Integrate EC2 Instance Connect with SSM SSH functionality (#71)

Integrate EC2 instance connect with the ssm ssh functionality. This allows the public key for the session to be provisioned on the instance during the setup of the SSH session instead of requiring pre-existing SSH keys on the instance.

* Update dependencies and use go 1.17
* Fix error when launching ssm plugin
* Update ssm-session-client for bug fix with DNS target resolution

Author: mmmorris1975

.circleci/config.yml

@@ -6,7 +6,7 @@ version: 2.1
 orbs:
   go: circleci/[email protected]
   aws-cli: circleci/[email protected]
-  ruby: circleci/ruby@1.2.0
+  ruby: circleci/ruby@1.4.0
   windows: circleci/[email protected]
 
 jobs:
@@ -21,7 +21,7 @@ jobs:
   preflight:
     executor:
       name: go/default
-      tag: '1.16'
+      tag: '1.17'
 
     steps:
       - checkout
@@ -36,7 +36,7 @@ jobs:
   build-darwin:
     executor:
       name: go/default
-      tag: '1.16'
+      tag: '1.17'
 
     steps:
       - checkout
@@ -62,7 +62,7 @@ jobs:
   build-linux:
     executor:
       name: go/default
-      tag: '1.16'
+      tag: '1.17'
 
     steps:
       - checkout
@@ -96,7 +96,7 @@ jobs:
   build-windows:
     executor:
       name: go/default
-      tag: '1.16'
+      tag: '1.17'
 
     steps:
       - checkout
@@ -192,7 +192,7 @@ jobs:
   package-darwin:
     executor:
       name: go/default
-      tag: '1.16'
+      tag: '1.17'
     steps:
       - checkout
       - attach_workspace:
@@ -217,7 +217,7 @@ jobs:
   package-windows:
     executor:
       name: go/default
-      tag: '1.16'
+      tag: '1.17'
     steps:
       - checkout
       - attach_workspace:

cli/ssm_cmd.go

@@ -106,7 +106,7 @@ func execSsmPlugin(cfg aws.Config, in *ssm.StartSessionInput) error {
 	}
 
 	var ep aws.Endpoint
-	ep, err = cfg.EndpointResolverWithOptions.ResolveEndpoint(ssm.ServiceID, cfg.Region)
+	ep, err = ssm.NewDefaultEndpointResolver().ResolveEndpoint(cfg.Region, ssm.EndpointResolverOptions{})
 	if err != nil {
 		return err
 	}

cli/ssm_ssh_cmd.go

@@ -14,10 +14,16 @@
 package cli
 
 import (
+	"errors"
 	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect"
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	"github.com/kevinburke/ssh_config"
 	"github.com/mmmorris1975/ssm-session-client/ssmclient"
 	"github.com/urfave/cli/v2"
+	"golang.org/x/crypto/ssh"
+	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 )
@@ -32,11 +38,17 @@ whose value is EC2 instance ID.
 This feature is meant to be used in SSH configuration files according to the AWS documentation
 at https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html
 except that the ProxyCommand syntax changes to:
-  ProxyCommand sh -c "aws-runas ssm ssh profile_name %h:%p"
+  ProxyCommand aws-runas ssm ssh [--ec2ic] profile_name %r@%h:%p
 Where profile_name is the AWS configuration profile to use (you should also be able to use the
-AWS_PROFILE environment variable, in which case the profile_name could be omitted), and %h:%p
-are standard SSH configuration substitutions for the host and port number to connect with, and
-can be left as-is`
+AWS_PROFILE environment variable, in which case the profile_name could be omitted), and %r@%h:%p
+are standard SSH configuration substitutions for the remote user name, host and port number to connect with,
+and can be left as-is.  If the optional --ec2ic argument is supplied, the public key is provisioned on the
+remote system using EC2 Instance Connect during the SSH session setup.`
+
+var ec2InstanceConnectFlag = &cli.BoolFlag{
+	Name:  "ec2ic",
+	Usage: "Send public key to instance using EC2 Instance Connect",
+}
 
 var ssmSshCmd = &cli.Command{
 	Name:         "ssh",
@@ -45,40 +57,39 @@ var ssmSshCmd = &cli.Command{
 	Description:  ssmSshDesc,
 	BashComplete: bashCompleteProfile,
 
