Пример #1
0
/* ci returns a string containing info from an ssh.ConnMetadata */
func ci(m ssh.ConnMetadata) string {
	return fmt.Sprintf(
		"Address:%v Target:%v Version:%q User:%q",
		m.RemoteAddr(),
		victimName(m),
		m.ClientVersion(),
		m.User(),
	)
}
Пример #2
0
/* logAttempt logs an authorization attempt. */
func logAttempt(conn ssh.ConnMetadata, method, cred string, suc bool) {
	log.Printf(
		"Address:%v Authorization Attempt Version:%q User:%q %v:%q "+
			"Successful:%v",
		conn.RemoteAddr(),
		string(conn.ClientVersion()),
		conn.User(),
		method,
		cred,
		suc,
	)
}
Пример #3
0
func passAuthCallback(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {
	guid := uuid.NewV4()
	ip, remotePort := parseIpPortFrom(conn)
	login := SshLogin{RemoteAddr: ip,
		RemotePort: remotePort,
		Username:   conn.User(),
		Password:   string(password),
		Guid:       guid.String(),
		Version:    string(conn.ClientVersion()),
		LoginType:  "password",
	}
	login.Save()
	return &ssh.Permissions{Extensions: map[string]string{"guid": guid.String()}}, nil
}
Пример #4
0
// authPassword records any incoming request trying to auth with a username/password
func authPassword(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {

	r := &AuthEvent{
		Time:        fmt.Sprintf("%d", time.Now().Unix()),
		AuthType:    "sshPass",
		SrcIP:       strings.Split(conn.RemoteAddr().String(), ":")[0],
		DestIP:      extIP,
		User:        conn.User(),
		TypeData:    fmt.Sprintf("client-version: %s", strconv.QuoteToASCII(string(conn.ClientVersion()))),
		Credentials: strconv.QuoteToASCII(string(password)),
	}

	addToBatch(r)

	return nil, errAuthenticationFailed
}
Пример #5
0
func keyAuthCallback(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
	guid := uuid.NewV4()
	ip, remotePort := parseIpPortFrom(conn)
	login := SshLogin{RemoteAddr: ip,
		RemotePort: remotePort,
		Username:   conn.User(),
		Guid:       guid.String(),
		Version:    string(conn.ClientVersion()),
		PublicKey:  key.Marshal(),
		KeyType:    string(key.Type()),
		LoginType:  "key",
	}
	go login.Save()
	//log.Println("Fail to authenticate", conn, ":", err)
	//return nil, errors.New("invalid authentication")
	return &ssh.Permissions{Extensions: map[string]string{"guid": guid.String()}}, nil
}
Пример #6
0
/* decidePassword decides whether the connection attempt is allowed and logs
the attempt with the auth type (password, keyboard-interactive). */
func decidePassword(
	conn ssh.ConnMetadata,
	password []byte,
	authType string,
) (*ssh.Permissions, error) {
	/* Check if the version string is on the whitelist */
	/* Check if the version string is on the blacklist */
	/* TODO: Finish these */

	u := conn.User()      /* Username */
	p := string(password) /* Password */
	ua := false           /* User allowed */
	pa := false           /* Password allowed */

	/* Make sure the client's version is allowed */
	if !versionAllowed(string(conn.ClientVersion())) {
		log.Printf("%v VersionFail", ci(conn))
		return nil, fmt.Errorf("version")
	}

	/* Check if the username is allowed */
	if _, ok := allowedUsers[u]; ok {
		ua = true
	}

	/* Check if the password is allowed for all users */
	if _, ok := allowedPasswords[p]; ok {
		pa = true
	}

	/* Check if there's a user-specific password if he's not allowed yet */
	if !ua || !pa {
		if ps, ok := allowedUserPasswords[u]; ok {
			if _, ok := ps[p]; ok {
				ua = true
				pa = true
			}
		}
	}

	/* If there's a random chance, apply it and save the password */
	if !ua || !pa && 0 != allowedRandProb {
		if rand.Float64() < allowedRandProb {
			/* If we're here, we win */
			ua = true
			pa = true
			/* Save if we're meant to */
			if saveAllowedPasswords {
				saveUserPass(u, p)
				verbose("Saved allowed creds: %q / %q", u, p)
			}
		}
	}

	/* If the user's allowed, log it, give up */
	if ua && pa {
		log.Printf("%v Type:%v PasswordOK:%q", ci(conn), authType, p)
		return nil, nil
	}

	/* If not, :( */
	log.Printf("%v Type:%v PasswordFail:%q", ci(conn), authType, p)
	return nil, fmt.Errorf("no")

}
Пример #7
0
// authKey records any incoming request trying to auth with an ssh key
func authKey(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {

	r := &AuthEvent{
		Time:     fmt.Sprintf("%d", time.Now().Unix()),
		AuthType: "sshKey",
		SrcIP:    strings.Split(conn.RemoteAddr().String(), ":")[0],
		DestIP:   extIP,
		User:     conn.User(),
		TypeData: fmt.Sprintf("ssh-key-type: %s client-version: %s", key.Type(), strconv.QuoteToASCII(string(conn.ClientVersion()))),
	}

	h := sha256.New()
	h.Write(key.Marshal())
	r.Credentials = base64.StdEncoding.EncodeToString(h.Sum(nil))

	addToBatch(r)

	return nil, errAuthenticationFailed
}