Stuff

Implement certificate authentication, certificate requires :gokrazy: principal
Read first line of /etc/passwd for home and shell
Shell uses `-l` to make it a login shell which will run .profile

breakglass.go

@@ -10,6 +10,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
 	"flag"
 	"fmt"
 	"io/ioutil"
@@ -17,6 +18,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"path"
 	"strings"
 	"syscall"
 
@@ -28,7 +30,11 @@ import (
 var (
 	authorizedKeysPath = flag.String("authorized_keys",
 		"/perm/breakglass.authorized_keys",
-		"path to an OpenSSH authorized_keys file")
+		"path to an OpenSSH authorized_keys file; if the value is 'ec2', fetch the SSH key(s) from the AWS IMDSv2 metadata")
+
+	authorizedUserCAPath = flag.String("authorized_ca",
+		"/perm/breakglass.authorized_user_ca",
+		"path to an OpenSSH TrustedUserCAKeys file; note the certificate must list ':gokrazy:' as a valid principal")
 
 	hostKeyPath = flag.String("host_key",
 		"/perm/breakglass.host_key",
@@ -39,16 +45,26 @@ var (
 		"port for breakglass to listen on")
 
 	enableBanner = flag.Bool("enable_banner",
-		false,
+		true,
 		"Adds a banner to greet the user on login")
 
 	forwarding = flag.String("forward",
 		"",
 		"allow port forwarding. Use `loopback` for loopback interfaces and `private-network` for private networks")
+
+	home  = "/perm/home"
+	shell = ""
 )
 
 func loadAuthorizedKeys(path string) (map[string]bool, error) {
-	b, err := ioutil.ReadFile(path)
+	var b []byte
+	var err error
+	switch path {
+	case "ec2":
+		b, err = loadAWSEC2SSHKeys()
+	default:
+		b, err = ioutil.ReadFile(path)
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -60,15 +76,7 @@ func loadAuthorizedKeys(path string) (map[string]bool, error) {
 		if tr := strings.TrimSpace(s.Text()); tr == "" || strings.HasPrefix(tr, "#") {
 			continue
 		}
-		pubKey, comment, _, _, err := ssh.ParseAuthorizedKey(s.Bytes())
-
-		// This warning can be removed once the mentioned issue is resolved
-		if keyType := pubKey.Type(); keyType == "ssh-rsa" {
-			log.Print("Warning: You added a ssh-rsa key to your authorized keys, these do currently not work.")
-			log.Print("Further information: https://github.com/gokrazy/breakglass/issues/11")
-			log.Printf("Affected key: %s [...] %s (line %d)", keyType, comment, lineNum)
-		}
-
+		pubKey, _, _, _, err := ssh.ParseAuthorizedKey(s.Bytes())
 		if err != nil {
 			return nil, err
 		}
@@ -81,6 +89,19 @@ func loadAuthorizedKeys(path string) (map[string]bool, error) {
 	return result, nil
 }
 
+func loadPasswd(passwd string) {
+	b, err := os.ReadFile(passwd)
+	if err != nil {
+		return
+	}
+	fields := bytes.SplitN(bytes.SplitN(b, []byte("\n"), 2)[0], []byte(":"), 7)
+	if len(fields) != 7 {
+		return
+	}
+	home = path.Clean(string(fields[5]))
+	shell = path.Clean(string(fields[6]))
+}
+
 func loadHostKey(path string) (ssh.Signer, error) {
 	b, err := ioutil.ReadFile(path)
 	if err != nil {
@@ -178,7 +199,7 @@ func initMOTD() error {
 		return err
 	}
 
-	motd = fmt.Sprintf(`              __                           
+	motd = fmt.Sprintf(`              __
  .-----.-----|  |--.----.---.-.-----.--.--.
  |  _  |  _  |    <|   _|  _  |-- __|  |  |
  |___  |_____|__|__|__| |___._|_____|___  |
@@ -198,6 +219,8 @@ func main() {
 
 	gokrazy.DontStartOnBoot()
 