-	Flags: []cli.Flag{ssmUsePluginFlag},
+	Flags: []cli.Flag{ec2InstanceConnectFlag, ssmUsePluginFlag},
 
 	Action: func(ctx *cli.Context) error {
 		target, c, err := doSsmSetup(ctx, 2)
 		if err != nil {
 			return err
 		}
 
-		// default ssh port if we're passed a target which doesn't explicitly set one
-		port := "22"
-
-		// "preprocess" target so it's acceptable to checkTarget()
-		// Port number is expected to be the last element after splitting on ':' (except if using the
-		// plain tag_key:tag_value format without a port), all other parts will be passed to checkTarget()
-		parts := strings.Split(target, `:`)
-		if len(parts) == 2 {
-			// could be just tag_key:tag_value using default port, all other supported formats have
-			// port as the final element.  If Atoi can convert the string to a number, assume it's
-			// supposed to be a port, otherwise we'll use the default
-			if _, err = strconv.Atoi(parts[1]); err == nil {
-				target = parts[0]
-				port = parts[1]
-			}
-		} else if len(parts) > 2 {
-			// cases where port is expected to be the final element of the target specification
-			target = strings.Join(parts[:len(parts)-1], `:`)
-			port = parts[len(parts)-1]
-		}
+		user, host, port := parseTargetSpec(target)
 
-		ec2Id, err := ssmclient.ResolveTarget(target, c.ConfigProvider())
+		ec2Id, err := ssmclient.ResolveTarget(host, c.ConfigProvider())
 		if err != nil {
 			return err
 		}
 
+		if ctx.Bool(ec2InstanceConnectFlag.Name) {
+			var pubKey string
+			if pubKey, err = getPubKey(host); err != nil {
+				return err
+			}
+
+			ec2ic := ec2instanceconnect.NewFromConfig(c.ConfigProvider())
+			pubkeyIn := &ec2instanceconnect.SendSSHPublicKeyInput{
+				InstanceId:     &ec2Id,
+				InstanceOSUser: &user,
+				SSHPublicKey:   &pubKey,
+			}
+
+			if _, err = ec2ic.SendSSHPublicKey(ctx.Context, pubkeyIn); err != nil {
+				return err
+			}
+		}
+
 		if ctx.Bool(ssmUsePluginFlag.Name) {
 			params := map[string][]string{
 				"portNumber": {port},
@@ -87,7 +98,7 @@ var ssmSshCmd = &cli.Command{
 			in := &ssm.StartSessionInput{
 				DocumentName: aws.String("AWS-StartSSHSession"),
 				Parameters:   params,
-				Target:       aws.String(ec2Id),
+				Target:       &ec2Id,
 			}
 			return execSsmPlugin(c.ConfigProvider(), in)
 		}
@@ -100,3 +111,69 @@ var ssmSshCmd = &cli.Command{
 		return ssmclient.SSHSession(c.ConfigProvider(), in)
 	},
 }
+
+func parseTargetSpec(target string) (string, string, string) {
+	var user = "ec2-user"
+	var port = "22"
+	var host string
+
+	userHostPart := strings.Split(target, `@`)
+	if len(userHostPart) > 1 {
+		user = userHostPart[0]
+		userHostPart = userHostPart[1:]
+	}
+
+	// Format could be host:port or possibly tag_key:tag_value:port
+	hostPortPart := strings.Split(userHostPart[0], `:`)
+	if len(hostPortPart) == 1 {
+		// bare host, use default port
+		host = hostPortPart[0]
+	} else {
+		// Could be host:port, tag_key:tag_value with default port, or tag_key:tag_value:port
+		// Use Atoi to see if the last element is a numeric string and assume that's a port number
+		if i, err := strconv.Atoi(hostPortPart[len(hostPortPart)-1]); err == nil && i <= 65535 {
+			host = strings.Join(hostPortPart[:len(hostPortPart)-1], `:`)
+			port = hostPortPart[len(hostPortPart)-1]
+		} else {
+			host = strings.Join(hostPortPart, `:`)
+		}
+	}
+
+	return user, host, port
+}
+
+func getPubKey(host string) (string, error) {
+	var err error
+
+	for _, key := range ssh_config.GetAll(host, "IdentityFile") {
+		if strings.HasPrefix(key, "~/") {
+			dirname, _ := os.UserHomeDir()
+			key = filepath.Join(dirname, key[2:])
+		}
+
+		var bytes []byte
+		bytes, err = os.ReadFile(key)
+		if err != nil {
+			if os.IsNotExist(err) {
+				continue
+			}
+			return "", err
+		}
+
+		var signer ssh.Signer
+		signer, err = ssh.ParsePrivateKey(bytes)
+		if err != nil {
+			var protectedKeyErr *ssh.PassphraseMissingError
+			if errors.As(err, &protectedKeyErr) {
+				// FIXME handle a passphrase protected key ...
+				//   for now, just continue an hope there's an "unprotected" key in the list to try
+				continue
+			}
+			return "", err
+		}
+
+		return string(ssh.MarshalAuthorizedKey(signer.PublicKey())), nil
+	}
+
+	return "", errors.New("public key not available")
+}

