Esempio n. 1
0
/*
SSHChallenge performs the challenge-response process to authenticate a connecting client to its SSH keys.
*/
func (sm *server) SSHChallenge(m protocol.MessageReadWriteCloser) (*User, error) {
	for {
		challenge := make([]byte, 64)
		for i := 0; i < len(challenge); i++ {
			challenge[i] = byte(rand.Int() % 256)
		}

		response := &protocol.Message{
			ServerResponse: &protocol.ServerResponse{
				Challenge: &protocol.SSHChallenge{
					Challenge: challenge,
				},
			},
		}

		err := m.Write(response)
		if err != nil {
			return nil, err
		}

		challengeResponseMessage, err := m.Read()
		if err != nil {
			return nil, err
		}

		r := challengeResponseMessage.GetServerRequest()
		if r == nil {
			return nil, errors.New("not a server request")
		}
		cr := r.GetChallengeResponse()
		if cr == nil {
			return nil, errors.New("not a server request")
		}

		// Compose this into the proper format for Authenticate.
		sig := &ssh.Signature{
			Format: cr.GetFormat(),
			Blob:   cr.GetSignature(),
		}
		verifiedUser, err := sm.authenticator.Authenticate("derp", challenge, sig)
		if err != nil {
			return nil, err
		}
		if verifiedUser != nil {
			log.Debug("Verification completed for user %s!", verifiedUser.Username)
			return verifiedUser, nil
		}
		// continue around the loop, letting the client try another key
		verificationFailure := &protocol.Message{
			ServerResponse: &protocol.ServerResponse{
				VerificationFailure: &protocol.SSHVerificationFailure{},
			},
		}
		err = m.Write(verificationFailure)
		if err != nil {
			return nil, err
		}

	}
}
Esempio n. 2
0
func testHandler(msc protocol.MessageReadWriteCloser) {
	for {
		msg, _ := msc.Read()

		if pingReq := msg.GetPing(); pingReq != nil {
			pingResp := protocol.Ping_RESPONSE
			msc.Write(&protocol.Message{
				Ping: &protocol.Ping{
					Type: &pingResp,
				},
			})
		}

	}
}
Esempio n. 3
0
func DummyServer(c protocol.MessageReadWriteCloser) {
	for {
		msg, err := c.Read()
		if err != nil {
			return
		}

		if msg.GetServerRequest() != nil {
			serverRequest := msg.GetServerRequest()

			accessKey := "access"
			secret := "secret"
			token := "token"
			exp := int64(0)

			if serverRequest.GetAssumeRole() != nil {
				challenge := &protocol.Message{
					ServerResponse: &protocol.ServerResponse{
						Challenge: &protocol.SSHChallenge{
							Challenge: []byte("foo"),
						},
					},
				}
				err = c.Write(challenge)
			} else if serverRequest.GetChallengeResponse() != nil {
				creds := &protocol.Message{
					ServerResponse: &protocol.ServerResponse{
						Credentials: &protocol.STSCredentials{
							AccessKeyId:     &accessKey,
							SecretAccessKey: &secret,
							AccessToken:     &token,
							Expiration:      &exp,
						},
					},
				}
				err = c.Write(creds)
			}
		}
	}
}
Esempio n. 4
0
/*
ConnectionHandler is the root of the state machine created for
each socket that is opened.
*/
func (sm *server) HandleConnection(m protocol.MessageReadWriteCloser) {
	// Loop as long as we have this connection alive.
	log.Debug("Opening new connection handler.")
	for {
		recvMsg, err := m.Read()
		if err != nil {
			// EOFs are normal, so we don't want to report them as errors.
			if err.Error() != "EOF" {
				log.Errorf("Error reading data from stream: %s", err.Error())
			}
			// Right now the behaviour of this is to terminate the connection
			// when we run into an error; should it perhaps send a NAK response
			// and keep the connection open for another retry?
			break
		}

		if pingMsg := recvMsg.GetPing(); pingMsg != nil {
			sm.HandlePing(m, pingMsg)
		} else if reqMsg := recvMsg.GetServerRequest(); reqMsg != nil {
			sm.HandleServerRequest(m, reqMsg)
		}
	}
}
Esempio n. 5
0
func (h *cliHandler) HandleConnection(c protocol.MessageReadWriteCloser) {
	for {
		msg, err := c.Read()
		if err != nil {
			return
		}
		if msg.GetAgentRequest() != nil {
			dr := msg.GetAgentRequest()

			var (
				sshAgentSock string
				sshKeyBytes  []byte
			)

			sshAgentSock = dr.GetSshAgentSock()
			if sshAgentSock != "" {
				log.Debug("SSH_AUTH_SOCK included in this request: %s", sshAgentSock)
			}

			sshKeyBytes = dr.GetSshKeyFile()
			if sshKeyBytes != nil {
				log.Debug("SSH keyfile included in this request.")
			}

			SSHSetAgentSock(sshAgentSock, sshKeyBytes)

			if dr.GetAssumeRole() != nil {
				log.Debug("Handling AssumeRole request.")
				assumeRole := dr.GetAssumeRole()

				err := h.client.AssumeRole(assumeRole.GetRole())

				var agentResponse protocol.AgentResponse
				if err == nil {
					agentResponse.Success = &protocol.Success{}
				} else {
					log.Errorf(err.Error())
					e := err.Error()
					agentResponse.Failure = &protocol.Failure{
						ErrorMessage: &e,
					}
				}
				msg = &protocol.Message{
					AgentResponse: &agentResponse,
				}
				err = c.Write(msg)
				if err != nil {
					return
				}
			} else if dr.GetGetUserCredentials() != nil {
				log.Debug("Handling GetSessionToken request.")
				err := h.client.GetUserCredentials()

				var agentResponse protocol.AgentResponse
				if err == nil {
					agentResponse.Success = &protocol.Success{}
				} else {
					log.Errorf(err.Error())
					e := err.Error()
					agentResponse.Failure = &protocol.Failure{
						ErrorMessage: &e,
					}
				}
				msg = &protocol.Message{
					AgentResponse: &agentResponse,
				}
				err = c.Write(msg)
				if err != nil {
					return
				}
			} else {
				log.Errorf("Unexpected agent request: %s", dr)
				c.Close()
				return
			}
		} else {
			log.Errorf("Unexpected message: %s", msg)
			c.Close()
			return
		}
	}
}