Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
// Copyright 2023-2024, Command Line Inc.
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package remote
|
|
|
|
|
|
|
|
import (
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
"bytes"
|
|
|
|
"context"
|
|
|
|
"crypto/x509"
|
|
|
|
"encoding/base64"
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
"fmt"
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
"log"
|
|
|
|
"net"
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
"os"
|
|
|
|
"os/user"
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
"path/filepath"
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
"strconv"
|
|
|
|
"strings"
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
"sync"
|
|
|
|
"time"
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
|
|
|
|
"github.com/kevinburke/ssh_config"
|
|
|
|
"github.com/wavetermdev/waveterm/waveshell/pkg/base"
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
"github.com/wavetermdev/waveterm/wavesrv/pkg/scpacket"
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
"github.com/wavetermdev/waveterm/wavesrv/pkg/sstore"
|
|
|
|
"golang.org/x/crypto/ssh"
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
"golang.org/x/crypto/ssh/knownhosts"
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
)
|
|
|
|
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
type UserInputCancelError struct {
|
|
|
|
Err error
|
|
|
|
}
|
|
|
|
|
|
|
|
func (uice UserInputCancelError) Error() string {
|
|
|
|
return uice.Err.Error()
|
|
|
|
}
|
|
|
|
|
|
|
|
func createPublicKeyAuth(identityFile string, passphrase string) (ssh.Signer, error) {
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
privateKey, err := os.ReadFile(base.ExpandHomeDir(identityFile))
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to read ssh key file. err: %+v", err)
|
|
|
|
}
|
|
|
|
signer, err := ssh.ParsePrivateKey(privateKey)
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
if err == nil {
|
|
|
|
return signer, err
|
|
|
|
}
|
|
|
|
if _, ok := err.(*ssh.PassphraseMissingError); !ok {
|
|
|
|
return nil, fmt.Errorf("failed to parse private ssh key. err: %+v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
signer, err = ssh.ParsePrivateKeyWithPassphrase(privateKey, []byte(passphrase))
|
|
|
|
if err == nil {
|
|
|
|
return signer, err
|
|
|
|
}
|
|
|
|
if err != x509.IncorrectPasswordError && err.Error() != "bcrypt_pbkdf: empty password" {
|
|
|
|
log.Printf("qwerty: %+v", err)
|
|
|
|
return nil, fmt.Errorf("failed to parse private ssh key. err: %+v", err)
|
|
|
|
}
|
|
|
|
request := &sstore.UserInputRequestType{
|
|
|
|
ResponseType: "text",
|
|
|
|
QueryText: fmt.Sprintf("Enter passphrase for the SSH key: %s", identityFile),
|
|
|
|
Title: "Publickey Auth + Passphrase",
|
|
|
|
}
|
|
|
|
ctx, cancelFn := context.WithTimeout(context.Background(), 15*time.Second)
|
|
|
|
defer cancelFn()
|
|
|
|
response, err := sstore.MainBus.GetUserInput(ctx, request)
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
if err != nil {
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
return nil, UserInputCancelError{Err: err}
|
|
|
|
}
|
|
|
|
return ssh.ParsePrivateKeyWithPassphrase(privateKey, []byte(response.Text))
|
|
|
|
}
|
|
|
|
|
|
|
|
func createDefaultPasswordCallbackPrompt(password string) func() (secret string, err error) {
|
|
|
|
return func() (secret string, err error) {
|
|
|
|
// this should be modified to return an error if no password is stored
|
|
|
|
// but an empty password is not sufficient because some systems allow
|
|
|
|
// empty passwords
|
|
|
|
return password, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func createInteractivePasswordCallbackPrompt() func() (secret string, err error) {
|
|
|
|
return func() (secret string, err error) {
|
|
|
|
// limited to 15 seconds for some reason. this should be investigated more
|
|
|
|
// in the future
|
|
|
|
ctx, cancelFn := context.WithTimeout(context.Background(), 15*time.Second)
|
|
|
|
defer cancelFn()
|
|
|
|
request := &sstore.UserInputRequestType{
|
|
|
|
ResponseType: "text",
|
|
|
|
QueryText: "Password:",
|
|
|
|
