Support of --publickey-auth-script (#2)

moul · moul · commit c6b2e6ea9235 · 2015-10-14T11:18:45.000+02:00
diff --git a/auth.go b/auth.go
@@ -3,7 +3,9 @@ package ssh2docker
 import (
 	"encoding/json"
 	"fmt"
+	"os"
 	"os/exec"
+	"strings"
 
 	"github.com/moul/ssh2docker/vendor/github.com/Sirupsen/logrus"
 	"github.com/moul/ssh2docker/vendor/golang.org/x/crypto/ssh"
@@ -37,7 +39,7 @@ func (s *Server) CheckConfig(config *ClientConfig) error {
 func (s *Server) PublicKeyCallback(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 	username := conn.User()
 	clientID := conn.RemoteAddr().String()
-	keyText := string(ssh.MarshalAuthorizedKey(key))
+	keyText := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key)))
 	logrus.Debugf("PublicKeyCallback: %q %q", username, keyText)
 	// sessionID := conn.SessionID()
 
@@ -63,17 +65,44 @@ func (s *Server) KeyboardInteractiveCallback(conn ssh.ConnMetadata, challenge ss
 
 	config := s.ClientConfigs[clientID]
 	if config == nil {
-		config := &ClientConfig{
+		s.ClientConfigs[clientID] = &ClientConfig{
 			RemoteUser: username,
 			ImageName:  username,
+			Keys:       []string{},
 			Env:        make(Environment, 0),
 		}
-		s.ClientConfigs[clientID] = config
 	}
+	config = s.ClientConfigs[clientID]
 
-	if len(config.Keys) > 0 {
-		logrus.Debugf("%d keys received, trying to authenticate")
-		// FIXME: authenticate here
+	if len(config.Keys) == 0 {
+		logrus.Warnf("No user keys, continuing with password authentication")
+		return nil, s.CheckConfig(config)
+	}
+
+	if s.PublicKeyAuthScript != "" {
+		logrus.Debugf("%d keys received, trying to authenticate using hook script", len(config.Keys))
+		script, err := expandUser(s.PublicKeyAuthScript)
+		if err != nil {
+			logrus.Warnf("Failed to expandUser: %v", err)
+			return nil, err
+		}
+		args := append([]string{username}, config.Keys...)
+		cmd := exec.Command(script, args...)
+		// FIXME: redirect stderr to logrus
+		cmd.Stderr = os.Stderr
+		output, err := cmd.Output()
+		if err != nil {
+			logrus.Warnf("Failed to execute publickey-auth-script: %v", err)
+			return nil, err
+		}
+
+		err = json.Unmarshal(output, &config)
+		if err != nil {
+			logrus.Warnf("Failed to unmarshal json %q: %v", string(output), err)
+			return nil, err
+		}
+	} else {
+		logrus.Debugf("%d keys received, but no hook script, continuing", len(config.Keys))
 	}
 
 	return nil, s.CheckConfig(config)
@@ -88,24 +117,26 @@ func (s *Server) PasswordCallback(conn ssh.ConnMetadata, password []byte) (*ssh.
 
 	config := s.ClientConfigs[clientID]
 	if config == nil {
-		config := &ClientConfig{
+		s.ClientConfigs[clientID] = &ClientConfig{
 			//Allowed: true,
 			RemoteUser: username,
 			ImageName:  username,
+			Keys:       []string{},
 			Env:        make(Environment, 0),
 		}
-		s.ClientConfigs[clientID] = config
 	}
+	config = s.ClientConfigs[clientID]
 
 	if s.PasswordAuthScript != "" {
-		// Using a hook script
 		script, err := expandUser(s.PasswordAuthScript)
 		if err != nil {
 			logrus.Warnf("Failed to expandUser: %v", err)
 			return nil, err
 		}
 		cmd := exec.Command(script, username, string(password))
-		output, err := cmd.CombinedOutput()
+		// FIXME: redirect stderr to logrus
+		cmd.Stderr = os.Stderr
+		output, err := cmd.Output()
 		if err != nil {
 			logrus.Warnf("Failed to execute password-auth-script: %v", err)
 			return nil, err
diff --git a/cmd/ssh2docker/main.go b/cmd/ssh2docker/main.go
@@ -97,6 +97,10 @@ func main() {
 			Name:  "password-auth-script",
 			Usage: "Password auth hook file",
 		},
+		cli.StringFlag{
+			Name:  "publickey-auth-script",
+			Usage: "Public-key auth hook file",
+		},
 		cli.StringFlag{
 			Name:  "local-user",
 			Usage: "If setted, you can spawn a local shell (not withing docker) by SSHing to this user",
@@ -141,6 +145,7 @@ func Action(c *cli.Context) {
 	server.NoJoin = c.Bool("no-join")
 	server.CleanOnStartup = c.Bool("clean-on-startup")
 	server.PasswordAuthScript = c.String("password-auth-script")
+	server.PublicKeyAuthScript = c.String("publickey-auth-script")
 	server.LocalUser = c.String("local-user")
 	server.Banner = c.String("banner")
 
diff --git a/examples/password-auth-script b/examples/password-auth-script
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "password-auth-script: $@" >&2
+
+echo '{"allowed":true}'
diff --git a/examples/publickey-auth-script b/examples/publickey-auth-script
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "password-auth-script: $@" >&2
+
+echo '{"allowed":true}'
diff --git a/server.go b/server.go
@@ -13,14 +13,15 @@ type Server struct {
 	// Clients   map[string]Client
 	ClientConfigs map[string]*ClientConfig
 
-	AllowedImages      []string
-	DefaultShell       string
-	DockerRunArgs      []string
-	NoJoin             bool
-	CleanOnStartup     bool
-	PasswordAuthScript string
-	LocalUser          string
-	Banner             string
+	AllowedImages       []string
+	DefaultShell        string
+	DockerRunArgs       []string
+	NoJoin              bool
+	CleanOnStartup      bool
+	PasswordAuthScript  string
+	PublicKeyAuthScript string
+	LocalUser           string
+	Banner              string
 
 	initialized bool
 }
