Pubkey server (#1)

Author: Ruteri

Makefile

@@ -11,11 +11,6 @@ v:
 clean:
 	rm -rf build/
 
-.PHONY: build-cli
-build-cli:
-	@mkdir -p ./build
-	go build -trimpath -ldflags "-X github.com/flashbots/ssh-pubkey-server/common.Version=${VERSION}" -v -o ./build/cli cmd/cli/main.go
-
 .PHONY: build-httpserver
 build-httpserver:
 	@mkdir -p ./build
@@ -64,15 +59,6 @@ cover-html:
 	go tool cover -html=/tmp/go-sim-lb.cover.tmp
 	unlink /tmp/go-sim-lb.cover.tmp
 
-.PHONY: docker-cli
-docker-cli:
-	DOCKER_BUILDKIT=1 docker build \
-		--platform linux/amd64 \
-		--build-arg VERSION=${VERSION} \
-		--file cli.dockerfile \
-		--tag your-project \
-	.
-
 .PHONY: docker-httpserver
 docker-httpserver:
 	DOCKER_BUILDKIT=1 docker build \

README.md

@@ -3,33 +3,16 @@
 [![Goreport status](https://goreportcard.com/badge/github.com/flashbots/ssh-pubkey-server)](https://goreportcard.com/report/github.com/flashbots/go-template)
 [![Test status](https://github.com/flashbots/ssh-pubkey-server/workflows/Checks/badge.svg?branch=main)](https://github.com/flashbots/go-template/actions?query=workflow%3A%22Checks%22)
 
-Toolbox and building blocks for new Go projects, to get started quickly and right-footed!
-
-* [`Makefile`](https://github.com/flashbots/ssh-pubkey-server/blob/main/Makefile) with `lint`, `test`, `build`, `fmt` and more
-* Linting with `gofmt`, `gofumpt`, `go vet`, `staticcheck` and `golangci-lint`
-* Logging setup using the [slog logger](https://pkg.go.dev/golang.org/x/exp/slog) (with debug and json logging options)
-* [GitHub Workflows](.github/workflows/) for linting and testing, as well as releasing and publishing Docker images
-* Entry files for [CLI](/cmd/cli/main.go) and [HTTP server](/cmd/httpserver/main.go)
-* Webserver with
-  * Graceful shutdown, implementing `livez`, `readyz` and draining API handlers
-  * Prometheus metrics
-  * Using https://pkg.go.dev/github.com/go-chi/chi/v5 for routing
-  * [Urfave](https://cli.urfave.org/) for cli args
-* https://github.com/uber-go/nilaway
-* See also:
-  * Public project setup: https://github.com/flashbots/flashbots-repository-template
-  * Repository for common Go utilities: https://github.com/flashbots/go-utils
-
-Pick and choose whatever is useful to you! Don't feel the need to use everything, or even to follow this structure.
-
 ---
 
 ## Getting started
 
-**Build CLI**
+**Run CLI**
+
+The following will request server ssh pubkey through a proxy, and separately run ssh-keyscan and will return the matching server keys that you can then append to your known_hosts.  
 
 ```bash
-make build-cli
+./cmd/cli/add_to_known_hosts.sh <attested http proxy> <host ip> >> ~/.ssh/known_hosts
 ```
 
 **Build HTTP server**
@@ -38,6 +21,12 @@ make build-cli
 make build-httpserver
 ```
 
+**Run pubkey server**
+
+```bash
+go run ./cmd/httpserver/main.go [--listen-addr=127.0.0.1:8080] [--ssh-pubkey-file=/etc/ssh/ssh_host_ed25519_key.pub]
+```
+
 **Install dev dependencies**
 
 ```bash

cli.dockerfile

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Usage: ./add_to_known_hosts.sh <http proxy> <host ip> >> ~/.ssh/known_hosts
+# Makes sure the pubkey returned from proxy matches ssh-keyscan of the host, and formats in a way that can be appended to known_hosts
+
+if [ $1 = "-h" ]; then
+	echo "Usage: ./add_to_known_hosts.sh <http proxy> <host ip> >> ~/.ssh/known_hosts (or append manually)"
+	exit 0;
+fi
+
+pubkey=`curl -s $1/pubkey`
+ssh-keyscan -H "$2" 2>/dev/null | grep "${pubkey}"

cmd/cli/add_to_known_hosts.sh

@@ -14,6 +14,11 @@ import (
 )
 
 var flags []cli.Flag = []cli.Flag{
+	&cli.StringFlag{
+		Name:  "ssh-pubkey-file",
+		Value: "/etc/ssh/ssh_host_ed25519_key.pub",
+		Usage: "path to file containing pubkey to serve",
+	},
 	&cli.StringFlag{
 		Name:  "listen-addr",
 		Value: "127.0.0.1:8080",
@@ -93,6 +98,8 @@ func main() {
 				GracefulShutdownDuration: 30 * time.Second,
 				ReadTimeout:              60 * time.Second,
 				WriteTimeout:             30 * time.Second,
+
+				SSHPubkeyPath: cCtx.String("ssh-pubkey-file"),
 			}
 
 			srv, err := httpserver.New(cfg)

cmd/cli/main.go

@@ -1,6 +1,6 @@
 module github.com/flashbots/ssh-pubkey-server
 
-go 1.21
+go 1.22
 
 require (
 	github.com/flashbots/go-utils v0.6.1-0.20240610084140-4461ab748667

cmd/httpserver/main.go

@@ -7,7 +7,7 @@ import (
 	"github.com/flashbots/ssh-pubkey-server/metrics"
 )
 
