Add support for authorizing connections based on public key

charts/uptermd/templates/configmap.yaml

@@ -0,0 +1,13 @@
+{{- if gt (len .Values.authorized_keys) 0 }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "upterm.fullname" . }}
+  labels:
+    {{- include "upterm.labels" . | nindent 4 }}
+data:
+  authorized_keys: |-
+    {{- range .Values.authorized_keys }}
+    {{- . | nindent 4 }}
+    {{- end }}
+{{- end }}

charts/uptermd/templates/deployment.yaml

@@ -40,6 +40,10 @@ spec:
             - --ws-addr
             - $(POD_IP):80
             {{- end }}
+            {{- if gt (len .Values.authorized_keys) 0 }}
+            - --authorized-keys
+            - /etc/uptermd/authorized_keys
+            {{- end }}
             - --node-addr
             - $(POD_IP):22
             - --hostname
@@ -85,11 +89,20 @@ spec:
           volumeMounts:
             - mountPath: /host-keys
               name: host-keys
+            {{- if gt (len .Values.authorized_keys) 0 }}
+            - mountPath: /etc/uptermd
+              name: authorized-keys
+            {{- end }}
       volumes:
         - name: host-keys
           secret:
             secretName: {{ include "upterm.fullname" . }}
             defaultMode: 0600
+        {{- if gt (len .Values.authorized_keys) 0 }}
+        - name: authorized-keys
+          configMap:
+            name: uptermd
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/uptermd/values.yaml

@@ -65,6 +65,8 @@ affinity: {}
 
 host_keys: {}
 
+authorized_keys: []
+
 hostname: my-upterm-host
 
 # Require ingress-nginx & cert-manager

cmd/uptermd/command/root.go

@@ -26,6 +26,7 @@ func Root(logger log.FieldLogger) *cobra.Command {
 	cmd.PersistentFlags().StringP("ssh-addr", "", utils.DefaultLocalhost("2222"), "ssh server address")
 	cmd.PersistentFlags().StringP("ws-addr", "", "", "websocket server address")
 	cmd.PersistentFlags().StringP("node-addr", "", "", "node address")
+	cmd.PersistentFlags().StringP("authorized-keys", "", "", "authorized_keys file to control proxy access")
 	cmd.PersistentFlags().StringSliceP("private-key", "", nil, "server private key")
 	cmd.PersistentFlags().StringSliceP("hostname", "", nil, "server hostname for public-key authentication certificate principals. If empty, public-key authentication is used instead.")
 

server/server.go

@@ -26,15 +26,16 @@ const (
 )
 
 type Opt struct {
-	SSHAddr     string   `mapstructure:"ssh-addr"`
-	WSAddr      string   `mapstructure:"ws-addr"`
-	NodeAddr    string   `mapstructure:"node-addr"`
-	PrivateKeys []string `mapstructure:"private-key"`
-	Hostnames   []string `mapstructure:"hostname"`
-	Network     string   `mapstructure:"network"`
-	NetworkOpts []string `mapstructure:"network-opt"`
-	MetricAddr  string   `mapstructure:"metric-addr"`
-	Debug       bool     `mapstructure:"debug"`
+	SSHAddr            string   `mapstructure:"ssh-addr"`
+	WSAddr             string   `mapstructure:"ws-addr"`
+	NodeAddr           string   `mapstructure:"node-addr"`
+	AuthorizedKeysFile string   `mapstructure:"authorized-keys"`
+	PrivateKeys        []string `mapstructure:"private-key"`
+	Hostnames          []string `mapstructure:"hostname"`
+	Network            string   `mapstructure:"network"`
+	NetworkOpts        []string `mapstructure:"network-opt"`
+	MetricAddr         string   `mapstructure:"metric-addr"`
+	Debug              bool     `mapstructure:"debug"`
 }
 
 func Start(opt Opt) error {
@@ -133,12 +134,13 @@ func Start(opt Opt) error {
 		}
 
 		s := &Server{
-			NodeAddr:        nodeAddr,
-			HostSigners:     hostSigners,
-			Signers:         signers,
-			NetworkProvider: network,
-			Logger:          logger.WithField("com", "server"),
-			MetricsProvider: mp,
+			NodeAddr:           nodeAddr,
+			AuthorizedKeysFile: opt.AuthorizedKeysFile,
+			HostSigners:        hostSigners,
+			Signers:            signers,
+			NetworkProvider:    network,
+			Logger:             logger.WithField("com", "server"),
+			MetricsProvider:    mp,
 		}
 		g.Add(func() error {
 			return s.ServeWithContext(context.Background(), sshln, wsln)
@@ -176,12 +178,13 @@ func parseNetworkOpt(opts []string) NetworkOptions {
 }
 
