local-server/cmd/dkl-local-server/ssh-secrets.go

package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"encoding/pem"
	"fmt"
	"io"
	"os"
	"os/exec"
	"strconv"
	"strings"
	"time"

	"golang.org/x/crypto/ssh"
)

var sshHostKeys = KVSecrets[[]SSHKeyPair]{"hosts/ssh-host-keys"}

type SSHKeyPair struct {
	Type    string
	Public  string
	Private string
}

func getSSHKeyPairs(host string) (pairs []SSHKeyPair, err error) {
	pairs, _, err = sshHostKeys.Get(host)

	didGenerate := false

genLoop:
	for _, keyType := range []string{
		"rsa",
		"dsa",
		"ecdsa",
		"ed25519",
	} {
		for _, pair := range pairs {
			if pair.Type == keyType {
				continue genLoop
			}
		}

		err = func() (err error) {
			outFile, err := os.CreateTemp("/tmp", "dls-key.")
			if err != nil {
				return
			}

			outPath := outFile.Name()

			removeTemp := func() {
				os.Remove(outPath)
				os.Remove(outPath + ".pub")
			}

			removeTemp()
			defer removeTemp()

			var out, privKey, pubKey []byte

			cmd := exec.Command("ssh-keygen",
				"-N", "",
				"-C", "root@"+host,
				"-f", outPath,
				"-t", keyType)
			out, err = cmd.CombinedOutput()
			if err != nil {
				err = fmt.Errorf("ssh-keygen failed: %v: %s", err, string(out))
				return
			}

			privKey, err = os.ReadFile(outPath)
			if err != nil {
				return
			}

			pubKey, err = os.ReadFile(outPath + ".pub")
			if err != nil {
				return
			}

			pairs = append(pairs, SSHKeyPair{
				Type:    keyType,
				Public:  string(pubKey),
				Private: string(privKey),
			})
			didGenerate = true

			return
		}()

		if err != nil {
			return
		}
	}

	if didGenerate {
		err = sshHostKeys.Put(host, pairs)
		if err != nil {
			return
		}
	}

	return
}

var sshCAKeys = KVSecrets[string]{"ssh-ca-keys"}

func sshCAKey(cluster string) (caKeyPem string, err error) {
	storeKey := "clusters/" + cluster
	caKeyPem, _, err = sshCAKeys.Get(storeKey)
	if err != nil {
		return
	}

	if caKeyPem == "" {
		_, pk, err := ed25519.GenerateKey(nil)
		if err != nil {
			return "", err
		}

		pemBlock, err := ssh.MarshalPrivateKey(crypto.PrivateKey(pk), "")
		if err != nil {
			return "", err
		}

		caKeyPem = string(pem.EncodeToMemory(pemBlock))
		sshCAKeys.Put(storeKey, caKeyPem)
	}

	return
}

func sshCAPubKey(cluster string) (pubKey []byte, err error) {
	keyPem, err := sshCAKey(cluster)
	if err != nil {
		return
	}

	k, err := ssh.ParsePrivateKey([]byte(keyPem))
	if err != nil {
		return
	}

	pubKey = ssh.MarshalAuthorizedKey(k.PublicKey())
	return
}

// principal: user (login) to allow (ie: "root")
// validity: ssh-keygen validity string (ie: "+1h", "202506280811:202506281011", ""=forever)
// options:  ssh-keygen options (ie: "force-command=/bin/date +\"%F %T\"", "source-address=192.168.1.0/24,192.168.42.0/24"
func sshCASign(cluster string, userPubKey []byte, principal, validity string, options ...string) (cert []byte, err error) {
	caKey, err := sshCAKey(cluster)
	if err != nil {
		return
	}

	_, identity, _, _, err := ssh.ParseAuthorizedKey(userPubKey)
	if err != nil {
		return
	}

	userPubKeyFile, err := os.CreateTemp("/tmp", "user.pub")
	if err != nil {
		return
	}
	defer os.Remove(userPubKeyFile.Name())

	_, err = io.Copy(userPubKeyFile, bytes.NewBuffer(userPubKey))
	userPubKeyFile.Close()
	if err != nil {
		return
	}

	err = os.WriteFile(userPubKeyFile.Name(), userPubKey, 0600)
	if err != nil {
		return
	}

	serial := strconv.FormatInt(time.Now().Unix(), 10)
	cmd := exec.Command("ssh-keygen", "-q", "-s", "/dev/stdin", "-I", identity, "-z", serial, "-n", principal)

	if validity != "" {
		cmd.Args = append(cmd.Args, "-V", validity)
	}

	for _, opt := range options {
		cmd.Args = append(cmd.Args, "-O", opt)
	}

	cmd.Args = append(cmd.Args, userPubKeyFile.Name())

