This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update module golang.org/x/crypto to v0.23.0

Detected dependencies

Currently only the final byte is being parsed.

Spec: resin-io/hq#623

sshproxy should probably set the tty options of the process that is currently been exec()'ed accordingly when it receives a window-change event from the client. One thing I've also noticed is that a PTY session seemingly freezes if a window size is modified, I still can't tell if this is a sshproxy issue or not.

I'm not opening a separate issue, but tty size (rows/cols) should be set from the beginning - I'd expect pty-req event/request type to have this accompanying info.

In https://github.com/resin-io/sshproxy/blob/master/resin/main.go#L37:

import (
   [...]
   "github.com/resin-io/sshproxy"
   [...]
)

I'm new to Golang, but I got a bit confused with this ^ because trying to make changes to sshproxy.go and then rebuilding the project (make release) doesn't pick up new changes.

[edit] For more context, my working dir was /go/src/sshproxy , which was probably wrong in the first place - I've now been using /go/src/resin-io/sshproxy and rebuilding the artifacts seems to work fine.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

It is not necessary to log every incoming request

On moving from Debian Stretch to Buster as the base image, several changes have occurred. One of these appears to be the format in which keys are generated via ssh-keygen.

In Stretch, keys have the default PEM format:

-----BEGIN RSA PRIVATE KEY-----

In Buster, they've moved to the OpenSSH format:

-----BEGIN OPENSSH PRIVATE KEY-----

sshproxy uses ssh-keygen to create its keys on startup, so under Buster, it now generates keys it can't handle and fails to start the server.

We can quickfix this by adding -m PEM to the CLI use.

A longterm fix could be ensuring the correct keytypes are generated by sshproxy itself (or supporting the OpenSSH key format).

In https://github.com/resin-io/sshproxy/blob/master/sshproxy.go#L168

We should definitely not be accepting/setting arbitrary, client-side env variables, as it poses a security risk. Is this the case here?

[edit: ] it apparently is the case that user-sent env vars are always set, also renamed the issue title accordingly

The description might be a bit vague, I'm opening this ticket to make sure it doesn't slip through.

The steps to reproduce are

• Connect with resin ssh as usual
• kill -9 the ssh client process

While the sshproxy <-> client socket will be closed properly, the script that has been started by sshproxy will continue running and the proxy <-> device ssh connection will remain active.

==================
WARNING: DATA RACE
Write at 0x00c4201ba208 by goroutine 32:
  os/exec.(*Cmd).Wait()
      /usr/local/Cellar/go/1.9.2/libexec/src/os/exec/exec.go:450 +0x163
  github.com/resin-io/sshproxy.(*Server).handleRequests.func1.1()
      /Users/wrboyce/Dev/resin/.go/src/github.com/resin-io/sshproxy/sshproxy.go:249 +0x4c

Previous read at 0x00c4201ba208 by goroutine 30:
  github.com/resin-io/sshproxy.(*Server).handleRequests.func1()
      /Users/wrboyce/Dev/resin/.go/src/github.com/resin-io/sshproxy/sshproxy.go:269 +0x29b

Goroutine 32 (running) created at:
  github.com/resin-io/sshproxy.(*Server).handleRequests.func1()
      /Users/wrboyce/Dev/resin/.go/src/github.com/resin-io/sshproxy/sshproxy.go:248 +0x8a

Goroutine 30 (finished) created at:
  github.com/resin-io/sshproxy.(*Server).handleRequests()
      /Users/wrboyce/Dev/resin/.go/src/github.com/resin-io/sshproxy/sshproxy.go:246 +0xb0d
  github.com/resin-io/sshproxy.(*Server).handleChannels.func1()
      /Users/wrboyce/Dev/resin/.go/src/github.com/resin-io/sshproxy/sshproxy.go:176 +0x8a
==================

Reproducible using:

package sshproxy_test

import (
	"net"
	"time"
	"testing"

	"golang.org/x/crypto/ssh"
	"github.com/resin-io/sshproxy"
)

func TestRace(t *testing.T) {
	server, err := sshproxy.New("/tmp", "/bin/bash", false, nil, nil, nil)
	if err != nil {
		t.Errorf("error calling sshproxy.New :( %q", err)
	}
	port := "12345"
	go server.Listen(port)

	config := &ssh.ClientConfig{
		User: "user",
		Auth: []ssh.AuthMethod{
			ssh.Password("password"),
		},
		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
			return nil
		},
	}
	for i := 0; i < 10; i++ {
		client, err := ssh.Dial("tcp", "localhost:12345", config)
		if err != nil {
			t.Errorf("Cannot connect to server :( %q", err)
		}
		session, err := client.NewSession()
		if err != nil {
			t.Errorf("Cannot create session :( %q", err)
		}
		time.Sleep(time.Second)
		_, err = session.SendRequest("exec", false, []byte{0, 0, 0, 4, 't', 'e', 's', 't'})
		if err != nil {
			t.Errorf("Cannot send exec request :( %q", err)
		}
		time.Sleep(time.Duration(i * 100) * time.Millisecond)
		client.Close()
	}
}

This README is pretty sweet (https://github.com/resin-io/sshproxy/blob/master/resin/README.md), it'd be great if we had it under the main folder (for a moment I thought documentation slipped through when transferring the repo, but it simply is one level deeper)

Ref.

https://app.frontapp.com/open/cnv_6s4t5l
https://www.flowdock.com/app/rulemotion/resin-tech/threads/fMzdZ0HIyA8TZYXTTZNGU9fs7w2
https://www.flowdock.com/app/rulemotion/resin-tech/threads/FCOgP-6bYRwFn_tRzs3wWgHHD7M

Front conversations