// Callback function responsible for authenticating the SSH client.
func keyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
log.Printf("(keyAuth) >> New client conn from '%s' authenticating with '%s'\n", conn.RemoteAddr(), key.Type())
// Create a fingerprint of the external provided pub key.
fpProvidedPubKey, err := pubKeyFingerprint(key)
if err != nil {
log.Printf("(keyAuth) >> Error: Unable to create fingerprint for provided PubKey: %s\n", err.Error())
}
log.Printf("(keyAuth) >> Fingerprint of provided PubKey : %s\n", fpProvidedPubKey)
// Get all the pub keys for a given user.
authorizedPubKeys, err := getPubKeysForUser(conn.User())
if err != nil {
return nil, fmt.Errorf("(keyAuth) >> No pub key for user '%s' found / user not allowed to connect.", conn.User())
}
// Check if the user is allowed to connect at all (meaning: the must be a subdirectory in the 'data' dir
// matching the provided SSH username).
var authSuccess bool = false
for i, authPubKey := range authorizedPubKeys {
fpAuthorizedPubKey, err := pubKeyFingerprint(authPubKey)
if err != nil {
log.Printf("(keyAuth) >> Error: Unable to create fingerprint for authorized PubKey %d: %s\n", i, err.Error())
}
log.Printf("(keyAuth) >> Fingerprint of authorized PubKey %d: %s\n", i, fpAuthorizedPubKey)
// Check if username and Public Key combination is allowed to establish a connection.
if theseTwoPublicKeysAreEqual(key, authPubKey) {
authSuccess = true
break
}
}
if authSuccess {
log.Printf("(keyAuth) >> Correct username '%s' and public key provided.", conn.User())
// Signaling success / authentication passed.
return nil, nil
}
log.Printf("(keyAuth) >> Wrong username '%s' and/or public key provided.", conn.User())
return nil, fmt.Errorf("Wrong username and/or public key.")
}
