Don't allow embedded ssh servers

Author: plorenz

CHANGELOG.SSH.md

@@ -0,0 +1,108 @@
+## What's New
+
+* Ziti Component Management Access (Experimental)
+
+## Ziti Component Management Access
+
+This release contains an experimental feature allowing Ziti Administrators to allow access to management services for ziti components.
+
+This initial release is focused on providing access to SSH, but other management tools could potentially use the same data pipe.
+
+### Why
+
+Ideally one shouldn't use a system to manage itself. However, it can be nice to have a backup way to access a system, when things 
+go wrong. This could also be a helpful tool for small installations. 
+
+Accessing controllers and routers via the management plane and control plane is bad from a separation of data concerns perspective,
+but good from minimizing requirements perspective. To access a Ziti SSH service, An SDK client needs access to the REST API, the 
+edge router with a control channel connection and links to the public routers. With this solution, only the REST API and the control
+channel are needed.
+ 
+### Security
+
+In order to access a component the following is required:
+
+1. The user must be a Ziti administrator
+2. The user must be able to reach the Fabric Management API (which can be locked down)
+3. The feature must be enabled on the controller used for access
+4. The feature must be enabled on the destination component
+5. A destination must be configured on the destination component
+6. The destination must be to a port on 127.0.0.1. This can't be used to access external systems.
+8. The user must have access to the management component. If SSH, this would be an SSH key or other SSH credentials
+9. If using SSH, the SSH server only needs to listen on the loopback interface. So SSH doesn't need to be listening on the network
+
+**Warnings**
+1. If you do not intend to use the feature, do not enable it.
+2. If you enable the feature, follow best practices for good SSH hygiene (audit logs, locked down permissions, etc)
+
+### What's the Data Flow?
+
+The path for accessing controllers is: 
+
+* Ziti CLI to
+* Controller Fabric Management API to
+* a network service listing on the loopback interface, such as SSH.
+
+The path for accessing routers is: 
+
+* Ziti CLI to
+* Controller Fabric Management API to 
+* a router via the control channel to
+* a network service listing on the loopback interface, such as SSH.
+
+What does this look like? 
+
+Each controller you want to allow access through, must enable the feature.
+
+Example controller config:
+
+```
+mgmt:
+  pipe:
+    enabled: true
+    enableExperimentalFeature: true 
+    destination: 127.0.0.1:22
+```
+
+Note that if you want to allow access through the controller, but not to the controller itself, you can 
+leave out the `destination` setting.
+
+The router config is identical.
+
+```
+mgmt:
+  pipe:
+    enabled: true
+    enableExperimentalFeature: true
+    destination: 127.0.0.1:22
+```
+
+### SSH Access
+
+If your components are set up to point to an SSH server, you can access them as follows:
+
+
+```
+    ziti fabric ssh  --key /path/to/keyfile ctrl_client
+    ziti fabric ssh  --key /path/to/keyfile ubuntu@ctrl_client
+    ziti fabric ssh  --key /path/to/keyfile -u ubuntu ctrl_client
+```
+
+Using the OpenSSH Client is also supported with the `--proxy-mode` flag. This also opens up access to `scp`. 
+
+```
+    ssh -i ~/.fablab/instances/smoketest/ssh_private_key.pem -o ProxyCommand='ziti fabric ssh router-east-1 --proxy-mode' ubuntu@router-east-1
+    scp -i ~/.fablab/instances/smoketest/ssh_private_key.pem -o ProxyCommand='ziti fabric ssh ctrl1 --proxy-mode' ubuntu@ctrl1:./fablab/bin/ziti .
+```
+
+Note that you must have credentials to the host machine in addition to being a Ziti Administrator. 
+
+### Alternate Access
+
+You can use the proxy mode to get a pipe to whatever service you've got configured.
+
+`ziti fabric ssh ctrl1 --proxy-mode`
+
+It's up to you to connect whatever your management client is to that local pipe. Right now it only supports 
+proxy via the stdin/stdout of the process. Supporting TCP or Unix Domain Socket proxies wouldn't be difficult
+if there was use case for them.