 type Server struct {
-	NodeAddr        string
-	HostSigners     []ssh.Signer
-	Signers         []ssh.Signer
-	NetworkProvider NetworkProvider
-	MetricsProvider provider.Provider
-	Logger          log.FieldLogger
+	NodeAddr           string
+	AuthorizedKeysFile string
+	HostSigners        []ssh.Signer
+	Signers            []ssh.Signer
+	NetworkProvider    NetworkProvider
+	MetricsProvider    provider.Provider
+	Logger             log.FieldLogger
 
 	sshln net.Listener
 	wsln  net.Listener
@@ -237,13 +240,14 @@ func (s *Server) ServeWithContext(ctx context.Context, sshln net.Listener, wsln
 				Logger:              s.Logger.WithField("com", "ssh-conn-dialer"),
 			}
 			sp := &sshProxy{
-				HostSigners:     s.HostSigners,
-				Signers:         s.Signers,
-				NodeAddr:        s.NodeAddr,
-				ConnDialer:      cd,
-				SessionRepo:     sessRepo,
-				Logger:          s.Logger.WithField("com", "ssh-proxy"),
-				MetricsProvider: s.MetricsProvider,
+				HostSigners:        s.HostSigners,
+				Signers:            s.Signers,
+				NodeAddr:           s.NodeAddr,
+				AuthorizedKeysFile: s.AuthorizedKeysFile,
+				ConnDialer:         cd,
+				SessionRepo:        sessRepo,
+				Logger:             s.Logger.WithField("com", "ssh-proxy"),
+				MetricsProvider:    s.MetricsProvider,
 			}
 			g.Add(func() error {
 				return sp.Serve(sshln)

server/sshproxy.go

@@ -3,6 +3,7 @@ package server
 import (
 	"fmt"
 	"net"
+	"os"
 	"sync"
 
 	"github.com/go-kit/kit/metrics/provider"
@@ -13,13 +14,14 @@ import (
 )
 
 type sshProxy struct {
-	HostSigners     []ssh.Signer
-	Signers         []ssh.Signer
-	NodeAddr        string
-	ConnDialer      connDialer
-	SessionRepo     *sessionRepo
-	Logger          log.FieldLogger
-	MetricsProvider provider.Provider
+	HostSigners        []ssh.Signer
+	Signers            []ssh.Signer
+	NodeAddr           string
+	AuthorizedKeysFile string
+	ConnDialer         connDialer
+	SessionRepo        *sessionRepo
+	Logger             log.FieldLogger
+	MetricsProvider    provider.Provider
 
 	routing *SSHRouting
 	mux     sync.Mutex
@@ -41,11 +43,13 @@ func (r *sshProxy) Serve(ln net.Listener) error {
 	r.routing = &SSHRouting{
 		HostSigners: r.HostSigners,
 		AuthPiper: &authPiper{
-			HostSigners: r.HostSigners,
-			Signers:     r.Signers,
-			SessionRepo: r.SessionRepo,
-			ConnDialer:  r.ConnDialer,
-			NodeAddr:    r.NodeAddr,
+			HostSigners:        r.HostSigners,
+			Signers:            r.Signers,
+			SessionRepo:        r.SessionRepo,
+			ConnDialer:         r.ConnDialer,
+			NodeAddr:           r.NodeAddr,
+			AuthorizedKeysFile: r.AuthorizedKeysFile,
+			Logger:             r.Logger.WithField("com", "auth"),
 		},
 		MetricsProvider: r.MetricsProvider,
 		Logger:          r.Logger,
@@ -56,11 +60,55 @@ func (r *sshProxy) Serve(ln net.Listener) error {
 }
 
 type authPiper struct {
-	NodeAddr    string
-	SessionRepo *sessionRepo
-	ConnDialer  connDialer
-	Signers     []ssh.Signer
-	HostSigners []ssh.Signer
+	NodeAddr           string
+	AuthorizedKeysFile string
+	SessionRepo        *sessionRepo
+	ConnDialer         connDialer
+	Signers            []ssh.Signer
+	HostSigners        []ssh.Signer
+
+	Logger log.FieldLogger
+}
+
+func (a authPiper) CheckAuthorizedKeys(conn ssh.ConnMetadata, pk ssh.PublicKey) (ssh.PublicKey, error) {
+	if a.AuthorizedKeysFile == "" {
+		return pk, nil
+	}
+
+	user := conn.User()
+	id, err := api.DecodeIdentifier(user, string(conn.ClientVersion()))
+	if err != nil {
+		a.Logger.WithField("user", user).Error("unable to decode session identifier")
+		return nil, err
+	}
+
+	if id.Type != api.Identifier_HOST {
+		return pk, nil
+	}
+
+	var rest []byte
+	rest, err = os.ReadFile(a.AuthorizedKeysFile)
+	if err != nil {
+		a.Logger.WithField("path", a.AuthorizedKeysFile).Error("unable to load custom authorized_keys file")
+		return nil, err
+	}
+
+	var authedPubkey ssh.PublicKey
+	for len(rest) > 0 {
+		authedPubkey, _, _, rest, err = ssh.ParseAuthorizedKey(rest)
+
+		if err != nil {
+			return nil, err
+		}
+
+		if utils.KeysEqual(authedPubkey, pk) {
+			a.Logger.WithField("fingerprint", utils.FingerprintSHA256(pk)).Info("access granted")
+			return pk, nil
+		}
+	}
+
+	a.Logger.WithField("fingerprint", utils.FingerprintSHA256(pk)).Info("access denied")
+	return nil, fmt.Errorf("public key is not authorized")
 }
 