Title: "Password Authentication",
|
|
|
|
}
|
|
|
|
response, err := sstore.MainBus.GetUserInput(ctx, request)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return response.Text, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func createCombinedPasswordCallbackPrompt(password string) func() (secret string, err error) {
|
|
|
|
var once sync.Once
|
|
|
|
return func() (secret string, err error) {
|
|
|
|
var prompt func() (secret string, err error)
|
|
|
|
once.Do(func() { prompt = createDefaultPasswordCallbackPrompt(password) })
|
|
|
|
if prompt == nil {
|
|
|
|
prompt = createInteractivePasswordCallbackPrompt()
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
}
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
return prompt()
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
func createNaiveKbdInteractiveChallenge(password string) func(name, instruction string, questions []string, echos []bool) (answers []string, err error) {
|
|
|
|
return func(name, instruction string, questions []string, echos []bool) (answers []string, err error) {
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
for _, q := range questions {
|
|
|
|
if strings.Contains(strings.ToLower(q), "password") {
|
|
|
|
answers = append(answers, password)
|
|
|
|
} else {
|
|
|
|
answers = append(answers, "")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return answers, nil
|
|
|
|
}
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func createInteractiveKbdInteractiveChallenge() func(name, instruction string, questions []string, echos []bool) (answers []string, err error) {
|
|
|
|
return func(name, instruction string, questions []string, echos []bool) (answers []string, err error) {
|
|
|
|
if len(questions) != len(echos) {
|
|
|
|
return nil, fmt.Errorf("bad response from server: questions has len %d, echos has len %d", len(questions), len(echos))
|
|
|
|
}
|
|
|
|
for i, question := range questions {
|
|
|
|
echo := echos[i]
|
|
|
|
answer, err := promptChallengeQuestion(question, echo)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
answers = append(answers, answer)
|
|
|
|
}
|
|
|
|
return answers, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func promptChallengeQuestion(question string, echo bool) (answer string, err error) {
|
|
|
|
// limited to 15 seconds for some reason. this should be investigated more
|
|
|
|
// in the future
|
|
|
|
ctx, cancelFn := context.WithTimeout(context.Background(), 15*time.Second)
|
|
|
|
defer cancelFn()
|
|
|
|
request := &sstore.UserInputRequestType{
|
|
|
|
ResponseType: "text",
|
|
|
|
QueryText: question,
|
|
|
|
Title: "Keyboard Interactive Authentication",
|
|
|
|
}
|
|
|
|
response, err := sstore.MainBus.GetUserInput(ctx, request)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return response.Text, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func createCombinedKbdInteractiveChallenge(password string) ssh.KeyboardInteractiveChallenge {
|
|
|
|
var once sync.Once
|
|
|
|
return func(name, instruction string, questions []string, echos []bool) (answers []string, err error) {
|
|
|
|
var challenge ssh.KeyboardInteractiveChallenge
|
|
|
|
once.Do(func() { challenge = createNaiveKbdInteractiveChallenge(password) })
|
|
|
|
if challenge == nil {
|
|
|
|
challenge = createInteractiveKbdInteractiveChallenge()
|
|
|
|
}
|
|
|
|
return challenge(name, instruction, questions, echos)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func openKnownHostsForEdit(knownHostsFilename string) (*os.File, error) {
|
|
|
|
path, _ := filepath.Split(knownHostsFilename)
|
|
|
|
err := os.MkdirAll(path, 0700)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return os.OpenFile(knownHostsFilename, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0644)
|
|
|
|
}
|
|
|
|
|
|
|
|
func writeToKnownHosts(knownHostsFile string, newLine string, getUserVerification func() (*scpacket.UserInputResponsePacketType, error)) error {
|
|
|
|
if getUserVerification == nil {
|
|
|
|
getUserVerification = func() (*scpacket.UserInputResponsePacketType, error) {
|
|
|
|
return &scpacket.UserInputResponsePacketType{
|
|
|
|
Type: "confirm",
|
|
