feat: add SSH port forwarding test and enable commands

Add SSH port forwarding testing and enablement capabilities with new flags and commands. Remove unused imports and fix duplicate struct fields.

Signed-off-by: cybermonkey <git@cybermonkey.net.au>

Author: CodeMonkeyCybersecurity

cmd/debug/ssh.go

@@ -18,10 +18,16 @@ import (
 )
 
 var (
-	sshDebugFormat     string
-	sshDebugClientOnly bool
-	sshDebugKeyPath    string
-	sshDebugSanitize   bool
+	sshDebugFormat            string
+	sshDebugClientOnly        bool
+	sshDebugKeyPath           string
+	sshDebugSanitize          bool
+	sshDebugTestForwarding    bool
+	sshDebugHost              string
+	sshDebugUser              string
+	sshDebugPort              string
+	sshDebugPassword          string
+	sshDebugForwardTestTarget string
 )
 
 var sshDebugCmd = &cobra.Command{
@@ -65,6 +71,9 @@ USAGE EXAMPLES:
   # Sanitize sensitive data before sharing
   eos debug ssh user@host --sanitize
 
+  # Test that port forwarding is allowed on the target
+  eos debug ssh --test-forwarding --host vhost1 --user henry
+
 TROUBLESHOOTING COMMON ISSUES:
 
 1. "Permission denied (publickey)" errors:
@@ -92,11 +101,21 @@ func init() {
 	sshDebugCmd.Flags().BoolVar(&sshDebugClientOnly, "client-only", false, "Run client-side diagnostics only (no server connection)")
 	sshDebugCmd.Flags().StringVar(&sshDebugKeyPath, "key", "", "Path to SSH private key (auto-detected if not specified)")
 	sshDebugCmd.Flags().BoolVar(&sshDebugSanitize, "sanitize", false, "Redact sensitive information (keys, paths)")
+	sshDebugCmd.Flags().BoolVar(&sshDebugTestForwarding, "test-forwarding", false, "Test whether SSH port forwarding is permitted on the target")
+	sshDebugCmd.Flags().StringVar(&sshDebugHost, "host", "", "Target host for --test-forwarding (e.g., vhost1 or user@vhost1)")
+	sshDebugCmd.Flags().StringVar(&sshDebugUser, "user", "", "SSH username for --test-forwarding")
+	sshDebugCmd.Flags().StringVar(&sshDebugPort, "port", "22", "SSH port for --test-forwarding")
+	sshDebugCmd.Flags().StringVar(&sshDebugPassword, "password", "", "SSH password for --test-forwarding (optional if key auth works)")
+	sshDebugCmd.Flags().StringVar(&sshDebugForwardTestTarget, "forward-target", "127.0.0.1:22", "Destination to probe through the forwarded connection")
 
 	debugCmd.AddCommand(sshDebugCmd)
 }
 
 func runSSHDebug(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) error {
+	if sshDebugTestForwarding {
+		return runSSHForwardingTest(rc)
+	}
+
 	logger := otelzap.Ctx(rc.Ctx)
 
 	// Determine target (if provided)
@@ -170,6 +189,40 @@ func runSSHDebug(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) e
 	return nil
 }
 
+func runSSHForwardingTest(rc *eos_io.RuntimeContext) error {
+	logger := otelzap.Ctx(rc.Ctx)
+
+	if sshDebugHost == "" {
+		return fmt.Errorf("--host is required when using --test-forwarding")
+	}
+
+	connCfg, err := ssh.BuildConnectionConfig(sshDebugHost, sshDebugUser, sshDebugPort, sshDebugKeyPath, sshDebugPassword, "")
+	if err != nil {
+		return err
+	}
+
+	result, err := ssh.TestForwarding(rc, connCfg, sshDebugForwardTestTarget)
+	if err != nil {
+		return err
+	}
+
+	if result.Success {
+		logger.Info("SSH port forwarding test passed",
+			zap.String("host", connCfg.Host),
+			zap.String("user", connCfg.User),
+			zap.String("target", result.Target),
+			zap.String("message", result.Message))
+		return nil
+	}
+
+	logger.Warn("SSH port forwarding test failed",
+		zap.String("host", connCfg.Host),
+		zap.String("user", connCfg.User),
+		zap.String("target", result.Target),
+		zap.String("message", result.Message))
+	return fmt.Errorf("port forwarding blocked: %s", result.Message)
+}
+
 // formatSSHDiagnosticReport formats the diagnostic report based on the requested format
 func formatSSHDiagnosticReport(report *ssh.SSHDiagnosticReport, format string, sanitize bool) (string, error) {
 	switch format {