common/datapipe/config.go

@@ -31,9 +31,8 @@ import (
 type LocalAccessType string
 
 const (
-	LocalAccessTypeNone              LocalAccessType = ""
-	LocalAccessTypePort              LocalAccessType = "local-port"
-	LocalAccessTypeEmbeddedSshServer LocalAccessType = "embedded-ssh-server"
+	LocalAccessTypeNone LocalAccessType = ""
+	LocalAccessTypePort LocalAccessType = "local-port"
 )
 
 type Config struct {
@@ -53,10 +52,6 @@ func (self *Config) IsLocalPort() bool {
 	return self.LocalAccessType == LocalAccessTypePort
 }
 
-func (self *Config) IsEmbedded() bool {
-	return self.LocalAccessType == LocalAccessTypeEmbeddedSshServer
-}
-
 func (self *Config) LoadConfig(m map[interface{}]interface{}) error {
 	log := pfxlog.Logger()
 	if v, ok := m["enabled"]; ok {
@@ -87,33 +82,13 @@ func (self *Config) LoadConfig(m map[interface{}]interface{}) error {
 					portStr := strings.TrimPrefix(destination, "127.0.0.1:")
 					port, err := strconv.ParseUint(portStr, 10, 16)
 					if err != nil {
-						log.WithError(err).Warn("mgmt.pipe is enabled, but destination not valid. Must be '127.0.0.1:<port>' or 'embedded'")
+						log.WithError(err).Warn("mgmt.pipe is enabled, but destination not valid; must be '127.0.0.1:<port>'")
 						self.Enabled = false
 						return nil
 					}
 					self.DestinationPort = uint16(port)
-				} else if destination == "embedded-ssh-server" {
-					self.LocalAccessType = LocalAccessTypeEmbeddedSshServer
-
-					if v, ok = m["authorizedKeysFile"]; ok {
-						if keysFile, ok := v.(string); ok {
-							self.AuthorizedKeysFile = keysFile
-						} else {
-							log.Warnf("mgmt.pipe is enabled, but 'embedded' destination configured and authorizedKeysFile configuration is not type string, but %T", v)
-							self.Enabled = false
-							return nil
-						}
-					}
-
-					if v, ok = m["shell"]; ok {
-						if s, ok := v.(string); ok {
-							self.ShellPath = s
-						} else {
-							log.Warnf("mgmt.pipe is enabled, but 'embedded' destination configured and shell configuration is not type string, but %T", v)
-						}
-					}
 				} else {
-					log.Warn("mgmt.pipe is enabled, but destination not valid. Must be 'localhost:port' or 'embedded'")
+					log.Warn("mgmt.pipe is enabled, but destination not valid; must be '127.0.0.1:<port>'")
 					self.Enabled = false
 					return nil
 				}

common/datapipe/ssh.go

@@ -1,3 +1,5 @@
+//go:build !windows
+
 /*
 	Copyright NetFoundry Inc.
 

common/datapipe/ssh_windows.go

@@ -0,0 +1,31 @@
+/*
+	Copyright NetFoundry Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+	https://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+package datapipe
+
+import (
+	"errors"
+	"github.com/gliderlabs/ssh"
+)
+
+type SshRequestHandler struct {
+	config  *Config
+	options []ssh.Option
+}
+
+func (self *SshRequestHandler) HandleSshRequest(conn *EmbeddedSshConn) error {
+	return errors.New("ssh connection not supported on windows")
+}

controller/handler_mgmt/pipe.go

@@ -72,6 +72,11 @@ func (handler *mgmtPipeHandler) HandleReceive(msg *channel.Message, ch channel.C
 		return
 	}
 
+	if handler.pipe != nil {
+		handler.respondError(msg, "pipe already established on this endpoint, start a new mgmt connection to start a new pipe")
+		return
+	}
+
 	if request.DestinationType.CheckControllers() {
 		log.Infof("checking requested destination '%s' against local id '%s'", request.Destination, handler.network.GetAppId())
 		if request.Destination == handler.network.GetAppId() {
@@ -181,22 +186,17 @@ func (handler *mgmtPipeHandler) pipeToLocalhost(msg *channel.Message) {
 		return
 	}
 
