docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3381 from bamarni/issue-3359 

[SSH] Allow private keys with 0400 permissions (fixes #3359)
This commit is contained in:
Nathan LeClaire 2016-05-23 18:28:50 -07:00
parent 33f23be924 650629a936
commit 6002b411ce
2 changed files with 39 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libmachine/ssh/client.go
View File

@ -332,9 +332,12 @@ func NewExternalClient(sshBinaryPath, user, host string, port int, auth *Auth) (
mode := fi.Mode() mode := fi.Mode()
log.Debugf("Using SSH private key: %s (%s)", privateKeyPath, mode) log.Debugf("Using SSH private key: %s (%s)", privateKeyPath, mode)
// Private key file should have strict permissions // Private key file should have strict permissions
if mode != 0600 { perm := mode.Perm()
// Abort with correct message if perm&0400 == 0 {
return nil, fmt.Errorf("Permissions %#o for '%s' are too open.", mode, privateKeyPath) return nil, fmt.Errorf("'%s' is not readable", privateKeyPath)
}
if perm&0077 != 0 {
return nil, fmt.Errorf("permissions %#o for '%s' are too open", perm, privateKeyPath)
} }
} }
args = append(args, "-i", privateKeyPath) args = append(args, "-i", privateKeyPath)

42
libmachine/ssh/client_test.go
View File

@ -1,6 +1,9 @@
package ssh package ssh
import ( import (
"fmt"
"io/ioutil"
"os"
"runtime" "runtime"
"testing" "testing"
@ -46,39 +49,58 @@ func TestGetSSHCmdArgs(t *testing.T) {
} }
func TestNewExternalClient(t *testing.T) { func TestNewExternalClient(t *testing.T) {
keyFile, err := ioutil.TempFile("", "docker-machine-tests-dummy-private-key")
if err != nil {
t.Fatal(err)
}
defer keyFile.Close()
keyFilename := keyFile.Name()
defer os.Remove(keyFilename)
cases := []struct { cases := []struct {
sshBinaryPath string sshBinaryPath string
user string user string
host string host string
port int port int
auth *Auth auth *Auth
perm os.FileMode
expectedError string expectedError string
skipOS string skipOS string
}{ }{
{ {
sshBinaryPath: "/usr/local/bin/ssh",
user: "docker",
host: "localhost",
port: 22,
auth: &Auth{Keys: []string{"/tmp/private-key-not-exist"}}, auth: &Auth{Keys: []string{"/tmp/private-key-not-exist"}},
expectedError: "stat /tmp/private-key-not-exist: no such file or directory", expectedError: "stat /tmp/private-key-not-exist: no such file or directory",
skipOS: "none", skipOS: "none",
}, },
{ {
sshBinaryPath: "/usr/local/bin/ssh", auth: &Auth{Keys: []string{keyFilename}},
user: "docker", perm: 0400,
host: "localhost", skipOS: "windows",
port: 22, },
auth: &Auth{Keys: []string{"/dev/null"}}, {
expectedError: "Permissions 0410000666 for '/dev/null' are too open.", auth: &Auth{Keys: []string{keyFilename}},
perm: 0100,
expectedError: fmt.Sprintf("'%s' is not readable", keyFilename),
skipOS: "windows",
},
{
auth: &Auth{Keys: []string{keyFilename}},
perm: 0644,
expectedError: fmt.Sprintf("permissions 0644 for '%s' are too open", keyFilename),
skipOS: "windows", skipOS: "windows",
}, },
} }
for _, c := range cases { for _, c := range cases {
if runtime.GOOS != c.skipOS { if runtime.GOOS != c.skipOS {
keyFile.Chmod(c.perm)
_, err := NewExternalClient(c.sshBinaryPath, c.user, c.host, c.port, c.auth) _, err := NewExternalClient(c.sshBinaryPath, c.user, c.host, c.port, c.auth)
if c.expectedError != "" {
assert.EqualError(t, err, c.expectedError) assert.EqualError(t, err, c.expectedError)
} else {
assert.Equal(t, err, nil)
}
} }
} }
} }