// handleAuth checks authentication against etcd using CanConnect and sets the needed // environment variables for later parts of the builder to use. It takes in the SSH // connection metadata, the public key of the user, and returns the SSH // permissions of the connection and an error if they are not authorized. func handleAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { if conn.User() != "git" { return nil, ErrUnauthorized } keydata := string(bytes.TrimSpace(ssh.MarshalAuthorizedKey(key))) etcd := etcd.NewClient([]string{*etcduplink}) fp := utils.GetFingerprint(keydata) user, allowed := utils.CanConnect(etcd, keydata) if allowed { log.Printf("User %s (%s) accepted with fingerprint %s", user, conn.RemoteAddr().String(), fp) return &ssh.Permissions{ Extensions: map[string]string{ "environ": fmt.Sprintf("USER=%s\nKEY='%s'\nFINGERPRINT=%s\n", user, keydata, fp), "user": user, "fingerprint": fp, }, }, nil } else { log.Printf("Connection from %s rejected (bad key)", conn.RemoteAddr().String()) } return nil, ErrUnauthorized }
func (srv *Server) authUser(meta ssh.ConnMetadata, key ssh.PublicKey) (perm *ssh.Permissions, err error) { userid := meta.User() log.Debug("username from client: %s", userid) remote := meta.RemoteAddr() // split user and host from username i := strings.SplitN(userid, "@", 2) if len(i) < 2 { i = strings.SplitN(userid, "/", 2) if len(i) < 2 { err = ErrIllegalUserName log.Error("%s", err.Error()) return } } account := i[0] host := i[1] username, err := srv.findPubkey(key) if err != nil { log.Error("%s", err.Error()) return } scs, err := srv.createSshConnServer(username, remote.String(), account, host) if err != nil { log.Error("%s", err.Error()) return } if scs == nil { log.Error("can't create server") return } srv.mu.Lock() defer srv.mu.Unlock() srv.scss[remote] = scs return }
// Log all authentication attempts func HandleAuthLogCallback(conn ssh.ConnMetadata, method string, err error) { log.Printf("Login attempt for user %s from %s with client %s", conn.User(), conn.RemoteAddr(), string(conn.ClientVersion())) }