commit baa2b590cc3a5f63bc52c3324f2835666b9ae450
author Sean McCullough <banksean@gmail.com> Wed Apr 23 10:40:08 2025 -0700
committer GitHub <noreply@github.com> Wed Apr 23 10:40:08 2025 -0700
tree 69b313aab41b2f3d3cd27c72ce7d09f6b6453aa6
parent 97188fc1955f036e57c42a2f345b3c01fc5f0dc0

sketch: initial container ssh support (#15)

Adds an in-process ssh server to the sketch agent running inside
the container.

The ssh server implementation uses https://github.com/gliderlabs/ssh/

This change does not automatically generate any keys (this may come later).
You specify the server identity private key and the user's authorized public
keys on the sketch command line.

The host sketch process reads these files from the cli flags at startup. Once
the container is launched, it passes these keys to to the container
sketch process via new /init POST body fields.

loop/server/sshserver.go

diff --git a/loop/server/sshserver.go b/loop/server/sshserver.go
new file mode 100644
index 0000000..2b1f9e8
--- /dev/null
+++ b/loop/server/sshserver.go
@@ -0,0 +1,60 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"syscall"
+	"unsafe"
+
+	"github.com/creack/pty"
+	"github.com/gliderlabs/ssh"
+)
+
+func setWinsize(f *os.File, w, h int) {
+	syscall.Syscall(syscall.SYS_IOCTL, f.Fd(), uintptr(syscall.TIOCSWINSZ),
+		uintptr(unsafe.Pointer(&struct{ h, w, x, y uint16 }{uint16(h), uint16(w), 0, 0})))
+}
+
+func (s *Server) ServeSSH(ctx context.Context, hostKey, authorizedKeys []byte) error {
+	allowed, _, _, _, err := ssh.ParseAuthorizedKey(authorizedKeys)
+	if err != nil {
+		return fmt.Errorf("ServeSSH: couldn't parse authorized keys: %w", err)
+	}
+	return ssh.ListenAndServe(":2022",
+		func(s ssh.Session) {
+			handleSessionfunc(ctx, s)
+		},
+		ssh.HostKeyPEM(hostKey),
+		ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) bool {
+			return ssh.KeysEqual(key, allowed)
+		}),
+	)
+}
+
+func handleSessionfunc(ctx context.Context, s ssh.Session) {
+	cmd := exec.CommandContext(ctx, "/bin/bash")
+	ptyReq, winCh, isPty := s.Pty()
+	if isPty {
+		cmd.Env = append(cmd.Env, fmt.Sprintf("TERM=%s", ptyReq.Term))
+		f, err := pty.Start(cmd)
+		if err != nil {
+			panic(err)
+		}
+		go func() {
+			for win := range winCh {
+				setWinsize(f, win.Width, win.Height)
+			}
+		}()
+		go func() {
+			io.Copy(f, s) // stdin
+		}()
+		io.Copy(s, f) // stdout
+		cmd.Wait()
+	} else {
+		io.WriteString(s, "No PTY requested.\n")
+		s.Exit(1)
+	}
+}