| 1 | +```mermaid |
| 2 | +sequenceDiagram |
| 3 | +participant User |
| 4 | +participant cf as cf CLI |
| 5 | +participant LB as SSH L4 Load Balancer (ssh.cf.{domain}:2222) |
| 6 | +participant UAA |
| 7 | +participant Proxy as ssh_proxy |
| 8 | +participant CC as Cloud Controller |
| 9 | +participant BBS |
| 10 | +participant TLS as TLS Proxy Sidecar (container) |
| 11 | +participant sshd as diego-sshd (container) |
| 12 | +
|
| 13 | +User->>cf: cf ssh myapp |
| 14 | +
|
| 15 | +Note over cf,CC: Get ssh route and host key fingerprint |
| 16 | +cf->>CC: GET / |
| 17 | +CC-->>cf: app_ssh.href: ssh.cf.{domain}:2222, app_ssh.meta.host_key_fingerprint |
| 18 | +
|
| 19 | +Note over cf,UAA: Get one-time authorization code |
| 20 | +cf->>UAA: GET /oauth/authorize?response_type=code&client_id=ssh-proxy (Bearer: existing CF access token) |
| 21 | +UAA-->>cf: 302 redirect with ?code=XyZ9... |
| 22 | +
|
| 23 | +Note over cf,LB: SSH entrypoint via load balancer |
| 24 | +cf->>LB: TCP connect ssh.cf.{domain}:2222 |
| 25 | +LB->>Proxy: L4 pass-through to ssh_proxy backend port 2222 |
| 26 | +
|
| 27 | +Note over cf,Proxy: SSH connection (encrypted after KEX) |
| 28 | +cf->>Proxy: SSH KEX (verify proxy host key against app_ssh_host_key_fingerprint from CF / info endpoint) |
| 29 | +cf->>Proxy: SSH userauth password=XyZ9..., user="cf:app-guid/instance-index" |
| 30 | +
|
| 31 | +Note over Proxy,UAA: Exchange code for token |
| 32 | +Proxy->>UAA: POST /oauth/token grant_type=authorization_code code=XyZ9... (Basic: ssh-proxy:secret) |
| 33 | +UAA-->>Proxy: access_token (JWT) |
| 34 | +
|
| 35 | +Note over Proxy,CC: Check SSH access permission |
| 36 | +Proxy->>CC: GET /internal/apps/app-guid/ssh_access/index (Bearer: access_token) |
| 37 | +CC-->>Proxy: 200 OK (SSH allowed) |
| 38 | +
|
| 39 | +Note over Proxy,BBS: Look up container address and keys |
| 40 | +Proxy->>BBS: ActualLRP + DesiredLRP for process_guid and process_version |
| 41 | +BBS-->>Proxy: container host:port, TLS address, host_fingerprint, private_key |
| 42 | +
|
| 43 | +Note over Proxy,TLS: Dial backend endpoint for app instance |
| 44 | +Proxy->>TLS: TLS dial (mTLS), verify ServerCertDomainSAN == instance_guid |
| 45 | +TLS->>sshd: plain TCP to backend sshd endpoint |
| 46 | +
|
| 47 | +Note over Proxy,sshd: SSH KEX with container daemon |
| 48 | +Proxy->>sshd: SSH KEX |
| 49 | +sshd-->>Proxy: host public key |
| 50 | +Proxy->>Proxy: verify host public key against host_fingerprint from DesiredLRP diego-ssh route |
| 51 | +Note right of Proxy: WARNING: if host key does not match host_fingerprint, reject connection and fail SSH |
| 52 | +
|
| 53 | +Note over Proxy,sshd: Authenticate to daemon |
| 54 | +Proxy->>sshd: SSH userauth publickey, private_key from DesiredLRP diego-ssh route (same keypair as -authorizedKey on sshd) |
| 55 | +sshd->>sshd: verify public key against -authorizedKey arg |
| 56 | +sshd-->>Proxy: auth success |
| 57 | +
|
| 58 | +Note over Proxy,sshd: Forward channel and data |
| 59 | +Proxy->>sshd: open session channel |
| 60 | +sshd-->>Proxy: channel open confirm |
| 61 | +User->>cf: interact with ssh session (PTY, exec, shell) |
| 62 | +cf->>LB: TCP data forwarding |
| 63 | +LB->>Proxy: TCP data forwarding |
| 64 | +Proxy->>sshd: TCP data forwarding |
| 65 | +``` |
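Review bot: the host key fingerprint field is named inconsistently between line 17 and line 28 of the diagram. Line 17 has the Cloud Controller return `app_ssh.meta.host_key_fingerprint` from `GET /`, but line 28 says the cf CLI verifies the proxy host key "against app_ssh_host_key_fingerprint from CF / info endpoint", which is a different field name and a different endpoint; pick one (the `GET /` root response and `app_ssh.meta.host_key_fingerprint` match line 17) so a reader tracing the trust chain can see that the fingerprint checked at line 28 is exactly the value fetched at line 17. Related: the explicit rejection note at line 51 ("WARNING: if host key does not match host_fingerprint, reject connection and fail SSH") only covers the proxy-to-diego-sshd leg; the client-to-proxy host key check at line 28 has no equivalent note, so add a matching "Note right of cf" stating that a fingerprint mismatch aborts the connection before the one-time code at line 29 is ever sent, since that check is what protects the code from being handed to an impostor proxy.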