diff --git a/cli/internal/cmd/ssh.go b/cli/internal/cmd/ssh.go
index 0be07c21f..5768695b8 100644
--- a/cli/internal/cmd/ssh.go
+++ b/cli/internal/cmd/ssh.go
@@ -10,7 +10,6 @@ import (
 	"crypto/ed25519"
 	"crypto/rand"
 	"fmt"
-	"os"
 	"time"
 
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -28,8 +27,8 @@ import (
 func NewSSHCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use: "ssh",
-		Short: "Prepare your cluster for emergency ssh access",
-		Long: "Prepare your cluster for emergency ssh access and sign a given key pair for authorization.",
+		Short: "Generate a certificate for emergency ssh access",
+		Long: "Generate a certificate for emergency ssh access to your ssh enabled constellation cluster.",
 		Args: cobra.ExactArgs(0),
 		RunE: runSSH,
 	}
@@ -54,18 +53,10 @@ func runSSH(cmd *cobra.Command, _ []string) error {
 }
 
 func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler, debugLogger debugLog) error {
-	_, err := fh.Stat(constants.TerraformWorkingDir)
-	if os.IsNotExist(err) {
-		return fmt.Errorf("directory %q does not exist", constants.TerraformWorkingDir)
-	}
-	if err != nil {
-		return err
-	}
-
 	// NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly.
 	var mastersecret uri.MasterSecret
-	if err = fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
-		return fmt.Errorf("reading master secret: %s", err)
+	if err := fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
+		return fmt.Errorf("reading master secret (does %q exist?): %s", constants.MasterSecretFilename, err)
 	}
 
 	mastersecretURI := uri.MasterSecret{Key: mastersecret.Key, Salt: mastersecret.Salt}
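Review bot: The new ReadJSON error in writeCertificateForKey formats the cause with `%s`, so the underlying error is flattened to text and callers can no longer match it with errors.Is/errors.As — and the removed os.IsNotExist branch was the only typed check in this path, with nothing replacing it. The "(does %q exist?)" hint is also appended for every failure, including a permission error or malformed JSON, where it points the operator in the wrong direction. At minimum wrap the cause: `return fmt.Errorf("reading master secret (does %q exist?): %w", constants.MasterSecretFilename, err)`. If the hint is meant only for a missing file, gating it on errors.Is(err, fs.ErrNotExist) would need io/fs (or the os import this commit drops); whether file.Handler surfaces that error type is not visible here. The function body continues past the end of the hunk.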
@@ -113,10 +104,10 @@ func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler,
 	}
 	debugLogger.Debug("Signed certificate", "certificate", string(ssh.MarshalAuthorizedKey(&certificate)))
-	if err := fh.Write(fmt.Sprintf("%s/ca_cert.pub", constants.TerraformWorkingDir), ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil {
+	if err := fh.Write("constellation_cert.pub", ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil {
 		return fmt.Errorf("writing certificate: %s", err)
 	}
-	cmd.Printf("You can now connect to a node using 'ssh -F %s/ssh_config -i ' in your constellation workspace.\nYou can obtain the private node IP via the web UI of your CSP.\n", constants.TerraformWorkingDir)
+	cmd.Printf("You can now connect to a node using the \"constellation_cert.pub\" certificate.\nLook at the documentation for a how to guide:\n\n\thttps://https://docs.edgeless.systems/constellation/workflows/troubleshooting#emergency-ssh-access\n")
 	return nil
 }
diff --git a/cli/internal/cmd/ssh_test.go b/cli/internal/cmd/ssh_test.go
index 7f5fe566d..1150b1105 100644
--- a/cli/internal/cmd/ssh_test.go
+++ b/cli/internal/cmd/ssh_test.go
@@ -8,7 +8,6 @@ package cmd
 import (
 	"bytes"
-	"fmt"
 	"testing"
 
 	"github.com/edgelesssys/constellation/v2/internal/constants"
@@ -29,18 +28,6 @@ func TestSSH(t *testing.T) {
 		"salt": "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAK"
 	}
 	`
-
-	newFsWithDirectory := func() file.Handler {
-		require := require.New(t)
-		fh := file.NewHandler(afero.NewMemMapFs())
-		require.NoError(fh.MkdirAll(constants.TerraformWorkingDir))
-		return fh
-	}
-	newFsNoDirectory := func() file.Handler {
-		fh := file.NewHandler(afero.NewMemMapFs())
-		return fh
-	}
-
 	testCases := map[string]struct {
 		fh file.Handler
 		pubKey string
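Review bot: The documentation link in the new cmd.Printf carries a doubled scheme, `https://https://docs.edgeless.systems/...`, so the URL shown to the user does not resolve; the line should end `...guide:\n\n\thttps://docs.edgeless.systems/constellation/workflows/troubleshooting#emergency-ssh-access\n")`. The output name "constellation_cert.pub" is also a bare literal three times — the fh.Write call, the Printf text, and the tc.fh.Read call in the last ssh_test.go hunk — and a `const sshCertFilename = "constellation_cert.pub"` in the cmd package would keep them from drifting. Since fh.Write uses file.OptOverwrite on a fixed relative name, the command now silently replaces any existing constellation_cert.pub in the handler's working directory instead of a file under the Terraform working dir; if that is intended, a one-line comment on the Write line stating it would save the next reader the question.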
@@ -48,38 +35,32 @@ func TestSSH(t *testing.T) {
 		wantErr bool
 	}{
 		"everything exists": {
-			fh: newFsWithDirectory(),
+			fh: file.NewHandler(afero.NewMemMapFs()),
 			pubKey: someSSHPubKey,
 			masterSecret: someMasterSecret,
 		},
 		"no public key": {
-			fh: newFsWithDirectory(),
+			fh: file.NewHandler(afero.NewMemMapFs()),
 			masterSecret: someMasterSecret,
 			wantErr: true,
 		},
 		"no master secret": {
-			fh: newFsWithDirectory(),
+			fh: file.NewHandler(afero.NewMemMapFs()),
 			pubKey: someSSHPubKey,
 			wantErr: true,
 		},
 		"malformed public key": {
-			fh: newFsWithDirectory(),
+			fh: file.NewHandler(afero.NewMemMapFs()),
 			pubKey: "asdf",
 			masterSecret: someMasterSecret,
 			wantErr: true,
 		},
 		"malformed master secret": {
-			fh: newFsWithDirectory(),
+			fh: file.NewHandler(afero.NewMemMapFs()),
 			masterSecret: "asdf",
 			pubKey: someSSHPubKey,
 			wantErr: true,
 		},
-		"directory does not exist": {
-			fh: newFsNoDirectory(),
-			pubKey: someSSHPubKey,
-			masterSecret: someMasterSecret,
-			wantErr: true,
-		},
 	}
 	for name, tc := range testCases {
@@ -104,7 +85,7 @@ func TestSSH(t *testing.T) {
 			assert.Error(err)
 		} else {
 			assert.NoError(err)
-			cert, err := tc.fh.Read(fmt.Sprintf("%s/ca_cert.pub", constants.TerraformWorkingDir))
+			cert, err := tc.fh.Read("constellation_cert.pub")
 			require.NoError(err)
 			_, _, _, _, err = ssh.ParseAuthorizedKey(cert)
 			require.NoError(err)
diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf
index 683f5a85d..d066d3f33 100644
--- a/terraform/infrastructure/azure/main.tf
+++ b/terraform/infrastructure/azure/main.tf
@@ -296,19 +296,3 @@ data "azurerm_user_assigned_identity" "uaid" {
   name = local.uai_name
   resource_group_name = local.uai_resource_group
 }
-
-# emergency ssh configuration files
-resource "local_file" "ssh_config" {
-  filename = "./ssh_config"
-  file_permission = "0600"
-  content = <