|
|
Confirm: true,
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
path, _ := filepath.Split(knownHostsFile)
|
|
|
|
err := os.MkdirAll(path, 0700)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
f, err := os.OpenFile(knownHostsFile, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0644)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
// do not close writeable files with defer
|
|
|
|
|
|
|
|
// this file works, so let's ask the user for permission
|
|
|
|
response, err := getUserVerification()
|
|
|
|
if err != nil {
|
|
|
|
f.Close()
|
|
|
|
return UserInputCancelError{Err: err}
|
|
|
|
}
|
|
|
|
if !response.Confirm {
|
|
|
|
f.Close()
|
|
|
|
return UserInputCancelError{Err: fmt.Errorf("Canceled by the user")}
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = f.WriteString(newLine)
|
|
|
|
return f.Close()
|
|
|
|
}
|
|
|
|
|
|
|
|
func createUnknownKeyVerifier(knownHostsFile string, hostname string, remote string, key ssh.PublicKey) func() (*scpacket.UserInputResponsePacketType, error) {
|
|
|
|
base64Key := base64.StdEncoding.EncodeToString(key.Marshal())
|
|
|
|
queryText := fmt.Sprintf(
|
|
|
|
"The authenticity of host '%s (%s)' can't be established "+
|
|
|
|
"as it **does not exist in any checked known_hosts files**. "+
|
|
|
|
"The host you are attempting to connect to provides this %s key: \n"+
|
|
|
|
"%s.\n\n"+
|
|
|
|
"**Would you like to continue connecting?** If so, the key will be permanently "+
|
|
|
|
"added to the file %s "+
|
|
|
|
"to protect from future man-in-the-middle attacks.", hostname, remote, key.Type(), base64Key, knownHostsFile)
|
|
|
|
request := &sstore.UserInputRequestType{
|
|
|
|
ResponseType: "confirm",
|
|
|
|
QueryText: queryText,
|
|
|
|
Markdown: true,
|
|
|
|
Title: "Known Hosts Key Missing",
|
|
|
|
}
|
|
|
|
return func() (*scpacket.UserInputResponsePacketType, error) {
|
|
|
|
ctx, cancelFn := context.WithTimeout(context.Background(), 60*time.Second)
|
|
|
|
defer cancelFn()
|
|
|
|
return sstore.MainBus.GetUserInput(ctx, request)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func createMissingKnownHostsVerifier(knownHostsFile string, hostname string, remote string, key ssh.PublicKey) func() (*scpacket.UserInputResponsePacketType, error) {
|
|
|
|
base64Key := base64.StdEncoding.EncodeToString(key.Marshal())
|
|
|
|
queryText := fmt.Sprintf(
|
|
|
|
"The authenticity of host '%s (%s)' can't be established "+
|
|
|
|
"as **no known_hosts files could be found**. "+
|
|
|
|
"The host you are attempting to connect to provides this %s key: \n"+
|
|
|
|
"%s.\n\n"+
|
|
|
|
"**Would you like to continue connecting?** If so: \n"+
|
|
|
|
"- %s will be created \n"+
|
|
|
|
"- the key will be added to %s\n\n"+
|
|
|
|
"This will protect from future man-in-the-middle attacks.", hostname, remote, key.Type(), base64Key, knownHostsFile, knownHostsFile)
|
|
|
|
request := &sstore.UserInputRequestType{
|
|
|
|
ResponseType: "confirm",
|
|
|
|
QueryText: queryText,
|
|
|
|
Markdown: true,
|
|
|
|
Title: "Known Hosts File Missing",
|
|
|
|
}
|
|
|
|
return func() (*scpacket.UserInputResponsePacketType, error) {
|
|
|
|
ctx, cancelFn := context.WithTimeout(context.Background(), 60*time.Second)
|
|
|
|
defer cancelFn()
|
|
|
|
return sstore.MainBus.GetUserInput(ctx, request)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func lineContainsMatch(line []byte, matches [][]byte) bool {
|
|
|
|
for _, match := range matches {
|
|
|
|
if bytes.Contains(line, match) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func createHostKeyCallback(opts *sstore.SSHOpts) (ssh.HostKeyCallback, error) {
|
|
|
|
rawUserKnownHostsFiles, _ := ssh_config.GetStrict(opts.SSHHost, "UserKnownHostsFile")
|
|
|
|
userKnownHostsFiles := strings.Fields(rawUserKnownHostsFiles) // TODO - smarter splitting escaped spaces and quotes
|
|
|
|
rawGlobalKnownHostsFiles, _ := ssh_config.GetStrict(opts.SSHHost, "GlobalKnownHostsFile")
|
|
|
|
globalKnownHostsFiles := strings.Fields(rawGlobalKnownHostsFiles) // TODO - smarter splitting escaped spaces and quotes
|
|
|
|
unexpandedKnownHostsFiles := append(userKnownHostsFiles, globalKnownHostsFiles...)
