logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Interactive-SSH-programs.md (8709B)

    

  1. ---
  2. date: 2019-09-02
  3. layout: post
  4. title: Building interactive SSH applications
  5. tags: [ssh, informational, sourcehut]
  6. ---
  8. After the announcement of [shell access for builds.sr.ht jobs][builds
  9. announcement], a few people sent me some questions, wondering how this sort of
  10. thing is done. Writing interactive SSH applications is actually pretty easy, but
  11. it does require some knowledge of the pieces involved and a little bit of
  12. general Unix literacy.
  14. [builds announcement]: https://drewdevault.com/2019/08/19/Introducing-shell-access-for-builds.html
  16. On the server, there are three steps which you can meddle with using OpenSSH:
  17. authentication, the shell session, and the command. The shell is pretty easily
  18. manipulated. For example, if you set the user's login shell to
  19. `/usr/bin/nethack`, then [nethack][nethack] will run when they log in. Editing
  20. this is pretty straightforward, just pop open `/etc/passwd` as root and set
  21. their shell to your desired binary. If the user SSHes into your server with a
  22. TTY allocated (which is done by default), then you'll be able to run a curses
  23. application or something interactive.
  25. [nethack]: https://www.nethack.org/
  27. <script
  28.   id="asciicast-CQ5iaFl8kMnOGV3x0TeI7vfjV"
  29.   src="https://asciinema.org/a/pafXXANiWHY9MOH2yXdVHHJRd.js" async
  30. ></script>
  31. <noscript><i>This article includes third-party JavaScript content from
  32. asciinema.org, a free- and open-source platform that I trust.</i></noscript>
  34. However, a downside to this is that, if you choose a "shell" which does not
  35. behave like a shell, it will break when the user passes additional command line
  36. arguments, such as `ssh user@host ls -a`. To address this, instead of overriding
  37. the shell, we can override the *command* which is run. The best place to do this
  38. is in the user's `authorized_keys` file. Before each line, you can add options
  39. which apply to users who log in with that key. One of these options is the
  40. "command" option. If you add this to `/home/user/.ssh/authorized_keys` instead:
  42. ```
  43. command="/usr/bin/nethack" ssh-rsa ... user
  44. ```
  46. Then it'll use the user's shell (which should probably be `/bin/sh`) to run
  47. `nethack`, which will work regardless of the command supplied by the user (which
  48. is stored into `SSH_ORIGINAL_COMMAND` in the environment, should you need it).
  49. There are probably some other options you want to set here, as well, for
  50. security reasons:
  52. ```
  53. restrict,pty,command="..." ssh-rsa ... user
  54. ```
  56. The full list of options you can set here is available in the `sshd(8)` man
  57. page. `restrict` just turns off most stuff by default, and `pty` explicitly
  58. re-enables TTY allocation, so that we can do things like curses. This will work
  59. if you want to explicitly authorize specific people, one at a time, in your
  60. `authorized_keys` file, to use your SSH-driven application.  However, there's
  61. one more place where we can meddle: the `AuthorizedKeysCommand` in
  62. `/etc/ssh/sshd_config`. Instead of having OpenSSH read from the
  63. `authorized_keys` file in the user's home directory, it can execute an arbitrary
  64. program and read the `authorized_keys` file from its stdout. For example, on
  65. Sourcehut we use something like this:
  67. ```
  68. AuthorizedKeysCommand /usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
  69. AuthorizedKeysUser root
  70. ```
  72. Respectively, these format strings will supply the command with the username
  73. attempting login, the user's home directory, the type of key in use (e.g.
  74. `ssh-rsa`), and the base64-encoded key itself. More options are available - see
  75. `TOKENS`, in the `sshd_config(8)` man page. The key supplied here can be used to
  76. identify the user - on Sourcehut we look up their SSH key in the database. Then
  77. you can choose whether or not to admit the user based on any logic of your
  78. choosing, and print an appropriate `authorized_keys` to stdout. You can also
  79. take this opportunity to forward this information along to the command that gets
  80. executed, by appending them to the command option or by using the environment
  81. options.
  83. ## How this works on builds.sr.ht
  85. We use a somewhat complex system for incoming SSH connections, which I won't go
  86. into here - it's only necessary to support multiple SSH applications on the same
  87. server, like git.sr.ht and builds.sr.ht. For builds.sr.ht, we accept all
  88. connections and authenticate later on. This means our AuthorizedKeysCommand is
  89. quite simple:
  91. ```python
  92. #!/usr/bin/env python3
  93. # We just let everyone in at this stage, authentication is done later on.
