Example #1
0
func (l *sshListener) checkLogin(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
	if bytes.Equal(key.Marshal(), l.id.PublicKey().Marshal()) && conn.User() == "termite" {
		return nil, nil
	}

	return nil, fmt.Errorf("denied")
}
Example #2
0
func checkAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
	status, err := exitStatus(exec.Command(authChecker[0],
		append(authChecker[1:], conn.User(), string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key))))...).Run())
	if err != nil {
		return nil, err
	}
	if status.Status == 0 {
		return nil, nil
	}
	return nil, ErrUnauthorized
}
Example #3
0
func HandlePublicKeyCallback(conn ssh.ConnMetadata, key ssh.PublicKey) (perm *ssh.Permissions, err error) {
	publicKeys, err := userext.ReadUserAuthKeys(conn.User())
	if err != nil {
		return
	}
	for _, v := range publicKeys {
		perm, err := new(ssh.CertChecker).Authenticate(conn, v)
		if err != nil {
			continue
		}
		return perm, nil
	}
	return
}
Example #4
0
// handleAuth checks authentication against etcd using CanConnect and sets the needed
// environment variables for later parts of the builder to use. It takes in the SSH
// connection metadata, the public key of the user, and returns the SSH
// permissions of the connection and an error if they are not authorized.
func handleAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
	if conn.User() != "git" {
		return nil, ErrUnauthorized
	}

	keydata := string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key)))

	etcd := etcd.NewClient([]string{*etcduplink})

	fp := utils.GetFingerprint(keydata)

	user, allowed := utils.CanConnect(etcd, keydata)
	if allowed {
		log.Printf("User %s (%s) accepted with fingerprint %s", user, conn.RemoteAddr().String(), fp)
		return &ssh.Permissions{
			Extensions: map[string]string{
				"environ":     fmt.Sprintf("USER=%s\nKEY='%s'\nFINGERPRINT=%s\n", user, keydata, fp),
				"user":        user,
				"fingerprint": fp,
			},
		}, nil
	} else {
		log.Printf("Connection from %s rejected (bad key)", conn.RemoteAddr().String())
	}

	return nil, ErrUnauthorized
}
Example #5
0
func (srv *Server) authUser(meta ssh.ConnMetadata, key ssh.PublicKey) (perm *ssh.Permissions, err error) {
	userid := meta.User()
	log.Debug("username from client: %s", userid)
	remote := meta.RemoteAddr()

	// split user and host from username
	i := strings.SplitN(userid, "@", 2)
	if len(i) < 2 {
		i = strings.SplitN(userid, "/", 2)
		if len(i) < 2 {
			err = ErrIllegalUserName
			log.Error("%s", err.Error())
			return
		}
	}
	account := i[0]
	host := i[1]

	username, err := srv.findPubkey(key)
	if err != nil {
		log.Error("%s", err.Error())
		return
	}

	scs, err := srv.createSshConnServer(username, remote.String(), account, host)
	if err != nil {
		log.Error("%s", err.Error())
		return
	}
	if scs == nil {
		log.Error("can't create server")
		return
	}

	srv.mu.Lock()
	defer srv.mu.Unlock()
	srv.scss[remote] = scs
	return
}
Example #6
0
// Log all authentication attempts
func HandleAuthLogCallback(conn ssh.ConnMetadata, method string, err error) {
	log.Printf("Login attempt for user %s from %s with client %s",
		conn.User(),
		conn.RemoteAddr(),
		string(conn.ClientVersion()))
}