knife-ssh-agent 0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +2 -0
- data/.rubocop.yml +34 -0
- data/.travis.yml +11 -0
- data/Gemfile +3 -0
- data/LICENSE.txt +19 -0
- data/README.md +34 -0
- data/Rakefile +5 -0
- data/knife-ssh-agent.gemspec +25 -0
- data/lib/chef/knife/ssh_agent.rb +6 -0
- data/lib/knife/ssh-agent.rb +6 -0
- data/lib/knife/ssh-agent/authenticator.rb +36 -0
- data/lib/knife/ssh-agent/signedheaderauth.rb +36 -0
- data/lib/knife/ssh-agent/version.rb +3 -0
- metadata +127 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: cc3b43a18489830619cbfc04c9b1ffe83810ca11
|
4
|
+
data.tar.gz: 73ab4cd0cd3c8acc3b689f3df06f50ccbb1aae6a
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: '056804ad96cf5e79de9827dd0b336ee930d0edd49e20bdfe2262804b51b1155f70806a3da3d3540727c19b4b5c35e7046cbb5dd29634b5ead64d32478c29dfcd'
|
7
|
+
data.tar.gz: f844a004f1ae94596c418e9a37c9ff8c005ce7970ca0728070b72ff2ac1d39476778adf2bae3e51e8e5773ab6511ce597e967e985d3e2f57ea3f2d139f8950f4
|
data/.gitignore
ADDED
data/.rubocop.yml
ADDED
@@ -0,0 +1,34 @@
|
|
1
|
+
AllCops:
|
2
|
+
Exclude:
|
3
|
+
- bundle/**/*
|
4
|
+
TargetRubyVersion: 2.3
|
5
|
+
|
6
|
+
Metrics/ClassLength:
|
7
|
+
Max: 200
|
8
|
+
|
9
|
+
Metrics/LineLength:
|
10
|
+
Max: 230
|
11
|
+
|
12
|
+
Metrics/MethodLength:
|
13
|
+
Max: 30
|
14
|
+
|
15
|
+
Metrics/AbcSize:
|
16
|
+
Max: 52
|
17
|
+
|
18
|
+
Metrics/CyclomaticComplexity:
|
19
|
+
Max: 25
|
20
|
+
|
21
|
+
Metrics/PerceivedComplexity:
|
22
|
+
Max: 10
|
23
|
+
|
24
|
+
Naming/FileName:
|
25
|
+
Enabled: false
|
26
|
+
|
27
|
+
Style/Documentation:
|
28
|
+
Enabled: false
|
29
|
+
|
30
|
+
Style/HashSyntax:
|
31
|
+
EnforcedStyle: ruby19_no_mixed_keys
|
32
|
+
|
33
|
+
Style/FrozenStringLiteralComment:
|
34
|
+
Enabled: false
|
data/.travis.yml
ADDED
@@ -0,0 +1,11 @@
|
|
1
|
+
language: ruby
|
2
|
+
rvm:
|
3
|
+
- 2.4
|
4
|
+
deploy:
|
5
|
+
provider: rubygems
|
6
|
+
gem: knife-ssh-agent
|
7
|
+
on:
|
8
|
+
tags: true
|
9
|
+
repo: criteo/knife-ssh-agent
|
10
|
+
api_key:
|
11
|
+
secure: lUZj460tSYMs4gm7uX0/8vk8R9/cLAJeys4FacVsGwQK5dCIyQBWioNzGrvXHJzjksP378nwX7SeHIFGFAKBkpCQX82ORGjaqgfnZDN0mxAZ5HqKbYdlU5nxeM5vm80tk4v77qFyvuX8XHCMTvZKpR1djA4ZIteCAw0CVFPqRelUzKpSFjytUge7vIorjnbjACCC9fh5rxUFDzLVZVECJT4WH2HTnoo9SL9ec2kQrwHgzUV4lUIrJkyKZtHkL6Iaw/YSPPPDSyd2llf6HuFV9ivzZ8uOEZHKT4qQ1EBxToobHEUjD2GvmfvjKPuZJBB+A5GEcHwVIRI59TRu8YQBoEGhiS6z6jFPJs8us9wfwquAYR195nbDPyZl5Ru1ebblsRd7BON+o0cHUP7d9a41mEufvoyxPMjA0m6cNJSbe0ve+fBM+gte63kIWdq6K6CV1UqZBpitEt4fUM5hPPjQRaexYxgMZ+RVY7pEKMwoG79G3enApb4riZK5+lcY7wl2cc9FfMCy6hqhXDvZ83TKiXb3zY6DdTn7yikOBKuphK4By/C5pTUcP79CIrEOTIunbsVg6f+ge1Y9MZ8i7BWUzlCq/HNwebcYYJ1nF/PvIqKHKCdpoJ1ItqtSxZme4s5MKn9eselYXgUry6J61RvnlfK4/+hZ8DzsG5+BRDI3EP0=
|
data/Gemfile
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,19 @@
|
|
1
|
+
Copyright (c) 2017 Vincent Minet
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
4
|
+
of this software and associated documentation files (the "Software"), to deal
|
5
|
+
in the Software without restriction, including without limitation the rights
|
6
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
7
|
+
copies of the Software, and to permit persons to whom the Software is
|
8
|
+
furnished to do so, subject to the following conditions:
|
9
|
+
|
10
|
+
The above copyright notice and this permission notice shall be included in all
|
11
|
+
copies or substantial portions of the Software.
