-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcscs-cl
executable file
·300 lines (257 loc) · 9.18 KB
/
cscs-cl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
#!/bin/bash
# This script sets the environment properly so that a user can access CSCS
# login nodes via ssh.
# Copyright (C) 2023, ETH Zuerich, Switzerland
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# AUTHORS Massimo Benini, Eduard Durech
# Function to check if keys are valid by attempting a test connection
function check_keys() {
ssh -q ela exit 2>/dev/null
return $?
}
# Function to setup SSH config if it doesn't exist
function setup_ssh_config() {
local username="$1"
local ssh_config="$2"
# Create .ssh directory if it doesn't exist
mkdir -p "$HOME/.ssh"
touch "$ssh_config"
cat >> "$ssh_config" << EOF
Host ela ela.cscs.ch
Hostname ela.cscs.ch
User ${username}
ForwardAgent yes
ForwardX11 yes
forwardX11Trusted yes
StrictHostKeyChecking accept-new
IdentityFile ~/.ssh/cscs-key
Host clariden clariden.cscs.ch
Hostname clariden.cscs.ch
User ${username}
ForwardAgent yes
StrictHostKeyChecking accept-new
IdentityFile ~/.ssh/cscs-key
ProxyJump ela
EOF
}
function setup_keys() {
local ssh_config="$HOME/.ssh/config"
local is_first_time=0
local secure_mode=$1
#Params
MFA_KEYS_URL="https://sshservice.cscs.ch/api/v1/auth/ssh-keys/signed-key"
#Detect OS
OS="$(uname)"
case "${OS}" in
'Linux')
OS='Linux'
;;
'FreeBSD')
OS='FreeBSD'
;;
'WindowsNT')
OS='Windows'
;;
'Darwin')
OS='Mac'
;;
*) ;;
esac
#OS validation
if [ "${OS}" != "Mac" ] && [ "${OS}" != "Linux" ]; then
echo "This script works only on Mac-OS or Linux. Aborting."
exit 1
fi
# Check if config exists and has clariden entry
if grep -q "Host clariden" "$ssh_config" 2>/dev/null; then
USERNAME=$(grep -A2 "Host clariden" "$ssh_config" | grep "User" | awk '{print $2}')
if [ -n "$USERNAME" ]; then
echo "Existing username : $USERNAME"
else
read -p "Username : " USERNAME
fi
else
is_first_time=1
read -p "Username : " USERNAME
# Setup SSH config with username
setup_ssh_config "${USERNAME}" "${ssh_config}"
fi
read -s -p "Password : " PASSWORD
echo
read -s -p "Enter OTP (6-digit code) : " OTP
echo
#Validate inputs
if ! [[ "${USERNAME}" =~ ^[[:lower:]_][[:lower:][:digit:]_-]{2,15}$ ]]; then
echo "Username is not valid."
exit 1
fi
if [ -z "${PASSWORD}" ]; then
echo "Password is empty."
exit 1
fi
if ! [[ "${OTP}" =~ ^[[:digit:]]{6} ]]; then
echo "OTP is not valid, OTP must contains only six digits."
exit 1
fi
echo " Authenticating to the SSH key service..."
HEADERS=(-H "Content-Type: application/json" -H "accept: application/json")
KEYS=$(curl -s -S --ssl-reqd \
"${HEADERS[@]}" \
-d "{\"username\": \"$USERNAME\", \"password\": \"$PASSWORD\", \"otp\": \"$OTP\"}" \
"$MFA_KEYS_URL")
if [ $? != 0 ]; then
exit 1
fi
echo " Retrieving the SSH keys..."
DICT_KEY=$(echo ${KEYS} | cut -d \" -f 2)
if [ "${DICT_KEY}" == "payload" ]; then
MESSAGE=$(echo ${KEYS} | cut -d \" -f 6)
! [ -z "${MESSAGE}" ] && echo "${MESSAGE}"
echo "Error fetching the SSH keys. Aborting."
exit 1
fi
PUBLIC=$(echo ${KEYS} | cut -d \" -f 4)
PRIVATE=$(echo ${KEYS} | cut -d \" -f 8)
#Check if keys are empty:
if [ -z "${PUBLIC}" ] || [ -z "${PRIVATE}" ]; then
echo "Error fetching the SSH keys. Aborting."
exit 1
fi
echo " Setting up the SSH keys into your home folder..."
#Check ~/.ssh folder and store the keys
echo ${PUBLIC} | awk '{gsub(/\\n/,"\n")}1' > ~/.ssh/cscs-key-cert.pub || exit 1
echo ${PRIVATE} | awk '{gsub(/\\n/,"\n")}1' > ~/.ssh/cscs-key || exit 1
#Setting permissions:
chmod 644 ~/.ssh/cscs-key-cert.pub || exit 1
chmod 600 ~/.ssh/cscs-key || exit 1
#Format the keys:
if [ "${OS}" = "Mac" ]
then
sed -i '' -e '$ d' ~/.ssh/cscs-key-cert.pub || exit 1
sed -i '' -e '$ d' ~/.ssh/cscs-key || exit 1
else [ "${OS}" = "Linux" ]
sed '$d' ~/.ssh/cscs-key-cert.pub || exit 1
sed '$d' ~/.ssh/cscs-key || exit 1
fi
echo " Completed."