|
|
|
|
var knownHostsFiles []string
|
|
|
|
for _, filename := range unexpandedKnownHostsFiles {
|
|
|
|
knownHostsFiles = append(knownHostsFiles, base.ExpandHomeDir(filename))
|
|
|
|
}
|
|
|
|
|
|
|
|
// there are no good known hosts files
|
|
|
|
if len(knownHostsFiles) == 0 {
|
|
|
|
return nil, fmt.Errorf("no known_hosts files provided by ssh. defaults are overridden")
|
|
|
|
}
|
|
|
|
|
|
|
|
var unreadableFiles []string
|
|
|
|
|
|
|
|
// the library we use isn't very forgiving about files that are formatted
|
|
|
|
// incorrectly. if a problem file is found, it is removed from our list
|
|
|
|
// and we try again
|
|
|
|
var basicCallback ssh.HostKeyCallback
|
|
|
|
for basicCallback == nil && len(knownHostsFiles) > 0 {
|
|
|
|
var err error
|
|
|
|
basicCallback, err = knownhosts.New(knownHostsFiles...)
|
|
|
|
if serr, ok := err.(*os.PathError); ok {
|
|
|
|
badFile := serr.Path
|
|
|
|
unreadableFiles = append(unreadableFiles, badFile)
|
|
|
|
var okFiles []string
|
|
|
|
for _, filename := range knownHostsFiles {
|
|
|
|
if filename != badFile {
|
|
|
|
okFiles = append(okFiles, filename)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(okFiles) >= len(knownHostsFiles) {
|
|
|
|
return nil, fmt.Errorf("problem file (%s) doesn't exist. this should not be possible", badFile)
|
|
|
|
}
|
|
|
|
knownHostsFiles = okFiles
|
|
|
|
} else if err != nil {
|
|
|
|
// TODO handle obscure problems if possible
|
|
|
|
return nil, fmt.Errorf("known_hosts formatting error: %+v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
waveHostKeyCallback := func(hostname string, remote net.Addr, key ssh.PublicKey) error {
|
|
|
|
err := basicCallback(hostname, remote, key)
|
|
|
|
if err == nil {
|
|
|
|
// success
|
|
|
|
return nil
|
|
|
|
} else if _, ok := err.(*knownhosts.RevokedError); ok {
|
|
|
|
// revoked credentials are refused outright
|
|
|
|
return err
|
|
|
|
} else if _, ok := err.(*knownhosts.KeyError); !ok {
|
|
|
|
// this is an unknown error (note the !ok is opposite of usual)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
serr, _ := err.(*knownhosts.KeyError)
|
|
|
|
if len(serr.Want) == 0 {
|
|
|
|
// the key was not found
|
|
|
|
|
|
|
|
// try to write to a file that could be parsed
|
|
|
|
var err error
|
|
|
|
for _, filename := range knownHostsFiles {
|
|
|
|
newLine := knownhosts.Line([]string{knownhosts.Normalize(hostname)}, key)
|
|
|
|
getUserVerification := createUnknownKeyVerifier(filename, hostname, remote.String(), key)
|
|
|
|
err = writeToKnownHosts(filename, newLine, getUserVerification)
|
|
|
|
if err == nil {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
if serr, ok := err.(UserInputCancelError); ok {
|
|
|
|
return serr
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// try to write to a file that could not be read (file likely doesn't exist)
|
|
|
|
// should catch cases where there is no known_hosts file
|
|
|
|
if err != nil {
|
|
|
|
for _, filename := range unreadableFiles {
|
|
|
|
newLine := knownhosts.Line([]string{knownhosts.Normalize(hostname)}, key)
|
|
|
|
getUserVerification := createMissingKnownHostsVerifier(filename, hostname, remote.String(), key)
|
|
|
|
err = writeToKnownHosts(filename, newLine, getUserVerification)
|
|
|
|
if err == nil {
|
|
|
|
knownHostsFiles = []string{filename}
|
|
|
|
break
|
|
|
|
}
|
|
|
|
if serr, ok := err.(UserInputCancelError); ok {
|
|
|
|
return serr
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// the key changed