  94. import sys
  95. key_type = sys.argv[3]
  96. b64key = sys.argv[4]
  98. keys = (f"command=\"buildsrht-shell '{b64key}'\",restrict,pty " +
  99.     f"{key_type} {b64key} somebody\n")
  100. print(keys)
  101. sys.exit(0)
  102. ```
  104. The command, `buildsrht-shell`, does some more interesting stuff. First, the
  105. user is told to connect with a command like `ssh builds@buildhost connect <job
  106. ID>`, so we use the `SSH_ORIGINAL_COMMAND` variable to grab the command line
  107. they included:
  109. ```python
  110. cmd = os.environ.get("SSH_ORIGINAL_COMMAND") or ""
  111. cmd = shlex.split(cmd)
  112. if len(cmd) != 2:
  113.     fail("Usage: ssh ... connect <job ID>")
  114. op = cmd[0]
  115. if op not in ["connect", "tail"]:
  116.     fail("Usage: ssh ... connect <job ID>")
  117. job_id = int(cmd[1])
  118. ```
  120. Then we do some authentication, fetching the job info from the local job runner
  121. and checking their key against meta.sr.ht (the authentication service).
  123. ```python
  124. b64key = sys.argv[1]
  126. def get_info(job_id):
  127.     r = requests.get(f"http://localhost:8080/job/{job_id}/info")
  128.     if r.status_code != 200:
  129.         return None
  130.     return r.json()
  132. info = get_info(job_id)
  133. if not info:
  134.     fail("No such job found.")
  136. meta_origin = get_origin("meta.sr.ht")
  137. r = requests.get(f"{meta_origin}/api/ssh-key/{b64key}")
  138. if r.status_code == 200:
  139.     username = r.json()["owner"]["name"]
  140. elif r.status_code == 404:
  141.     fail("We don't recognize your SSH key. Make sure you've added it to " +
  142.         f"your account.\n{get_origin('meta.sr.ht', external=True)}/keys")
  143. else:
  144.     fail("Temporary authentication failure. Try again later.")
  146. if username != info["username"]:
  147.     fail("You are not permitted to connect to this job.")
  148. ```
  150. There are two modes from here on out: connecting and tailing. The former logs
  151. into the local build VM, and the latter prints the logs to the terminal.
  152. Connecting looks like this:
  154. ```python
  155. def connect(job_id, info):
  156.     """Opens a shell on the build VM"""
  157.     limit = naturaltime(datetime.utcnow() - deadline)
  158.     print(f"Your VM will be terminated {limit}, or when you log out.")
  159.     print()
  160.     requests.post(f"http://localhost:8080/job/{job_id}/claim")
  161.     sys.stdout.flush()
  162.     sys.stderr.flush()
  163.     tty = os.open("/dev/tty", os.O_RDWR)
  164.     os.dup2(0, tty)
  165.     subprocess.call([
  166.         "ssh", "-qt",
  167.         "-p", str(info["port"]),
  168.         "-o", "UserKnownHostsFile=/dev/null",
  169.         "-o", "StrictHostKeyChecking=no",
  170.         "-o", "LogLevel=quiet",
  171.         "build@localhost", "bash"
  172.     ])
  173.     requests.post(f"http://localhost:8080/job/{job_id}/terminate")
  174. ```
  176. This is pretty self explanatory, except perhaps for the dup2 - we just open
  177. `/dev/tty` and make `stdin` a copy of it. Some interactive applications
  178. misbehave if stdin is not a tty, and this mimics the normal behavior of SSH.
  179. Then we log into the build VM over SSH, which with stdin/stdout/stderr rigged up
  180. like so will allow the user to interact with the build VM. After that completes,
  181. we terminate the VM.
  183. This is mostly plumbing work that just serves to get the user from point A to
  184. point B. The tail functionality is more application-like:
  186. ```python
  187. def tail(job_id, info):
  188.     """Tails the build logs to stdout"""
  189.     logs = os.path.join(cfg("builds.sr.ht::worker", "buildlogs"), str(job_id))
  190.     p = subprocess.Popen(["tail", "-f", os.path.join(logs, "log")])
  191.     tasks = set()
  192.     procs = [p]
  193.     # holy bejeezus this is hacky
  194.     while True:
  195.         for task in manifest.tasks:
  196.             if task.name in tasks:
  197.                 continue
  198.             path = os.path.join(logs, task.name, "log")
  199.             if os.path.exists(path):
  200.                 procs.append(subprocess.Popen(
  201.                     f"tail -f {shlex.quote(path)} | " +
  202.                     "awk '{ print \"[" + shlex.quote(task.name) + "] \" $0 }'",
  203.                     shell=True))
  204.                 tasks.update({ task.name })
  205.         info = get_info(job_id)
  206.         if not info:
  207.             break
  208.         if info["task"] == info["tasks"]:
  209.             for p in procs:
  210.                 p.kill()
  211.             break
  212.         time.sleep(3)
  214. if op == "connect":
  215.     if info["task"] != info["tasks"] and info["status"] == "running":
  216.         tail(job_id, info)
  217.     connect(job_id, info)
  218. elif op == "tail":
  219.     tail(job_id, info)
  220. ```
  222. This... I... let's just pretend you never saw this. And that's how SSH access to
  223. builds.sr.ht works!