managerd: Enchancing host healthcheck

route/route.go

@@ -12,9 +12,12 @@ package route
 import (
 	"math/rand"
 	"net"
+	"regexp"
 	"time"
 
 	"github.com/op/go-logging"
+
+	"golang.org/x/crypto/ssh"
 )
 
 var log = logging.MustGetLogger("sshproxy/route")
@@ -61,6 +64,31 @@ func CanConnect(hostport string) bool {
 	return true
 }
 
+// MightAuthenticate tests if a connection to host:port can initiate an handshake.
+func MightAuthenticate(hostport string, user string) bool {
+	ssh_config := &ssh.ClientConfig{
+		User: user,
+		Auth: []ssh.AuthMethod{
+			ssh.Password("ThisIsNotIntendedToBeAValidPasswordButWeDontReallyCare"),
+		},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	log.Debug("Dialing %s with user %s", hostport, user)
+	client, err := ssh.Dial("tcp", hostport, ssh_config)
+	if err != nil {
+		re_auth_failure := regexp.MustCompile(`handshake failed: ssh: unable to authenticate`).MatchString(err.Error())
+		if re_auth_failure {
+			return true
+		} else {
+			log.Warning("Error while dialing %v", err)
+			return false
+		}
+	} else {
+		client.Close()
+	}
+	return true
+}
+
 // selectDestinationOrdered selects the first reachable destination from a list
 // of destinations. It returns a string "host:port", an empty string (if no
 // destination is found) or an error.

sshproxy-managerd/sshproxy-managerd.go

@@ -15,6 +15,7 @@ import (
 	"flag"
 	"fmt"
 	"io/ioutil"
+	"math/rand"
 	"net"
 	"os"
 	"regexp"
@@ -165,10 +166,43 @@ func (hc *hostChecker) DoCheck(hostport string) State {
 	if route.CanConnect(hostport) {
 		state = Up
 	}
+	canary_user, err := PickUser()
+	if err == nil && canary_user != "" && state == Up {
+		if route.MightAuthenticate(hostport, canary_user) {
+			log.Debug("Succefully tried to authenticate to %s as %s", hostport, canary_user)
+		} else {
+			log.Debug("Unable to try to authenticate against %s as %s", hostport, canary_user)
+			state = Down
+		}
+	} else if err != nil {
+		log.Debugf("Unable to try to authenticate, found no user to spoof (%s)", err)
+	}
 	hc.Update(hostport, state, time.Now())
 	return state
 }
 
+func PickUser() (string, error) {
+	chosen_user := ""
+	if len(proxiedConnections) > 0 {
+		chosen_item := rand.Intn(len(proxiedConnections))
+		for k := range proxiedConnections {
+			if chosen_item == 0 {
+				user, err := getUserFromKey(k)
+				if err != nil {
+					return "", err
+				} else {
+					chosen_user = user
+					break
+				}
+			}
+			chosen_item--
+		}
+	} else {
+		return "", errors.New("No proxied connections, unable to pick a random user...")
+	}
+	return chosen_user, nil
+}
+
 // Update updates (or creates) the state of an host in the internal view.
 func (hc *hostChecker) Update(hostport string, state State, ts time.Time) {
 	if s, ok := hc.States[hostport]; ok {
@@ -631,6 +665,8 @@ func main() {
 	}
 	defer l.Close()
 
+	rand.Seed(time.Now().Unix()) // initialize global pseudo random generator
+
 	log.Info("listening on %s\n", config.Listen)
 
 	queue := make(chan *request)