Merge pull request #4940 from hashicorp/bastion-agent-auth

comm/ssh: Add support for using SSH Agent auth towards a bastion host.
9 years ago · 554622f808
parent e40b324907 d4ecf4acb3
commit 554622f808
3 changed files with 24 additions and 3 deletions
--- a/helper/communicator/config.go
+++ b/helper/communicator/config.go
@ -28,6 +28,7 @@ type Config struct {
 	SSHHandshakeAttempts  int           `mapstructure:"ssh_handshake_attempts"`
 	SSHBastionHost        string        `mapstructure:"ssh_bastion_host"`
 	SSHBastionPort        int           `mapstructure:"ssh_bastion_port"`
+	SSHBastionAgentAuth   bool          `mapstructure:"ssh_bastion_agent_auth"`
 	SSHBastionUsername    string        `mapstructure:"ssh_bastion_username"`
 	SSHBastionPassword    string        `mapstructure:"ssh_bastion_password"`
 	SSHBastionPrivateKey  string        `mapstructure:"ssh_bastion_private_key_file"`
@ -159,7 +160,7 @@ func (c *Config) prepareSSH(ctx *interpolate.Context) []error {
 		}
 	}

-	if c.SSHBastionHost != "" {
+	if c.SSHBastionHost != "" && !c.SSHBastionAgentAuth {
 		if c.SSHBastionPassword == "" && c.SSHBastionPrivateKey == "" {
 			errs = append(errs, errors.New(
 				"ssh_bastion_password or ssh_bastion_private_key_file must be specified"))
--- a/helper/communicator/step_connect_ssh.go
+++ b/helper/communicator/step_connect_ssh.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"os"
 	"strings"
 	"time"

@ -13,6 +14,7 @@ import (
 	"github.com/hashicorp/packer/packer"
 	"github.com/mitchellh/multistep"
 	gossh "golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
 )

 // StepConnectSSH is a step that only connects to SSH.
@ -213,8 +215,23 @@ func sshBastionConfig(config *Config) (*gossh.ClientConfig, error) {
 		auth = append(auth, gossh.PublicKeys(signer))
 	}

+	if config.SSHBastionAgentAuth {
+		authSock := os.Getenv("SSH_AUTH_SOCK")
+		if authSock == "" {
+			return nil, fmt.Errorf("SSH_AUTH_SOCK is not set")
+		}
+
+		sshAgent, err := net.Dial("unix", authSock)
+		if err != nil {
+			return nil, fmt.Errorf("Cannot connect to SSH Agent socket %q: %s", authSock, err)
+		}
+
+		auth = append(auth, gossh.PublicKeysCallback(agent.NewClient(sshAgent).Signers))
+	}
+
 	return &gossh.ClientConfig{
-		User: config.SSHBastionUsername,
-		Auth: auth,
+		User:            config.SSHBastionUsername,
+		Auth:            auth,
+		HostKeyCallback: gossh.InsecureIgnoreHostKey(),
 	}, nil
 }
--- a/website/source/docs/templates/communicator.html.md
+++ b/website/source/docs/templates/communicator.html.md
@ -58,6 +58,9 @@ the SSH agent to the remote host.

 The SSH communicator has the following options:

+- `ssh_bastion_agent_auth` (boolean) - If true, the local SSH agent will
+    be used to authenticate with the bastion host. Defaults to false.
+
 - `ssh_bastion_host` (string) - A bastion host to use for the actual
    SSH connection.