Can a Cloud Foundry app ssh to itself with key authentication?

Question


I have a CF app that needs access to an sftp server for integration testing and I'd like to take advantage of the local container being configured to enable it to act as one.

I understand it's possible as explained in the docs for an app to ssh to itself through the proxy, but obtaining a password to use with the cf:<application-guid> username is a complication that I'd like to avoid if possible.

If I ssh into the app container, I can indeed ssh through the proxy, but if I try to ssh to localhost:2222, I get a "public key denied" error message, suggesting that it would support key authentication.

Is there a private key available in the app container that the app can use to connect to ssh/sftp to itself?

Answer 1

Score: 1


Yes, there is a private key available in the app container environment: the diego-sshd SSH server process running inside the app container has its own private key stored in its environment as the SSHD_HOSTKEY environment variable.

Once you've used cf ssh to get a shell session inside the app container, here's a quick way to extract that PEM-encoded private key value to a file and then to use it to authenticate to the diego-sshd server:

$ strings /proc/$(pidof diego-sshd)/environ | awk '/-----BEGIN/,/-----END/' | sed 's/SSHD_HOSTKEY=//g' > sshdkey
$ chmod 0600 sshdkey
$ ssh -i sshdkey -p 2222 localhost

You need the chmod command to restrict permissions on the private key file to only the vcap user in the app container, as otherwise the SSH client will complain that permissions are too open.

It's hard to tell that you've done anything once you start that SSH session, as the shell prompt will look identical to the existing CF SSH session, but you can check by tracing your shell's PID through the process tree:

$ pstree -pT $(pidof diego-sshd)
diego-sshd(8)───bash(259)───pstree(323)

$ echo $$
259

$ ssh -i sshdkey -p 2222 localhost

$ pstree -pT $(pidof diego-sshd)
diego-sshd(8)─┬─bash(259)───ssh(341)
              └─bash(342)───pstree(353)

$ echo $$
342

In this case,

  • 259 is the PID of the bash process started by the initial CF SSH session,
  • 341 is the PID of the ssh process starting the nested SSH session,
  • 342 is the PID of the bash process started by that client's session.

Some background on what's going on with the CF internals:
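As an added example, not part of the original answer, the following POSIX shell script performs the same extraction against a NUL-separated environ file (the format of /proc/<pid>/environ) and writes the key file owner-only from the moment it is created. The function names, the sample environ contents and the placeholder key body are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer: read a PEM-encoded key
# out of a NUL-separated environ dump (the format of /proc/<pid>/environ),
# write it with owner-only permissions from the moment of creation, and
# check the result. Function names, the sample environ contents and the
# sample key material are this example's own constructions.

# extract_pem_var ENVIRON_FILE VAR_NAME
# /proc/<pid>/environ separates entries with NUL bytes while a PEM value
# itself spans several lines, so entries are split at NULs first and the
# PEM block is then taken from the one entry that starts with VAR_NAME=.
extract_pem_var() {
    tr '\000' '\n' < "$1" | awk -v name="$2" '
        index($0, name "=") == 1 { sub(/^[^=]*=/, ""); inpem = 1 }
        inpem                    { print }
        inpem && /-----END/      { exit }
    '
}

# save_key_file PEM_TEXT OUT_FILE
# The umask is set in a subshell so the file is born 0600; redirecting
# first and running chmod afterwards leaves a window in which the key is
# readable by other users under a default umask of 022.
save_key_file() {
    ( umask 077; printf '%s\n' "$1" > "$2" )
}

# key_file_mode FILE: octal permission bits, e.g. 600 (GNU stat, then BSD).
key_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_perms_ok FILE: succeeds only for the owner-only modes ssh(1) accepts
# for a private key without complaining that permissions are too open.
key_perms_ok() {
    case "$(key_file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# make_sample_environ FILE: constructed stand-in for /proc/<pid>/environ
# with three NUL-separated entries; the key body is a placeholder, not a key.
make_sample_environ() {
    printf 'HOME=/home/vcap\000SSHD_HOSTKEY=-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n\000PORT=8080\000' > "$1"
}

# demo: run the pipeline end to end against the constructed environ.
# Against a live container the first argument would instead be
# /proc/$(pidof diego-sshd)/environ, as in the answer above.
demo() {
    env_file=$(mktemp) && key_file=$(mktemp)
    rm -f "$key_file"                      # let save_key_file create it
    make_sample_environ "$env_file"
    pem=$(extract_pem_var "$env_file" SSHD_HOSTKEY)
    save_key_file "$pem" "$key_file"
    if key_perms_ok "$key_file"; then
        echo "key written to $key_file with mode $(key_file_mode "$key_file")"
    else
        echo "unexpected mode $(key_file_mode "$key_file") on $key_file" >&2
    fi
    rm -f "$env_file" "$key_file"
}

demo
```

Two details differ from the one-liner in the answer. /proc/<pid>/environ is NUL-delimited, so splitting at NULs with tr selects exactly the SSHD_HOSTKEY entry even if some other variable's value happened to contain BEGIN/END lines, whereas strings only filters for printable runs. And creating the file under umask 077 removes the moment, under a default umask of 022, between the redirect creating a 0644 file and chmod tightening it. The property the whole approach relies on is also worth remembering when reviewing an app's trust boundary: any process running as the same user as diego-sshd inside the container can read that process's environ, and with it the host key.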

huangapple
  • Posted on June 5, 2023, 11:25:35
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76403333.html