cli/ssm_ssh_cmd_test.go

@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2022 Michael Morris. All Rights Reserved.
+ *
+ * Licensed under the MIT license (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * https://github.com/mmmorris1975/aws-runas/blob/master/LICENSE
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
+ * for the specific language governing permissions and limitations under the License.
+ */
+
+package cli
+
+import (
+	"testing"
+)
+
+func Test_parseTargetSpec(t *testing.T) {
+	t.Run("user@instance:port", func(t *testing.T) {
+		user, host, port := parseTargetSpec("user@instance:2222")
+		if user != "user" || host != "instance" || port != "2222" {
+			t.Error("bad user, host, or port returned")
+		}
+	})
+
+	t.Run("user@tag:port", func(t *testing.T) {
+		user, host, port := parseTargetSpec("user@my_key:value:2222")
+		if user != "user" || host != "my_key:value" || port != "2222" {
+			t.Error("bad user, host, or port returned")
+		}
+	})
+
+	t.Run("user@instance", func(t *testing.T) {
+		user, host, port := parseTargetSpec("user@instance")
+		if user != "user" || host != "instance" || port != "22" {
+			t.Error("bad user, host, or port returned")
+		}
+	})
+
+	t.Run("user@tag", func(t *testing.T) {
+		user, host, port := parseTargetSpec("user@my_key:value")
+		if user != "user" || host != "my_key:value" || port != "22" {
+			t.Error("bad user, host, or port returned")
+		}
+	})
+
+	t.Run("instance:port", func(t *testing.T) {
+		user, host, port := parseTargetSpec("instance:2222")
+		if user != "ec2-user" || host != "instance" || port != "2222" {
+			t.Error("bad user, host, or port returned")
+		}
+	})
+
+	t.Run("tag:port", func(t *testing.T) {
+		user, host, port := parseTargetSpec("my_key:value:2222")
+		if user != "ec2-user" || host != "my_key:value" || port != "2222" {
+			t.Error("bad user, host, or port returned")
+		}
+	})
+}
+
+func Test_getPubKey(t *testing.T) {
+	t.Skip("not testable, can't specify custom config file location")
+}

docs/ssm.md

@@ -115,12 +115,12 @@ for instructions on setting up the local and remote system to allow SSH connecti
 
