TheCloud/ssh-chat
1
0
Fork 0
mirror of https://github.com/shazow/ssh-chat.git synced 2025-09-08 11:49:46 -04:00
Code Issues Packages Projects Releases Wiki Activity

Auth.go: parse and record ssh key comments at startup

Browse Source
This commit is contained in:
nato 2023-01-23 17:41:22 -08:00
parent aaf0671f01
commit de92057033
5 changed files with 57 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
auth.go
View File

@ -18,7 +18,7 @@ import (
// KeyLoader loads public keys, e.g. from an authorized_keys file. // KeyLoader loads public keys, e.g. from an authorized_keys file.
// It must return a nil slice on error. // It must return a nil slice on error.
type KeyLoader func() ([]ssh.PublicKey, error) type KeyLoader func() ([]ssh.PublicKey, []string, error)
// ErrNotAllowed Is the error returned when a key is checked that is not allowlisted, // ErrNotAllowed Is the error returned when a key is checked that is not allowlisted,
// when allowlisting is enabled. // when allowlisting is enabled.
@ -55,12 +55,14 @@ func newAuthAddr(addr net.Addr) string {
// Auth stores lookups for bans, allowlists, and ops. It implements the sshd.Auth interface. // Auth stores lookups for bans, allowlists, and ops. It implements the sshd.Auth interface.
// If the contained passphrase is not empty, it complements a allowlist. // If the contained passphrase is not empty, it complements a allowlist.
type Auth struct { type Auth struct {
passphraseHash []byte passphraseHash []byte
bannedAddr *set.Set bannedAddr *set.Set
bannedClient *set.Set bannedClient *set.Set
banned *set.Set banned *set.Set
allowlist *set.Set allowlist *set.Set
ops *set.Set ops *set.Set
allowlistComments map[string]string
adminComments map[string]string
settingsMu sync.RWMutex settingsMu sync.RWMutex
allowlistMode bool allowlistMode bool
@ -71,11 +73,13 @@ type Auth struct {
// NewAuth creates a new empty Auth. // NewAuth creates a new empty Auth.
func NewAuth() *Auth { func NewAuth() *Auth {
return &Auth{ return &Auth{
bannedAddr: set.New(), bannedAddr: set.New(),
bannedClient: set.New(), bannedClient: set.New(),
banned: set.New(), banned: set.New(),
allowlist: set.New(), allowlist: set.New(),
ops: set.New(), ops: set.New(),
allowlistComments: make(map[string]string),
adminComments: make(map[string]string),
} }
} }
@ -158,7 +162,8 @@ func (a *Auth) CheckPassphrase(passphrase string) error {
} }
// Op sets a public key as a known operator. // Op sets a public key as a known operator.
func (a *Auth) Op(key ssh.PublicKey, d time.Duration) { // comment is the string that follows the public key in openssh authorized_keys format
func (a *Auth) Op(key ssh.PublicKey, comment string, d time.Duration) {
if key == nil { if key == nil {
return return
} }
@ -168,6 +173,12 @@ func (a *Auth) Op(key ssh.PublicKey, d time.Duration) {
} else { } else {
a.ops.Set(authItem) a.ops.Set(authItem)
} }
fingerprint := sshd.Fingerprint(key)
if len(a.adminComments[fingerprint]) == 0 {
a.adminComments[fingerprint] = comment
}
logger.Debugf("Added to ops: %q (for %s)", authItem.Key(), d) logger.Debugf("Added to ops: %q (for %s)", authItem.Key(), d)
} }
@ -189,11 +200,13 @@ func (a *Auth) LoadOps(loader KeyLoader) error {
func (a *Auth) ReloadOps() error { func (a *Auth) ReloadOps() error {
a.settingsMu.RLock() a.settingsMu.RLock()
defer a.settingsMu.RUnlock() defer a.settingsMu.RUnlock()
a.adminComments = make(map[string]string)
return addFromLoader(a.opLoader, a.Op) return addFromLoader(a.opLoader, a.Op)
} }
// Allowlist will set a public key as a allowlisted user. // Allowlist will set a public key as a allowlisted user.
func (a *Auth) Allowlist(key ssh.PublicKey, d time.Duration) { // comment is the string that follows the public key in openssh authorized_keys format
func (a *Auth) Allowlist(key ssh.PublicKey, comment string, d time.Duration) {
if key == nil { if key == nil {
return return
} }
@ -204,6 +217,12 @@ func (a *Auth) Allowlist(key ssh.PublicKey, d time.Duration) {
} else { } else {
err = a.allowlist.Set(authItem) err = a.allowlist.Set(authItem)
} }
fingerprint := sshd.Fingerprint(key)
if len(a.allowlistComments[fingerprint]) == 0 {
a.allowlistComments[fingerprint] = comment
}
if err == nil { if err == nil {
logger.Debugf("Added to allowlist: %q (for %s)", authItem.Key(), d) logger.Debugf("Added to allowlist: %q (for %s)", authItem.Key(), d)
} else { } else {
@ -223,16 +242,22 @@ func (a *Auth) LoadAllowlist(loader KeyLoader) error {
func (a *Auth) ReloadAllowlist() error { func (a *Auth) ReloadAllowlist() error {
a.settingsMu.RLock() a.settingsMu.RLock()
defer a.settingsMu.RUnlock() defer a.settingsMu.RUnlock()
a.allowlistComments = make(map[string]string)
return addFromLoader(a.allowlistLoader, a.Allowlist) return addFromLoader(a.allowlistLoader, a.Allowlist)
} }
func addFromLoader(loader KeyLoader, adder func(ssh.PublicKey, time.Duration)) error { func addFromLoader(loader KeyLoader, adder func(ssh.PublicKey, string, time.Duration)) error {
if loader == nil { if loader == nil {
return nil return nil
} }
keys, err := loader() keys, comments, err := loader()
for _, key := range keys { var comment string
adder(key, 0) for index, key := range keys {
comment = ""
if len(comments) > index {
comment = comments[index]
}
adder(key, comment, 0)
} }
return err return err
} }

