knife-ssh-agent 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: cc3b43a18489830619cbfc04c9b1ffe83810ca11
+  data.tar.gz: 73ab4cd0cd3c8acc3b689f3df06f50ccbb1aae6a
+SHA512:
+  metadata.gz: '056804ad96cf5e79de9827dd0b336ee930d0edd49e20bdfe2262804b51b1155f70806a3da3d3540727c19b4b5c35e7046cbb5dd29634b5ead64d32478c29dfcd'
+  data.tar.gz: f844a004f1ae94596c418e9a37c9ff8c005ce7970ca0728070b72ff2ac1d39476778adf2bae3e51e8e5773ab6511ce597e967e985d3e2f57ea3f2d139f8950f4

data/.gitignore

@@ -0,0 +1,2 @@
+.bundle/
+Gemfile.lock*

data/.rubocop.yml

@@ -0,0 +1,34 @@
+AllCops:
+  Exclude:
+  - bundle/**/*
+  TargetRubyVersion: 2.3
+
+Metrics/ClassLength:
+  Max: 200
+
+Metrics/LineLength:
+  Max: 230
+
+Metrics/MethodLength:
+  Max: 30
+
+Metrics/AbcSize:
+  Max: 52
+
+Metrics/CyclomaticComplexity:
+  Max: 25
+
+Metrics/PerceivedComplexity:
+  Max: 10
+
+Naming/FileName:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/HashSyntax:
+  EnforcedStyle: ruby19_no_mixed_keys
+
+Style/FrozenStringLiteralComment:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,11 @@
+language: ruby
+rvm:
+- 2.4
+deploy:
+  provider: rubygems
+  gem: knife-ssh-agent
+  on:
+    tags: true
+    repo: criteo/knife-ssh-agent
+  api_key:
+    secure: lUZj460tSYMs4gm7uX0/8vk8R9/cLAJeys4FacVsGwQK5dCIyQBWioNzGrvXHJzjksP378nwX7SeHIFGFAKBkpCQX82ORGjaqgfnZDN0mxAZ5HqKbYdlU5nxeM5vm80tk4v77qFyvuX8XHCMTvZKpR1djA4ZIteCAw0CVFPqRelUzKpSFjytUge7vIorjnbjACCC9fh5rxUFDzLVZVECJT4WH2HTnoo9SL9ec2kQrwHgzUV4lUIrJkyKZtHkL6Iaw/YSPPPDSyd2llf6HuFV9ivzZ8uOEZHKT4qQ1EBxToobHEUjD2GvmfvjKPuZJBB+A5GEcHwVIRI59TRu8YQBoEGhiS6z6jFPJs8us9wfwquAYR195nbDPyZl5Ru1ebblsRd7BON+o0cHUP7d9a41mEufvoyxPMjA0m6cNJSbe0ve+fBM+gte63kIWdq6K6CV1UqZBpitEt4fUM5hPPjQRaexYxgMZ+RVY7pEKMwoG79G3enApb4riZK5+lcY7wl2cc9FfMCy6hqhXDvZ83TKiXb3zY6DdTn7yikOBKuphK4By/C5pTUcP79CIrEOTIunbsVg6f+ge1Y9MZ8i7BWUzlCq/HNwebcYYJ1nF/PvIqKHKCdpoJ1ItqtSxZme4s5MKn9eselYXgUry6J61RvnlfK4/+hZ8DzsG5+BRDI3EP0=

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/LICENSE.txt

@@ -0,0 +1,19 @@
+Copyright (c) 2017 Vincent Minet
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,34 @@
+# knife-ssh-agent
+
+Authenticate to a chef server using a SSH agent.
+
+## Compatibility
+This only works with RSA keys, as it is the only kind supported by chef.
+Non RSA keys listed by the agent will be ignore.
+
+The SSH agent must be compatbile with SHA-256 as the hash function for the
+RSASSA-PKCS1-v1_5 signature (see draft-rsa-dsa-sha2-256-03.txt).
+
+* OpenSSH is compatible since version 7.2
+* GNOME keyring is not compatible
+
+## Usage
+
+The following configuration options must be set in your knife.rb
+
+```
+knife[:use_ssh_agent] = true
+authentication_protocol_version '1.3'
+```
+
+Version 1.3 of the authentication protocol is required as it's the only one
+compatible with the signatures generated by the agent.
+
+If your ssh-agent has multiple RSA identities, you can choose which one will be
+used to sign requets by adding this to your knife.rb
+
+```
+knife[:ssh_agent_identity] = '~/.ssh/chef-rsa-key' # .pub is optional
+```
+
+Otherwise, the first RSA identity listed by the agent will be used.