+	loadPasswd("/etc/passwd")
+
 	authorizedKeys, err := loadAuthorizedKeys(*authorizedKeysPath)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -206,19 +229,59 @@ func main() {
 		log.Fatal(err)
 	}
 
+	authorizedUserCertificateCA, err := loadAuthorizedKeys(strings.TrimPrefix(*authorizedUserCAPath, "ec2"))
+	if err != nil {
+		if os.IsNotExist(err) {
+			log.Printf("TrustedUserCAKeys not loaded")
+		}
+	}
+
 	if err := initMOTD(); err != nil {
 		log.Print(err)
 	}
-
-	config := &ssh.ServerConfig{
-		PublicKeyCallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
+	certChecker := ssh.CertChecker{
+		IsUserAuthority: func(auth ssh.PublicKey) bool {
+			return authorizedUserCertificateCA[string(auth.Marshal())]
+		},
+		UserKeyFallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
 			if authorizedKeys[string(pubKey.Marshal())] {
 				log.Printf("user %q successfully authorized from remote addr %s", conn.User(), conn.RemoteAddr())
-				return nil, nil
+				return &ssh.Permissions{map[string]string{}, map[string]string{}}, nil
 			}
 			return nil, fmt.Errorf("public key not found in %s", *authorizedKeysPath)
 		},
 	}
+	config := &ssh.ServerConfig{
+		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+			cert, ok := key.(*ssh.Certificate)
+			if !ok {
+				if certChecker.UserKeyFallback != nil {
+					return certChecker.UserKeyFallback(conn, key)
+				}
+				return nil, errors.New("ssh: normal key pairs not accepted")
+			}
+
+			if cert.CertType != ssh.UserCert {
+				return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType)
+			}
+			if !certChecker.IsUserAuthority(cert.SignatureKey) {
+				return nil, fmt.Errorf("ssh: certificate signed by unrecognized authority")
+			}
+
+			if err := certChecker.CheckCert(":gokrazy:", cert); err != nil {
+				return nil, err
+			}
+			if cert.Permissions.CriticalOptions == nil {
+				cert.Permissions.CriticalOptions = map[string]string{}
+			}
+			if cert.Permissions.Extensions == nil {
+				cert.Permissions.Extensions = map[string]string{}
+			}
+
+			return &cert.Permissions, nil
+
+		},
+	}
 
 	signer, err := loadHostKey(*hostKeyPath)
 	if err != nil {
@@ -268,7 +331,7 @@ func main() {
 			}
 
 			go func(conn net.Conn) {
-				_, chans, reqs, err := ssh.NewServerConn(conn, config)
+				c, chans, reqs, err := ssh.NewServerConn(conn, config)
 				if err != nil {
 					log.Printf("handshake: %v", err)
 					return
@@ -278,7 +341,7 @@ func main() {
 				go ssh.DiscardRequests(reqs)
 
 				for newChannel := range chans {
-					handleChannel(newChannel)
+					handleChannel(newChannel, c)
 				}
 			}(conn)
 		}

