func (l *sshListener) checkLogin(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
if bytes.Equal(key.Marshal(), l.id.PublicKey().Marshal()) && conn.User() == "termite" {
return nil, nil
}
return nil, fmt.Errorf("denied")
}
func checkAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
status, err := exitStatus(exec.Command(authChecker[0],
append(authChecker[1:], conn.User(), string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key))))...).Run())
if err != nil {
return nil, err
}
if status.Status == 0 {
return nil, nil
}
return nil, ErrUnauthorized
}
func HandlePublicKeyCallback(conn ssh.ConnMetadata, key ssh.PublicKey) (perm *ssh.Permissions, err error) {
publicKeys, err := userext.ReadUserAuthKeys(conn.User())
if err != nil {
return
}
for _, v := range publicKeys {
perm, err := new(ssh.CertChecker).Authenticate(conn, v)
if err != nil {
continue
}
return perm, nil
}
return
}
// handleAuth checks authentication against etcd using CanConnect and sets the needed
// environment variables for later parts of the builder to use. It takes in the SSH
// connection metadata, the public key of the user, and returns the SSH
// permissions of the connection and an error if they are not authorized.
func handleAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
if conn.User() != "git" {
return nil, ErrUnauthorized
}
keydata := string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key)))
etcd := etcd.NewClient([]string{*etcduplink})
fp := utils.GetFingerprint(keydata)
user, allowed := utils.CanConnect(etcd, keydata)
if allowed {
log.Printf("User %s (%s) accepted with fingerprint %s", user, conn.RemoteAddr().String(), fp)
return &ssh.Permissions{
Extensions: map[string]string{
"environ": fmt.Sprintf("USER=%s\nKEY='%s'\nFINGERPRINT=%s\n", user, keydata, fp),
"user": user,
"fingerprint": fp,
},
}, nil
} else {
log.Printf("Connection from %s rejected (bad key)", conn.RemoteAddr().String())
}
return nil, ErrUnauthorized
}
func (srv *Server) authUser(meta ssh.ConnMetadata, key ssh.PublicKey) (perm *ssh.Permissions, err error) {
userid := meta.User()
log.Debug("username from client: %s", userid)
remote := meta.RemoteAddr()
// split user and host from username
i := strings.SplitN(userid, "@", 2)
if len(i) < 2 {
i = strings.SplitN(userid, "/", 2)
if len(i) < 2 {
err = ErrIllegalUserName
log.Error("%s", err.Error())
return
}
}
account := i[0]
host := i[1]
username, err := srv.findPubkey(key)
if err != nil {
log.Error("%s", err.Error())
return
}
scs, err := srv.createSshConnServer(username, remote.String(), account, host)
if err != nil {
log.Error("%s", err.Error())
return
}
if scs == nil {
log.Error("can't create server")
return
}
srv.mu.Lock()
defer srv.mu.Unlock()
srv.scss[remote] = scs
return
}
// Log all authentication attempts
func HandleAuthLogCallback(conn ssh.ConnMetadata, method string, err error) {
log.Printf("Login attempt for user %s from %s with client %s",
conn.User(),
conn.RemoteAddr(),
string(conn.ClientVersion()))
}