# Only prompt for passphrase if in secure mode
if (( secure_mode )); then
exit_code_passphrase=1
while [ $exit_code_passphrase != 0 ]; do
ssh-keygen -f ~/.ssh/cscs-key -p
exit_code_passphrase=$?
done
fi
# Add key to ssh-agent
ssh-add -t 1d ~/.ssh/cscs-key
# Show appropriate completion message
if (( is_first_time )); then
cat << EOF
First time setup complete! You can now connect to Clariden.
Note: Keys expire after 24 hours. Just run this script again to refresh and connect.
EOF
else
echo "Keys have been refreshed. You can now connect to Clariden."
fi
}
# Function to read user.env and build ENV_VARS string
function build_env_vars() {
local env_vars=""
local local_git_ssh_keypath=""
#setup script will set user_env path
local user_env=""
if [ -f "$user_env" ]; then
# Read file and ensure processing of last line even without newline
while IFS='=' read -r key value || [ -n "$key" ]; do
# Skip empty or commented lines
[[ -z "$key" || "$key" =~ ^# ]] && continue
# Trim whitespace and quotes from value
value=$(echo "$value" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//')
# Handle the special case for LOCAL_GIT_SSH_KEYPATH
if [ "$key" == "LOCAL_GIT_SSH_KEYPATH" ]; then
# Expand any environment variables in the path
local_git_ssh_keypath=$(eval echo "$value")
continue # Skip adding this to env_vars
fi
# Only add non-empty values
if [ ! -z "$value" ]; then
[ -z "$env_vars" ] && env_vars="export " || env_vars+=" "
env_vars+="${key}=${value}"
fi
done < "$user_env"
fi
# Return both values separated by a special delimiter that's unlikely to be in paths
echo "${env_vars}${local_git_ssh_keypath:+___SSH_KEY_DELIM___${local_git_ssh_keypath}}"
}
# Main logic - single entry point that handles all cases
if [[ "$1" == "--help" ]]; then
cat << EOF
Usage: $(basename "$0") [--secure] [command] # Setup keys and connect to Clariden
--secure Prompt to add a passphrase to the SSH keygen
command Optional command to execute on Clariden (if not provided, starts an interactive shell)
EOF
exit 0
fi
# Parse args
secure_mode=0
if [[ "$1" == "--secure" ]]; then
secure_mode=1
shift # Remove --secure from args
fi
# Check if keys are valid
if ! check_keys; then
# If keys are invalid, setup/refresh them
setup_keys $secure_mode
fi
# Parse the result from build_env_vars to get both ENV_VARS and git_ssh_keypath
build_env_result=$(build_env_vars)
ENV_VARS=$(echo "$build_env_result" | awk -F '___SSH_KEY_DELIM___' '{print $1}')
GIT_SSH_KEYPATH=$(echo "$build_env_result" | awk -F '___SSH_KEY_DELIM___' '{print $2}')
# If args $@ empty, use -t (interactive shell)
[ $# -eq 0 ] && TTY_FLAG=" -t" || TTY_FLAG=""
# TODO: Support ssh-agent if non-interactive, e.g. send signal to local when non-interactive finished
# Only setup SSH agent if interactive mode and have a Git key to add
if [ $# -eq 0 ] && [ -n "$GIT_SSH_KEYPATH" ] && [ -f "$GIT_SSH_KEYPATH" ]; then
existing_agent=false
if [ -n "$SSH_AGENT_PID" ] && ps -p $SSH_AGENT_PID > /dev/null; then
echo "Existing SSH agent ($SSH_AGENT_PID)"
existing_agent=true
else
echo "Starting SSH agent..."
eval $(ssh-agent)
fi
# Check if the key is already added
key_added=false
if ssh-add -l | grep -q "$(ssh-keygen -lf "$GIT_SSH_KEYPATH" | awk '{print $2}')"; then
echo "Git SSH key already in agent"
else
# Add the Git SSH key
echo "Adding Git SSH key..."
ssh-add "$GIT_SSH_KEYPATH" 2>/dev/null
key_added=true
fi
# Setup trap to kill agent on exit if we started it
trap 'if [ $existing_agent = false ]; then
eval $(ssh-agent -k);
else
echo "Existing SSH agent ($SSH_AGENT_PID) kept";
if [ $key_added = true ]; then
echo "Removing Git SSH key...";
ssh-add -d "$GIT_SSH_KEYPATH" 2>/dev/null;
fi;
fi' EXIT INT TERM QUIT ABRT HUP
fi
# If args $@ empty, default to interactive "exec \$SHELL -l"
ssh$TTY_FLAG clariden "${ENV_VARS:+$ENV_VARS; }${@:-exec \$SHELL -l}"