data/Rakefile

@@ -0,0 +1,5 @@
+require 'rubocop/rake_task'
+
+::RuboCop::RakeTask.new
+
+task default: %i[rubocop]

data/knife-ssh-agent.gemspec

@@ -0,0 +1,25 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+require 'knife/ssh-agent/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'knife-ssh-agent'
+  spec.version       = KnifeSSHAgent::VERSION
+  spec.authors       = ['Vincent Minet']
+  spec.email         = ['v.minet@criteo.com']
+  spec.homepage      = 'https://github.com/criteo/knife-ssh-agent'
+  spec.license       = 'MIT'
+  spec.summary       = 'SSH Agent support for chef authentication'
+  spec.description   = 'Authenticate to a chef server using a SSH agent.'
+
+  spec.require_paths = 'lib'
+  spec.files         = `git ls-files -z`.split("\x0")
+
+  spec.add_development_dependency 'bundler', '>= 1.0'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rubocop'
+
+  spec.add_dependency 'chef'
+  spec.add_dependency 'net-ssh', '>= 4.2'
+end

data/lib/chef/knife/ssh_agent.rb

@@ -0,0 +1,6 @@
+require 'knife/ssh-agent'
+require 'chef/http/authenticator'
+require 'mixlib/authentication/signedheaderauth'
+
+Chef::HTTP::Authenticator.prepend(KnifeSSHAgent::Authenticator)
+Mixlib::Authentication::SigningObject.prepend(KnifeSSHAgent::SigningObject)

data/lib/knife/ssh-agent.rb

@@ -0,0 +1,6 @@
+require 'knife/ssh-agent/authenticator'
+require 'knife/ssh-agent/signedheaderauth'
+
+module KnifeSSHAgent
+  class AgentException < RuntimeError; end
+end

data/lib/knife/ssh-agent/authenticator.rb

@@ -0,0 +1,36 @@
+require 'net/ssh'
+require 'chef/config'
+
+module KnifeSSHAgent
+  module Authenticator
+    def load_signing_key(key_file, raw_key = nil)
+      use_agent  = Chef::Config[:knife][:use_ssh_agent]
+      ident_file = Chef::Config[:knife][:ssh_agent_identity]
+
+      return super(key_file, raw_key) unless use_agent
+
+      @key = if ident_file
+               load_ident_file(ident_file)
+             else
+               load_agent_default_ident
+             end
+    end
+
+    def load_ident_file(path)
+      file = [path + '.pub'].find(path) { |f| ::File.exist?(::File.expand_path(f)) }
+      Net::SSH::KeyFactory.load_public_key(file)
+    rescue Net::SSH::Exception
+      raise AgentException, "unable to find requested SSH identity: #{path}"
+    end
+
+    def load_agent_default_ident
+      agent = Net::SSH::Authentication::Agent.connect
+      ident = agent.identities.select { |id| id.ssh_type == 'ssh-rsa' }
+
+      raise AgentException, 'cannot retrieve a valid RSA key from the SSH agent' if ident.empty?
+      ident.first
+    ensure
+      agent&.close
+    end
+  end
+end

data/lib/knife/ssh-agent/signedheaderauth.rb

@@ -0,0 +1,36 @@
+require 'net/ssh'
+require 'chef/config'
+require 'mixlib/authentication'
+
+module KnifeSSHAgent
+  SSH_AGENT_RSA_SHA2_256 = Net::SSH::Authentication::Agent::SSH_AGENT_RSA_SHA2_256
+
+  module SigningObject
+    def do_sign(private_key, digest, sign_algorithm, sign_version)
+      use_agent = Chef::Config[:knife][:use_ssh_agent]
+
+      if use_agent
+        sign_with_agent(private_key, sign_algorithm, sign_version)
+      else
+        super(private_key, digest, sign_algorithm, sign_version)
+      end
+    end
+
+    def sign_with_agent(key, sign_algorithm, sign_version)
+      raise AgentException, 'ssh-agent requires authentication_protocol_version 1.3' unless sign_version == '1.3'
+
+      string_to_sign = canonicalize_request(sign_algorithm, sign_version)
+      begin
+        agent = Net::SSH::Authentication::Agent.connect
+        blob  = Net::SSH::Buffer.from(:raw, agent.sign(key, string_to_sign, SSH_AGENT_RSA_SHA2_256))
+        type  = blob.read_string
+
+        raise AgentException, "agent returned a '#{type}' signature (should be 'rsa-sha2-256')" unless type == 'rsa-sha2-256'
+
+        blob.read_string
+      ensure
+        agent&.close
+      end
+    end
+  end
+end

data/lib/knife/ssh-agent/version.rb

@@ -0,0 +1,3 @@
+module KnifeSSHAgent
+  VERSION = '0.1'.freeze
+end

metadata

@@ -0,0 +1,127 @@
+--- !ruby/object:Gem::Specification
+name: knife-ssh-agent
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- Vincent Minet
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-12-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: chef
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+description: Authenticate to a chef server using a SSH agent.
+email:
+- v.minet@criteo.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- knife-ssh-agent.gemspec
+- lib/chef/knife/ssh_agent.rb
+- lib/knife/ssh-agent.rb
+- lib/knife/ssh-agent/authenticator.rb
+- lib/knife/ssh-agent/signedheaderauth.rb
+- lib/knife/ssh-agent/version.rb
+homepage: https://github.com/criteo/knife-ssh-agent
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: SSH Agent support for chef authentication
+test_files: []