cmd/read/ssh.go

@@ -0,0 +1,79 @@
+package read
+
+import (
+	"fmt"
+
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/eos_cli"
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/eos_io"
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/ssh"
+	"github.com/spf13/cobra"
+	"github.com/uptrace/opentelemetry-go-extra/otelzap"
+	"go.uber.org/zap"
+)
+
+var (
+	sshReadHost     string
+	sshReadUser     string
+	sshReadPort     string
+	sshReadKey      string
+	sshReadPassword string
+	sshReadSudoPass string
+)
+
+// readSSHCmd reports SSH forwarding-related configuration for a remote host.
+var readSSHCmd = &cobra.Command{
+	Use:   "ssh",
+	Short: "Inspect SSH forwarding configuration on a host",
+	Long: `Shows forwarding-related sshd_config directives and SSH service status.
+
+Examples:
+  eos read ssh --host vhost1
+  eos read ssh --host user@vhost1 --key ~/.ssh/id_ed25519
+  eos read ssh --host vhost1 --user henry --password '...' --sudo-pass '...'`,
+	RunE: eos_cli.Wrap(func(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) error {
+		if sshReadHost == "" {
+			return fmt.Errorf("--host is required (e.g., vhost1 or user@vhost1)")
+		}
+
+		connCfg, err := ssh.BuildConnectionConfig(sshReadHost, sshReadUser, sshReadPort, sshReadKey, sshReadPassword, sshReadSudoPass)
+		if err != nil {
+			return err
+		}
+
+		logger := otelzap.Ctx(rc.Ctx)
+		logger.Info("Connecting to host for SSH forwarding status",
+			zap.String("host", connCfg.Host),
+			zap.String("user", connCfg.User),
+			zap.String("port", connCfg.Port))
+
+		client, err := ssh.ConnectSSHClient(rc, connCfg)
+		if err != nil {
+			return fmt.Errorf("failed to connect to %s: %w", connCfg.Host, err)
+		}
+		defer func() { _ = client.Close() }()
+
+		status, err := ssh.ReadForwardingStatus(rc, client)
+		if err != nil {
+			return err
+		}
+
+		logger.Info("SSH forwarding configuration",
+			zap.String("allow_tcp_forwarding", status.AllowTcpForwarding),
+			zap.String("allow_stream_local_forwarding", status.AllowStreamLocalForwarding),
+			zap.Strings("permit_open", status.PermitOpen),
+			zap.String("service_status", status.ServiceStatus))
+
+		return nil
+	}),
+}
+
+func init() {
+	ReadCmd.AddCommand(readSSHCmd)
+
+	readSSHCmd.Flags().StringVar(&sshReadHost, "host", "", "Target host (e.g., vhost1 or user@vhost1)")
+	readSSHCmd.Flags().StringVar(&sshReadUser, "user", "", "SSH username override (defaults to current user)")
+	readSSHCmd.Flags().StringVar(&sshReadPort, "port", "22", "SSH port (default 22)")
+	readSSHCmd.Flags().StringVar(&sshReadKey, "key", "", "Path to SSH private key (defaults to first available)")
+	readSSHCmd.Flags().StringVar(&sshReadPassword, "password", "", "SSH password (optional if key-based auth works)")
+	readSSHCmd.Flags().StringVar(&sshReadSudoPass, "sudo-pass", "", "Sudo password for reading sshd_config (defaults to --password)")
+}

cmd/self/integration_test.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/backup"
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/eos_io"
-	"github.com/CodeMonkeyCybersecurity/eos/pkg/verify"
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/patterns"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"

cmd/update/moni.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/bionicgpt"
-	"github.com/CodeMonkeyCybersecurity/eos/pkg/bionicgpt/apikeys"
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/bionicgpt/postinstall"
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/bionicgpt/refresh"
 	eos "github.com/CodeMonkeyCybersecurity/eos/pkg/eos_cli"
@@ -294,34 +293,6 @@ func runMoniPostInstall(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []st
 	return nil
 }
 
-// runMoniRotateAPIKeys handles the API key rotation
-// Orchestration layer: delegates to pkg/bionicgpt/apikeys for business logic
-func runMoniRotateAPIKeys(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) error {
-	logger := otelzap.Ctx(rc.Ctx)
-
-	logger.Info("Starting Moni API key rotation",
-		zap.String("install_dir", moniInstallDir))
-
-	// Build configuration
-	config := &apikeys.Config{
-		InstallDir: moniInstallDir,
-	}
-
-	// Validate configuration
-	if err := config.Validate(); err != nil {
-		return fmt.Errorf("invalid configuration: %w", err)
-	}
-
-	// Execute API key rotation
-	if err := apikeys.Execute(rc, config); err != nil {
-		logger.Error("API key rotation failed", zap.Error(err))
-		return fmt.Errorf("API key rotation failed: %w", err)
-	}
-
-	logger.Info("API key rotation completed successfully")
-	return nil
-}
-
 // runMoniRefresh handles the refresh operation
 // Orchestration layer: delegates to pkg/bionicgpt/refresh for business logic
 func runMoniRefresh(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) error {
@@ -404,6 +375,9 @@ func runMoniRotateAPIKeys(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []
 	logger.Info("   docker compose -f /opt/bionicgpt/docker-compose.yml logs -f app litellm-proxy")
 	logger.Info("")
 
