func (l *sshListener) checkLogin(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { if bytes.Equal(key.Marshal(), l.id.PublicKey().Marshal()) && conn.User() == "termite" { return nil, nil } return nil, fmt.Errorf("denied") }
// handleAuth checks authentication against etcd using CanConnect and sets the needed // environment variables for later parts of the builder to use. It takes in the SSH // connection metadata, the public key of the user, and returns the SSH // permissions of the connection and an error if they are not authorized. func handleAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { if conn.User() != "git" { return nil, ErrUnauthorized } keydata := string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key))) etcd := etcd.NewClient([]string{*etcduplink}) fp := utils.GetFingerprint(keydata) user, allowed := utils.CanConnect(etcd, keydata) if allowed { log.Printf("User %s (%s) accepted with fingerprint %s", user, conn.RemoteAddr().String(), fp) return &ssh.Permissions{ Extensions: map[string]string{ "environ": fmt.Sprintf("USER=%s\nKEY='%s'\nFINGERPRINT=%s\n", user, keydata, fp), "user": user, "fingerprint": fp, }, }, nil } else { log.Printf("Connection from %s rejected (bad key)", conn.RemoteAddr().String()) } return nil, ErrUnauthorized }
func checkAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { status, err := exitStatus(exec.Command(authChecker[0], append(authChecker[1:], conn.User(), string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key))))...).Run()) if err != nil { return nil, err } if status.Status == 0 { return nil, nil } return nil, ErrUnauthorized }
func HandlePublicKeyCallback(conn ssh.ConnMetadata, key ssh.PublicKey) (perm *ssh.Permissions, err error) { publicKeys, err := userext.ReadUserAuthKeys(conn.User()) if err != nil { return } for _, v := range publicKeys { perm, err := new(ssh.CertChecker).Authenticate(conn, v) if err != nil { continue } return perm, nil } return }
func (srv *Server) authUser(meta ssh.ConnMetadata, key ssh.PublicKey) (perm *ssh.Permissions, err error) { userid := meta.User() log.Debug("username from client: %s", userid) remote := meta.RemoteAddr() // split user and host from username i := strings.SplitN(userid, "@", 2) if len(i) < 2 { i = strings.SplitN(userid, "/", 2) if len(i) < 2 { err = ErrIllegalUserName log.Error("%s", err.Error()) return } } account := i[0] host := i[1] username, err := srv.findPubkey(key) if err != nil { log.Error("%s", err.Error()) return } scs, err := srv.createSshConnServer(username, remote.String(), account, host) if err != nil { log.Error("%s", err.Error()) return } if scs == nil { log.Error("can't create server") return } srv.mu.Lock() defer srv.mu.Unlock() srv.scss[remote] = scs return }
// Log all authentication attempts func HandleAuthLogCallback(conn ssh.ConnMetadata, method string, err error) { log.Printf("Login attempt for user %s from %s with client %s", conn.User(), conn.RemoteAddr(), string(conn.ClientVersion())) }