 This is a sample ssh config file entry to enable SSH connectivity to an SSM connected instance.  The elements on the
 `Host` line can be modified to capture how you will be access the host, this example uses the EC2 instance ID.  For the
-`ProxyCommand`, the `my_profile` element can be omitted if you will supply the profile name another way (likely via the
+`ProxyCommand`, the `profile_name` element can be omitted if you will supply the profile name another way (likely via the
 AWS_PROFILE environment variable).
 
 ```text
 Host i-* mi-*
-    ProxyCommand sh -c "aws-runas ssm ssh my_profile %h:%p"
+    ProxyCommand aws-runas ssm ssh profile_name %r@%h:%p
 
 ```
 
@@ -143,13 +143,14 @@ DESCRIPTION:
    This feature is meant to be used in SSH configuration files according to the AWS documentation
    at https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html
    except that the ProxyCommand syntax changes to:
-     ProxyCommand sh -c "aws-runas ssm ssh profile_name %h:%p"
+     ProxyCommand aws-runas ssm ssh [--ec2ic] profile_name %r@%h:%p
    Where profile_name is the AWS configuration profile to use (you should also be able to use the
-   AWS_PROFILE environment variable, in which case the profile_name could be omitted), and %h:%p
-   are standard SSH configuration substitutions for the host and port number to connect with, and
-   can be left as-is
+   AWS_PROFILE environment variable, in which case the profile_name could be omitted), and %r@%h:%p
+   are standard SSH configuration substitutions for the remote user name, host and port number to connect with,
+   and can be left as-is.  If the optional --ec2ic argument is supplied, the public key is provisioned on the
+   remote system using EC2 Instance Connect during the SSH session setup.
 
 OPTIONS:
+   --ec2ic       Send public key to instance using EC2 Instance Connect (default: false)
    --plugin, -P  Use the SSM session plugin instead of built-in code (default: false)
-   --help, -h    show help (default: false)
 ```

go.mod

@@ -4,22 +4,24 @@ go 1.16
 
 require (
 	github.com/PuerkitoBio/goquery v1.8.0
-	github.com/aws/aws-sdk-go-v2 v1.11.2
-	github.com/aws/aws-sdk-go-v2/config v1.11.0
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.11.0
-	github.com/aws/aws-sdk-go-v2/service/iam v1.12.0
-	github.com/aws/aws-sdk-go-v2/service/ssm v1.17.0
-	github.com/aws/aws-sdk-go-v2/service/sts v1.11.1
-	github.com/aws/smithy-go v1.9.0
+	github.com/aws/aws-sdk-go-v2 v1.13.0
+	github.com/aws/aws-sdk-go-v2/config v1.11.1
+	github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect v1.11.0
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.11.1
+	github.com/aws/aws-sdk-go-v2/service/iam v1.13.2
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.17.1
+	github.com/aws/aws-sdk-go-v2/service/sts v1.12.0
+	github.com/aws/smithy-go v1.10.0
 	github.com/dustin/go-humanize v1.0.1-0.20210705192016-249ff6c91207
+	github.com/kevinburke/ssh_config v1.1.1-0.20211102215853-c7f8dec5c76b
 	github.com/mmmorris1975/simple-logger v0.5.1
-	github.com/mmmorris1975/ssm-session-client v0.201.0
+	github.com/mmmorris1975/ssm-session-client v0.202.1
 	github.com/stretchr/testify v1.7.0 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	github.com/urfave/cli/v2 v2.3.1-0.20211106113742-12b7dfd08cb0
-	golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b
-	golang.org/x/net v0.0.0-20211209124913-491a49abca63
-	golang.org/x/sys v0.0.0-20211213223007-03aa0b5f6827
+	golang.org/x/crypto v0.0.0-20220214200702-86341886e292
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
+	golang.org/x/sys v0.0.0-20220209214540-3681064d5158
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	gopkg.in/ini.v1 v1.66.2
 )