 func (a authPiper) PublicKeyCallback(conn ssh.ConnMetadata, pk ssh.PublicKey, challengeCtx ssh.ChallengeContext) (*ssh.Upstream, error) {
@@ -69,6 +117,13 @@ func (a authPiper) PublicKeyCallback(conn ssh.ConnMetadata, pk ssh.PublicKey, ch
 			return key, nil
 		},
 	}
+
+	// Check for authorized_hosts to allow proxying.
+	_, err := a.CheckAuthorizedKeys(conn, pk)
+	if err != nil {
+		return nil, err
+	}
+
 	auth, key, err := checker.Authenticate(conn.User(), pk)
 	if err == errCertNotSignedByHost {
 		err = nil

server/sshproxy_test.go

@@ -3,17 +3,31 @@ package server
 import (
 	"crypto/rand"
 	"net"
+	"os"
+	"path/filepath"
 	"strings"
 	"testing"
 
 	"github.com/go-kit/kit/metrics/provider"
 	"github.com/owenthereal/upterm/host/api"
+	"github.com/owenthereal/upterm/upterm"
 	"github.com/owenthereal/upterm/utils"
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh"
 )
 
+const (
+	HostPublicKeyContent  = `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOA+rMcwWFPJVE2g6EwRPkYmNJfaS/+gkyZ99aR/65uz`
+	HostPrivateKeyContent = `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDgPqzHMFhTyVRNoOhMET5GJjSX2kv/oJMmffWkf+ubswAAAIiu5GOBruRj
+gQAAAAtzc2gtZWQyNTUxOQAAACDgPqzHMFhTyVRNoOhMET5GJjSX2kv/oJMmffWkf+ubsw
+AAAEDBHlsR95C/pGVHtQGpgrUi+Qwgkfnp9QlRKdEhhx4rxOA+rMcwWFPJVE2g6EwRPkYm
+NJfaS/+gkyZ99aR/65uzAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----`
+)
+
 func Test_sshProxy_dialUpstream(t *testing.T) {
 	logger := log.New()
 	logger.Level = log.DebugLevel
@@ -146,3 +160,80 @@ func testCertSigner(user string, signer ssh.Signer) (ssh.Signer, error) {
 
 	return ssh.NewCertSigner(cert, signer)
 }
+
+func Test_sshProxy_CheckAuthorizedKeys(t *testing.T) {
+	logger := log.New()
+	logger.Level = log.DebugLevel
+
+	proxySigner, err := ssh.ParsePrivateKey([]byte(TestPrivateKeyContent))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cs := HostCertSigner{
+		Hostnames: []string{"127.0.0.1"},
+	}
+
+	proxyCertSigner, err := cs.SignCert(proxySigner)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer proxyLn.Close()
+
+	proxyAddr := proxyLn.Addr().String()
+
+	cd := sidewayConnDialer{
+		NodeAddr:         proxyAddr,
+		NeighbourDialer:  tcpConnDialer{},
+		Logger:           logger,
+		SSHDDialListener: networks.Get("mem").SSHD(),
+	}
+
+	tempfile := filepath.Join(t.TempDir(), "authorized_keys")
+	if err := os.WriteFile(tempfile, []byte(HostPublicKeyContent), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	proxy := &sshProxy{
+		HostSigners:        []ssh.Signer{proxyCertSigner},
+		Signers:            []ssh.Signer{proxySigner},
+		NodeAddr:           proxyAddr,
+		ConnDialer:         cd,
+		Logger:             logger,
+		MetricsProvider:    provider.NewDiscardProvider(),
+		AuthorizedKeysFile: tempfile,
+	}
+
+	go func() {
+		_ = proxy.Serve(proxyLn)
+	}()
+
+	hostSigner, err := ssh.ParsePrivateKey([]byte(HostPrivateKeyContent))
+
+	id := &api.Identifier{
+		Id:       xid.New().String(),
+		Type:     api.Identifier_HOST,
+		NodeAddr: proxyAddr,
+	}
+	user, err := api.EncodeIdentifier(id)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	config := &ssh.ClientConfig{
+		User:            user,
+		Auth:            []ssh.AuthMethod{ssh.PublicKeys(hostSigner)},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		ClientVersion:   upterm.HostSSHClientVersion,
+	}
+
+	_, err = ssh.Dial("tcp", proxyAddr, config) // proxy to sshd
+	if err != nil {
+		t.Fatal(err)
+	}
+}