|
12
|
+
|
13
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
14
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
15
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
16
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
17
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
18
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
19
|
+
SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,34 @@
|
|
1
|
+
# knife-ssh-agent
|
2
|
+
|
3
|
+
Authenticate to a chef server using a SSH agent.
|
4
|
+
|
5
|
+
## Compatibility
|
6
|
+
This only works with RSA keys, as it is the only kind supported by chef.
|
7
|
+
Non RSA keys listed by the agent will be ignore.
|
8
|
+
|
9
|
+
The SSH agent must be compatbile with SHA-256 as the hash function for the
|
10
|
+
RSASSA-PKCS1-v1_5 signature (see draft-rsa-dsa-sha2-256-03.txt).
|
11
|
+
|
12
|
+
* OpenSSH is compatible since version 7.2
|
13
|
+
* GNOME keyring is not compatible
|
14
|
+
|
15
|
+
## Usage
|
16
|
+
|
17
|
+
The following configuration options must be set in your knife.rb
|
18
|
+
|
19
|
+
```
|
20
|
+
knife[:use_ssh_agent] = true
|
21
|
+
authentication_protocol_version '1.3'
|
22
|
+
```
|
23
|
+
|
24
|
+
Version 1.3 of the authentication protocol is required as it's the only one
|
25
|
+
compatible with the signatures generated by the agent.
|
26
|
+
|
27
|
+
If your ssh-agent has multiple RSA identities, you can choose which one will be
|
28
|
+
used to sign requets by adding this to your knife.rb
|
29
|
+
|
30
|
+
```
|
31
|
+
knife[:ssh_agent_identity] = '~/.ssh/chef-rsa-key' # .pub is optional
|
32
|
+
```
|
33
|
+
|
34
|
+
Otherwise, the first RSA identity listed by the agent will be used.
|
data/Rakefile
ADDED
@@ -0,0 +1,25 @@
|
|
1
|
+
lib = File.expand_path('../lib', __FILE__)
|
2
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
3
|
+
|
4
|
+
require 'knife/ssh-agent/version'
|
5
|
+
|
6
|
+
Gem::Specification.new do |spec|
|
7
|
+
spec.name = 'knife-ssh-agent'
|
8
|
+
spec.version = KnifeSSHAgent::VERSION
|
9
|
+
spec.authors = ['Vincent Minet']
|
10
|
+
spec.email = ['v.minet@criteo.com']
|
11
|
+
spec.homepage = 'https://github.com/criteo/knife-ssh-agent'
|
12
|
+
spec.license = 'MIT'
|
13
|
+
spec.summary = 'SSH Agent support for chef authentication'
|
14
|
+
spec.description = 'Authenticate to a chef server using a SSH agent.'
|
15
|
+
|
16
|
+
spec.require_paths = 'lib'
|
17
|
+
spec.files = `git ls-files -z`.split("\x0")
|
18
|
+
|
19
|
+
spec.add_development_dependency 'bundler', '>= 1.0'
|
20
|
+
spec.add_development_dependency 'rake'
|
21
|
+
spec.add_development_dependency 'rubocop'
|
22
|
+
|
23
|
+
spec.add_dependency 'chef'
|
24
|
+
spec.add_dependency 'net-ssh', '>= 4.2'
|
25
|
+
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
require 'net/ssh'
|
2
|
+
require 'chef/config'
|
3
|
+
|
4
|
+
module KnifeSSHAgent
|
5
|
+
module Authenticator
|
6
|
+
def load_signing_key(key_file, raw_key = nil)
|
7
|
+
use_agent = Chef::Config[:knife][:use_ssh_agent]
|
8
|
+
ident_file = Chef::Config[:knife][:ssh_agent_identity]
|
9
|
+
|
10
|
+
return super(key_file, raw_key) unless use_agent
|
11
|
+
|
12
|
+
@key = if ident_file
|
13
|
+
load_ident_file(ident_file)
|
14
|
+
else
|
15
|
+
load_agent_default_ident
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
def load_ident_file(path)
|
20
|
+
file = [path + '.pub'].find(path) { |f| ::File.exist?(::File.expand_path(f)) }
|
21
|
+
Net::SSH::KeyFactory.load_public_key(file)
|
22
|
+
rescue Net::SSH::Exception
|
23
|
+
raise AgentException, "unable to find requested SSH identity: #{path}"
|
24
|
+
end
|
25
|
+
|
26
|
+
def load_agent_default_ident
|
27
|
+
agent = Net::SSH::Authentication::Agent.connect
|
28
|
+
ident = agent.identities.select { |id| id.ssh_type == 'ssh-rsa' }
|
29
|
+
|
30
|
+
raise AgentException, 'cannot retrieve a valid RSA key from the SSH agent' if ident.empty?