	stderr := new(bytes.Buffer)
	cmd.Stdin = bytes.NewBuffer([]byte(caKey))
	cmd.Stderr = stderr

	err = cmd.Run()
	if err != nil {
		err = fmt.Errorf("ssh-keygen sign failed: %s", strings.TrimSpace(stderr.String()))
		return
	}

	certFile := userPubKeyFile.Name() + "-cert.pub"
	cert, err = os.ReadFile(certFile)

	os.Remove(certFile)

	return
}
generate ssh secrets 2019-12-03 11:03:20 +01:00			`package main`

			`import (`
add ssh user CA support 2025-06-28 11:04:44 +02:00			`"bytes"`
			`"crypto"`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`"crypto/ed25519"`
add ssh user CA support 2025-06-28 11:04:44 +02:00			`"encoding/pem"`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`"fmt"`
add ssh user CA support 2025-06-28 11:04:44 +02:00			`"io"`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`"os"`
			`"os/exec"`
add ssh user CA support 2025-06-28 11:04:44 +02:00			`"strconv"`
			`"strings"`
			`"time"`

			`"golang.org/x/crypto/ssh"`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`)`

migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`var sshHostKeys = KVSecrets[[]SSHKeyPair]{"hosts/ssh-host-keys"}`

generate ssh secrets 2019-12-03 11:03:20 +01:00			`type SSHKeyPair struct {`
			`Type string`
			`Public string`
			`Private string`
			`}`

migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`func getSSHKeyPairs(host string) (pairs []SSHKeyPair, err error) {`
			`pairs, _, err = sshHostKeys.Get(host)`
generate ssh secrets 2019-12-03 11:03:20 +01:00
			`didGenerate := false`

			`genLoop:`
			`for _, keyType := range []string{`
			`"rsa",`
			`"dsa",`
			`"ecdsa",`
			`"ed25519",`
			`} {`
			`for _, pair := range pairs {`
			`if pair.Type == keyType {`
			`continue genLoop`
			`}`
			`}`

migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`err = func() (err error) {`
resolve ioutil deprecations 2025-01-26 11:31:04 +01:00			`outFile, err := os.CreateTemp("/tmp", "dls-key.")`
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`if err != nil {`
			`return`
			`}`
generate ssh secrets 2019-12-03 11:03:20 +01:00
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`outPath := outFile.Name()`
generate ssh secrets 2019-12-03 11:03:20 +01:00
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`removeTemp := func() {`
			`os.Remove(outPath)`
			`os.Remove(outPath + ".pub")`
			`}`
generate ssh secrets 2019-12-03 11:03:20 +01:00
cosmestic 2023-02-12 18:59:14 +01:00			`removeTemp()`
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`defer removeTemp()`
generate ssh secrets 2019-12-03 11:03:20 +01:00
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`var out, privKey, pubKey []byte`

cosmestic 2023-02-12 18:59:14 +01:00			`cmd := exec.Command("ssh-keygen",`
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`"-N", "",`
			`"-C", "root@"+host,`
			`"-f", outPath,`
cosmestic 2023-02-12 18:59:14 +01:00			`"-t", keyType)`
			`out, err = cmd.CombinedOutput()`
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`if err != nil {`
			`err = fmt.Errorf("ssh-keygen failed: %v: %s", err, string(out))`
			`return`
			`}`

resolve ioutil deprecations 2025-01-26 11:31:04 +01:00			`privKey, err = os.ReadFile(outPath)`
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`if err != nil {`
			`return`
			`}`

resolve ioutil deprecations 2025-01-26 11:31:04 +01:00			`pubKey, err = os.ReadFile(outPath + ".pub")`
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`if err != nil {`
			`return`
			`}`
generate ssh secrets 2019-12-03 11:03:20 +01:00
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`pairs = append(pairs, SSHKeyPair{`
			`Type: keyType,`
			`Public: string(pubKey),`
			`Private: string(privKey),`
			`})`
			`didGenerate = true`

			`return`
			`}()`
generate ssh secrets 2019-12-03 11:03:20 +01:00
			`if err != nil {`
			`return`
			`}`
			`}`

			`if didGenerate {`
migration to new secrets nearly complete 2023-02-12 15:18:42 +01:00			`err = sshHostKeys.Put(host, pairs)`
			`if err != nil {`
			`return`
			`}`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`}`

			`return`
			`}`

add ssh user CA support 2025-06-28 11:04:44 +02:00			`var sshCAKeys = KVSecrets[string]{"ssh-ca-keys"}`
generate ssh secrets 2019-12-03 11:03:20 +01:00
add ssh user CA support 2025-06-28 11:04:44 +02:00			`func sshCAKey(cluster string) (caKeyPem string, err error) {`
			`storeKey := "clusters/" + cluster`
			`caKeyPem, _, err = sshCAKeys.Get(storeKey)`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`if err != nil {`
			`return`
			`}`

add ssh user CA support 2025-06-28 11:04:44 +02:00			`if caKeyPem == "" {`
			`_, pk, err := ed25519.GenerateKey(nil)`
			`if err != nil {`
			`return "", err`
			`}`

