/* Copyright (c) Edgeless Systems GmbH SPDX-License-Identifier: AGPL-3.0-only */ package cmd import ( "crypto/ed25519" "crypto/rand" "fmt" "os" "time" "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/crypto" "github.com/edgelesssys/constellation/v2/internal/file" "github.com/edgelesssys/constellation/v2/internal/kms/setup" "github.com/edgelesssys/constellation/v2/internal/kms/uri" "github.com/spf13/afero" "github.com/spf13/cobra" "golang.org/x/crypto/ssh" ) // NewSSHCmd returns a new cobra.Command for the ssh command. func NewSSHCmd() *cobra.Command { cmd := &cobra.Command{ Use: "ssh", Short: "Prepare your cluster for emergency ssh access", Long: "Prepare your cluster for emergency ssh access and sign a given key pair for authorization.", Args: cobra.ExactArgs(0), RunE: runSSH, } cmd.Flags().String("key", "", "the path to an existing ssh public key") must(cmd.MarkFlagRequired("key")) return cmd } func runSSH(cmd *cobra.Command, _ []string) error { fh := file.NewHandler(afero.NewOsFs()) debugLogger, err := newDebugFileLogger(cmd, fh) if err != nil { return err } keyPath, err := cmd.Flags().GetString("key") if err != nil { return fmt.Errorf("retrieving path to public key from flags: %s", err) } return writeCertificateForKey(cmd, keyPath, fh, debugLogger) } func writeCertificateForKey(cmd *cobra.Command, keyPath string, fh file.Handler, debugLogger debugLog) error { _, err := fh.Stat(constants.TerraformWorkingDir) if os.IsNotExist(err) { return fmt.Errorf("directory %q does not exist", constants.TerraformWorkingDir) } if err != nil { return err } // NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly. var mastersecret uri.MasterSecret if err = fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil { return fmt.Errorf("reading master secret: %s", err) } mastersecretURI := uri.MasterSecret{Key: mastersecret.Key, Salt: mastersecret.Salt} kms, err := setup.KMS(cmd.Context(), uri.NoStoreURI, mastersecretURI.EncodeToURI()) if err != nil { return fmt.Errorf("setting up KMS: %s", err) } sshCAKeySeed, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize) if err != nil { return fmt.Errorf("retrieving key from KMS: %s", err) } ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed) if err != nil { return fmt.Errorf("generating ssh emergency CA key: %s", err) } debugLogger.Debug("SSH CA KEY generated", "public-key", string(ssh.MarshalAuthorizedKey(ca.PublicKey()))) keyBuffer, err := fh.Read(keyPath) if err != nil { return fmt.Errorf("reading public key %q: %s", keyPath, err) } pub, _, _, _, err := ssh.ParseAuthorizedKey(keyBuffer) if err != nil { return fmt.Errorf("parsing public key %q: %s", keyPath, err) } certificate := ssh.Certificate{ Key: pub, CertType: ssh.UserCert, ValidAfter: uint64(time.Now().Unix()), ValidBefore: uint64(time.Now().Add(24 * time.Hour).Unix()), ValidPrincipals: []string{"root"}, Permissions: ssh.Permissions{ Extensions: map[string]string{ "permit-port-forwarding": "yes", "permit-pty": "yes", }, }, } if err := certificate.SignCert(rand.Reader, ca); err != nil { return fmt.Errorf("signing certificate: %s", err) } debugLogger.Debug("Signed certificate", "certificate", string(ssh.MarshalAuthorizedKey(&certificate))) if err := fh.Write(fmt.Sprintf("%s/ca_cert.pub", constants.TerraformWorkingDir), ssh.MarshalAuthorizedKey(&certificate), file.OptOverwrite); err != nil { return fmt.Errorf("writing certificate: %s", err) } cmd.Printf("You can now connect to a node using 'ssh -F %s/ssh_config -i '.\nYou can obtain the private node IP via the web UI of your CSP.\n", constants.TerraformWorkingDir) return nil }