sshproxy-managerd: enhance host healthcheck

Instead of just checking if a port is reachable we try to connect to the
SSH server using an already connected user.

Gopkg.toml

@@ -47,6 +47,12 @@ ignored = [
   branch = "v2"
   source = "https://github.com/go-yaml/yaml.git"
 
+[[constraint]]
+  name = "golang.org/x/crypto"
+  # Cannot use a more recent version because of commit 83c378c48 which is
+  # incompatible with Go 1.8.
+  revision = "dccd99e89d39b13e12f1103c72e3bc49eb40a833"
+
 [prune]
   non-go = true
   go-tests = true

route/route.go

@@ -12,9 +12,11 @@ package route
 import (
 	"math/rand"
 	"net"
+	"regexp"
 	"time"
 
 	"github.com/op/go-logging"
+	"golang.org/x/crypto/ssh"
 )
 
 var log = logging.MustGetLogger("sshproxy/route")
@@ -30,6 +32,8 @@ var (
 	DefaultRouteKeyword = "default:22"
 )
 
+var unableToAuthenticateRegexp = regexp.MustCompile(`handshake failed: ssh: unable to authenticate`)
+
 // HostChecker is the interface that wraps the Check method.
 //
 // Check tests if a connection to host:port can be made.
@@ -63,6 +67,28 @@ func CanConnect(hostport string) bool {
 	return true
 }
 
+// MightAuthenticate tests if a connection to host:port can initiate an handshake.
+func MightAuthenticate(hostport string, user string) bool {
+	sshConfig := &ssh.ClientConfig{
+		User: user,
+		Auth: []ssh.AuthMethod{
+			ssh.Password("ThisIsNotIntendedToBeAValidPasswordButWeDontReallyCare"),
+		},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+	log.Debug("Dialing %s with user %s", hostport, user)
+	client, err := ssh.Dial("tcp", hostport, sshConfig)
+	if err != nil {
+		if unableToAuthenticateRegexp.MatchString(err.Error()) {
+			return true
+		}
+		log.Warning("Error while dialing %v", err)
+		return false
+	}
+	client.Close()
+	return true
+}
+
 // selectDestinationOrdered selects the first reachable destination from a list
 // of destinations. It returns a string "host:port", an empty string (if no
 // destination is found) or an error.

sshproxy-managerd/sshproxy-managerd.go

@@ -16,6 +16,7 @@ import (
 	"flag"
 	"fmt"
 	"io/ioutil"
+	"math/rand"
 	"net"
 	"os"
 	"os/signal"
@@ -186,10 +187,42 @@ func (hc *hostChecker) DoCheck(hostport string) State {
 	if route.CanConnect(hostport) {
 		state = Up
 	}
+	canaryUser, err := pickUser()
+	if err == nil && canaryUser != "" && state == Up {
+		if route.MightAuthenticate(hostport, canaryUser) {
+			log.Debug("Succefully tried to authenticate to %s as %s", hostport, canaryUser)
+		} else {
+			log.Debug("Unable to try to authenticate against %s as %s", hostport, canaryUser)
+			state = Down
+		}
+	} else if err != nil {
+		log.Debugf("Unable to try to authenticate, found no user to spoof (%s)", err)
+	}
 	hc.Update(hostport, state, time.Now())
 	return state
 }
 
+func pickUser() (string, error) {
+	chosenUser := ""
+	if len(proxiedConnections) > 0 {
+		chosenItem := rand.Intn(len(proxiedConnections))
+		for k := range proxiedConnections {
+			if chosenItem == 0 {
+				user, err := getUserFromKey(k)
+				if err != nil {
+					return "", err
+				}
+				chosenUser = user
+				break
+			}
+			chosenItem--
+		}
+	} else {
+		return "", errors.New("no proxied connections, unable to pick a random user")
+	}
+	return chosenUser, nil
+}
+
 // Update updates (or creates) the state of an host in the internal view.
 func (hc *hostChecker) Update(hostport string, state State, ts time.Time) {
 	if s, ok := hc.States[hostport]; ok {
@@ -672,6 +705,8 @@ func main() {
 	}
 	defer l.Close()
 
+	rand.Seed(time.Now().Unix()) // initialize global pseudo random generator
+
 	log.Info("listening on %s\n", config.Listen)
 
 	queue := make(chan *request)