2
auth_test.go
View File

@ -33,7 +33,7 @@ func TestAuthAllowlist(t *testing.T) {
t.Error("Failed to permit in default state:", err) t.Error("Failed to permit in default state:", err)
} }
auth.Allowlist(key, 0) auth.Allowlist(key, "", 0)
auth.SetAllowlistMode(true) auth.SetAllowlistMode(true)
keyClone, err := ClonePublicKey(key) keyClone, err := ClonePublicKey(key)

12
cmd/ssh-chat/cmd.go
View File

@ -200,28 +200,30 @@ func loaderFromFile(path string, logger *golog.Logger) sshchat.KeyLoader {
if path == "" { if path == "" {
return nil return nil
} }
return func() ([]ssh.PublicKey, error) { return func() ([]ssh.PublicKey, []string, error) {
file, err := os.Open(path) file, err := os.Open(path)
if err != nil { if err != nil {
return nil, err return nil, nil, err
} }
defer file.Close() defer file.Close()
var keys []ssh.PublicKey var keys []ssh.PublicKey
var comments []string
scanner := bufio.NewScanner(file) scanner := bufio.NewScanner(file)
for scanner.Scan() { for scanner.Scan() {
key, _, _, _, err := ssh.ParseAuthorizedKey(scanner.Bytes()) key, comment, _, _, err := ssh.ParseAuthorizedKey(scanner.Bytes())
if err != nil { if err != nil {
if err.Error() == "ssh: no key found" { if err.Error() == "ssh: no key found" {
continue // Skip line continue // Skip line
} }
return nil, err return nil, nil, err
} }
keys = append(keys, key) keys = append(keys, key)
comments = append(comments, comment)
} }
if keys == nil { if keys == nil {
logger.Warning("file", path, "contained no keys") logger.Warning("file", path, "contained no keys")
} }
return keys, nil return keys, comments, nil
} }
} }

8
host.go
View File

@ -626,7 +626,7 @@ func (h *Host) InitCommands(c *chat.Commands) {
member.IsOp = opValue member.IsOp = opValue
id := member.Identifier.(*Identity) id := member.Identifier.(*Identity)
h.auth.Op(id.PublicKey(), until) h.auth.Op(id.PublicKey(), "", until)
var body string var body string
if opValue { if opValue {
@ -780,7 +780,7 @@ func (h *Host) InitCommands(c *chat.Commands) {
if pk == nil { if pk == nil {
noKeyUsers = append(noKeyUsers, user.Identifier.Name()) noKeyUsers = append(noKeyUsers, user.Identifier.Name())
} else { } else {
h.auth.Allowlist(pk, 0) h.auth.Allowlist(pk, "", 0)
} }
} }
return nil return nil
@ -876,9 +876,9 @@ func (h *Host) InitCommands(c *chat.Commands) {
case "off": case "off":
h.auth.SetAllowlistMode(false) h.auth.SetAllowlistMode(false)
case "add": case "add":
replyLines = forPubkeyUser(args[1:], func(pk ssh.PublicKey) { h.auth.Allowlist(pk, 0) }) replyLines = forPubkeyUser(args[1:], func(pk ssh.PublicKey) { h.auth.Allowlist(pk, "", 0) })
case "remove": case "remove":
replyLines = forPubkeyUser(args[1:], func(pk ssh.PublicKey) { h.auth.Allowlist(pk, 1) }) replyLines = forPubkeyUser(args[1:], func(pk ssh.PublicKey) { h.auth.Allowlist(pk, "", 1) })
case "import": case "import":
replyLines, err = allowlistImport(args[1:]) replyLines, err = allowlistImport(args[1:])
case "reload": case "reload":

4
host_test.go
View File

@ -164,12 +164,12 @@ func TestHostAllowlist(t *testing.T) {
} }
clientKey := clientPrivateKey.PublicKey() clientKey := clientPrivateKey.PublicKey()
loadCount := -1 loadCount := -1
loader := func() ([]ssh.PublicKey, error) { loader := func() ([]ssh.PublicKey, []string, error) {
loadCount++ loadCount++
return [][]ssh.PublicKey{ return [][]ssh.PublicKey{
{}, {},
{clientKey}, {clientKey},
}[loadCount], nil }[loadCount], []string{}, nil
} }
auth.LoadAllowlist(loader) auth.LoadAllowlist(loader)