2016-02-19 09:35:16 +00:00
|
|
|
"""SSH-agent implementation using hardware authentication devices."""
|
2015-06-15 13:37:16 +00:00
|
|
|
import argparse
|
2015-10-23 09:45:32 +00:00
|
|
|
import functools
|
2016-01-04 17:17:08 +00:00
|
|
|
import logging
|
2016-02-19 18:48:16 +00:00
|
|
|
import re
|
2016-01-09 14:06:47 +00:00
|
|
|
import os
|
2016-02-19 18:48:16 +00:00
|
|
|
import subprocess
|
2016-01-09 14:06:47 +00:00
|
|
|
import sys
|
2016-02-17 13:04:10 +00:00
|
|
|
import time
|
2015-06-15 13:37:16 +00:00
|
|
|
|
2016-02-15 18:53:14 +00:00
|
|
|
from . import client, formats, protocol, server
|
2015-06-15 13:37:16 +00:00
|
|
|
|
2015-06-16 07:20:11 +00:00
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
|
2015-06-16 07:03:48 +00:00
|
|
|
|
2015-11-27 07:59:06 +00:00
|
|
|
def ssh_args(label):
|
2016-02-19 09:35:16 +00:00
|
|
|
"""Create SSH command for connecting specified server."""
|
2016-02-15 15:22:01 +00:00
|
|
|
identity = client.string_to_identity(label, identity_type=dict)
|
2015-11-27 07:59:06 +00:00
|
|
|
|
|
|
|
args = []
|
|
|
|
if 'port' in identity:
|
|
|
|
args += ['-p', identity['port']]
|
|
|
|
if 'user' in identity:
|
|
|
|
args += ['-l', identity['user']]
|
|
|
|
|
|
|
|
return ['ssh'] + args + [identity['host']]
|
|
|
|
|
|
|
|
|
2016-03-05 08:46:36 +00:00
|
|
|
def create_parser():
|
2016-02-19 09:35:16 +00:00
|
|
|
"""Create argparse.ArgumentParser for this tool."""
|
2015-06-15 13:37:16 +00:00
|
|
|
p = argparse.ArgumentParser()
|
2015-07-04 08:22:44 +00:00
|
|
|
p.add_argument('-v', '--verbose', default=0, action='count')
|
2015-07-04 07:47:32 +00:00
|
|
|
|
2016-01-04 17:17:08 +00:00
|
|
|
curve_names = [name.decode('ascii') for name in formats.SUPPORTED_CURVES]
|
|
|
|
curve_names = ', '.join(sorted(curve_names))
|
2015-10-23 09:45:32 +00:00
|
|
|
p.add_argument('-e', '--ecdsa-curve-name', metavar='CURVE',
|
|
|
|
default=formats.CURVE_NIST256,
|
2016-01-04 17:17:08 +00:00
|
|
|
help='specify ECDSA curve name: ' + curve_names)
|
2016-01-16 20:14:36 +00:00
|
|
|
p.add_argument('--timeout',
|
|
|
|
default=server.UNIX_SOCKET_TIMEOUT, type=float,
|
|
|
|
help='Timeout for accepting SSH client connections')
|
2016-01-26 19:14:52 +00:00
|
|
|
p.add_argument('--debug', default=False, action='store_true',
|
|
|
|
help='Log SSH protocol messages for debugging.')
|
2015-07-22 10:48:15 +00:00
|
|
|
return p
|
2015-07-21 11:38:26 +00:00
|
|
|
|
2016-03-05 08:51:22 +00:00
|
|
|
|
2016-03-05 08:46:36 +00:00
|
|
|
def create_agent_parser():
|
2016-03-05 08:51:22 +00:00
|
|
|
"""Specific parser for SSH connection."""
|
2016-03-05 08:46:36 +00:00
|
|
|
p = create_parser()
|
|
|
|
|
|
|
|
g = p.add_mutually_exclusive_group()
|
|
|
|
g.add_argument('-s', '--shell', default=False, action='store_true',
|
|
|
|
help='run ${SHELL} as subprocess under SSH agent')
|
|
|
|
g.add_argument('-c', '--connect', default=False, action='store_true',
|
|
|
|
help='connect to specified host via SSH')
|
2016-03-05 08:51:22 +00:00
|
|
|
|
|
|
|
p.add_argument('identity', type=str, default=None,
|
|
|
|
help='proto://[user@]host[:port][/path]')
|
|
|
|
p.add_argument('command', type=str, nargs='*', metavar='ARGUMENT',
|
|
|
|
help='command to run under the SSH agent')
|
|
|
|
return p
|
|
|
|
|
|
|
|
|
|
|
|
def create_git_parser():
|
|
|
|
"""Specific parser for git commands."""
|
|
|
|
p = create_parser()
|
|
|
|
|
|
|
|
p.add_argument('-r', '--remote', default='origin',
|
|
|
|
help='use this git remote URL to generate SSH identity')
|
|
|
|
p.add_argument('command', type=str, nargs='*', metavar='ARGUMENT',
|
|
|
|
help='Git command to run under the SSH agent')
|
2016-03-05 08:46:36 +00:00
|
|
|
return p
|
|
|
|
|
2015-06-15 13:37:16 +00:00
|
|
|
|
2015-07-22 10:48:15 +00:00
|
|
|
def setup_logging(verbosity):
|
2016-02-19 09:35:16 +00:00
|
|
|
"""Configure logging for this tool."""