+	return nil
+}
+
 // runMoniInit handles the Moni initialization worker
 // Orchestration layer: delegates to pkg/moni for business logic
 func runMoniInit(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) error {

cmd/update/ssh.go

@@ -15,10 +15,15 @@ import (
 
 // TODO move to pkg/ to DRY up this code base but putting it with other similar functions
 var (
-	sshHost     string
-	sshKeyPath  string
-	sshHosts    string
-	sshUsername string
+	sshHost                string
+	sshKeyPath             string
+	sshHosts               string
+	sshUsername            string
+	sshEnableForwarding    bool
+	sshForwardUser         string
+	sshForwardPort         string
+	sshForwardPassword     string
+	sshForwardSudoPassword string
 )
 
 var SecureSSHCmd = &cobra.Command{
@@ -35,6 +40,10 @@ Examples:
   eos secure ssh --host user@hostname --key ~/.ssh/id_rsa
   eos secure ssh  # Interactive mode`,
 	RunE: eos.Wrap(func(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) error {
+		if sshEnableForwarding {
+			return runEnableSSHForwarding(rc)
+		}
+
 		otelzap.Ctx(rc.Ctx).Info("Starting SSH security diagnostics")
 
 		// Get SSH host if not provided
@@ -259,4 +268,58 @@ func init() {
 	// Add flags for copy-keys command
 	CopyKeysCmd.Flags().StringVar(&sshHosts, "hosts", "", "Comma-separated list of hosts to copy keys to")
 	CopyKeysCmd.Flags().StringVar(&sshUsername, "user", "", "SSH username for remote hosts")
+
+	SecureSSHCmd.Flags().BoolVar(&sshEnableForwarding, "enable-forwarding", false, "Enable SSH port forwarding (AllowTcpForwarding/AllowStreamLocalForwarding yes, remove PermitOpen)")
+	SecureSSHCmd.Flags().StringVar(&sshForwardUser, "user", "", "SSH username for --enable-forwarding")
+	SecureSSHCmd.Flags().StringVar(&sshForwardPort, "port", "22", "SSH port for --enable-forwarding")
+	SecureSSHCmd.Flags().StringVar(&sshForwardPassword, "password", "", "SSH password for --enable-forwarding (optional if key auth works)")
+	SecureSSHCmd.Flags().StringVar(&sshForwardSudoPassword, "sudo-pass", "", "Sudo password for remote host (defaults to --password)")
+}
+
+func runEnableSSHForwarding(rc *eos_io.RuntimeContext) error {
+	logger := otelzap.Ctx(rc.Ctx)
+
+	if sshHost == "" {
+		var err error
+		sshHost, err = interaction.PromptUser(rc, "Enter SSH host (user@hostname[:port]): ")
+		if err != nil {
+			return fmt.Errorf("failed to get SSH host: %w", err)
+		}
+	}
+
+	connCfg, err := ssh.BuildConnectionConfig(sshHost, sshForwardUser, sshForwardPort, sshKeyPath, sshForwardPassword, sshForwardSudoPassword)
+	if err != nil {
+		return err
+	}
+
+	logger.Info("Enabling SSH forwarding on host",
+		zap.String("host", connCfg.Host),
+		zap.String("user", connCfg.User),
+		zap.String("port", connCfg.Port))
+
+	client, err := ssh.ConnectSSHClient(rc, connCfg)
+	if err != nil {
+		return fmt.Errorf("failed to connect to %s: %w", connCfg.Host, err)
+	}
+	defer func() { _ = client.Close() }()
+
+	result, err := ssh.EnableSSHForwarding(rc, client)
+	if err != nil {
+		return err
+	}
+
+	logger.Info("SSH forwarding enabled",
+		zap.String("backup", result.BackupPath),
+		zap.String("restart_command", result.RestartCommand),
+		zap.String("validation", result.ValidationOutput))
+
+	if result.Status != nil {
+		logger.Info("Forwarding status",
+			zap.String("allow_tcp_forwarding", result.Status.AllowTcpForwarding),
+			zap.String("allow_stream_local_forwarding", result.Status.AllowStreamLocalForwarding),
+			zap.Strings("permit_open", result.Status.PermitOpen),
+			zap.String("service_status", result.Status.ServiceStatus))
+	}
+
+	return nil
 }