From 2ed374f45010a885b2c7da1eca8426926625e4ee Mon Sep 17 00:00:00 2001 From: vrenaville Date: Fri, 26 Mar 2021 13:06:46 +0100 Subject: [PATCH] [ADD] ssh key text as env variable --- README.md | 8 ++++++++ docker-compose.test.yml | 40 ++++++++++++++++++++++++++++++++++++---- docs/TESTING.md | 8 ++++++++ rootfs/entrypoint.sh | 20 ++++++++++++-------- 4 files changed, 64 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 8f8651d..d4020e3 100644 --- a/README.md +++ b/README.md @@ -190,11 +190,19 @@ the `known_hosts` file is provided. This can help avoid issues for hosts with dynamic IP addresses, but removes some additional protection against DNS spoofing attacks. Host IP Checking is enabled by default. +#### SSH_KEY + +You can specify the SSH key using Environnement variable. + +If both SSH_KEY and SSH_KEY_FILE are passed, SSH_KEY_FILE is used and SSH_KEY is ignored. + #### SSH_KEY_FILE In the event you wish to store the key in Docker Secrets, you may wish to set this to `/run/secrets/*secret-name*` +If both SSH_KEY and SSH_KEY_FILE are passed, SSH_KEY_FILE is used and SSH_KEY is ignored. + #### SSH_KNOWN_HOSTS_FILE In the event you wish to store the `known_hosts` in Docker Secrets, you may diff --git a/docker-compose.test.yml b/docker-compose.test.yml index 2b829bb..a300692 100644 --- a/docker-compose.test.yml +++ b/docker-compose.test.yml 
@@ -89,6 +89,32 @@ services: volumes: - sshkeys:/opt/ + local-with-env: + build: . + hostname: local + depends_on: + - bootloader + - remote + - target + environment: + - TERM=xterm + - SSH_BIND_IP=203.0.113.10 + - SSH_REMOTE_USER=root + - SSH_REMOTE_HOST=203.0.113.10 + - SSH_REMOTE_PORT=22 + - SSH_TARGET_HOST=203.0.113.100 + - SSH_TARGET_PORT=22 + - SSH_TUNNEL_PORT=11112 + - SSH_KNOWN_HOSTS_FILE=/dev/null + - SSH_STRICT_HOST_IP_CHECK=false + networks: + testnet: + ipv4_address: 203.0.113.112 + restart: always + volumes: + - sshkeys:/opt/ + entrypoint: ["sh", "-c", "SSH_KEY=`cat /opt/id_rsa` /entrypoint.sh"] + sut: build: context: ./test 
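Review bot: The `entrypoint` override for `local-with-env` evaluates `cat /opt/id_rsa` before `/entrypoint.sh` runs, so if the key has not been generated yet (the `sut` service below waits for that same file) `cat` fails and `SSH_KEY` is exported as an empty string, which the new entrypoint's `[ -n "${SSH_KEY}" ]` test treats as "no key" and then proceeds without loading one instead of failing. A guard on the same line keeps the fail-fast behaviour the file path has: `entrypoint: ["sh", "-c", "test -f /opt/id_rsa || exit 1; SSH_KEY=`cat /opt/id_rsa` exec /entrypoint.sh"]`. The `exec` also hands PID 1 to the script's `dumb-init` shebang rather than leaving the wrapper `sh` in front of it, unless the shell already tail-execs a single command. Backticks are the right choice here because compose would otherwise interpolate a `$(...)` form, so that part should stay as written.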
@@ -96,14 +122,20 @@ services: hostname: source depends_on: - local + - local-with-env command: /bin/sh -c "( while [ ! -f /opt/id_rsa ]; do echo 'waiting for ssh-keygen...'; sleep 2; done; while [ ! -f /opt/authorized_keys ]; do echo 'waiting for authorized_keys...'; sleep 2; done; while [ ! -f /opt/remote.txt ]; do echo 'waiting for remote...'; sleep 2; done; while [ ! -f /opt/target.txt ]; do echo 'waiting for target...'; sleep 2; done; - echo 'testing...' - ssh -o StrictHostKeyChecking=no -i /opt/id_rsa root@203.0.113.10 -p 11111 -C 'if [ `hostname` == "target" ]; then echo '[INFO ] success'; exit 0; else echo '[PANIC] hostname is not target'; exit 1; fi'; - )" + echo 'testing with key file'; + ssh -o StrictHostKeyChecking=no -i /opt/id_rsa root@203.0.113.10 -p 11111 -C 'if [ `hostname` == 'target' ]; then echo '[INFO ] success'; exit 0; else echo '[PANIC] hostname is not target' `hostname`; exit 1; fi'; + STATUS1=$$?; + echo 'testing with environment variable'; + ssh -o StrictHostKeyChecking=no -i /opt/id_rsa root@203.0.113.10 -p 11112 -C 'if [ `hostname` == 'target' ]; then echo '[INFO ] success'; exit 0; else echo '[PANIC] using env var, hostname is not target' `hostname`; exit 1; fi'; + STATUS2=$$?; + if [ $${STATUS1} = '0' -a $${STATUS2} = '0' ]; then exit 0 ; else exit 1 ; fi + )" networks: testnet: ipv4_address: 203.0.113.200 @@ -119,4 +151,4 @@ networks: - subnet: 203.0.113.0/24 volumes: - sshkeys: {} \ No newline at end of file + sshkeys: {} diff --git a/docs/TESTING.md b/docs/TESTING.md index c312910..85d7c63 100644 --- a/docs/TESTING.md +++ b/docs/TESTING.md 
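Review bot: The final check `if [ $${STATUS1} = '0' -a $${STATUS2} = '0' ]` relies on the `-a` operator, which POSIX marks obsolescent and only some `test` implementations accept; `if [ "$${STATUS1}" = 0 ] && [ "$${STATUS2}" = 0 ]; then exit 0; else exit 1; fi` is the portable spelling and reads the same. In both `ssh` lines the switch from `"target"` to `'target'` closes the single-quoted remote command and reopens it, so `target` becomes an unquoted word in the local shell and the remote script only comes out right because ssh re-joins its arguments with spaces; the double-quoted form kept the comparison inside one quoted word. The `==` inside `[` on the remote side is a non-POSIX extension that depends on the target's shell, though that predates this change.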
@@ -35,6 +35,10 @@ Just a reminder, here is a text-based overview of a complete end-to-end setup. > The SOURCE (203.0.113.200) connects to the REMOTE (203.0.113.10) device > TUNNEL_PORT (:11111) to get to the TARGET (203.0.113.100) TARGET_PORT (:22). +There is a similar setup for local-with-env which is living on 203.0.113.112 +and setting up a tunnel on REMOTE (203.0.113.10) on port :11112. This setup +just passing the SSH key using an environment variable instead of a file. + ### 203.0.113.0/24 Do not be alarmed, the address space `203.0.113.0/24` is not actually on the @@ -204,6 +208,10 @@ Since this container never exists, and we need Docker Hub to test the exit code, we must use another container (`sut`) to actually perform testing. This service gets setup as if it was in production with one minor difference. +### local-with-env + +Same as local, but we pass the ssh key as an environment variable. + #### SSH_KNOWN_HOSTS_FILE and SSH_STRICT_HOST_IP_CHECK We do not want any caching or previous runs to taint the testing, so we diff --git a/rootfs/entrypoint.sh b/rootfs/entrypoint.sh index 623e72e..f586fd4 100755 --- a/rootfs/entrypoint.sh +++ b/rootfs/entrypoint.sh @@ -1,14 +1,18 @@ #!/usr/bin/dumb-init /bin/sh source version.sh - -# Set up key file -KEY_FILE=${SSH_KEY_FILE:=/id_rsa} -if [ ! -f "${KEY_FILE}" ]; then - echo "[FATAL] No SSH Key file found" - exit 1 -fi eval $(ssh-agent -s) -cat "${SSH_KEY_FILE}" | ssh-add -k - +if [ -n "${SSH_KEY_FILE}" ]; then + # Set up key file + if [ ! -f "${SSH_KEY_FILE}" ]; then + echo "[FATAL] No SSH Key file found" + exit 1 + fi + cat "${SSH_KEY_FILE}" | ssh-add -k - +else + if [ -n "${SSH_KEY}" ]; then + echo "${SSH_KEY}" | ssh-add -k - + fi +fi # If known_hosts is provided, STRICT_HOST_KEY_CHECKING=yes # Default CheckHostIP=yes unless SSH_STRICT_HOST_IP_CHECK=false
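Review bot: With neither `SSH_KEY_FILE` nor `SSH_KEY` set, the new `if`/`else` falls through silently and the container starts with no key in the agent, whereas the removed `KEY_FILE=${SSH_KEY_FILE:=/id_rsa}` line used to default to `/id_rsa` and the removed check failed fast with `[FATAL]`; callers that mount the key at `/id_rsa` without setting the variable lose it with no error message. I would restore the `/id_rsa` fallback and the fatal exit as sketched below. Because the key text arrives through the environment, it is inherited by every process this script starts afterwards; once `ssh-add` has consumed it, `unset SSH_KEY` confines that exposure to the lines that need it. `printf '%s\n'` is also preferable to `echo` for feeding the key, since a PEM body begins with `-----` and some echo implementations inspect a leading dash for options. The remainder of the script is outside the hunk.

```shell
eval $(ssh-agent -s)
if [ -n "${SSH_KEY_FILE}" ]; then
  # … unchanged: existence check and `cat "${SSH_KEY_FILE}" | ssh-add -k -` …
elif [ -n "${SSH_KEY}" ]; then
  # printf rather than echo: the PEM body starts with "-----", which an echo
  # implementation may try to read as options
  printf '%s\n' "${SSH_KEY}" | ssh-add -k -
  # The key now lives in the agent; drop it from the environment so the
  # processes started below do not inherit it.
  unset SSH_KEY
elif [ -f /id_rsa ]; then
  # Default location that the removed KEY_FILE=${SSH_KEY_FILE:=/id_rsa} used to provide.
  cat /id_rsa | ssh-add -k -
else
  echo "[FATAL] No SSH key provided: set SSH_KEY_FILE or SSH_KEY"
  exit 1
fi
```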