|
2015-07-21 11:38:26 +00:00
|
|
|
fmt = ('%(asctime)s %(levelname)-12s %(message)-100s '
|
|
|
|
'[%(filename)s:%(lineno)d]')
|
2015-07-04 08:22:44 +00:00
|
|
|
levels = [logging.WARNING, logging.INFO, logging.DEBUG]
|
2015-07-22 10:48:15 +00:00
|
|
|
level = levels[min(verbosity, len(levels) - 1)]
|
2015-07-21 11:38:26 +00:00
|
|
|
logging.basicConfig(format=fmt, level=level)
|
2015-06-15 13:37:16 +00:00
|
|
|
|
2015-07-22 10:48:15 +00:00
|
|
|
|
2016-02-19 18:48:16 +00:00
|
|
|
def git_host(remote_name):
|
2016-02-19 18:51:19 +00:00
|
|
|
"""Extract git SSH host for specified remote name."""
|
2016-02-19 18:48:16 +00:00
|
|
|
output = subprocess.check_output('git config --local --list'.split())
|
|
|
|
pattern = r'remote\.{}\.url=(.*)'.format(remote_name)
|
|
|
|
matches = re.findall(pattern, output)
|
|
|
|
log.debug('git remote "%r": %r', remote_name, matches)
|
|
|
|
if len(matches) != 1:
|
|
|
|
raise ValueError('{:d} git remotes found: %s', matches)
|
|
|
|
url = matches[0].strip()
|
|
|
|
user, url = url.split('@', 1)
|
2016-03-05 12:56:58 +00:00
|
|
|
host, _ = url.split(':', 1) # skip unused path (1 key per user@host)
|
|
|
|
return 'ssh://{}@{}'.format(user, host)
|
2016-02-19 18:48:16 +00:00
|
|
|
|
2016-02-19 18:51:19 +00:00
|
|
|
|
2016-02-15 15:22:01 +00:00
|
|
|
def ssh_sign(conn, label, blob):
|
2016-02-19 09:35:16 +00:00
|
|
|
"""Perform SSH signature using given hardware device connection."""
|
2016-02-17 13:04:10 +00:00
|
|
|
now = time.strftime('%Y-%m-%d %H:%M:%S')
|
|
|
|
return conn.sign_ssh_challenge(label=label, blob=blob, visual=now)
|
2015-08-17 15:04:44 +00:00
|
|
|
|
|
|
|
|
2016-03-05 09:15:23 +00:00
|
|
|
def run_server(conn, public_key, command, debug, timeout):
|
|
|
|
"""Common code for run_agent and run_git below."""
|
|
|
|
try:
|
|
|
|
signer = functools.partial(ssh_sign, conn=conn)
|
|
|
|
public_keys = [formats.import_public_key(public_key)]
|
|
|
|
handler = protocol.Handler(keys=public_keys, signer=signer,
|
|
|
|
debug=debug)
|
|
|
|
with server.serve(handler=handler, timeout=timeout) as env:
|
|
|
|
return server.run_process(command=command, environ=env)
|
|
|
|
except KeyboardInterrupt:
|
|
|
|
log.info('server stopped')
|
|
|
|
|
|
|
|
|
|
|
|
def run_agent(client_factory=client.Client):
|
2016-02-19 09:35:16 +00:00
|
|
|
"""Run ssh-agent using given hardware client factory."""
|
2015-08-17 15:09:45 +00:00
|
|
|
args = create_agent_parser().parse_args()
|
2015-07-22 10:48:15 +00:00
|
|
|
setup_logging(verbosity=args.verbose)
|
|
|
|
|
2016-02-15 15:22:01 +00:00
|
|
|
with client_factory(curve=args.ecdsa_curve_name) as conn:
|
2015-07-04 18:57:57 +00:00
|
|
|
label = args.identity
|
|
|
|
command = args.command
|
|
|
|
|
2016-02-15 15:22:01 +00:00
|
|
|
public_key = conn.get_public_key(label=label)
|
2015-06-17 13:52:11 +00:00
|
|
|
|
2015-07-04 08:22:44 +00:00
|
|
|
if args.connect:
|
2015-11-27 07:59:06 +00:00
|
|
|
command = ssh_args(label) + args.command
|
2015-07-04 08:22:44 +00:00
|
|
|
log.debug('SSH connect: %r', command)
|
|
|
|
|
2016-02-15 18:38:34 +00:00
|
|
|
use_shell = bool(args.shell)
|
|
|
|
if use_shell:
|
|
|
|
command = os.environ['SHELL']
|
2015-07-04 08:22:44 +00:00
|
|
|
log.debug('using shell: %r', command)
|
|
|
|
|
|
|
|
if not command:
|
|
|
|
sys.stdout.write(public_key)
|
|
|
|
return
|
2015-06-17 13:52:11 +00:00
|
|
|
|
2016-03-05 09:15:23 +00:00
|
|
|
return run_server(conn=conn, public_key=public_key, command=command,
|
|
|
|
debug=args.debug, timeout=args.timeout)
|
2015-10-23 09:45:32 +00:00
|
|
|
|
|
|
|
|
2016-03-05 09:15:23 +00:00
|
|
|
def run_git(client_factory=client.Client):
|
|
|
|
"""Run git under ssh-agent using given hardware client factory."""
|
|
|
|
args = create_git_parser().parse_args()
|
|
|
|
setup_logging(verbosity=args.verbose)
|
|
|
|
|
|
|
|
with client_factory(curve=args.ecdsa_curve_name) as conn:
|
|
|
|
label = git_host(args.remote)
|
|
|
|
|
|
|
|
public_key = conn.get_public_key(label=label)
|
|
|
|
|
|
|
|
if not args.command:
|
|
|
|
sys.stdout.write(public_key)
|
|
|
|
return
|
|
|
|
|
|
|
|
return run_server(conn=conn, public_key=public_key,
|
|
|
|
command=(['git'] + args.command),
|
|
|
|
debug=args.debug, timeout=args.timeout)
|