-func (s *Server) handleAPI(w http.ResponseWriter, r *http.Request) {
+func (s *Server) handleGetPubkey(w http.ResponseWriter, r *http.Request) {
 	m := s.metricsSrv.Float64Histogram(
 		"request_duration_api",
 		"API request handling duration",
@@ -18,9 +18,10 @@ func (s *Server) handleAPI(w http.ResponseWriter, r *http.Request) {
 		m.Record(r.Context(), float64(time.Since(start).Microseconds()))
 	}(time.Now())
 
-	// do work
-
-	w.WriteHeader(http.StatusOK)
+	_, err := w.Write(s.sshPubkey)
+	if err != nil {
+		s.log.Error("could not serve pubkey", "err", err)
+	}
 }
 
 func (s *Server) handleLivenessCheck(w http.ResponseWriter, r *http.Request) {

go.mod

@@ -32,9 +32,22 @@ func Test_Handlers_Healthcheck_Drain_Undrain(t *testing.T) {
 		DrainDuration: latency,
 		ListenAddr:    listenAddr,
 		Log:           getTestLogger(),
+		SSHPubkeyPath: "./test_key.pub",
 	})
 	require.NoError(t, err)
 
+	{ // Check pubkey
+		req := httptest.NewRequest(http.MethodGet, "http://localhost"+listenAddr+"/pubkey", nil) //nolint:goconst,nolintlint
+		w := httptest.NewRecorder()
+		s.handleGetPubkey(w, req)
+		resp := w.Result()
+		defer resp.Body.Close()
+		data, err := io.ReadAll(resp.Body)
+		require.NoError(t, err)
+		require.Equal(t, http.StatusOK, resp.StatusCode)
+		require.Equal(t, data, []byte("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFGGVd5nQewq0hETk2Tr/P7OZxTW/4aftdfh9/cAe7FC"))
+	}
+
 	{ // Check health
 		req := httptest.NewRequest(http.MethodGet, "http://localhost"+listenAddr+"/readyz", nil) //nolint:goconst,nolintlint
 		w := httptest.NewRecorder()

httpserver/handler.go

@@ -1,15 +1,17 @@
 package httpserver
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"log/slog"
 	"net/http"
+	"os"
 	"time"
 
+	"github.com/flashbots/go-utils/httplogger"
 	"github.com/flashbots/ssh-pubkey-server/common"
 	"github.com/flashbots/ssh-pubkey-server/metrics"
-	"github.com/flashbots/go-utils/httplogger"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 	"go.uber.org/atomic"
@@ -25,13 +27,17 @@ type HTTPServerConfig struct {
 	GracefulShutdownDuration time.Duration
 	ReadTimeout              time.Duration
 	WriteTimeout             time.Duration
+
+	SSHPubkeyPath string
 }
 
 type Server struct {
 	cfg     *HTTPServerConfig
 	isReady atomic.Bool
 	log     *slog.Logger
 
+	sshPubkey []byte
+
 	srv        *http.Server
 	metricsSrv *metrics.MetricsServer
 }
@@ -42,16 +48,24 @@ func New(cfg *HTTPServerConfig) (srv *Server, err error) {
 		return nil, err
 	}
 
+	sshPubkey, err := os.ReadFile(cfg.SSHPubkeyPath)
+	if err != nil {
+		return nil, err
+	}
+	// pubkey is in the form <type> <key> <host>. we want to drop the host
+	sshPubkey = bytes.Join(bytes.Fields(sshPubkey)[0:2], []byte(" "))
+
 	srv = &Server{
 		cfg:        cfg,
 		log:        cfg.Log,
+		sshPubkey:  sshPubkey,
 		srv:        nil,
 		metricsSrv: metricsSrv,
 	}
 	srv.isReady.Swap(true)
 
 	mux := chi.NewRouter()
-	mux.With(srv.httpLogger).Get("/api", srv.handleAPI) // Never serve at `/` (root) path
+	mux.With(srv.httpLogger).Get("/pubkey", srv.handleGetPubkey) // Never serve at `/` (root) path
 	mux.With(srv.httpLogger).Get("/livez", srv.handleLivenessCheck)
 	mux.With(srv.httpLogger).Get("/readyz", srv.handleReadinessCheck)
 	mux.With(srv.httpLogger).Get("/drain", srv.handleDrain)

httpserver/handler_test.go

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFGGVd5nQewq0hETk2Tr/P7OZxTW/4aftdfh9/cAe7FC user@host