Remove host key env vars

Author: cedws

README.md

@@ -31,17 +31,20 @@ Connection closed by UNKNOWN port 65535
 
 sshgate doesn't care about the username used for the jump hop. It doesn't care about the usernames in subsequent hops either; that information is opaque, it simply forwards the traffic to the client.
 
-Since we didn't pass any SSH host keys to sshgate earlier, it generated an ephemeral ED25519 host key on startup. For the server to have a persistent identity, generate an SSH keypair and set `SSHGATE_HOST_KEY_PATH_*` to the path of the private key.
+Since we didn't pass any SSH host keys to sshgate earlier, it generated an ephemeral ED25519 host key on startup. For the server to have a persistent identity, generate an SSH keypair and set `host_key_paths` in the config file accordingly. You may set an ED25519, ECDSA, and RSA host key.
 
 For example, to set the server's ED25519 identity:
 
 ```
 ssh-keygen -t ed25519 -f sshgate
-export SSHGATE_HOST_KEY_PATH_ED25519=./sshgate
 ```
 
-You can also set an RSA and ECDSA identity if you wish.
+Add to the config:
 
-- `SSHGATE_HOST_KEY_PATH_RSA`
-- `SSHGATE_HOST_KEY_PATH_ED25519`
-- `SSHGATE_HOST_KEY_PATH_ECDSA`
+```json
+{
+  "host_key_paths": {
+    "ed25519": "./sshgate"
+  }
+}
+```

pkg/sshgate/config.go

@@ -1,8 +1,6 @@
 package sshgate
 
 import (
-	"crypto/ed25519"
-	"crypto/rand"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -20,8 +18,15 @@ type RawRule struct {
 	Ports []int    `json:"ports,omitempty"`
 }
 
+type HostKeyPaths struct {
+	ECDSA   string `json:"ecdsa,omitempty"`
+	ED25519 string `json:"ed25519,omitempty"`
+	RSA     string `json:"rsa,omitempty"`
+}
+
 type Config struct {
-	Identities []Identity `json:"identities,omitempty"`
+	Identities   []Identity   `json:"identities,omitempty"`
+	HostKeyPaths HostKeyPaths `json:"host_key_paths"`
 
 	signers          []ssh.Signer
 	identityRulesets map[string][]*Ruleset
@@ -63,7 +68,7 @@ func ReadConfig(path string) (*Config, error) {
 		return nil, err
 	}
 
-	config.signers, err = parseHostKeys()
+	config.signers, err = parseHostKeys(config.HostKeyPaths)
 	if err != nil {
 		return nil, fmt.Errorf("invalid host keys: %w", err)
 	}
@@ -73,27 +78,31 @@ func ReadConfig(path string) (*Config, error) {
 	return &config, nil
 }
 
-func parseHostKeys() ([]ssh.Signer, error) {
+func parseHostKeys(hostKeyPaths HostKeyPaths) ([]ssh.Signer, error) {
 	var signers []ssh.Signer
 
-	for _, envVar := range []string{
-		"SSHGATE_HOST_KEY_PATH_RSA",
-		"SSHGATE_HOST_KEY_PATH_ED25519",
-		"SSHGATE_HOST_KEY_PATH_ECDSA",
+	for keyType, keyPath := range map[string]string{
+		"ssh-ecdsa":   hostKeyPaths.ECDSA,
+		"ssh-ed25519": hostKeyPaths.ED25519,
+		"ssh-rsa":     hostKeyPaths.RSA,
 	} {
-		keyPath := os.Getenv(envVar)
 		if keyPath == "" {
 			continue
 		}
 
 		key, err := os.ReadFile(keyPath)
 		if err != nil {
-			return nil, fmt.Errorf("failed to read host key %s: %w", envVar, err)
+			return nil, fmt.Errorf("failed to read host key %s: %w", keyPath, err)
 		}
 
 		signer, err := ssh.ParsePrivateKey([]byte(key))
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse host key %s: %w", envVar, err)
+			return nil, fmt.Errorf("failed to parse host key %s: %w", keyPath, err)
+		}
+
+		// Don't allow key of unexpected type to be smuggled in
+		if signer.PublicKey().Type() != keyType {
+			return nil, fmt.Errorf("expected key of type %s but got %s", keyType, signer.PublicKey().Type())
 		}
 
 		signers = append(signers, signer)
@@ -102,20 +111,6 @@ func parseHostKeys() ([]ssh.Signer, error) {
 	return signers, nil
 }
 
-func generateSigner() (ssh.Signer, error) {
-	_, privKey, err := ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate Ed25519 key: %w", err)
-	}
-
-	signer, err := ssh.NewSignerFromSigner(privKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create signer: %w", err)
-	}
-
-	return signer, nil
-}
-
 func parseIdentities(identities []Identity) map[string][]*Ruleset {
 	rulesByFingerprints := make(map[string][]*Ruleset)
 

pkg/sshgate/sshgate.go

@@ -3,6 +3,8 @@ package sshgate
 import (
 	"bytes"
 	"context"
+	"crypto/ed25519"
+	"crypto/rand"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -51,6 +53,20 @@ func readUint32(r *bytes.Reader) (uint32, error) {
 	return v, nil
 }
 
+func generateSigner() (ssh.Signer, error) {
+	_, privKey, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate Ed25519 key: %w", err)
+	}
+
+	signer, err := ssh.NewSignerFromSigner(privKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create signer: %w", err)
+	}
+
+	return signer, nil
+}
+
 type directTCPIPExtraData struct {
 	DestHost   string
 	DestPort   int
@@ -107,7 +123,7 @@ func (s *Server) ListenAndServe(ctx context.Context) error {
 		PublicKeyCallback: s.pubkeyCallback,
 	}
 
-	var signers []ssh.Signer
+	signers := make([]ssh.Signer, len(s.config.signers))
 	if copy(signers, s.config.signers) == 0 {
 		slog.Warn("no host keys provided in config, generating ephemeral ed25519 host key")