记一次瞎逼折腾
dotcloud悄无声息的远去了。我收到让转移应用的邮件才知道公司已经破产。
就在几天前,往dotcloud上部署微信机器人时还饶有兴趣瞎折腾了一下。当时发在cnodejs上
昨天,看到dotcloud提供一个secure shell,忽然脑洞大开,我觉得又可以花式Tunnel了。
┌─[reverland@reverland-R478-R429] - [~] - [2016-01-23 11:55:29] └─[0] <> export PATH=$PATH:$HOME/.local/bin ┌─[reverland@reverland-R478-R429] - [~] - [2016-01-23 11:55:34] └─[0] <> dcapp wechat/default run bash Connecting... [wechat/default]:~$
好奇,我能不用dcapp直接连接吗?什么原理?
于是翻了翻下载到dotcloudng的源码,开源软件就是好啊就是好。看到里头有个ssh命令
cmd = ssh_cmd(host_name, 'delete-cache', deployment_name)
于是打印了一下,发现就是普通的ssh连接。于是抱着试试看的心理连了一次,还真可以。。
ssh -t -p 2222 -- [email protected] TOKEN=t9Nd9ECasAgSD9UsYfcFwgysAF4bCL bash
翻翻源码没什么问题。但是,=–=是啥?,token又是啥?
=–=很快查到,为了防止bash解析后面的内容。但token呢?
env = 'TOKEN={token}'.format(token=self.api.get_token()['token'])
搜索了下没找到,cctrl引用了cclib,看到get\token
def get_token(self): """ We use get_token to get the token. """ return self._token
那又是哪里设置了token呢?一眼看到上面的=settoken=。。。
def set_token(self, token): """ We use set_token to set the token. """ self._token = token
检查set\token是在api init的时候
看看Api类,就抱着试试看的心理用试验了下。。。然而401?
var getSshToken = new Promise((resolve, reject) => { var req = https.request({ method: 'POST', path: '/token/', hostname: 'api.dotcloudapp.com', headers: { 'User-Agent': 'pycclib/1.6.2', 'Content-Type': 'application/x-www-form-urlencoded', 'Content-length': 0, } }, (res)=> { resolve(res); } }); req.end(); })
我在想要不要把mitmproxy打开看看呢。忽然在文件中赫然看到个DEBUG标志,于是打开,清晰看到几次请求。发现第一次请求是不带任何参数的,就是401,在header中返回了一个sshtoken。紧接着第二次请求。这次http header中Authorization中多了一些东西:
ccssh signature=rqsolg/L43mTokqnwVCgfGpCxxxxxxxxxxxxxvsdv6HxXiyXkmEAg6kKvOHSjFhCprq2AuDQbU2Z7DHUcryu9bVRmBQvNOd2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/92uN4C6aUkXqCmlp16G0VC2qqE/QrEuvO72OXeMC8tL4RrU3Qn7tRzablDo2sNaCXkXMcjMtqM+DpuzqbOHZnn7lEwynbCPOtRGaGYnVRQtxxxxxxxxxxxufi6oxomKGk/6ch8C7yjEE9hfbbqFcXBZQw==,fingerprint=c6:xx:92:8a:86:xx:6b:af:fe:xx:19:62:1b:xx:2b:f0,sshtoken=unBVe7F36pCfVhtZEmPCaT,[email protected]
虽然公钥和数据签名也没什么影响,还是打上码= =
sshtoken是第一步在response header中www-authenticate中给的,其他的呢。
email很显然。。fingerprint,我自己的太熟悉了。。signature是啥?
看了下源码,发现是这个函数生成的signature
signature = sign_token(key_path, fingerprint, sshtoken)
数据签名函数简化如下,把错误处理去掉了,还懒得管缩进。
def sign_token(key_path, fingerprint, data): # from agent pkey = get_key_from_agent(fingerprint) # paramiko is inconsistent here in that the agent's key # returns Message objects for 'sign_ssh_data' whereas RSAKey # objects returns byte strings. # Workaround: cast both return values to string and build a # new Message object s = str(pkey.sign_ssh_data(data)) m = Message(s) m.rewind() m.get_string() # == 'ssh-rsa': return base64.b64encode(m.get_string())
于是自己查看文档试验了一下,
┌─[reverland@reverland-R478-R429] - [~/tmp/dcwall] - [2016-01-23 01:05:51] └─[0] <> ssh -v -t -p 2222 -- [email protected] TOKEN=tv8NczygRPK6cgp78azgXyKKrX9KPN bash OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014 debug1: Reading configuration data /home/reverland/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to sshforwarder.dotcloudapp.com [130.211.165.15] port 2222. debug1: fd 3 clearing O_NONBLOCK debug1: Connection established. debug1: identity file /home/reverland/.ssh/id_rsa type 1 debug1: identity file /home/reverland/.ssh/id_rsa-cert type -1 debug1: identity file /home/reverland/.ssh/id_dsa type 2 debug1: identity file /home/reverland/.ssh/id_dsa-cert type -1 debug1: identity file /home/reverland/.ssh/id_ecdsa type -1 debug1: identity file /home/reverland/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/reverland/.ssh/id_ed25519 type -1 debug1: identity file /home/reverland/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.4 debug1: Remote protocol version 2.0, remote software version Twisted debug1: no match: Twisted debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: RSA 5a:83:13:7c:d7:a1:cb:7c:ec:29:99:91:e4:bc:9d:01 debug1: Host '[sshforwarder.dotcloudapp.com]:2222' is known and matches the RSA host key. debug1: Found key in /home/reverland/.ssh/known_hosts:3689 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Offering DSA public key: /home/reverland/.ssh/id_dsa debug1: Authentications that can continue: publickey debug1: Offering RSA public key: /home/reverland/.ssh/id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 279 debug1: Authentication succeeded (publickey). Authenticated to sshforwarder.dotcloudapp.com ([130.211.165.15]:2222). debug1: channel 0: new [client-session] debug1: Entering interactive session. debug1: Sending environment. debug1: Sending env LC_IDENTIFICATION = zh_CN.UTF-8 debug1: Sending env LC_TIME = zh_CN.UTF-8 debug1: Sending env LC_NUMERIC = zh_CN.UTF-8 debug1: Sending env LC_PAPER = zh_CN.UTF-8 debug1: Sending env LC_MEASUREMENT = zh_CN.UTF-8 debug1: Sending env LC_ADDRESS = zh_CN.UTF-8 debug1: Sending env LC_MONETARY = zh_CN.UTF-8 debug1: Sending env LANG = en_US.UTF-8 debug1: Sending env LC_NAME = zh_CN.UTF-8 debug1: Sending env LC_TELEPHONE = zh_CN.UTF-8 debug1: Sending env LC_CTYPE = en_US.UTF-8 debug1: Sending command: TOKEN=tv8NczygRPK6cgp78azgXyKKrX9KPN bash Connecting... [wechat/default]:~$
想了想这个认证过程。
- https请求服务器,得到sshtoken
- 用私钥给sshtoken的sha1哈希签名,连同公钥fingerprint,email,sshtoken一并发送给服务器
- (这一步是我猜的)服务器验证fingerprint身份(之前dcuser时应该已经密码认证传过公钥,待验证),服务器使用客户公钥解密签名,将解密得到的哈希和sshtoken的sha1哈希进行对比,实现身份验证和sshtoken 验证。返回再下一步ssh连接时要传递的token
- 客户端ssh连接forward.dotcloudapp.com,认证通过后,服务器端需要检查Token的值来启动程序实例。为什么要检查呢?我猜,因为dotcloud免费用户控制只能运行一个Worker实例。。。
于是,自己实现了下这个过程。
var exec = require('child_process').exec; var https = require('https'); var EMAIL = '[email protected]'; var getSshToken = new Promise((resolve, reject) => { var req = https.request({ method: 'POST', path: '/token/', hostname: 'api.dotcloudapp.com', headers: { 'User-Agent': 'pycclib/1.6.2', 'Content-Type': 'application/x-www-form-urlencoded', 'Content-length': 0, } }, (res)=> { if ('www-authenticate' in res.headers) { //console.log(res.headers['www-authenticate']); var result = /sshtoken=(.+)$/mg.exec(res.headers['www-authenticate']) if (!result) { reject("fail to get ssh token"); } var sshtoken = result[1]; resolve(sshtoken); } }); req.end(); }) function getAuth(sshtoken) { var p1 = getSignature(sshtoken); var p2 = getFingerPrint(); var p3 = Promise.all([p1, p2]).then((k)=>{ return new Promise((resolve, reject)=>{ var authorization = 'ccssh '; authorization += ('signature=' + k[0] + ','); authorization += ('fingerprint=' + k[1] + ','); authorization += ('sshtoken=' + sshtoken + ','); authorization += ('email=' + EMAIL); console.log(authorization); resolve(authorization); }); }); return p3; } function getSignature(sshtoken) { return new Promise((resolve, reject)=>{ var cmd = 'echo -ne "' + sshtoken + '" | openssl sha1 -binary | openssl pkeyutl -sign -inkey ~/.ssh/id_rsa -pkeyopt digest:sha1'; //console.log(cmd); exec(cmd, // 以下两个参数非常重要 { encoding: 'binary', shell: '/bin/bash', }, (error, stdout, stderr) => { if (error) { reject(error); } // 注意要binary而不是utf8 resolve(new Buffer(stdout, 'binary').toString('base64')); }); }); } function getFingerPrint() { return new Promise((resolve, reject)=>{ exec('ssh-keygen -lf ~/.ssh/id_rsa.pub', (error, stdout, stderr) => { if (error) { reject(error); } resolve(stdout.toString().split(' ')[1]); }); }); } function getToken(authorization){ var p = new Promise((resolve, reject)=>{ var req = https.request({ method: 'POST', path: '/token/', hostname: 'api.dotcloudapp.com', headers: { 'User-Agent': 'pycclib/1.6.2', 'Content-Type': 'application/x-www-form-urlencoded', 'Content-length': 0, 'Authorization': authorization, } }, (res)=> { if (res.statusCode != 200) { reject("fail to get token"); } var data = ''; res.on('data', (chunk)=>{ data += chunk; }); res.on('end', ()=>{ resolve(data); }) }); req.end(); }); return p; } getSshToken.then(getAuth).then(getToken).then(console.log).catch(console.error);
一点也不顺利:
我用的v5.0.0,看了看文档里赫然写着stderror是Buffer好么
callback Function called with the output when process terminates error Error stdout Buffer stderr Buffer
然而实际上怎么是String…..是我理解不对么?
其次,echo在/bin/sh和/bin/bash中不是一回事,一个是内置命令,一个是单独程序。。。
再次,深刻体会到该binary的时候一定得binary,字符串在我这里只能utf-8。。再Buffer后完全不是之前的binary数据。被坑得半死不活。
最后,Cheers
[wechat/default]:~$ curl https://twitter.com | md5sum % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 70740 100 70740 0 0 219k 0 --:--:-- --:--:-- --:--:-- 262k 9f9f288dbfb5fbf379244ed9a75f7ebf -
不过tunnel还是没成功,不过也不是为了tunnel不是。
总结
Just for fun!
学习下dotcloud的cli认证原理
不知道heroku是不是类似的认证方式
我要好好研究下ssh forward原理。