-	if cfg.IsEmbedded() {
-		handler.pipeToEmbeddedSshServer(msg, pipeId)
-		return
-	}
-
-	log.Error("mgmt.pipe misconfigured, enabled, but neither localPort nor embedded enabled")
+	log.Error("mgmt.pipe misconfigured, enabled, but no local endpoint configured")
 	handler.respondError(msg, "server is misconfigured, unable to connect pipe")
 }
 
 func (handler *mgmtPipeHandler) pipeToLocalPort(msg *channel.Message, pipeId uint32) {
 	cfg := handler.registry.GetConfig()
 	log := pfxlog.ContextLogger(handler.ch.Label()).
-		WithField("destination", fmt.Sprintf("localhost:%d", cfg.DestinationPort)).
+		WithField("destination", fmt.Sprintf("127.0.0.1:%d", cfg.DestinationPort)).
 		WithField("pipeId", pipeId)
 
-	conn, err := net.Dial("tcp", fmt.Sprintf("localhost:%d", cfg.DestinationPort))
+	conn, err := net.Dial("tcp", fmt.Sprintf("127.0.0.1:%d", cfg.DestinationPort))
 	if err != nil {
 		log.WithError(err).Error("failed to connect mgmt pipe")
 		handler.respondError(msg, err.Error())
@@ -235,7 +235,7 @@ func (handler *mgmtPipeHandler) pipeToLocalPort(msg *channel.Message, pipeId uin
 	log.Info("started mgmt pipe to local controller")
 }
 
-func (handler *mgmtPipeHandler) pipeToEmbeddedSshServer(msg *channel.Message, pipeId uint32) {
+func (handler *mgmtPipeHandler) PipeToEmbeddedSshServer(msg *channel.Message, pipeId uint32) {
 	log := pfxlog.ContextLogger(handler.ch.Label()).
 		WithField("destination", "embedded-ssh-server").
 		WithField("pipeId", pipeId)

router/handler_ctrl/pipe.go

@@ -79,21 +79,16 @@ func (handler *ctrlPipeHandler) HandleReceive(msg *channel.Message, ch channel.C
 		return
 	}
 
-	if handler.env.GetMgmtPipeConfig().IsEmbedded() {
-		handler.pipeToEmbeddedSshServer(msg, req)
-		return
-	}
-
 	log.Error("no configured pipe handler")
 	handler.respondError(msg, "no configured pipe handler")
 }
 
 func (handler *ctrlPipeHandler) pipeToLocalPort(msg *channel.Message, req *ctrl_pb.CtrlPipeRequest) {
 	log := pfxlog.ContextLogger(handler.ch.Label()).
-		WithField("destination", fmt.Sprintf("localhost:%d", handler.env.GetMgmtPipeConfig().DestinationPort)).
+		WithField("destination", fmt.Sprintf("127.0.0.1:%d", handler.env.GetMgmtPipeConfig().DestinationPort)).
 		WithField("pipeId", req.ConnId)
 
-	conn, err := net.Dial("tcp", fmt.Sprintf("localhost:%d", handler.env.GetMgmtPipeConfig().DestinationPort))
+	conn, err := net.Dial("tcp", fmt.Sprintf("127.0.0.1:%d", handler.env.GetMgmtPipeConfig().DestinationPort))
 	if err != nil {
 		log.WithError(err).Error("failed to dial pipe destination")
 		handler.respondError(msg, err.Error())
@@ -126,7 +121,7 @@ func (handler *ctrlPipeHandler) pipeToLocalPort(msg *channel.Message, req *ctrl_
 	go pipe.readLoop()
 }
 
-func (handler *ctrlPipeHandler) pipeToEmbeddedSshServer(msg *channel.Message, req *ctrl_pb.CtrlPipeRequest) {
+func (handler *ctrlPipeHandler) PipeToEmbeddedSshServer(msg *channel.Message, req *ctrl_pb.CtrlPipeRequest) {
 	log := pfxlog.ContextLogger(handler.ch.Label()).
 		WithField("destination", "embedded-ssh-server").
 		WithField("pipeId", req.ConnId)