Insecure mode (#52)

Insecure mode

This change adds an insecure flag that dictates the implementation of
the host key validation callback.

Author: davrodpin

cli/cli.go

@@ -15,20 +15,21 @@ type App struct {
 	args []string
 	flag *flag.FlagSet
 
-	Command     string
-	Local       HostInput
-	Remote      HostInput
-	Server      HostInput
-	Key         string
-	Verbose     bool
-	Help        bool
-	Version     bool
-	Alias       string
-	Start       string
-	AliasDelete bool
-	Detach      bool
-	Stop        string
-	AliasList   bool
+	Command      string
+	Local        HostInput
+	Remote       HostInput
+	Server       HostInput
+	Key          string
+	Verbose      bool
+	Help         bool
+	Version      bool
+	Alias        string
+	Start        string
+	AliasDelete  bool
+	Detach       bool
+	Stop         string
+	AliasList    bool
+	InsecureMode bool
 }
 
 // New creates a new instance of App.
@@ -55,6 +56,8 @@ func (c *App) Parse() error {
 	f.BoolVar(&c.Version, "version", false, "display the mole version")
 	f.BoolVar(&c.Detach, "detach", false, "(optional) run process in background")
 	f.StringVar(&c.Stop, "stop", "", "stop background process")
+	f.BoolVar(&c.InsecureMode, "insecure", false, "(optional) skip host key validation when connecting to ssh server")
+
 	f.Parse(c.args[1:])
 
 	if c.Help {
@@ -110,7 +113,7 @@ func (c App) Validate() error {
 // use the tool.
 func (c *App) PrintUsage() {
 	fmt.Fprintf(os.Stderr, "%s\n\n", `usage:
-	mole [-v] [-detach] [-local [<host>]:<port>] -remote [<host>]:<port> -server [<user>@]<host>[:<port>] [-key <key_path>]
+	mole [-v] [-insecure] [-detach] [-local [<host>]:<port>] -remote [<host>]:<port> -server [<user>@]<host>[:<port>] [-key <key_path>]
 	mole -alias <alias_name> [-v] [-local [<host>]:<port>] -remote [<host>]:<port> -server [<user>@]<host>[:<port>] [-key <key_path>]
 	mole -alias <alias_name> -delete
 	mole -start <alias_name>

cmd/mole/main.go

@@ -214,6 +214,8 @@ func start(app cli.App) error {
 		return err
 	}
 
+	s.Insecure = app.InsecureMode
+
 	log.Debugf("server: %s", s)
 
 	t := tunnel.New(app.Local.String(), s, app.Remote.String())

test-env/README.md

@@ -83,9 +83,9 @@ The ssh authentication key files, `test-env/key` and `test-env/key,pub` will
 ```sh
 $ make test-env
 <lots of output messages here>
-$ mole -remote 192.168.33.11:80 -server [email protected]:22122 -key test-env/key
-INFO[0000] listening on local address                    local_address="127.0.0.1:50640"
-$ curl 127.0.0.1:50640
+$ mole -insecure -local :21112 -remote 192.168.33.11:80 -server [email protected]:22122 -key test-env/key
+INFO[0000] listening on local address                    local_address="127.0.0.1:21112"
+$ curl 127.0.0.1:21112
 :)
 ```
 

tunnel/tunnel.go

@@ -26,6 +26,8 @@ type Server struct {
 	Address string
 	User    string
 	Key     string
+	// Insecure is a flag to indicate if the host keys should be validated.
+	Insecure bool
 }
 
 // NewServer creates a new instance of Server using $HOME/.ssh/config to
@@ -257,7 +259,7 @@ func sshClientConfig(server Server) (*ssh.ClientConfig, error) {
 		return nil, err
 	}
 
-	callback, err := knownHostsCallback()
+	clb, err := knownHostsCallback(server.Insecure)
 	if err != nil {
 		return nil, err
 	}
@@ -267,7 +269,7 @@ func sshClientConfig(server Server) (*ssh.ClientConfig, error) {
 		Auth: []ssh.AuthMethod{
 			ssh.PublicKeys(signer),
 		},
-		HostKeyCallback: callback,
+		HostKeyCallback: clb,
 		Timeout:         3 * time.Second,
 	}, nil
 }
@@ -279,17 +281,25 @@ func copyConn(writer, reader net.Conn) {
 	}
 }
 
-func knownHostsCallback() (ssh.HostKeyCallback, error) {
-	knownHostFile := filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts")
+func knownHostsCallback(insecure bool) (ssh.HostKeyCallback, error) {
+	var clb func(hostname string, remote net.Addr, key ssh.PublicKey) error
 
-	log.Debugf("known_hosts file used: %s", knownHostFile)
+	if insecure {
+		clb = func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+			return nil
+		}
+	} else {
+		var err error
+		knownHostFile := filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts")
+		log.Debugf("known_hosts file used: %s", knownHostFile)
 
