Tuesday, April 20, 2021

Dealing with old ssh implementations

Over the last several releases, Fedora has removed support for old, broken crypto algorithms.  Unfortunately, this makes it harder to deal with old devices or servers that can't easily be upgraded.  For example, I have a switch that I can't connect to with the ssh on Fedora.

I can connect to it fine with the ssh on CentOS 7 though...  podman/docker to the rescue!

#!/bin/bash

get_container_runtime() {
    if [ -n "$CONTAINER_RUNTIME" ] ; then
        container_runtime=$CONTAINER_RUNTIME
        return
    fi

    podman=$( type -p podman )
    if [ -n "$podman" ] ; then
        container_runtime=$podman
        return
    fi

    docker=$( type -p docker )
    if [ -n "$docker" ] ; then
        container_runtime=$docker
        return
    fi

    echo 'No container runtime found.' >&2
    exit 1
}

get_container_runtime

set -e

container=${CONTAINER:-"centos:7"}

ssh_cmd=$( mktemp /tmp/ssh.XXXXXX )
chmod 700 "$ssh_cmd"

# Single quotes defer expansion until the trap fires, and the path stays quoted.
trap 'rm -fv "$ssh_cmd"' EXIT

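# Quoted heredoc: "$@" is written literally and expanded inside the container,
# so arguments that contain spaces reach ssh intact.
cat > "$ssh_cmd" <<'END'
#!/bin/sh
set -e
yum -y install /usr/bin/ssh
ssh "$@"
END

run_args=(
    -it
    --rm
    -v "$HOME/.ssh:/root/.ssh"
    -v "$ssh_cmd:$ssh_cmd"
)

# Forward the ssh-agent socket only when an agent is available.
if [ -n "$SSH_AUTH_SOCK" ] ; then
    run_args+=(
        -e=SSH_AUTH_SOCK
        -v "$SSH_AUTH_SOCK:$SSH_AUTH_SOCK"
    )
fi

# Quote the array so paths with spaces stay single arguments, and hand the
# caller's arguments to the wrapper script.
$container_runtime run "${run_args[@]}" \
    "$container" \
    "$ssh_cmd" "$@"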

The script accepts all of the arguments that the container's ssh accepts (because it blindly passes them along). It automatically maps your .ssh directory and your ssh-agent socket. YMMV, but I've tested it on Fedora with podman and a Mac with docker.
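
Passing arguments through a generated wrapper script depends on how the heredoc is quoted. The following added example (not part of the original post) compares a wrapper that expands `$@` while it is being written with one that forwards `"$@"` at run time; `count_args` is a hypothetical stand-in for ssh, and the sample arguments are constructed.

```bash
#!/bin/sh
# Added example, not from the original post. count_args is a hypothetical
# stand-in for ssh so the comparison runs offline without a container.

# Unquoted heredoc: $@ is expanded while the wrapper is being written, so the
# arguments are pasted in as plain text and re-split on spaces when it runs.
write_expanded() (
    out=$1; shift
    cat > "$out" <<END
#!/bin/sh
count_args() { echo "\$#"; }
count_args $@
END
)

# Quoted heredoc: "$@" is written literally and expanded by the wrapper from
# its own arguments, so each argument arrives intact.
write_forwarding() (
    cat > "$1" <<'END'
#!/bin/sh
count_args() { echo "$#"; }
count_args "$@"
END
)

# Each helper prints how many arguments the stand-in command received.
args_seen_expanded() (
    w=$(mktemp)
    write_expanded "$w" "$@"
    n=$(sh "$w"); rm -f "$w"
    echo "$n"
)

args_seen_forwarding() (
    w=$(mktemp)
    write_forwarding "$w"
    n=$(sh "$w" "$@"); rm -f "$w"
    echo "$n"
)

# Constructed sample: three arguments, one of which contains spaces.
echo "expanded:   $(args_seen_expanded -o 'ProxyCommand=ssh -W %h:%p jumphost' switch.example)"
echo "forwarding: $(args_seen_forwarding -o 'ProxyCommand=ssh -W %h:%p jumphost' switch.example)"
```

The expanded wrapper splits the `ProxyCommand` value into separate words, so ssh would see `-W` and `jumphost` as its own arguments; the forwarding wrapper keeps the three original arguments.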