Add ssh authenatication with jwt (#4550)

2026-04-23 02:36:42 +00:00 · 2025-10-07 23:38:27 +02:00
parent 7e0bbaaa3c
commit d9efe4e944
50 changed files with 4429 additions and 2336 deletions
--- a/client/wasm/internal/ssh/client.go
+++ b/client/wasm/internal/ssh/client.go
@@ -13,6 +13,7 @@ import (
 	"golang.org/x/crypto/ssh"

 	netbird "github.com/netbirdio/netbird/client/embed"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
 )

 const (
@@ -45,34 +46,19 @@ func NewClient(nbClient *netbird.Client) *Client {
 }

 // Connect establishes an SSH connection through NetBird network
-func (c *Client) Connect(host string, port int, username string) error {
+func (c *Client) Connect(host string, port int, username, jwtToken string) error {
 	addr := fmt.Sprintf("%s:%d", host, port)
 	logrus.Infof("SSH: Connecting to %s as %s", addr, username)

-	var authMethods []ssh.AuthMethod
-
-	nbConfig, err := c.nbClient.GetConfig()
+	authMethods, err := c.getAuthMethods(jwtToken)
 	if err != nil {
-		return fmt.Errorf("get NetBird config: %w", err)
+		return err
 	}
-	if nbConfig.SSHKey == "" {
-		return fmt.Errorf("no NetBird SSH key available - key should be generated during client initialization")
-	}
-
-	signer, err := parseSSHPrivateKey([]byte(nbConfig.SSHKey))
-	if err != nil {
-		return fmt.Errorf("parse NetBird SSH private key: %w", err)
-	}
-
-	pubKey := signer.PublicKey()
-	logrus.Infof("SSH: Using NetBird key authentication with public key type: %s", pubKey.Type())
-
-	authMethods = append(authMethods, ssh.PublicKeys(signer))

 	config := &ssh.ClientConfig{
 		User:            username,
 		Auth:            authMethods,
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		HostKeyCallback: nbssh.CreateHostKeyCallback(c.nbClient),
 		Timeout:         sshDialTimeout,
 	}

@@ -96,6 +82,33 @@ func (c *Client) Connect(host string, port int, username string) error {
 	return nil
 }

+// getAuthMethods returns SSH authentication methods, preferring JWT if available
+func (c *Client) getAuthMethods(jwtToken string) ([]ssh.AuthMethod, error) {
+	if jwtToken != "" {
+		logrus.Debugf("SSH: Using JWT password authentication")
+		return []ssh.AuthMethod{ssh.Password(jwtToken)}, nil
+	}
+
+	logrus.Debugf("SSH: No JWT token, using public key authentication")
+
+	nbConfig, err := c.nbClient.GetConfig()
+	if err != nil {
+		return nil, fmt.Errorf("get NetBird config: %w", err)
+	}
+
+	if nbConfig.SSHKey == "" {
+		return nil, fmt.Errorf("no NetBird SSH key available")
+	}
+
+	signer, err := ssh.ParsePrivateKey([]byte(nbConfig.SSHKey))
+	if err != nil {
+		return nil, fmt.Errorf("parse NetBird SSH private key: %w", err)
+	}
+
+	logrus.Debugf("SSH: Added public key auth")
+	return []ssh.AuthMethod{ssh.PublicKeys(signer)}, nil
+}
+
 // StartSession starts an SSH session with PTY
 func (c *Client) StartSession(cols, rows int) error {
 	if c.sshClient == nil {