Merge pull request #3381 from bamarni/issue-3359

[SSH] Allow private keys with 0400 permissions (fixes #3359)
2016-05-23 18:28:50 -07:00 · 2016-05-23 18:28:50 -07:00 · 6002b411ce
parent 33f23be924 650629a936
commit 6002b411ce
2 changed files with 39 additions and 14 deletions
--- a/libmachine/ssh/client.go
+++ b/libmachine/ssh/client.go
@ -332,9 +332,12 @@ func NewExternalClient(sshBinaryPath, user, host string, port int, auth *Auth) (
 				mode := fi.Mode()
 				log.Debugf("Using SSH private key: %s (%s)", privateKeyPath, mode)
 				// Private key file should have strict permissions
-				if mode != 0600 {
-					// Abort with correct message
-					return nil, fmt.Errorf("Permissions %#o for '%s' are too open.", mode, privateKeyPath)
+				perm := mode.Perm()
+				if perm&0400 == 0 {
+					return nil, fmt.Errorf("'%s' is not readable", privateKeyPath)
+				}
+				if perm&0077 != 0 {
+					return nil, fmt.Errorf("permissions %#o for '%s' are too open", perm, privateKeyPath)
 				}
 			}
 			args = append(args, "-i", privateKeyPath)
--- a/libmachine/ssh/client_test.go
+++ b/libmachine/ssh/client_test.go
@ -1,6 +1,9 @@
 package ssh

 import (
+	"fmt"
+	"io/ioutil"
+	"os"
 	"runtime"
 	"testing"

@ -46,39 +49,58 @@ func TestGetSSHCmdArgs(t *testing.T) {
 }

 func TestNewExternalClient(t *testing.T) {
+	keyFile, err := ioutil.TempFile("", "docker-machine-tests-dummy-private-key")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer keyFile.Close()
+
+	keyFilename := keyFile.Name()
+	defer os.Remove(keyFilename)
+
 	cases := []struct {
 		sshBinaryPath string
 		user          string
 		host          string
 		port          int
 		auth          *Auth
+		perm          os.FileMode
 		expectedError string
 		skipOS        string
 	}{
 		{
-			sshBinaryPath: "/usr/local/bin/ssh",
-			user:          "docker",
-			host:          "localhost",
-			port:          22,
 			auth:          &Auth{Keys: []string{"/tmp/private-key-not-exist"}},
 			expectedError: "stat /tmp/private-key-not-exist: no such file or directory",
 			skipOS:        "none",
 		},
 		{
-			sshBinaryPath: "/usr/local/bin/ssh",
-			user:          "docker",
-			host:          "localhost",
-			port:          22,
-			auth:          &Auth{Keys: []string{"/dev/null"}},
-			expectedError: "Permissions 0410000666 for '/dev/null' are too open.",
+			auth:   &Auth{Keys: []string{keyFilename}},
+			perm:   0400,
+			skipOS: "windows",
+		},
+		{
+			auth:          &Auth{Keys: []string{keyFilename}},
+			perm:          0100,
+			expectedError: fmt.Sprintf("'%s' is not readable", keyFilename),
+			skipOS:        "windows",
+		},
+		{
+			auth:          &Auth{Keys: []string{keyFilename}},
+			perm:          0644,
+			expectedError: fmt.Sprintf("permissions 0644 for '%s' are too open", keyFilename),
 			skipOS:        "windows",
 		},
 	}

 	for _, c := range cases {
 		if runtime.GOOS != c.skipOS {
+			keyFile.Chmod(c.perm)
 			_, err := NewExternalClient(c.sshBinaryPath, c.user, c.host, c.port, c.auth)
-			assert.EqualError(t, err, c.expectedError)
+			if c.expectedError != "" {
+				assert.EqualError(t, err, c.expectedError)
+			} else {
+				assert.Equal(t, err, nil)
+			}
 		}
 	}
 }