added ssh support for Windows VMs (#8)

2018-10-23 10:42:16 -07:00 · 2018-10-23 10:42:16 -07:00 · 61fdec1429
--- a/parts/vars.t
+++ b/parts/vars.t
@ -70,6 +70,20 @@
          "sourceAddressPrefix": "*"
        },
        "name": "rdp"
+      },
+      {
+        "properties": {
+          "priority": 210,
+          "access": "Allow",
+          "direction": "Inbound",
+          "destinationPortRange": "22",
+          "sourcePortRange": "*",
+          "destinationAddressPrefix": "*",
+          "protocol": "Tcp",
+          "description": "Allow SSH",
+          "sourceAddressPrefix": "*"
+        },
+        "name": "ssh"
      }
    ],
    "securityRules": "[if(equals(parameters('osImageName'), 'WindowsServer_2016'), variables('windowsSecurityRules'), variables('linuxSecurityRules'))]",
--- a/parts/windowsProvision.ps1
+++ b/parts/windowsProvision.ps1
@ -2,6 +2,68 @@
 mkdir c:/tmp
 cd c:/tmp

+function InstallOpenSSH()
+{
+    $sshPubKey = "SSH_PUB_KEY"
+    if (!$sshPubKey) {
+        Write-Output "SSH public key is omitted. Skipping OpenSSH installation."
+        return
+    }
+    Write-Output "Installing OpenSSH"
+
+    try {
+        $rslt = ( get-service | where { $_.name -like "sshd" } )
+        if ($rslt.count -eq 0) {
+            $list = (Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Server*')
+            if ($list) {
+                Add-WindowsCapability -Online -Name $list.Name
+                Install-Module -Force OpenSSHUtils
+            } else {
+                $open_ssh_uri = "https://github.com/PowerShell/Win32-OpenSSH/releases/download/v7.7.2.0p1-Beta/OpenSSH-Win64.zip"
+                $open_ssh_file = "C:/tmp/OpenSSH-Win64.zip"
+                & curl.exe -L -o $open_ssh_file $open_ssh_uri
+                & 7z x $open_ssh_file -oC:/tmp
+                c:/tmp/OpenSSH-Win64/install-sshd.ps1
+            }
+        }
+        Start-Service sshd
+        & netsh advfirewall firewall add rule name="SSH TCP Port 22" dir=in action=allow protocol=TCP localport=22
+
+        Write-Output "Creating authorized key"
+        $path = "C:\AzureData\authorized_keys"
+        Set-Content -Path $path -Value $sshPubKey -Encoding Ascii
+
+        (Get-Content C:\ProgramData\ssh\sshd_config) -replace "AuthorizedKeysFile(\s+).ssh/authorized_keys", "AuthorizedKeysFile $path" | Set-Content C:\ProgramData\ssh\sshd_config
+        $acl = Get-Acl -Path $path
+        $acl.SetAccessRuleProtection($True, $True)
+        $acl | Set-Acl -Path $path
+
+        $acl = Get-Acl -Path $path
+        $rules = $acl.Access
+        $usersToRemove = @("Everyone","BUILTIN\Users","NT AUTHORITY\Authenticated Users")
+        foreach ($u in $usersToRemove) {
+            $targetrule = $rules | where IdentityReference -eq $u
+            if ($targetrule) {
+                $acl.RemoveAccessRule($targetrule)
+            }
+        }
+        $acl | Set-Acl -Path $path
+
+        Restart-Service sshd
+
+        $sshStartCmd = "C:\AzureData\OpenSSHStart.ps1"
+        Set-Content -Path $sshStartCmd -Value "Start-Service sshd"
+
+        & schtasks.exe /CREATE /F /SC ONSTART /RU SYSTEM /RL HIGHEST /TN "SSH start" /TR "powershell.exe -ExecutionPolicy Bypass -File $sshStartCmd"
+        if ($LASTEXITCODE -ne 0) {
+            throw "Failed to add scheduled task $sshStartCmd"
+        }
+    }
+    catch {
+       Write-Output "OpenSSH install failed: $_"
+    }
+}
+
 ##
 #  Install git not only for git but also mingw64 including curl
 #
@ -24,6 +86,9 @@ $seven_zip_file = "c:/tmp/7z1805-x64.msi"
 & curl.exe -o $seven_zip_file  $seven_zip_uri 
 Start-Process -Wait -FilePath $seven_zip_file -ArgumentList " /quiet /passive"

+#  Install OpenSSH
+InstallOpenSSH
+
 # Install the intel sgx drivers
 & curl.exe  -o "c:/tmp/sgx_base.cab" "http://download.windowsupdate.com/d/msdownload/update/driver/drvs/2018/01/af564f2c-2bc5-43be-a863-437a5a0008cb_61e7ba0c2e17c87caf4d5d3cdf1f35f6be462b38.cab"
 & 7z x c:/tmp/sgx_base.cab -o"c:/tmp/sgx_base" -y
@ -87,5 +152,3 @@ $ocaml_uri  = "http://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/2016011
 & 7z x $ocaml_file -o"c:/Program Files/ocpwin64"
 pushd "C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin"
 & ./ocpwin -in
-
-
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@ -51,6 +51,7 @@ type CustomNodesDNS struct {
 type WindowsProfile struct {
 	AdminUsername         string            `json:"adminUsername"`
 	AdminPassword         string            `json:"adminPassword"`
+	SSHPubKey             string            `json:"sshPublicKey"`
 	ImageVersion          string            `json:"imageVersion"`
 	WindowsImageSourceURL string            `json:"windowsImageSourceURL"`
 	WindowsPublisher      string            `json:"windowsPublisher"`
--- a/pkg/engine/template_generator.go
+++ b/pkg/engine/template_generator.go
@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"runtime/debug"
+	"strings"
 	"text/template"

 	"github.com/Microsoft/oe-engine/pkg/api"
@ -136,11 +137,10 @@ func (t *TemplateGenerator) getTemplateFuncMap(cs *api.OpenEnclave) template.Fun
 			if err != nil {
 				// this should never happen and this is a bug
 				panic(fmt.Sprintf("BUG: %s", err.Error()))
-			} else {
-                //fmt.Printf(" get windows custom data from asset %s\n", b);
-            }
+			}
 			csStr := string(b)
-            return getBase64CustomScriptFromStr(csStr)
+			csStr = strings.Replace(csStr, "SSH_PUB_KEY", cs.Properties.WindowsProfile.SSHPubKey, -1)
+			return getBase64CustomScriptFromStr(csStr)
 		},
 		"GetAllowedVMSizes": func() string {
 			return api.GetAllowedVMSizes()