breakglassaws.go

@@ -0,0 +1,84 @@
+// Code for interacting with AWS EC2.
+
+package main
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+)
+
+// getEC2MetadataToken returns an IMDSv2 token from the AWS EC2 metadata
+// server. This is needed for subsequent metadata requests, at least when
+// the VM was created in IMDSv2-required mode, as is common.
+//
+// See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
+func getEC2MetadataToken() (string, error) {
+	req, _ := http.NewRequest("PUT", "http://169.254.169.254/latest/api/token", nil)
+	req.Header.Add("X-aws-ec2-metadata-token-ttl-seconds", "300")
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("failed to get metadata token: %w", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		return "", fmt.Errorf("failed to get metadata token: %v", res.Status)
+	}
+	all, err := io.ReadAll(res.Body)
+	if err != nil {
+		return "", fmt.Errorf("failed to read metadata token: %w", err)
+	}
+	return strings.TrimSpace(string(all)), nil
+}
+
+// loadAWSEC2SSHKeys returns 1 or more SSH public keys from the AWS
+// EC2 metadata server and returns them concatenanted, one per line,
+// as if they were all together in an ~/.ssh/authorized_keys file.
+//
+// See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#instance-metadata-ex-5
+func loadAWSEC2SSHKeys() ([]byte, error) {
+	token, err := getEC2MetadataToken()
+	if err != nil {
+		return nil, err
+	}
+	var authorizedKeys bytes.Buffer
+	getKeyIndex := func(idx int) error {
+		req, _ := http.NewRequest("GET", fmt.Sprintf("http://169.254.169.254/latest/meta-data/public-keys/%d/openssh-key", idx), nil)
+		req.Header.Add("X-aws-ec2-metadata-token", token)
+		res, err := http.DefaultClient.Do(req)
+		if err != nil {
+			return err
+		}
+		defer res.Body.Close()
+		if res.StatusCode != 200 {
+			return errors.New(res.Status)
+		}
+		all, err := io.ReadAll(res.Body)
+		if err != nil {
+			return err
+		}
+		// Write out a ~/.ssh/authorized_keys -looking file,
+		// with each key on its own line.
+		fmt.Fprintf(&authorizedKeys, "%s\n", bytes.TrimSpace(all))
+		return nil
+	}
+	for i := 0; ; i++ {
+		err := getKeyIndex(i)
+		if err == nil {
+			continue
+		}
+		if i == 0 {
+			// We expect at least one SSH key (index 0) if the
+			// use requested this mode, so return an error if the
+			// first one fails.
+			return nil, err
+		}
+		// But on subsequent errors, just assume we've hit the end.
+		// This is a little lazy.
+		break
+	}
+	return authorizedKeys.Bytes(), nil
+}

busybox.go

@@ -0,0 +1,53 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+	"syscall"
+)
+
+const wellKnownBusybox = "/usr/local/bin/busybox"
+
+// mountBin bind-mounts /bin to a tmpfs.
+func mountBin() error {
+	b, err := os.ReadFile("/proc/self/mountinfo")
+	if err != nil {
+		return err
+	}
+	for _, line := range strings.Split(strings.TrimSpace(string(b)), "\n") {
+		parts := strings.Fields(line)
+		if len(parts) < 5 {
+			continue
+		}
+		mountpoint := parts[4]
+		log.Printf("Found mountpoint %q", parts[4])
+		if mountpoint == "/bin" {
+			log.Printf("/bin file system already mounted, nothing to do")
+			return nil
+		}
+	}
+
+	if err := syscall.Mount("tmpfs", "/bin", "tmpfs", 0, ""); err != nil {
+		return fmt.Errorf("mounting tmpfs on /bin: %v", err)
+	}
+
+	return nil
+}
+
+func installBusybox() error {
+	// /bin is read-only by default, so mount a tmpfs over it
+	if err := mountBin(); err != nil {
+		return err
+	}
+
+	install := exec.Command(wellKnownBusybox, "--install", "-s", "/bin")
+	install.Stdout = os.Stdout
+	install.Stderr = os.Stderr
+	if err := install.Run(); err != nil {
+		return fmt.Errorf("%v: %v", install.Args, err)
+	}
+	return nil
+}

cmd/breakglass/breakglass.go

@@ -241,7 +241,7 @@ func breakglass() error {
 	instance := flag.Arg(0)
 	instanceflag.SetInstance(instance)
 
