Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: Improve experience with local SSH keys#3835

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
mafredri merged 7 commits intomainfrommafredri/bring-your-own-ssh-keys
Sep 12, 2022
Merged
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
125 changes: 121 additions & 4 deletionscli/gitssh.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,15 @@
package cli

import (
"bufio"
"bytes"
"context"
"fmt"
"io"
"os"
"os/exec"
"os/signal"
"path/filepath"
"strings"

"github.com/spf13/cobra"
Expand All@@ -13,16 +19,30 @@ import (
)

func gitssh() *cobra.Command {
return &cobra.Command{
cmd := &cobra.Command{
Use: "gitssh",
Hidden: true,
Short: `Wraps the "ssh" command and uses the coder gitssh key for authentication`,
RunE: func(cmd *cobra.Command, args []string) error {
ctx := cmd.Context()
env := os.Environ()

// Catch interrupt signals to ensure the temporary private
// key file is cleaned up on most cases.
ctx, stop := signal.NotifyContext(ctx, interruptSignals...)
defer stop()

// Early check so errors are reported immediately.
identityFiles, err := parseIdentityFilesForHost(ctx, args, env)
if err != nil {
return err
}

client, err := createAgentClient(cmd)
if err != nil {
return xerrors.Errorf("create agent client: %w", err)
}
key, err := client.AgentGitSSHKey(cmd.Context())
key, err := client.AgentGitSSHKey(ctx)
if err != nil {
return xerrors.Errorf("get agent git ssh token: %w", err)
}
Expand All@@ -44,8 +64,23 @@ func gitssh() *cobra.Command {
return xerrors.Errorf("close temp gitsshkey file: %w", err)
}

args = append([]string{"-i", privateKeyFile.Name()}, args...)
c := exec.CommandContext(cmd.Context(), "ssh", args...)
// Append our key, giving precedence to user keys. Note that
// OpenSSH server are typically configured with MaxAuthTries
// set to the default value of 6. This means that only the 6
// first keys can be tried. However, we will assume that if
// a user has configured 6+ keys for a host, they know what
// they're doing. This behavior is critical if a server has
// been configured with MaxAuthTries set to 1.
identityFiles = append(identityFiles, privateKeyFile.Name())

var identityArgs []string
for _, id := range identityFiles {
identityArgs = append(identityArgs, "-i", id)
}

args = append(identityArgs, args...)
c := exec.CommandContext(ctx, "ssh", args...)
c.Env = append(c.Env, env...)
c.Stderr = cmd.ErrOrStderr()
c.Stdout = cmd.OutOrStdout()
c.Stdin = cmd.InOrStdin()
Expand All@@ -69,4 +104,86 @@ func gitssh() *cobra.Command {
return nil
},
}

return cmd
}

// fallbackIdentityFiles is the list of identity files SSH tries when
// none have been defined for a host.
var fallbackIdentityFiles = strings.Join([]string{
"identityfile ~/.ssh/id_rsa",
"identityfile ~/.ssh/id_dsa",
"identityfile ~/.ssh/id_ecdsa",
"identityfile ~/.ssh/id_ecdsa_sk",
"identityfile ~/.ssh/id_ed25519",
"identityfile ~/.ssh/id_ed25519_sk",
"identityfile ~/.ssh/id_xmss",
}, "\n")

// parseIdentityFilesForHost uses ssh -G to discern what SSH keys have
// been enabled for the host (via the users SSH config) and returns a
// list of existing identity files.
//
// We do this because when no keys are defined for a host, SSH uses
// fallback keys (see above). However, by passing `-i` to attach our
// private key, we're effectively disabling the fallback keys.
//
// Example invocation:
//
//ssh -G -o SendEnv=GIT_PROTOCOL git@github.com git-upload-pack 'coder/coder'
//
// The extra arguments work without issue and lets us run the command
// as-is without stripping out the excess (git-upload-pack 'coder/coder').
func parseIdentityFilesForHost(ctx context.Context, args, env []string) (identityFiles []string, error error) {
home, err := os.UserHomeDir()
if err != nil {
return nil, xerrors.Errorf("get user home dir failed: %w", err)
}

var outBuf bytes.Buffer
var r io.Reader = &outBuf

args = append([]string{"-G"}, args...)
cmd := exec.CommandContext(ctx, "ssh", args...)
cmd.Env = append(cmd.Env, env...)
cmd.Stdout = &outBuf
cmd.Stderr = io.Discard
err = cmd.Run()
if err != nil {
// If ssh -G failed, the SSH version is likely too old, fallback
// to using the default identity files.
r = strings.NewReader(fallbackIdentityFiles)
}

s := bufio.NewScanner(r)
for s.Scan() {
line := s.Text()
if strings.HasPrefix(line, "identityfile ") {
id := strings.TrimPrefix(line, "identityfile ")
if strings.HasPrefix(id, "~/") {
id = home + id[1:]
}
// OpenSSH on Windows is weird, it supports using (and does
// use) mixed \ and / in paths.
//
// Example: C:\Users\ZeroCool/.ssh/known_hosts
//
// To check the file existence in Go, though, we want to use
// proper Windows paths.
// OpenSSH is amazing, this will work on Windows too:
// C:\Users\ZeroCool/.ssh/id_rsa
id = filepath.FromSlash(id)

// Only include the identity file if it exists.
if _, err := os.Stat(id); err == nil {
identityFiles = append(identityFiles, id)
}
}
}
if err := s.Err(); err != nil {
// This should never happen, the check is for completeness.
return nil, xerrors.Errorf("scan ssh output: %w", err)
}

return identityFiles, nil
}
Loading
[8]ページ先頭
©2009-2025 Movatter.jp