|
|
|
|
correctKeyFingerprint := base64.StdEncoding.EncodeToString(key.Marshal())
|
|
|
|
var bulletListKnownHosts []string
|
|
|
|
for _, knownHostName := range knownHostsFiles {
|
|
|
|
withBulletPoint := "- " + knownHostName
|
|
|
|
bulletListKnownHosts = append(bulletListKnownHosts, withBulletPoint)
|
|
|
|
}
|
|
|
|
var offendingKeysFmt []string
|
|
|
|
for _, badKey := range serr.Want {
|
|
|
|
formattedKey := "- " + base64.StdEncoding.EncodeToString(badKey.Key.Marshal())
|
|
|
|
offendingKeysFmt = append(offendingKeysFmt, formattedKey)
|
|
|
|
}
|
|
|
|
alertText := fmt.Sprintf("**WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!**\n\n"+
|
|
|
|
"If this is not expected, it is possible that someone could be trying to "+
|
|
|
|
"eavesdrop on you via a man-in-the-middle attack. "+
|
|
|
|
"Alternatively, the host you are connecting to may have changed its key. "+
|
|
|
|
"The %s key sent by the remote hist has the fingerprint: \n"+
|
|
|
|
"%s\n\n"+
|
|
|
|
"If you are sure this is correct, please update your known_hosts files to "+
|
|
|
|
"remove the lines with the offending before trying to connect again. \n"+
|
|
|
|
"**Known Hosts Files** \n"+
|
|
|
|
"%s\n\n"+
|
|
|
|
"**Offending Keys** \n"+
|
|
|
|
"%s", key.Type(), correctKeyFingerprint, strings.Join(bulletListKnownHosts, " \n"), strings.Join(offendingKeysFmt, " \n"))
|
2024-02-10 02:19:44 +01:00
|
|
|
update := &sstore.ModelUpdate{}
|
|
|
|
sstore.AddUpdate(update, sstore.AlertMessageType{
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
Markdown: true,
|
|
|
|
Title: "Known Hosts Key Changed",
|
|
|
|
Message: alertText,
|
2024-02-10 02:19:44 +01:00
|
|
|
})
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
sstore.MainBus.SendUpdate(update)
|
|
|
|
return fmt.Errorf("remote host identification has changed")
|
|
|
|
}
|
|
|
|
|
|
|
|
updatedCallback, err := knownhosts.New(knownHostsFiles...)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
// try one final time
|
|
|
|
return updatedCallback(hostname, remote, key)
|
|
|
|
}
|
|
|
|
|
|
|
|
return waveHostKeyCallback, nil
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func ConnectToClient(opts *sstore.SSHOpts) (*ssh.Client, error) {
|
|
|
|
ssh_config.ReloadConfigs()
|
|
|
|
configIdentity, _ := ssh_config.GetStrict(opts.SSHHost, "IdentityFile")
|
|
|
|
var identityFile string
|
|
|
|
if opts.SSHIdentity != "" {
|
|
|
|
identityFile = opts.SSHIdentity
|
|
|
|
} else {
|
|
|
|
identityFile = configIdentity
|
|
|
|
}
|
|
|
|
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
hostKeyCallback, err := createHostKeyCallback(opts)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
var authMethods []ssh.AuthMethod
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
publicKeySigner, err := createPublicKeyAuth(identityFile, opts.SSHPassword)
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
if err == nil {
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
authMethods = append(authMethods, ssh.PublicKeys(publicKeySigner))
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
}
|
Use ssh library: add user input (#281)
* feat: create backend for user input requests
This is the first part of a change that allows the backend to request
user input from the frontend. Essentially, the backend will send a
request for the user to answer some query, and the frontend will send
that answer back. It is blocking, so it needs to be used within a
goroutine.
