
breakglass's Introduction

Overview

With gokrazy, you can deploy your Go programs as appliances to a Raspberry Pi or PC (→ supported platforms).

For a long time, we were unhappy with having to care about security issues and Linux distribution maintenance on our various Raspberry Pis.

Then, we had a crazy idea: what if we got rid of memory-unsafe languages and all software we don’t strictly need?

Turns out this is feasible. gokrazy is the result.

→ Learn more at gokrazy.org

GitHub Repository structure

Documentation

gokrazy.org uses hugo for creating and generating the website. You can find the hugo install instructions here: Install Hugo. With hugo you can write documentation in Markdown and generate a static website from it.

The website subdirectory is hugo’s root directory. In order to preview the documentation or to re-generate the website, switch the directory to website.

To preview the website, run the hugo webserver:

hugo serve

Generate the website:

hugo

The updated website content will be stored in the ./docs directory. Do not update anything here manually.

breakglass's Issues

"sh": executable file not found in $PATH

Hi,

After transferring the breakglass.tar, the gokrazy output was:
2019/07/24 14:35:00 breakglass.go:81: user "root" successfully authorized from remote addr 192.168.0.79:37502
2019/07/24 14:35:00 scp.go:78: extracting "sh"
2019/07/24 14:35:00 ssh.go:52: requests exhausted

but when I launched a ssh session with: ssh gokrazy@host, gokrazy returned:
2019/07/24 14:35:19 breakglass.go:81: user "gokrazy" successfully authorized from remote addr 192.168.0.79:37506
2019/07/24 14:35:19 ssh.go:178: Starting cmd ["sh"]
2019/07/24 14:35:19 ssh.go:40: request("shell"): exec: "sh": executable file not found in $PATH
and on the terminal: shell request failed on channel 0

Do you have any idea why this happens?

Thank you

/etc/breakglass.authorized_keys: is a directory

This error surprised me - on macOS after setting up a new gokrazy device.

2024/06/06 12:44:12 gokrazy: attempt 5, starting ["/user/breakglass" "-authorized_keys=/etc/breakglass.authorized_keys"]
2024/06/06 12:44:12 breakglass.go:205: read /etc/breakglass.authorized_keys: is a directory

Trying to debug now.

Allow users to upload key

The current SSH process is targeted at images built onsite but not suitable for CI-generated images:

  • host key generation could be integrated in breakglass itself imho
  • uploading user key should be possible through gokrazy admin UI if the key cannot be supplied during build

Document the requirements for the ssh keys

Apparently RSA Keys do not work with breakglass:

# ecdsa
2022/03/03 23:32:04 breakglass.go:117: user "chris" successfully authorized from remote addr 1.2.3.4:57006
2022/03/03 23:32:04 ssh.go:316: Starting cmd ["/tmp/serial-busybox/ash" "-c" "sh"]
2022/03/03 23:32:06 ssh.go:142: requests exhausted
# ed25519
2022/03/03 23:32:17 breakglass.go:117: user "chris" successfully authorized from remote addr 1.2.3.4:57008
2022/03/03 23:32:17 ssh.go:316: Starting cmd ["/tmp/serial-busybox/ash" "-c" "sh"]
2022/03/03 23:32:20 ssh.go:142: requests exhausted
# rsa
2022/03/03 23:32:31 breakglass.go:174: handshake: [ssh: no auth passed yet]
ssh output:
$ ssh -v -i testkey_rsa johnny                                                                  255 ↵
OpenSSH_8.9p1 Debian-3, OpenSSL 1.1.1m  14 Dec 2021
debug1: Reading configuration data /home/chris/.ssh/config
debug1: Reading configuration data /home/chris/.ssh/config_mathi
debug1: Reading configuration data /home/chris/.ssh/config_mathphys
debug1: Reading configuration data /home/chris/.ssh/config_mathphys_teleport_proxy
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to johnny [1.2.3.4] port 22.
debug1: connect to address 1.2.3.4 port 22: No route to host
debug1: Connecting to johnny [1.2.3.4] port 22.
debug1: connect to address 1.2.3.4 port 22: No route to host
debug1: Connecting to johnny [1.2.3.4] port 22.
debug1: Connection established.
debug1: identity file testkey_rsa type 0
debug1: identity file testkey_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Debian-3
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug1: Authenticating to johnny:22 as 'chris'
debug1: load_hostkeys: fopen /home/chris/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:6r4pozsLKfLbvVtiJcbFBiunBpMeOR9ecnFrO4fm8KY
debug1: load_hostkeys: fopen /home/chris/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'johnny' is known and matches the RSA host key.
debug1: Found key in /home/chris/.ssh/known_hosts:341
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /home/chris/.ssh/id_rsa RSA SHA256:eZ4lCaCVZVXbOcBNqyLI4XLDjyUEoExRu3GF+hgSlMQ agent
debug1: Will attempt key: /home/chris/.ssh/[email protected] RSA SHA256:AAtYt2TtXf4QHT+c2uTLiSACq6PNdEj/6X6/CUfSXb8 agent
debug1: Will attempt key: testkey_rsa RSA SHA256:+9EnpHmzuv0vNhzsU/hwPdv03YhLMX/4tIJN/KH0Dto explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/chris/.ssh/id_rsa RSA SHA256:eZ4lCaCVZVXbOcBNqyLI4XLDjyUEoExRu3GF+hgSlMQ agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/chris/.ssh/[email protected] RSA SHA256:AAtYt2TtXf4QHT+c2uTLiSACq6PNdEj/6X6/CUfSXb8 agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: testkey_rsa RSA SHA256:+9EnpHmzuv0vNhzsU/hwPdv03YhLMX/4tIJN/KH0Dto explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
chris@johnny: Permission denied (publickey).

I am not sure whether this is expected and just needs documentation or if it is a bug ...

make parsing authorized_keys more robust

When copying ~/.ssh/authorized_keys from my workstation, breakglass can’t start. Once I remove all entries but the ssh-rsa one I want to use, things start working.

Will need to look more closely into this.
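A defensive parser for the situation described in this issue, added here as an example and not breakglass's own code: it accepts the usual entries of a workstation authorized_keys file (comments, blank lines, options-prefixed keys), cross-checks the text label against the key type embedded in the base64 blob, and reports the line numbers it skipped instead of failing on the first odd entry. The sample file and its truncated blobs are constructed; they are not real keys.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// sample is a constructed authorized_keys file (truncated blobs, not real keys).
const sample = `# copied from a workstation
no-pty,command="/bin/true" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA chris@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB chris@desktop
ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAA label-contradicts-blob
this is not a key
`

// ParseAuthorizedKeys returns every well-formed "type blob" pair plus the 1-based
// numbers of the lines it skipped, so one odd copied entry is reported, not fatal.
func ParseAuthorizedKeys(text string) (keys []string, skipped []int) {
lines:
	for i, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue // blank lines and comments are fine
		}
		for j := 0; j <= 1 && j+1 < len(f); j++ { // bare, then options-prefixed
			if validBlob(f[j], f[j+1]) {
				keys = append(keys, f[j]+" "+f[j+1])
				continue lines
			}
		}
		skipped = append(skipped, i+1)
	}
	return keys, skipped
}

// validBlob checks that the key type embedded in the SSH wire format blob matches the label.
func validBlob(keyType, blob string) bool {
	b, err := base64.StdEncoding.DecodeString(blob)
	if err != nil || len(b) < 4 || binary.BigEndian.Uint32(b) > uint32(len(b)-4) {
		return false
	}
	return string(b[4:4+binary.BigEndian.Uint32(b)]) == keyType
}

func main() {
	keys, skipped := ParseAuthorizedKeys(sample)
	fmt.Printf("accepted %d keys, skipped lines %v\n", len(keys), skipped)
}
```

Options fields that contain spaces (for example a quoted command with arguments) are not handled by the simple field split; a production parser would need a quote-aware tokenizer for that.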

Support -tls=self-signed

Breakglass has no option that would allow it to be used with self-signed TLS certs generated by gokr-packer -tls=self-signed. Also no -insecure flag. Since gokrazy redirects to https when TLS is in use, breakglass won't work with TLS.

I think it should trust the same certs as gokr-packer does. Probably would need to move that code under internal/ but I think this is a refactoring @stapelberg would have opinions on so probably not a good PR candidate.

Enhancement: add port forwarding

It would be nice if the SSH implementation could forward local ports (potentially even remote ones?) for the purpose of application support. I'd be happy to look into implementation if this is an acceptable use case and I could get some pointers where to find the relevant sub protocol.