-	callback, err := knownhosts.New(knownHostFile)
-	if err != nil {
-		return nil, fmt.Errorf("error while parsing 'known_hosts' file: %s: %v", knownHostFile, err)
+		clb, err = knownhosts.New(knownHostFile)
+		if err != nil {
+			return nil, fmt.Errorf("error while parsing 'known_hosts' file: %s: %v", knownHostFile, err)
+		}
 	}
 
-	return callback, nil
+	return clb, nil
 }
 
 func reconcileHostname(givenHostname, resolvedHostname string) string {

tunnel/tunnel_test.go

@@ -166,9 +166,10 @@ func TestTunnelOptions(t *testing.T) {
 
 }
 
+//TODO teardown the tunnel
 func TestTunnel(t *testing.T) {
 	expected := "ABC"
-	tun := prepareTunnel(t)
+	tun := prepareTunnel(t, false)
 
 	select {
 	case <-tun.Ready:
@@ -191,6 +192,37 @@ func TestTunnel(t *testing.T) {
 	if expected != response {
 		t.Errorf("expected: %s, value: %s", expected, response)
 	}
+
+	tun.Stop()
+}
+
+func TestInsecureTunnel(t *testing.T) {
+	expected := "ABC"
+	tun := prepareTunnel(t, true)
+
+	select {
+	case <-tun.Ready:
+		t.Log("tunnel is ready to accept connections")
+	case <-time.After(1 * time.Second):
+		t.Errorf("no connection after a while")
+		return
+	}
+
+	resp, err := http.Get(fmt.Sprintf("http://%s/%s", tun.listener.Addr(), expected))
+	if err != nil {
+		t.Errorf("error while making local connection: %v", err)
+		return
+	}
+	defer resp.Body.Close()
+
+	body, _ := ioutil.ReadAll(resp.Body)
+	response := string(body)
+
+	if expected != response {
+		t.Errorf("expected: %s, value: %s", expected, response)
+	}
+
+	tun.Stop()
 }
 
 func TestRandomLocalPort(t *testing.T) {
@@ -244,13 +276,18 @@ func TestMain(m *testing.M) {
 
 // prepareTunnel creates a Tunnel object making sure all infrastructure
 // dependencies (ssh and http servers) are ready.
-func prepareTunnel(t *testing.T) *Tunnel {
-	sshAddr := createSSHServer(keyPath)
-	generateKnownHosts(sshAddr.String(), publicKeyPath, knownHostsPath)
-	s, _ := NewServer("mole", sshAddr.String(), "")
+func prepareTunnel(t *testing.T, insecure bool) *Tunnel {
+	ssh := createSSHServer(keyPath)
+	srv, _ := NewServer("mole", ssh.Addr().String(), "")
 
-	httpAddr := createWebServer()
-	tun := &Tunnel{local: "127.0.0.1:0", server: s, remote: httpAddr.String(), done: make(chan error), Ready: make(chan bool, 1)}
+	srv.Insecure = insecure
+
+	if !insecure {
+		generateKnownHosts(ssh.Addr().String(), publicKeyPath, knownHostsPath)
+	}
+
+	web := createWebServer()
+	tun := &Tunnel{local: "127.0.0.1:0", server: srv, remote: web.Addr().String(), done: make(chan error), Ready: make(chan bool, 1)}
 
 	go func(t *testing.T) {
 		err := tun.Start()
@@ -322,19 +359,24 @@ func get(client http.Client, resource string) (string, error) {
 //
 // Example: If the request URI is /this-is-a-test, the response will be
 // this-is-a-test
-func createWebServer() net.Addr {
+func createWebServer() net.Listener {
 
 	handler := func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, r.URL.Path[1:])
 	}
-	http.HandleFunc("/", handler)
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", handler)
+
+	server := &http.Server{
+		Handler: mux,
+	}
+
 	l, _ := net.Listen("tcp", "127.0.0.1:0")
 
-	go func(l net.Listener) {
-		http.Serve(l, nil)
-	}(l)
+	go server.Serve(l)
 
-	return l.Addr()
+	return l
 }
 
 // createSSHServer starts a SSH server that authenticates connections using
@@ -347,7 +389,7 @@ func createWebServer() net.Addr {
 // References:
 // https://gist.github.com/jpillora/b480fde82bff51a06238
 // https://tools.ietf.org/html/rfc4254#section-7.2
-func createSSHServer(keyPath string) net.Addr {
+func createSSHServer(keyPath string) net.Listener {
 	conf := &ssh.ServerConfig{
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 			return &ssh.Permissions{}, nil
@@ -398,7 +440,7 @@ func createSSHServer(keyPath string) net.Addr {
 		}
 	}(l)
 
-	return l.Addr()
+	return l
 }
 
 // generateKnownHosts creates a new "known_hosts" file on a given path with a