-	cfg, err := config.ReadFromFile()
+	cfg, err := config.ApplyInstanceFlag()
 	if err != nil {
 		if os.IsNotExist(err) {
 			// best-effort compatibility for old setups

go.mod

@@ -1,22 +1,22 @@
 module github.com/gokrazy/breakglass
 
-go 1.19
+go 1.21
 
 require (
-	github.com/gokrazy/gokrazy v0.0.0-20211024151958-b718dd90ae71
-	github.com/gokrazy/internal v0.0.0-20230117180442-8b3fd7aed8bb
+	github.com/gokrazy/gokrazy v0.0.0-20230812092215-346db1998f83
+	github.com/gokrazy/internal v0.0.0-20250126213949-423a5b587b57
 	github.com/google/renameio/v2 v2.0.0
-	github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/kr/pty v1.1.8
-	github.com/pkg/sftp v1.13.5-0.20220330091711-a17a626ab843
-	golang.org/x/crypto v0.1.0
+	github.com/pkg/sftp v1.13.5
+	golang.org/x/crypto v0.31.0
 )
 
 require (
-	github.com/creack/pty v1.1.7 // indirect
+	github.com/creack/pty v1.1.18 // indirect
+	github.com/kenshaw/evdev v0.1.0 // indirect
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/mdlayher/watchdog v0.0.0-20201005150459-8bdc4f41966b // indirect
+	github.com/mdlayher/watchdog v0.0.0-20221003142519-49be0df7b3b5 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/sys v0.1.0 // indirect
-	rsc.io/goversion v1.2.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 )

go.sum

@@ -1,61 +1,50 @@
-github.com/anatol/vmtest v0.0.0-20210623221036-69fc760fbd4b/go.mod h1:l08qtd2JHjoYWIROnbKoKCUqIbe54ndrXwDdyiDfq30=
-github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg=
-github.com/creack/pty v1.1.7 h1:6pwm8kMQKCmgUg0ZHTm5+/YvRK0s3THD/28+T6/kk4A=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
+github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/gokrazy/gokrazy v0.0.0-20211024151958-b718dd90ae71 h1:NHLkr4NYMY9gZGTI+jzIo38ZffMHkPbBzMcUDkyHs0g=
-github.com/gokrazy/gokrazy v0.0.0-20211024151958-b718dd90ae71/go.mod h1:eq2ROPhZJtxxEi21P8cbNqP8pwRBSpW/4LGKwNiQg2Y=
-github.com/gokrazy/internal v0.0.0-20210621162516-1b3b5687a06d/go.mod h1:Gqv1x1DNrObmBvVvblpZbvZizZ0dU5PwiwYHipmtY9Y=
-github.com/gokrazy/internal v0.0.0-20230117180442-8b3fd7aed8bb h1:MT59ew5neGiU6hqFOnlqwo6pavSpdX1JUgBOvzDjNec=
-github.com/gokrazy/internal v0.0.0-20230117180442-8b3fd7aed8bb/go.mod h1:ddHcxXZ/VVQOSAWcRBbkYY58+QOw4L145ye6phyDmRA=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/gokrazy/gokrazy v0.0.0-20230812092215-346db1998f83 h1:Y4sADvUYd/c0eqnqebipHHl0GMpAxOQeTzPnwI4ievM=
+github.com/gokrazy/gokrazy v0.0.0-20230812092215-346db1998f83/go.mod h1:9q5Tg+q+YvRjC3VG0gfMFut46dhbhtAnvUEp4lPjc6c=
+github.com/gokrazy/internal v0.0.0-20250126213949-423a5b587b57 h1:f5bEvO4we3fbfiBkECrrUgWQ8OH6J3SdB2Dwxid/Yx4=
+github.com/gokrazy/internal v0.0.0-20250126213949-423a5b587b57/go.mod h1:SJG1KwuJQXFEoBgryaNCkMbdISyovDgZd0xmXJRZmiw=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/gopacket v1.1.16/go.mod h1:UCLx9mCmAwsVbn6qQl1WIEt2SO7Nd2fD0th1TBAsqBw=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
 github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
-github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf h1:7+FW5aGwISbqUtkfmIpZJGRgNFg2ioYPvFaUxdqpDsg=
-github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf/go.mod h1:RpwtwJQFrIEPstU94h88MWPXP2ektJZ8cZ0YntAmXiE=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
+github.com/kenshaw/evdev v0.1.0 h1:wmtceEOFfilChgdNT+c/djPJ2JineVsQ0N14kGzFRUo=
+github.com/kenshaw/evdev v0.1.0/go.mod h1:B/fErKCihUyEobz0mjn2qQbHgyJKFQAxkXSvkeeA/Wo=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pty v1.1.8 h1:AkaSdXYQOWeaO3neb8EM634ahkXXe3jYbVh/F9lq+GI=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
-github.com/mdlayher/raw v0.0.0-20190303161257-764d452d77af/go.mod h1:rC/yE65s/DoHB6BzVOUBNYBGTg772JVytyAytffIZkY=
-github.com/mdlayher/watchdog v0.0.0-20201005150459-8bdc4f41966b h1:7tUBfsEEBWfFeHOB7CUfoOamak+Gx/BlirfXyPk1WjI=
-github.com/mdlayher/watchdog v0.0.0-20201005150459-8bdc4f41966b/go.mod h1:bmoJUS6qOA3uKFvF3KVuhf7mU1KQirzQMeHXtPyKEqg=
-github.com/pkg/sftp v1.13.5-0.20220330091711-a17a626ab843 h1:aIV4Pjj4gI4eGy8t60Pfji8tdDDohxwBU5ZCb4ulHvw=
-github.com/pkg/sftp v1.13.5-0.20220330091711-a17a626ab843/go.mod h1:wHDZ0IZX6JcBYRK1TH9bcVq8G7TLpVHYIGJRFnmPfxg=
+github.com/mdlayher/watchdog v0.0.0-20221003142519-49be0df7b3b5 h1:80FAK3TW5lVymfHu3kvB1QvTZvy9Kmx1lx6sT5Ep16s=
+github.com/mdlayher/watchdog v0.0.0-20221003142519-49be0df7b3b5/go.mod h1:z0QjVpjpK4jksEkffQwS3+abQ3XFTm1bnimyDzWyUk0=
+github.com/pkg/sftp v1.13.5 h1:a3RLUqkyjYRtBTZJZ1VRrKbN3zhuPLlUc3sphVz81go=
+github.com/pkg/sftp v1.13.5/go.mod h1:wHDZ0IZX6JcBYRK1TH9bcVq8G7TLpVHYIGJRFnmPfxg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rtr7/dhcp4 v0.0.0-20181120124042-778e8c2e24a5/go.mod h1:FwstIpm6vX98QgtR8KEwZcVjiRn2WP76LjXAHj84fK0=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
-golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/sys v0.0.0-20201005065044-765f4ea38db3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210820121016-41cdb8703e55/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=
-rsc.io/goversion v1.2.0/go.mod h1:Eih9y/uIBS3ulggl7KNJ09xGSLcuNaLgmvvqa07sgfo=

