 	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("failed to delete the file at %s: %s (%v)", filename, string(bytes), err)
+		return fmt.Errorf("failed to delete the file at %s: %s (%v)", filename, strings.TrimSpace(string(bytes)), err)
 	}
 	return nil
 }
@@ -87,7 +87,7 @@ func KBFSWrite(filename string, contents string, appendToFile bool) error {
 	cmd.Stdin = strings.NewReader(string(contents))
 	bytes, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("failed to write to file at %s: %s (%v)", filename, string(bytes), err)
+		return fmt.Errorf("failed to write to file at %s: %s (%v)", filename, strings.TrimSpace(string(bytes)), err)
 	}
 	return nil
 }
@@ -96,7 +96,7 @@ func KBFSList(path string) ([]string, error) {
 	cmd := exec.Command("keybase", "fs", "ls", "-1", "--nocolor", path)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
-		return nil, fmt.Errorf("failed to list files in /keybase/team/: %s (%v)", string(output), err)
+		return nil, fmt.Errorf("failed to list files in /keybase/team/: %s (%v)", strings.TrimSpace(string(output)), err)
 	}
 	var ret []string
 	for _, s := range strings.Split(string(output), "\n") {

src/shared/utils.go

@@ -14,6 +14,10 @@ func KeyPathToCert(keyPath string) string {
 	return keyPath + "-cert.pub"
 }
 
+func PubKeyPathToKeyPath(pubKeyPath string) string {
+	return strings.Replace(pubKeyPath, ".pub", "", 1)
+}
+
 // Expand out a path that starts with a tilde to be an absolute path
 func ExpandPathWithTilde(path string) string {
 	usr, _ := user.Current()