I totally forgot about the consequences in the companion program when…

… I redacted the private key.. but now we can use the SSH agent at least. Is there a better solution to this?
stefansundin · May 30, 2019 · 20f8610 · 20f8610
1 parent d4204fc
commit 20f8610
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -35,6 +35,8 @@ Note that there is a gotcha when trying to apply a generated plan output file (s
 
 As a workaround, before you apply, run the companion program `terraform-open-ssh-tunnels` on the plan file first in order to reopen the SSH tunnels. [Download from the releases.](https://github.com/stefansundin/terraform-provider-ssh/releases/latest)
 
+Because of [this commit](https://github.com/stefansundin/terraform-provider-ssh/commit/37fa9835b75fde095c863fca89e2f28a0169919d), only the SSH agent is currently supported in this program. Let me know if you can think of a good fix for this.
+
 #### TODO
 
 - Support another hop (ProxyJump-like behavior)

diff --git a/terraform-open-ssh-tunnels/main.go b/terraform-open-ssh-tunnels/main.go
@@ -7,10 +7,12 @@ import (
 	"net"
 	"os"
 	"os/user"
+	"strconv"
 	"sync"
 
 	"github.com/hashicorp/terraform/terraform"
 	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
 )
 
 // copied from https://github.com/hashicorp/terraform/blob/7149894e418d06274bc5827c872edd58d887aad9/communicator/ssh/provisioner.go#L213-L232
@@ -70,21 +72,33 @@ func main() {
 					username = currentUser.Username
 				}
 				host := d["host"]
-				privateKey := d["private_key"]
 				localAddress := d["local_address"]
 				remoteAddress := d["remote_address"]
+				sshAgent, _ := strconv.ParseBool(d["ssh_agent"])
 
-				fmt.Printf("%s Forwarding %s to %s via %s.\n", m.Path, localAddress, remoteAddress, host)
-
-				pubKeyAuth, err := readPrivateKey(privateKey)
-				if err != nil {
-					panic(err)
-				}
 				sshConf := &ssh.ClientConfig{
 					User:            username,
 					HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-					Auth:            []ssh.AuthMethod{pubKeyAuth},
+					Auth:            []ssh.AuthMethod{},
 				}
+				if sshAgent {
+					sshAuthSock, ok := os.LookupEnv("SSH_AUTH_SOCK")
+					if ok {
+						conn, err := net.Dial("unix", sshAuthSock)
+						if err != nil {
+							panic(err)
+						}
+						agentClient := agent.NewClient(conn)
+						agentAuth := ssh.PublicKeysCallback(agentClient.Signers)
+						sshConf.Auth = append(sshConf.Auth, agentAuth)
+					}
+				}
+				if len(sshConf.Auth) == 0 {
+					fmt.Printf("Error: No authentication method configured. Only SSH agent authentication is supported in this program at the moment.\n")
+					return
+				}
+
+				fmt.Printf("%s Forwarding %s to %s via %s.\n", m.Path, localAddress, remoteAddress, host)
 
 				localListener, err := net.Listen("tcp", localAddress)
 				if err != nil {