ssh-rm/main.go at master · agy/ssh-rm · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
package main

import (
	"errors"
	"flag"
	"net"
	"os"
	"strings"

	"golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/agent"
)

func Fingerprint(fp string) (func(ssh.PublicKey) string, error) {
	if fp == "" {
		return nil, errors.New("invalid fingerprint")
	}

	hash := strings.Split(fp, ":")[0]
	switch hash {
	case "SHA256":
		return ssh.FingerprintSHA256, nil
	case "MD5":
		return ssh.FingerprintLegacyMD5, nil
	}

	return nil, errors.New("invalid key fingerprint")
}

func main() {
	var (
		fingerprint = flag.String("fingerprint", "", "fingerprint")
	)
	flag.Parse()

	if *fingerprint == "" {
		flag.Usage()
		os.Exit(0)
	}

	conn, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
	if err != nil {
		panic(err)
	}
	defer conn.Close()

	sshAgent := agent.NewClient(conn)

	// Grab keys in the agent
	keys, err := sshAgent.List()
	if err != nil {
		panic(err)
	}

	if len(keys) == 0 {
		os.Exit(0)
	}

	// Combine this with the below logic in a separate function
	fpFunc, err := Fingerprint(*fingerprint)
	if err != nil {
		panic(err)
	}

	for _, key := range keys {
		pub, err := ssh.ParsePublicKey(key.Blob)
		if err != nil {
			panic(err)
		}

		// If it's a cert, fingerprint the key embedded in the cert
		if sshCert, ok := pub.(*ssh.Certificate); ok {
			k, err := ssh.ParsePublicKey(sshCert.Key.Marshal())
			if err != nil {
				panic(err)
			}

			if fpFunc(k) != *fingerprint {
				continue
			}
		} else {
			if fpFunc(pub) != *fingerprint {
				continue
			}
		}

		if err := sshAgent.Remove(pub); err != nil {
			panic(err)
		}

	}
}