			`pemBlock, err := ssh.MarshalPrivateKey(crypto.PrivateKey(pk), "")`
			`if err != nil {`
			`return "", err`
			`}`

			`caKeyPem = string(pem.EncodeToMemory(pemBlock))`
			`sshCAKeys.Put(storeKey, caKeyPem)`
			`}`

			`return`
			`}`

			`func sshCAPubKey(cluster string) (pubKey []byte, err error) {`
			`keyPem, err := sshCAKey(cluster)`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`if err != nil {`
			`return`
			`}`

add ssh user CA support 2025-06-28 11:04:44 +02:00			`k, err := ssh.ParsePrivateKey([]byte(keyPem))`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`if err != nil {`
			`return`
			`}`

add ssh user CA support 2025-06-28 11:04:44 +02:00			`pubKey = ssh.MarshalAuthorizedKey(k.PublicKey())`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`return`
			`}`

add ssh user CA support 2025-06-28 11:04:44 +02:00			`// principal: user (login) to allow (ie: "root")`
			`// validity: ssh-keygen validity string (ie: "+1h", "202506280811:202506281011", ""=forever)`
			`// options: ssh-keygen options (ie: "force-command=/bin/date +\"%F %T\"", "source-address=192.168.1.0/24,192.168.42.0/24"`
			`func sshCASign(cluster string, userPubKey []byte, principal, validity string, options ...string) (cert []byte, err error) {`
			`caKey, err := sshCAKey(cluster)`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`if err != nil {`
			`return`
			`}`

add ssh user CA support 2025-06-28 11:04:44 +02:00			`_, identity, _, _, err := ssh.ParseAuthorizedKey(userPubKey)`
			`if err != nil {`
			`return`
			`}`
generate ssh secrets 2019-12-03 11:03:20 +01:00
add ssh user CA support 2025-06-28 11:04:44 +02:00			`userPubKeyFile, err := os.CreateTemp("/tmp", "user.pub")`
			`if err != nil {`
			`return`
			`}`
			`defer os.Remove(userPubKeyFile.Name())`
generate ssh secrets 2019-12-03 11:03:20 +01:00
add ssh user CA support 2025-06-28 11:04:44 +02:00			`_, err = io.Copy(userPubKeyFile, bytes.NewBuffer(userPubKey))`
			`userPubKeyFile.Close()`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`if err != nil {`
			`return`
			`}`

add ssh user CA support 2025-06-28 11:04:44 +02:00			`err = os.WriteFile(userPubKeyFile.Name(), userPubKey, 0600)`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`if err != nil {`
			`return`
			`}`

add ssh user CA support 2025-06-28 11:04:44 +02:00			`serial := strconv.FormatInt(time.Now().Unix(), 10)`
			`cmd := exec.Command("ssh-keygen", "-q", "-s", "/dev/stdin", "-I", identity, "-z", serial, "-n", principal)`
generate ssh secrets 2019-12-03 11:03:20 +01:00
add ssh user CA support 2025-06-28 11:04:44 +02:00			`if validity != "" {`
			`cmd.Args = append(cmd.Args, "-V", validity)`
			`}`

			`for _, opt := range options {`
			`cmd.Args = append(cmd.Args, "-O", opt)`
			`}`
generate ssh secrets 2019-12-03 11:03:20 +01:00
add ssh user CA support 2025-06-28 11:04:44 +02:00			`cmd.Args = append(cmd.Args, userPubKeyFile.Name())`
generate ssh secrets 2019-12-03 11:03:20 +01:00
add ssh user CA support 2025-06-28 11:04:44 +02:00			`stderr := new(bytes.Buffer)`
			`cmd.Stdin = bytes.NewBuffer([]byte(caKey))`
			`cmd.Stderr = stderr`

			`err = cmd.Run()`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`if err != nil {`
add ssh user CA support 2025-06-28 11:04:44 +02:00			`err = fmt.Errorf("ssh-keygen sign failed: %s", strings.TrimSpace(stderr.String()))`
generate ssh secrets 2019-12-03 11:03:20 +01:00			`return`
			`}`

add ssh user CA support 2025-06-28 11:04:44 +02:00			`certFile := userPubKeyFile.Name() + "-cert.pub"`
			`cert, err = os.ReadFile(certFile)`

			`os.Remove(certFile)`

generate ssh secrets 2019-12-03 11:03:20 +01:00			`return`
			`}`