|
31
|
+
ident.first
|
32
|
+
ensure
|
33
|
+
agent&.close
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
require 'net/ssh'
|
2
|
+
require 'chef/config'
|
3
|
+
require 'mixlib/authentication'
|
4
|
+
|
5
|
+
module KnifeSSHAgent
|
6
|
+
SSH_AGENT_RSA_SHA2_256 = Net::SSH::Authentication::Agent::SSH_AGENT_RSA_SHA2_256
|
7
|
+
|
8
|
+
module SigningObject
|
9
|
+
def do_sign(private_key, digest, sign_algorithm, sign_version)
|
10
|
+
use_agent = Chef::Config[:knife][:use_ssh_agent]
|
11
|
+
|
12
|
+
if use_agent
|
13
|
+
sign_with_agent(private_key, sign_algorithm, sign_version)
|
14
|
+
else
|
15
|
+
super(private_key, digest, sign_algorithm, sign_version)
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
def sign_with_agent(key, sign_algorithm, sign_version)
|
20
|
+
raise AgentException, 'ssh-agent requires authentication_protocol_version 1.3' unless sign_version == '1.3'
|
21
|
+
|
22
|
+
string_to_sign = canonicalize_request(sign_algorithm, sign_version)
|
23
|
+
begin
|
24
|
+
agent = Net::SSH::Authentication::Agent.connect
|
25
|
+
blob = Net::SSH::Buffer.from(:raw, agent.sign(key, string_to_sign, SSH_AGENT_RSA_SHA2_256))
|
26
|
+
type = blob.read_string
|
27
|
+
|
28
|
+
raise AgentException, "agent returned a '#{type}' signature (should be 'rsa-sha2-256')" unless type == 'rsa-sha2-256'
|
29
|
+
|
30
|
+
blob.read_string
|
31
|
+
ensure
|
32
|
+
agent&.close
|
33
|
+
end
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
metadata
ADDED
@@ -0,0 +1,127 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: knife-ssh-agent
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: '0.1'
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Vincent Minet
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
date: 2017-12-08 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: bundler
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - ">="
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '1.0'
|
20
|
+
type: :development
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - ">="
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '1.0'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: rake
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - ">="
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '0'
|
34
|
+
type: :development
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - ">="
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '0'
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: rubocop
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - ">="
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: '0'
|
48
|
+
type: :development
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - ">="
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '0'
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: chef
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - ">="
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: '0'
|
62
|
+
type: :runtime
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - ">="
|
67
|
+
- !ruby/object:Gem::Version
|
68
|
+
version: '0'
|
69
|
+
- !ruby/object:Gem::Dependency
|
70
|
+
name: net-ssh
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
72
|
+
requirements:
|
73
|
+
- - ">="
|
74
|
+
- !ruby/object:Gem::Version
|
75
|
+
version: '4.2'
|
76
|
+
type: :runtime
|
77
|
+
prerelease: false
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
79
|
+
requirements:
|
80
|
+
- - ">="
|
81
|
+
- !ruby/object:Gem::Version
|
82
|
+
version: '4.2'
|
83
|
+
description: Authenticate to a chef server using a SSH agent.
|
84
|
+
email:
|
85
|
+
- v.minet@criteo.com
|
86
|
+
executables: []
|
87
|
+
extensions: []
|
88
|
+
extra_rdoc_files: []
|
89
|
+
files:
|
90
|
+
- ".gitignore"
|
91
|
+
- ".rubocop.yml"
|
92
|
+
- ".travis.yml"
|
93
|
+
- Gemfile
|
94
|
+
- LICENSE.txt
|
95
|
+
- README.md
|
96
|
+
- Rakefile
|
97
|
+
- knife-ssh-agent.gemspec
|
98
|
+
- lib/chef/knife/ssh_agent.rb
|
99
|
+
- lib/knife/ssh-agent.rb
|
100
|
+
- lib/knife/ssh-agent/authenticator.rb
|
101
|
+
- lib/knife/ssh-agent/signedheaderauth.rb
|
102
|
+
- lib/knife/ssh-agent/version.rb
|
103
|
+
homepage: https://github.com/criteo/knife-ssh-agent
|
104
|
+
licenses:
|
105
|
+
- MIT
|
106
|
+
metadata: {}
|
107
|
+
post_install_message:
|
108
|
+
rdoc_options: []
|
109
|
+
require_paths:
|
110
|
+
- lib
|
111
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
112
|
+
requirements:
|
113
|
+
- - ">="
|
114
|
+
- !ruby/object:Gem::Version
|
115
|
+
version: '0'
|
116
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
117
|
+
requirements:
|
118
|
+
- - ">="
|
119
|
+
- !ruby/object:Gem::Version
|
120
|
+
version: '0'
|
121
|
+
requirements: []
|
122
|
+
rubyforge_project:
|
123
|
+
rubygems_version: 2.6.8
|
124
|
+
signing_key:
|
125
|
+
specification_version: 4
|
126
|
+
summary: SSH Agent support for chef authentication
|
127
|
+
test_files: []
|