address ethan's review

francoismichel · May 31, 2024 · 832649e · 832649e
1 parent 7b432fc
commit 832649e
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 30 deletions.
diff --git a/auth/plugins/pubkey_authentication/client/privkey_auth.go b/auth/plugins/pubkey_authentication/client/privkey_auth.go
@@ -132,6 +132,8 @@ func (m *PrivkeyFileAuthMethod) PrepareRequestForAuth(request *http.Request, ssh
 				filePubkey, _, _, _, err := ssh.ParseAuthorizedKey(pubkeyBytes)
 				if err == nil {
 					pubkey = filePubkey
+				} else {
+					log.Warn().Msgf("an error happened when trying to parse the %s.pub file for agent-based authentication: %s", m.Filename(), err)
 				}
 			}
 		}
@@ -145,7 +147,6 @@ func (m *PrivkeyFileAuthMethod) PrepareRequestForAuth(request *http.Request, ssh
 			}
 		}
 		// now, try to see of the agent manages this key
-		foundAgentKey := false
 		if pubkey != nil {
 			for _, agentKey := range agentKeys {
 				if bytes.Equal(agentKey.Marshal(), pubkey.Marshal()) {
@@ -158,22 +159,20 @@ func (m *PrivkeyFileAuthMethod) PrepareRequestForAuth(request *http.Request, ssh
 		}
 
 		// key not handled by agent, let's try to decrypt it ourselves
-		if !foundAgentKey {
-			fmt.Printf("passphrase for private key stored in %s:", m.Filename())
-			var passphraseBytes []byte
-			passphraseBytes, err = term.ReadPassword(int(syscall.Stdin))
-			fmt.Println()
-			if err != nil {
-				log.Error().Msgf("could not get passphrase: %s", err)
-				return err
-			}
-			passphrase := string(passphraseBytes)
-			m.passphrase = &passphrase
-			jwtBearerKey, signingMethod, err = m.getCryptoMaterial()
-			if err != nil {
-				log.Error().Msgf("could not load private key: %s", err)
-				return err
-			}
+		fmt.Printf("passphrase for private key stored in %s:", m.Filename())
+		var passphraseBytes []byte
+		passphraseBytes, err = term.ReadPassword(int(syscall.Stdin))
+		fmt.Println()
+		if err != nil {
+			log.Error().Msgf("could not get passphrase: %s", err)
+			return err
+		}
+		passphrase := string(passphraseBytes)
+		m.passphrase = &passphrase
+		jwtBearerKey, signingMethod, err = m.getCryptoMaterial()
+		if err != nil {
+			log.Error().Msgf("could not load private key: %s", err)
+			return err
 		}
 	} else if err != nil {
 		log.Warn().Msgf("Could not load private key: %s", err)

diff --git a/auth/plugins/pubkey_authentication/client/pubkey_auth.go b/auth/plugins/pubkey_authentication/client/pubkey_auth.go
@@ -72,8 +72,25 @@ var _ config.CLIOptionParser = &PrivkeyOptionParser{}
 
 // agentSigningMethod implements jwt.SigningMethod to use the SSH agent with the jwt lib
 type agentSigningMethod struct {
-	Agent agent.ExtendedAgent
-	Key   ssh.PublicKey
+	agent agent.ExtendedAgent
+	key   ssh.PublicKey
+	alg   string
+}
+
+func NewAgentSigningMethod(agent agent.ExtendedAgent, key ssh.PublicKey) (*agentSigningMethod, error) {
+	ret := &agentSigningMethod{
+		key:   key,
+		agent: agent,
+	}
+	switch key.Type() {
+	case "ssh-rsa":
+		ret.alg = "RS256"
+	case "ssh-ed25519":
+		ret.alg = "EdDSA"
+	default:
+		return nil, fmt.Errorf("unsupported key type for agent signing method")
+	}
+	return ret, nil
 }
 
 func (m *agentSigningMethod) Verify(signingString string, sig []byte, key interface{}) error {
@@ -85,21 +102,15 @@ func (m *agentSigningMethod) Sign(signingString string, key interface{}) ([]byte
 	if !ok {
 		return nil, fmt.Errorf("bad key type: %T instead of ssh.PublicKey", pk)
 	}
-	signature, err := m.Agent.SignWithFlags(pk, []byte(signingString), agent.SignatureFlagRsaSha256)
+	signature, err := m.agent.SignWithFlags(pk, []byte(signingString), agent.SignatureFlagRsaSha256)
 	if err != nil {
 		return nil, err
 	}
 	return signature.Blob, nil
 }
 
 func (m *agentSigningMethod) Alg() string {
-	switch m.Key.Type() {
-	case "ssh-rsa":
-		return "RS256"
-	case "ssh-ed25519":
-		return "EdDSA"
-	}
-	return ""
+	return m.alg
 }
 
 type PubkeyAuthMethod struct {
@@ -114,9 +125,9 @@ func NewPubkeyAuthMethod(pubkey *agent.Key) *PubkeyAuthMethod {
 func (m *PubkeyAuthMethod) PrepareRequestForAuth(request *http.Request, sshAgent agent.ExtendedAgent, roundTripper *http3.RoundTripper, username string, conversation *ssh3.Conversation) error {
 	log.Debug().Msgf("try agent-based pubkey auth using pubkey %s", m.Key.String())
 
-	signingMethod := &agentSigningMethod{
-		Agent: sshAgent,
-		Key:   m.Key,
+	signingMethod, err := NewAgentSigningMethod(sshAgent, m.Key)
+	if err != nil {
+		return err
 	}
 
 	bearerToken, err := ssh3.BuildJWTBearerToken(signingMethod, m.Key, username, conversation)