pygmystack / pygmy

the pygmy stack is a container stack for local development
MIT License

Add protected SSH key support #498

Closed rocketeerbkw closed 6 months ago

rocketeerbkw commented 9 months ago

An issue for this change is required
Description

This PR changes the functionality of the add key process to use an interactive shell so that the password prompt can be passed to the host/user to be entered manually.

I did some initial testing and research to try and use the existing --passphrase cli flag but couldn't find a secure way to either inject the passphrase or the decrypted key into the ssh-agent container. This PR removes the passphrase flag altogether in favor of forwarding the ssh-agent password prompt to the user.

I tested this and it works on Linux (intel, Ubuntu 23.04), macOS (intel, Ventura), and Windows (intel, 11, WSL2+Docker Desktop). On Windows using PowerShell/cmd.exe, the password is not hidden as you type, but at least it will not be saved in shell history. I also found an error with ssh key permissions on Windows and included a fix for that.

Example usage where I enter an incorrect password the first time, but the correct password the second time:

➜  pygmy git:(ssh-private-key) go run . status
[*] amazeeio-mailhog: Running as container amazeeio-mailhog
[*] amazeeio-haproxy: Running as container amazeeio-haproxy
[*] amazeeio-dnsmasq: Running as container amazeeio-dnsmasq
[*] amazeeio-ssh-agent: Running as container amazeeio-ssh-agent
[*] Resolv Linux Resolver is properly connected
The agent has no identities.
 - http://docker.amazee.io/stats (amazeeio-haproxy)
 - http://mailhog.docker.amazee.io (amazeeio-mailhog)

➜  pygmy git:(ssh-private-key) go run . addkey --key ~/.ssh/pygmy-protected
Validation success for protected SSH key /home/brandon/.ssh/pygmy-protected
Enter passphrase for /home/brandon/.ssh/pygmy-protected: 
Bad passphrase, try again for /home/brandon/.ssh/pygmy-protected: 
Identity added: /home/brandon/.ssh/pygmy-protected (pygmy-protected)

➜  pygmy git:(ssh-private-key) go run . status
[*] amazeeio-mailhog: Running as container amazeeio-mailhog
[*] amazeeio-haproxy: Running as container amazeeio-haproxy
[*] amazeeio-dnsmasq: Running as container amazeeio-dnsmasq
[*] amazeeio-ssh-agent: Running as container amazeeio-ssh-agent
[*] Resolv Linux Resolver is properly connected
Q256 SHA256:tOuDj9Bqw6NsAZxxUfINhHD7ztoytOwNftGDepjNudA pygmy-protected (ED25519)
 - http://docker.amazee.io/stats (amazeeio-haproxy)
 - http://mailhog.docker.amazee.io (amazeeio-mailhog)

➜  pygmy git:(ssh-private-key) docker exec -it amazeeio-ssh-agent ssh-add -l
256 SHA256:tOuDj9Bqw6NsAZxxUfINhHD7ztoytOwNftGDepjNudA pygmy-protected (ED25519)

Resolves

This PR resolves issue #333

Non-standard tests for this change

If any non-standard testing is expected, please describe it here.
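As an added example (not pygmy's own code; the function names and the assumption that the key file is already visible inside the agent container are mine), here are the two halves of the approach described above in Go, using only the standard library: a check that a key really is passphrase-protected before the agent is asked to load it, and an ssh-add invocation that attaches the user's terminal so the passphrase is typed at the prompt rather than carried in a `--passphrase` flag. The check also covers legacy PEM keys, not only the OpenSSH format the session above uses.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"fmt"
	"os"
	"os/exec"
)

// openssh-key-v1 blobs start with this magic, then the cipher name as a
// length-prefixed string; cipher "none" means the key is stored in clear.
var openSSHMagic = []byte("openssh-key-v1\x00")

// IsPassphraseProtected reports whether a PEM private key is encrypted
// (OpenSSH format, or legacy PEM with a "Proc-Type: 4,ENCRYPTED" header).
func IsPassphraseProtected(keyPEM []byte) (bool, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return false, fmt.Errorf("not a PEM-encoded private key")
	}
	if block.Type != "OPENSSH PRIVATE KEY" {
		return block.Headers["Proc-Type"] == "4,ENCRYPTED", nil
	}
	rest := bytes.TrimPrefix(block.Bytes, openSSHMagic)
	if len(rest) == len(block.Bytes) || len(rest) < 4 {
		return false, fmt.Errorf("malformed openssh-key-v1 blob")
	}
	n := binary.BigEndian.Uint32(rest)
	if uint64(n) > uint64(len(rest)-4) {
		return false, fmt.Errorf("truncated cipher name")
	}
	return string(rest[4:4+n]) != "none", nil
}

// AddKey loads a key that is already visible inside the agent container
// (an assumption of this example) with the caller's terminal attached (-i -t).
// No passphrase travels in argv: ssh-add prompts on the TTY, so the secret
// never appears in `ps` output or shell history.
func AddKey(container, keyPathInContainer string) error {
	cmd := exec.Command("docker", "exec", "-i", "-t", container, "ssh-add", keyPathInContainer)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd.Run()
}

// ConstructedOpenSSHKey builds a minimal, non-functional openssh-key-v1 PEM
// naming the given cipher (shorter than 256 bytes): constructed test input.
func ConstructedOpenSSHKey(cipher string) []byte {
	body := append(append([]byte{}, openSSHMagic...), 0, 0, 0, byte(len(cipher)))
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: append(body, cipher...)})
}
```

Calling `AddKey("amazeeio-ssh-agent", "/path/inside/container")` only after `IsPassphraseProtected` returns true reproduces the "Validation success for protected SSH key" step followed by the forwarded prompt.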

fubarhouse commented 6 months ago

This one is testing well.

Unfortunately there's something triggering \ufffd to appear on the status output that can't be filtered out.

Otherwise looks good, and I'll merge it - all other testing is still passing.

https://github.com/golang/go/issues/48749

We should look to improve testing on this one in the future though.

By the way, thank you for the work on this.