NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.6k

Commitd74cb78

committed

fix(agent/agentssh): pin random seed for RSA key generation

Change-Id: I8c7e3070324e5d558374fd6891eea9d48660e1e9Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parent4732f08 commitd74cb78Copy full SHA for d74cb78

File tree

2 files changed

+33

-8

lines changed

agent
- agent.go
- agentssh
  - agentssh.go

2 files changed

+33

-8

lines changed

`‎agent/agent.go‎`

Lines changed: 17 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ import (`
`6`	`6`	`"encoding/json"`
`7`	`7`	`"errors"`
`8`	`8`	`"fmt"`
	`9`	`+"hash/fnv"`
`9`	`10`	`"io"`
`10`	`11`	`"net/http"`
`11`	`12`	`"net/netip"`
`@@ -272,6 +273,7 @@ func (a *agent) init() {`
`272`	`273`	`UpdateEnv:a.updateCommandEnv,`
`273`	`274`	`WorkingDirectory:func()string {returna.manifest.Load().Directory },`
`274`	`275`	`BlockFileTransfer:a.blockFileTransfer,`
	`276`	`+RandomSeed:stringToInt64Hash(&a.manifest),`
`275`	`277`	`})`
`276`	`278`	`iferr!=nil {`
`277`	`279`	`panic(err)`
`@@ -372,7 +374,6 @@ func (a *agent) collectMetadata(ctx context.Context, md codersdk.WorkspaceAgentM`
`372`	`374`	`// Important: if the command times out, we may see a misleading error like`
`373`	`375`	`// "exit status 1", so it's important to include the context error.`
`374`	`376`	`err=errors.Join(err,ctx.Err())`
`375`		`-`
`376`	`377`	`iferr!=nil {`
`377`	`378`	`result.Error=fmt.Sprintf("run cmd: %+v",err)`
`378`	`379`	`}`
`@@ -1850,3 +1851,18 @@ func PrometheusMetricsHandler(prometheusRegistry *prometheus.Registry, logger sl`
`1850`	`1851`	`}`
`1851`	`1852`	`})`
`1852`	`1853`	`}`
	`1854`	`+`
	`1855`	`+// stringToInt64Hash converts the manifest's AgentID and WorkspaceID to an int64 hash.`
	`1856`	`+// This uses the FNV-1a hash algorithm which provides decent distribution and collision`
	`1857`	`+// resistance for string inputs.`
	`1858`	`+funcstringToInt64Hash(manifest*atomic.Pointer[agentsdk.Manifest])int64 {`
	`1859`	`+m:=manifest.Load()`
	`1860`	`+ifm==nil {`
	`1861`	`+return42`
	`1862`	`+}`
	`1863`	`+`
	`1864`	`+h:=fnv.New64a()`
	`1865`	`+h.Write(m.AgentID[:])`
	`1866`	`+h.Write(m.WorkspaceID[:])`
	`1867`	`+returnint64(h.Sum64())`
	`1868`	`+}`

`‎agent/agentssh/agentssh.go‎`

Lines changed: 16 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,11 +3,11 @@ package agentssh`
`3`	`3`	`import (`
`4`	`4`	`"bufio"`
`5`	`5`	`"context"`
`6`		`-"crypto/rand"`
`7`	`6`	`"crypto/rsa"`
`8`	`7`	`"errors"`
`9`	`8`	`"fmt"`
`10`	`9`	`"io"`
	`10`	`+"math/rand"`
`11`	`11`	`"net"`
`12`	`12`	`"os"`
`13`	`13`	`"os/exec"`
`@@ -85,6 +85,10 @@ type Config struct {`
`85`	`85`	`X11DisplayOffset*int`
`86`	`86`	`// BlockFileTransfer restricts use of file transfer applications.`
`87`	`87`	`BlockFileTransferbool`
	`88`	`+`
	`89`	`+// RandomSeed is a random seed value exclusively used to generate a`
	`90`	`+// deterministic SSH host key.`
	`91`	`+RandomSeedint64`
`88`	`92`	`}`
`89`	`93`
`90`	`94`	`typeServerstruct {`
`@@ -112,20 +116,25 @@ type Server struct {`
`112`	`116`	`}`
`113`	`117`
`114`	`118`	`funcNewServer(ctx context.Context,logger slog.Logger,prometheusRegistryprometheus.Registry,fs afero.Fs,execer agentexec.Execer,configConfig) (*Server,error) {`
	`119`	`+ifconfig==nil {`
	`120`	`+config=&Config{}`
	`121`	`+}`
	`122`	`+`
`115`	`123`	`// Clients' should ignore the host key when connecting.`
`116`	`124`	`// The agent needs to authenticate with coderd to SSH,`
`117`	`125`	`// so SSH authentication doesn't improve security.`
`118`		`-randomHostKey,err:=rsa.GenerateKey(rand.Reader,2048)`
	`126`	`+`
	`127`	`+// Create a deterministic random source`
	`128`	`+// nolint: gosec`
	`129`	`+deterministicRand:=rand.New(rand.NewSource(config.RandomSeed))`
	`130`	`+coderHostKey,err:=rsa.GenerateKey(deterministicRand,2048)`
`119`	`131`	`iferr!=nil {`
`120`	`132`	`returnnil,err`
`121`	`133`	`}`
`122`		`-randomSigner,err:=gossh.NewSignerFromKey(randomHostKey)`
	`134`	`+coderSigner,err:=gossh.NewSignerFromKey(coderHostKey)`
`123`	`135`	`iferr!=nil {`
`124`	`136`	`returnnil,err`
`125`	`137`	`}`
`126`		`-ifconfig==nil {`
`127`		`-config=&Config{}`
`128`		`-}`
`129`	`138`	`ifconfig.X11DisplayOffset==nil {`
`130`	`139`	`offset:=X11DefaultDisplayOffset`
`131`	`140`	`config.X11DisplayOffset=&offset`
`@@ -190,7 +199,7 @@ func NewServer(ctx context.Context, logger slog.Logger, prometheusRegistry *prom`
`190`	`199`	`slog.Error(err))`
`191`	`200`	`},`
`192`	`201`	`Handler:s.sessionHandler,`
`193`		`-HostSigners: []ssh.Signer{randomSigner},`
	`202`	`+HostSigners: []ssh.Signer{coderSigner},`
`194`	`203`	`LocalPortForwardingCallback:func(ctx ssh.Context,destinationHoststring,destinationPortuint32)bool {`
`195`	`204`	`// Allow local port forwarding all!`
`196`	`205`	`s.logger.Debug(ctx,"local port forward",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd74cb78

File tree

2 files changed

2 files changed

`‎agent/agent.go‎`

`‎agent/agentssh/agentssh.go‎`

0 commit comments