refactor: new proxyCommands.env & stable ssh host key

Author: FabianKramm

helper/cmd/ssh.go

@@ -13,6 +13,7 @@ import (
 
 // SSHCmd holds the ssh cmd flags
 type SSHCmd struct {
+	HostKey        string
 	AuthorizedKeys string
 	Address        string
 }
@@ -28,6 +29,7 @@ func NewSSHCmd() *cobra.Command {
 	}
 
 	sshCmd.Flags().StringVar(&cmd.Address, "address", fmt.Sprintf(":%d", helperssh.DefaultPort), "Address to listen to")
+	sshCmd.Flags().StringVar(&cmd.HostKey, "host-key", "", "Base64 encoded host key to use")
 	sshCmd.Flags().StringVar(&cmd.AuthorizedKeys, "authorized-key", "", "Base64 encoded authorized keys to use")
 	return sshCmd
 }
@@ -52,7 +54,16 @@ func (cmd *SSHCmd) Run(_ *cobra.Command, _ []string) error {
 		}
 	}
 
-	server, err := helperssh.NewServer(cmd.Address, keys)
+	hostKey := []byte{}
+	if len(cmd.HostKey) > 0 {
+		var err error
+		hostKey, err = base64.StdEncoding.DecodeString(cmd.HostKey)
+		if err != nil {
+			return fmt.Errorf("decode host key")
+		}
+	}
+
+	server, err := helperssh.NewServer(cmd.Address, hostKey, keys)
 	if err != nil {
 		return err
 	}

helper/ssh/server.go

@@ -17,7 +17,7 @@ import (
 
 var DefaultPort = 8022
 
-func NewServer(addr string, keys []ssh.PublicKey) (*Server, error) {
+func NewServer(addr string, hostKey []byte, keys []ssh.PublicKey) (*Server, error) {
 	shell, err := getShell()
 	if err != nil {
 		return nil, err
@@ -64,6 +64,13 @@ func NewServer(addr string, keys []ssh.PublicKey) (*Server, error) {
 		},
 	}
 
+	if len(hostKey) > 0 {
+		err = server.sshServer.SetOption(ssh.HostKeyPEM(hostKey))
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	server.sshServer.Handler = server.handler
 	return server, nil
 }

pkg/devspace/config/versions/latest/schema.go

@@ -870,6 +870,9 @@ type ProxyCommand struct {
 
 	// SkipContainerEnv will not forward the container environment variables to the local command
 	SkipContainerEnv bool `yaml:"skipContainerEnv,omitempty" json:"skipContainerEnv,omitempty"`
+
+	// Env are extra environment variables to set for the command
+	Env map[string]string `yaml:"env,omitempty" json:"env,omitempty"`
 }
 
 type SSH struct {

pkg/devspace/services/proxycommands/server.go

@@ -180,6 +180,9 @@ func (s *Server) getCommand(sess ssh.Session) (*exec.Cmd, *types.ProxyCommand, e
 		cmd.Env = append(cmd.Env, command.Env...)
 	}
 	cmd.Env = append(cmd.Env, os.Environ()...)
+	for k, v := range reverseCommand.Env {
+		cmd.Env = append(cmd.Env, k+"="+v)
+	}
 	return cmd, command, nil
 }
 

pkg/devspace/services/ssh/keys.go

@@ -19,19 +19,37 @@ import (
 
 var (
 	DevSpaceSSHFolder         = "ssh"
+	DevSpaceSSHHostKeyFile    = "id_devspace_host_rsa"
 	DevSpaceSSHPrivateKeyFile = "id_devspace_rsa"
 	DevSpaceSSHPublicKeyFile  = "id_devspace_rsa.pub"
 )
 
 func init() {
 	homeDir, _ := homedir.Dir()
 	DevSpaceSSHFolder = filepath.Join(homeDir, constants.DefaultHomeDevSpaceFolder, DevSpaceSSHFolder)
+	DevSpaceSSHHostKeyFile = filepath.Join(DevSpaceSSHFolder, DevSpaceSSHHostKeyFile)
 	DevSpaceSSHPrivateKeyFile = filepath.Join(DevSpaceSSHFolder, DevSpaceSSHPrivateKeyFile)
 	DevSpaceSSHPublicKeyFile = filepath.Join(DevSpaceSSHFolder, DevSpaceSSHPublicKeyFile)
 }
 
 var keyLock sync.Mutex
 
+func MakeHostKey() (string, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return "", err
+	}
+
+	// generate and write private key as PEM
+	var privKeyBuf strings.Builder
+	privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}
+	if err := pem.Encode(&privKeyBuf, privateKeyPEM); err != nil {
+		return "", err
+	}
+
+	return privKeyBuf.String(), nil
+}
+
 func MakeSSHKeyPair() (string, string, error) {
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
@@ -56,6 +74,41 @@ func MakeSSHKeyPair() (string, string, error) {
 	return pubKeyBuf.String(), privKeyBuf.String(), nil
 }
 
+func getHostKey() (string, error) {
+	keyLock.Lock()
+	defer keyLock.Unlock()
+
+	_, err := os.Stat(DevSpaceSSHFolder)
+	if err != nil {
+		err = os.MkdirAll(DevSpaceSSHFolder, 0755)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	// check if key pair exists
+	_, err = os.Stat(DevSpaceSSHHostKeyFile)
+	if err != nil {
+		privateKey, err := MakeHostKey()
+		if err != nil {
+			return "", errors.Wrap(err, "generate host key")
+		}
+
+		err = ioutil.WriteFile(DevSpaceSSHHostKeyFile, []byte(privateKey), 0600)
+		if err != nil {
+			return "", errors.Wrap(err, "write host key")
+		}
+	}
+
+	// read public key
+	out, err := ioutil.ReadFile(DevSpaceSSHHostKeyFile)
+	if err != nil {
+		return "", errors.Wrap(err, "read host ssh key")
+	}
+
+	return base64.StdEncoding.EncodeToString(out), nil
+}
+
 func getPublicKey() (string, error) {
 	keyLock.Lock()
 	defer keyLock.Unlock()

pkg/devspace/services/ssh/ssh.go

@@ -160,14 +160,20 @@ func startSSHWithRestart(ctx *devspacecontext.Context, arch, addr, sshHost strin
 		return err
 	}
 
+	// get host key
+	hostKey, err := getHostKey()
+	if err != nil {
+		return errors.Wrap(err, "generate host key")
+	}
+
 	// get public key
 	publicKey, err := getPublicKey()
 	if err != nil {
 		return errors.Wrap(err, "generate key pair")
 	}
 
 	// get command
-	command := []string{inject.DevSpaceHelperContainerPath, "ssh", "--authorized-key", publicKey}
+	command := []string{inject.DevSpaceHelperContainerPath, "ssh", "--authorized-key", publicKey, "--host-key", hostKey}
 	if addr != "" {
 		command = append(command, "--address", addr)
 	}