ssh.go

@@ -2,12 +2,14 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"log"
 	"net"
 	"os"
 	"os/exec"
+	"path"
 	"strconv"
 	"strings"
 	"sync"
@@ -21,11 +23,15 @@ import (
 	"golang.org/x/crypto/ssh"
 )
 
-func handleChannel(newChan ssh.NewChannel) {
+func handleChannel(newChan ssh.NewChannel, conn *ssh.ServerConn) {
 	switch t := newChan.ChannelType(); t {
 	case "session":
-		handleSession(newChan)
+		handleSession(newChan, conn)
 	case "direct-tcpip":
+		if _, portForwardDenied := conn.Permissions.Extensions["no-port-forwarding"]; portForwardDenied {
+			newChan.Reject(ssh.Prohibited, "port forwarding is disabled. For you in particular :-P")
+			return
+		}
 		handleTCPIP(newChan)
 	default:
 		newChan.Reject(ssh.UnknownChannelType, fmt.Sprintf("unknown channel type: %q", t))
@@ -112,7 +118,7 @@ func handleTCPIP(newChan ssh.NewChannel) {
 	}()
 }
 
-func handleSession(newChannel ssh.NewChannel) {
+func handleSession(newChannel ssh.NewChannel, conn *ssh.ServerConn) {
 	channel, requests, err := newChannel.Accept()
 	if err != nil {
 		log.Printf("Could not accept channel (%s)", err)
@@ -120,12 +126,12 @@ func handleSession(newChannel ssh.NewChannel) {
 	}
 
