- Make the port of the publickey api scan configurable

- Add logic with public key scan to the Docker-local part
- Update Readme

Author: raethlein

Dockerfile

@@ -74,7 +74,8 @@ ENV SSH_PERMIT_TARGET_HOST="*" \
     SSH_PERMIT_TARGET_PORT="*" \ 
     SSH_TARGET_KEY_PATH="~/.ssh/id_ed25519.pub" \ 
     MANUAL_AUTH_FILE="false" \
-    SSHD_ENVIRONMENT_VARIABLES="${_RESOURCES_PATH}/sshd_environment"
+    SSHD_ENVIRONMENT_VARIABLES="${_RESOURCES_PATH}/sshd_environment" \
+    SSH_TARGET_PUBLICKEY_API_PORT=8080
 
 RUN \
     chmod -R ug+rwx $_RESOURCES_PATH && \

README.md

@@ -37,7 +37,7 @@ This SSH proxy can be deployed as a standalone docker container that allows to p
 
 ### Prerequisites
 
-The target containers must run an SSH server and provide a valid public key that can be found under `$SSH_TARGET_KEY_PATH` (default: `~/.ssh/id_ed25519.pub`).
+The target containers must run an SSH server and provide a valid public key via a `/publickey` endpoint. If this does not exist, the ssh-proxy tries to exec into the target container and search for the publickey under under `$SSH_TARGET_KEY_PATH` (default: `~/.ssh/id_ed25519.pub`).
 
 > ℹ️ _The SSH proxy accepts an incoming key, if it belongs to one of the targets key, in other words the proxy/bastion server authorizes all target public keys. It is still not possible to login to the proxy directly. The authorization happens only for creating and tunneling the final connection._
 
@@ -106,15 +106,20 @@ The container can be configured with the following environment variables (`--env
         <td>Defines on which port the other containers can be reached via ssh. The ssh connection to the target can only be made via this port then. The default value '*' permits any port.</td>
         <td>*</td>
     </tr>
+    <tr>
+        <td>SSH_TARGET_PUBLICKEY_API_PORT</td>
+        <td>Port where the target pod exposes the /publickey endpoint (if used).</td>
+        <td>8080</td>
+    </tr> 
     <tr>
         <td>SSH_TARGET_KEY_PATH</td>
         <td>The path inside the target containers where the manager looks for a valid public key.
-        Consider that `~` will be resolved to the target container's home.</td>
+        Consider that `~` will be resolved to the target container's home. Only used when the target container does not return a public key via the /publickey endpoint.</td>
         <td>~/.ssh/id_ed25519.pub</td>
     </tr>
     <tr>
         <td>MANUAL_AUTH_FILE</td>
-        <td>Disables the bastion's public key fetching method and you have to maintain the /etc/ssh/authorized_keys_cache file yourself (e.g. by mounting a respective file there)</td>
+        <td>Disables the bastion's public key fetching method and you have to maintain the /etc/ssh/authorized_keys_cache file yourself (e.g. by mounting a respective file there). Only used when the target container does not return a public key via the /publickey endpoint.</td>
         <td>false</td>
     </tr>
 </table>

docker-res/ssh/update_authorized_keys.py

@@ -20,6 +20,7 @@
 
 SSH_PERMIT_TARGET_HOST = os.getenv("SSH_PERMIT_TARGET_HOST", "*")
 SSH_TARGET_KEY_PATH = os.getenv("SSH_TARGET_KEY_PATH", "~/.ssh/id_ed25519.pub")
+SSH_TARGET_PUBLICKEY_API_PORT = os.getenv("SSH_TARGET_PUBLICKEY_API_PORT", 8080)
 
 authorized_keys_cache_file = "/etc/ssh/authorized_keys_cache"
 authorized_keys_cache_file_lock = "cache_files.lock"
@@ -92,7 +93,7 @@ def get_authorized_keys_kubernetes(query_cache: list = []) -> (list, list):
 
         key = None
         # Try to get the public key via an API call first
-        publickey_url = "http://{}:8091/publickey".format(pod_ip)
+        publickey_url = "http://{}:{}/publickey".format(pod_ip, str(SSH_TARGET_PUBLICKEY_API_PORT))
         timeout_seconds = 10
         try:
             request = requests.request("GET", publickey_url, timeout=timeout_seconds)
@@ -145,9 +146,24 @@ def get_authorized_keys_docker(query_cache: list = []) -> (list, list):
             new_query_cache.append(container.id)
             continue
 
-        exec_result = container.exec_run(PRINT_KEY_COMMAND)
-        authorized_keys.append(exec_result[1].decode("utf-8"))
-        new_query_cache.append(container.id)
+        key = None
+        # Try to get the public key via an API call first
+        publickey_url = "http://{}:{}/publickey".format(container.id, str(SSH_TARGET_PUBLICKEY_API_PORT))
+        timeout_seconds = 10
+        try:
+            request = requests.request("GET", publickey_url, timeout=timeout_seconds)
+            if request.status_code == 200:
+                key = request.text
+        except requests.exceptions.ConnectTimeout:
+            print("Connection to {ip} timed out after {timeout} seconds. Will try to exec into the pod to retrieve the key.".format(ip=pod_ip, timeout=str(timeout_seconds)))
+
+        if key is None:
+            exec_result = container.exec_run(PRINT_KEY_COMMAND)
+            key = exec_result[1].decode("utf-8")
+        
+        if key is not None:
+            authorized_keys.append(key)
+            new_query_cache.append(container.id)
 
     return authorized_keys, new_query_cache