[client,management] Rewrite the SSH feature (#4015)

client/wasm/internal/ssh/client.go

@@ -13,6 +13,7 @@ import (
 	"golang.org/x/crypto/ssh"
 
 	netbird "github.com/netbirdio/netbird/client/embed"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
 )
 
 const (
@@ -45,34 +46,19 @@ func NewClient(nbClient *netbird.Client) *Client {
 }
 
 // Connect establishes an SSH connection through NetBird network
-func (c *Client) Connect(host string, port int, username string) error {
+func (c *Client) Connect(host string, port int, username, jwtToken string) error {
 	addr := fmt.Sprintf("%s:%d", host, port)
 	logrus.Infof("SSH: Connecting to %s as %s", addr, username)
 
-	var authMethods []ssh.AuthMethod
-
-	nbConfig, err := c.nbClient.GetConfig()
+	authMethods, err := c.getAuthMethods(jwtToken)
 	if err != nil {
-		return fmt.Errorf("get NetBird config: %w", err)
+		return err
 	}
-	if nbConfig.SSHKey == "" {
-		return fmt.Errorf("no NetBird SSH key available - key should be generated during client initialization")
-	}
-
-	signer, err := parseSSHPrivateKey([]byte(nbConfig.SSHKey))
-	if err != nil {
-		return fmt.Errorf("parse NetBird SSH private key: %w", err)
-	}
-
-	pubKey := signer.PublicKey()
-	logrus.Infof("SSH: Using NetBird key authentication with public key type: %s", pubKey.Type())
-
-	authMethods = append(authMethods, ssh.PublicKeys(signer))
 
 	config := &ssh.ClientConfig{
 		User:            username,
 		Auth:            authMethods,
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		HostKeyCallback: nbssh.CreateHostKeyCallback(c.nbClient),
 		Timeout:         sshDialTimeout,
 	}
 
@@ -96,6 +82,33 @@ func (c *Client) Connect(host string, port int, username string) error {
 	return nil
 }
 
+// getAuthMethods returns SSH authentication methods, preferring JWT if available
+func (c *Client) getAuthMethods(jwtToken string) ([]ssh.AuthMethod, error) {
+	if jwtToken != "" {
+		logrus.Debugf("SSH: Using JWT password authentication")
+		return []ssh.AuthMethod{ssh.Password(jwtToken)}, nil
+	}
+
+	logrus.Debugf("SSH: No JWT token, using public key authentication")
+
+	nbConfig, err := c.nbClient.GetConfig()
+	if err != nil {
+		return nil, fmt.Errorf("get NetBird config: %w", err)
+	}
+
+	if nbConfig.SSHKey == "" {
+		return nil, fmt.Errorf("no NetBird SSH key available")
+	}
+
+	signer, err := ssh.ParsePrivateKey([]byte(nbConfig.SSHKey))
+	if err != nil {
+		return nil, fmt.Errorf("parse NetBird SSH private key: %w", err)
+	}
+
+	logrus.Debugf("SSH: Added public key auth")
+	return []ssh.AuthMethod{ssh.PublicKeys(signer)}, nil
+}
+
 // StartSession starts an SSH session with PTY
 func (c *Client) StartSession(cols, rows int) error {
 	if c.sshClient == nil {

client/wasm/internal/ssh/key.go

@@ -1,50 +0,0 @@
-//go:build js
-
-package ssh
-
-import (
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-	"strings"
-
-	"github.com/sirupsen/logrus"
-	"golang.org/x/crypto/ssh"
-)
-
-// parseSSHPrivateKey parses a private key in either SSH or PKCS8 format
-func parseSSHPrivateKey(keyPEM []byte) (ssh.Signer, error) {
-	keyStr := string(keyPEM)
-	if !strings.Contains(keyStr, "-----BEGIN") {
-		keyPEM = []byte("-----BEGIN PRIVATE KEY-----\n" + keyStr + "\n-----END PRIVATE KEY-----")
-	}
-
-	signer, err := ssh.ParsePrivateKey(keyPEM)
-	if err == nil {
-		return signer, nil
-	}
-	logrus.Debugf("SSH: Failed to parse as SSH format: %v", err)
-
-	block, _ := pem.Decode(keyPEM)
-	if block == nil {
-		keyPreview := string(keyPEM)
-		if len(keyPreview) > 100 {
-			keyPreview = keyPreview[:100]
-		}
-		return nil, fmt.Errorf("decode PEM block from key: %s", keyPreview)
-	}
-
-	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
-	if err != nil {
-		logrus.Debugf("SSH: Failed to parse as PKCS8: %v", err)
-		if rsaKey, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
-			return ssh.NewSignerFromKey(rsaKey)
-		}
-		if ecKey, err := x509.ParseECPrivateKey(block.Bytes); err == nil {
-			return ssh.NewSignerFromKey(ecKey)
-		}
-		return nil, fmt.Errorf("parse private key: %w", err)
-	}
-
-	return ssh.NewSignerFromKey(key)
-}