 	// Sessions have out-of-band requests such as "shell", "pty-req" and "env"
-	go func(channel ssh.Channel, requests <-chan *ssh.Request) {
+	go func(channel ssh.Channel, requests <-chan *ssh.Request, conn *ssh.ServerConn) {
 		ctx, canc := context.WithCancel(context.Background())
 		defer canc()
 		s := session{channel: channel}
 		for req := range requests {
-			if err := s.request(ctx, req); err != nil {
+			if err := s.request(ctx, req, conn); err != nil {
 				log.Printf("request(%q): %v", req.Type, err)
 				errmsg := []byte(err.Error())
 				// Append a trailing newline; the error message is
@@ -139,7 +145,7 @@ func handleSession(newChannel ssh.NewChannel) {
 			}
 		}
 		log.Printf("requests exhausted")
-	}(channel, requests)
+	}(channel, requests, conn)
 }
 
 func expandPath(env []string) []string {
@@ -215,19 +221,36 @@ type exitStatus struct {
 }
 
 func findShell() string {
+	if _, err := os.Stat(wellKnownBusybox); err == nil {
+		// Install busybox to /bin to provide the typical userspace utilities
+		// in standard locations (makes Emacs TRAMP work, for example).
+		if err := installBusybox(); err != nil {
+			log.Printf("installing busybox failed: %v", err)
+			// fallthrough, we don't return /bin/sh as we read /etc/passwd
+		}
+	}
+	if _, err := exec.LookPath(shell); path.IsAbs(shell) && err == nil {
+		return shell
+	}
+	if path, err := exec.LookPath("bash"); err == nil {
+		return path
+	}
 	if path, err := exec.LookPath("sh"); err == nil {
 		return path
 	}
 	const wellKnownSerialShell = "/tmp/serial-busybox/ash"
-	if _, err := os.Stat(wellKnownSerialShell); err == nil {
+	if _, err := exec.LookPath(wellKnownSerialShell); err == nil {
 		return wellKnownSerialShell
 	}
 	return ""
 }
 
-func (s *session) request(ctx context.Context, req *ssh.Request) error {
+func (s *session) request(ctx context.Context, req *ssh.Request, conn *ssh.ServerConn) error {
 	switch req.Type {
 	case "pty-req":
+		if _, portForwardDenied := conn.Permissions.Extensions["no-pty"]; portForwardDenied {
+			return errors.New("Pseudo-Terminal is disabled. For you in particular :-P")
+		}
 		var r ptyreq
 		if err := ssh.Unmarshal(req.Payload, &r); err != nil {
 			return err
@@ -345,21 +368,25 @@ func (s *session) request(ctx context.Context, req *ssh.Request) error {
 
 		// Ensure the $HOME directory exists so that shell history works without
 		// any extra steps.
-		if err := os.MkdirAll("/perm/home", 0755); err != nil {
+		if err := os.MkdirAll(home, 0755); err != nil {
 			// TODO: Suppress -EROFS
 			log.Print(err)
 		}
 
 		var cmd *exec.Cmd
 		if shell := findShell(); shell != "" {
-			cmd = exec.CommandContext(ctx, shell, "-c", r.Command)
+			if r.Command == "sh" {
+				cmd = exec.CommandContext(ctx, shell, "-l")
+			} else {
+				cmd = exec.CommandContext(ctx, shell, "-c", r.Command)
+			}
 		} else {
 			cmd = exec.CommandContext(ctx, cmdline[0], cmdline[1:]...)
 		}
 		log.Printf("Starting cmd %q", cmd.Args)
 		env := expandPath(s.env)
 		env = append(env,
-			"HOME=/perm/home",
+			"HOME="+home,
 			"TMPDIR=/tmp")
 		cmd.Env = env
 		cmd.SysProcAttr = &syscall.SysProcAttr{}