Allow SSH authentication via GSS.

Carreau · Carreau · commit 154ecede0dda · 2021-04-13T17:11:37.000-07:00
This attempt to implement GSS as requested in #946. I've tried to also document the other environment variable, though I couldn't find where or how they are supposed to be used. I'm also currently trying to find a deployment that could use GSS to test this, but haven't so far. I'm assuming that if GSS is enabled then it takes priority over username/password.
diff --git a/docs/source/config-options.md b/docs/source/config-options.md
@@ -451,6 +451,16 @@ The following environment variables can be used to influence functionality and a
     The port number used for ssh operations for installations choosing to
     configure the ssh server on a port other than the default 22.
 
+  EG_REMOTE_PWD=None
+    The password to use to ssh to remote hosts
+
+  EG_REMOTE_USER=None
+    The username to use when connecting to remote hosts (default to `getpass.getuser()`
+    when not set).
+
+  EG_REMOTE_GSS_SSH=None
+    Use gss instead of EG_REMOTE_USER and EG_REMOTE_PWD to connect to remote host via SSH.
+
   EG_YARN_CERT_BUNDLE=<custom_truststore_path>
     The path to a .pem or any other custom truststore used as a CA bundle in yarn-api-client.
 ```
diff --git a/enterprise_gateway/services/processproxies/processproxy.py b/enterprise_gateway/services/processproxies/processproxy.py
@@ -18,6 +18,7 @@
 import subprocess
 import sys
 import time
+import warnings
 
 from asyncio import Event, TimeoutError
 from calendar import timegm
@@ -586,18 +587,35 @@ def _get_ssh_client(self, host):
         global remote_user
         global remote_pwd
         if remote_user is None:
-            remote_user = os.getenv('EG_REMOTE_USER', getpass.getuser())
-            remote_pwd = os.getenv('EG_REMOTE_PWD')  # this should use password-less ssh
+            use_gss = os.getenv("EG_REMOTE_GSS_SSH", None)
+            remote_pwd = os.getenv("EG_REMOTE_PWD")  # this should use password-less ssh
+            remote_user = os.getenv("EG_REMOTE_USER", getpass.getuser())
+
+            if use_gss and (remote_pwd or remote_user):
+                warnings.warn(
+                    "Both `EG_REMOTE_GSS_SSH` and one of `EG_REMOTE_PWD` or `EG_REMOTE_USER` is set. "
+                    "Those options are mutually exclusive, you configuration may be incorrect. "
+                    "EG_REMOTE_GSS_SSH will take priority."
+                )
 
         try:
             ssh = paramiko.SSHClient()
             ssh.load_system_host_keys()
-            ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
             host_ip = gethostbyname(host)
-            if remote_pwd:
-                ssh.connect(host_ip, port=ssh_port, username=remote_user, password=remote_pwd)
+            if use_gss:
+                ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+                ssh.connect(host_ip, port=ssh_port, gss_auth=True)
             else:
-                ssh.connect(host_ip, port=ssh_port, username=remote_user)
+                ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
+                if remote_pwd:
+                    ssh.connect(
+                        host_ip,
+                        port=ssh_port,
+                        username=remote_user,
+                        password=remote_pwd,
+                    )
+                else:
+                    ssh.connect(host_ip, port=ssh_port, username=remote_user)
         except Exception as e:
             http_status_code = 500
             current_host = gethostbyname(gethostname())