There is some placeholder code in the frontend that will be updated in
future commits. Similarly, there is some debug code in the backend
remote.go file.
* feat: create frontend for user input requests
This is part of a change to allow the backend to request user input from
the frontend. This adds a component specifically for handling this
logic. It is only a starting point, and does not work perfectly yet.
* refactor: update user input backend/interface
This updates the user input backend to fix a few potential bugs. It also
refactors the user input request and response types to better handle
markdown and errors while making it more convenient to work with.
A couple frontend changes were made to keep everything compatible.
* fix: add props to user input request modal
There was a second place that the modals were created that I previously
missed. This fixes that second casel
* feat: complete user input modal
This rounds out the most immediate concerns for the new user input
modal. The frontend now includes a timer to show how much time is left
and will close itself once it reaches zero. Css
formatting has been cleaned up to be more reasonable.
There is still some test code present on the back end. This will be
removed once actuall examples of the new modal are in place.
* feat: create first pass known_hosts detection
Manually integrating with golang's ssh library means that the code must
authenticate known_hosts on its own. This is a first pass at creating a
system that parses the known hosts files and denys a connection if there
is a mismatch. This needs to be updated with a means to add keys to the
known-hosts file if the user requests it.
* feat: allow writing to known_hosts first pass
As a follow-up to the previous change, we now allow the user to respond
to interactive queries in order to determine if an unknown known hosts
key can be added to a known_hosts file if it is missing. This needs to
be refined further, but it gets the basic functionality there.
* feat: add user input for kbd-interactive auth
This adds a modal so the user can respond to prompts provided using the
keyboard interactive authentication method.
* feat: add interactive password authentication
This makes the ssh password authentication interactive with its own user
input modal. Unfortunately, this method does not allow trying a default
first. This will need to be expanded in the future to accomodate that.
* fix: allow automatic and interactive auth together
Previously, it was impossible to use to separate methods of the same
type to try ssh authentication. This made it impossible to make an auto
attempt before a manual one. This change restricts that by combining
them into one method where the auto attempt is tried once first and
cannot be tried again. Following that, interactive authentication can be
tried separately.
It also lowers the time limit on kbd interactive authentication to 15
seconds due to limitations on the library we are using.
* fix: set number of retries to one in ssh
Number of retries means number of attempts after the fact, not number of
total attempts. It has been adjusted from 2 to 1 to reflect this.
* refactor: change argument order in GetUserInput
This is a simple change to move the context to the first argument of
GetUserInput to match the convention used elsewhere in the code.
* fix: set number of retries to two again
I was wrong in my previous analysis. The number given is the total
number of tries. This is confusing when keyboard authentication and
password authentication are both available which usually doesn't happen.
* feat: create naive ui for ssh key passphrases
This isn't quite as reactive as the other methods, but it does attempt
to use publickey without a passphrase, then attempt to use the password
as the passphrase, and finally prompting the user for a passphrase. The
problem with this approach is that if multiple keys are used and they
all have passphrases, they need to all be checked up front. In practice,
this will not happen often, but it is something to be aware of.
* fix: add the userinput.tsx changes
These were missed in the previous commit. Adding them now.
2024-02-09 04:16:56 +01:00
|
|
|
authMethods = append(authMethods, ssh.RetryableAuthMethod(ssh.KeyboardInteractive(createCombinedKbdInteractiveChallenge(opts.SSHPassword)), 2))
|
|
|
|
authMethods = append(authMethods, ssh.RetryableAuthMethod(ssh.PasswordCallback(createCombinedPasswordCallbackPrompt(opts.SSHPassword)), 2))
|
Use ssh library for remote connections (#250)
* create proof of concept ssh library integration
This is a first attempt to integrate the golang crypto/ssh library for
handling remote connections. As it stands, this features is limited to
identity files without passphrases. It needs to be expanded to include
key+passphrase and password verifications as well.
* add password and keyboard-interactive ssh auth
This adds several new ssh auth methods. In addition to the PublicKey
method used previously, this adds password authentication,
keyboard-interactive authentication, and PublicKey+Passphrase
authentication.
Furthermore, it refactores the ssh connection code into its own wavesrv
file rather than storing int in waveshell's shexec file.
* clean up old mshell launch methods
In the debugging the addition of the ssh library, i had several versions
of the MShellProc Launch function. Since this seems mostly stable, I
have removed the old version and the experimental version in favor of
the combined version.
* allow switching between new and old ssh for dev
It is inconvenient to create milestones without being able to merge into
the main branch. But due to the experimental nature of the ssh changes,
it is not desired to use these changes in the main branch yet. This
change disables the new ssh launcher by default. It can be used by
changing the UseSshLibrary constant to true in remote.go. With this, it
becomes possible to merge these changes into the main branch without
them being used in production.
* fix: allow retry after ssh auth failure
Previously, the error status was not set when an ssh connection failed.
Because of this, an ssh connection failure would lock the failed remote
until waveterm was rebooted. This fix properly sets the error status so
this cannot happen.
2024-01-25 19:18:11 +01:00
|
|
|
|
|
|
|
configUser, _ := ssh_config.GetStrict(opts.SSHHost, "User")
|
|
|
|
configHostName, _ := ssh_config.GetStrict(opts.SSHHost, "HostName")
|
|
|
|
configPort, _ := ssh_config.GetStrict(opts.SSHHost, "Port")
|
|
|
|
var username string
|
|
|
|
if opts.SSHUser != "" {
|
|
|
|
username = opts.SSHUser
|
|
|
|
} else if configUser != "" {
|
|
|
|
username = configUser
|
|
|
|
} else {
|
|
|
|
user, err := user.Current()
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to get user for ssh: %+v", err)
|
|
|
|
}
|
|
|
|
username = user.Username
|
|
|
|
}
|
|
|
|
var hostName string
|
|
|
|
if configHostName != "" {
|
|
|
|
hostName = configHostName
|
|
|
|
} else {
|
|
|
|
hostName = opts.SSHHost
|
|
|
|
}
|
|
|
|
clientConfig := &ssh.ClientConfig{
|
|
|
|
User: username,
|
|
|
|
Auth: authMethods,
|
|
|
|
HostKeyCallback: hostKeyCallback,
|
|
|
|
}
|
|
|
|
var port string
|
|
|
|
if opts.SSHPort != 0 && opts.SSHPort != 22 {
|
|
|
|
port = strconv.Itoa(opts.SSHPort)
|
|
|
|
} else if configPort != "" && configPort != "22" {
|
|
|
|
port = configPort
|
|
|
|
} else {
|
|
|
|
port = "22"
|
|
|
|
}
|
|
|
|
networkAddr := hostName + ":" + port
|
|
|
|
return ssh.Dial("tcp", networkAddr, clientConfig)
|
|
|
|
}
|