third-party-mirrors/ssh-chat
1
0
Fork 0
mirror of https://github.com/shazow/ssh-chat.git synced 2025-04-15 00:20:37 +03:00
Code Issues Projects Releases Wiki Activity

main: Force passphrase auth even with pubkey auth

Browse Source
This commit is contained in:
Andrey Petrov 2020-04-16 11:30:13 -04:00
parent 77143ad1e6
commit b1bce027ad
1 changed files with 38 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
cmd/ssh-chat/cmd.go
View File

@ -82,7 +82,8 @@ func main() {
} }
logLevel := logLevels[numVerbose] logLevel := logLevels[numVerbose]
sshchat.SetLogger(golog.New(os.Stderr, logLevel)) logger := golog.New(os.Stderr, logLevel)
sshchat.SetLogger(logger)
if logLevel == log.Debug { if logLevel == log.Debug {
// Enable logging from submodules // Enable logging from submodules
@ -113,27 +114,45 @@ func main() {
config := sshd.MakeAuth(auth) config := sshd.MakeAuth(auth)
config.AddHostKey(signer) config.AddHostKey(signer)
config.ServerVersion = "SSH-2.0-Go ssh-chat" config.ServerVersion = "SSH-2.0-Go ssh-chat"
// FIXME: Should we be using config.NoClientAuth = true by default?
if options.Passphrase != "" { if options.Passphrase != "" {
cb := config.KeyboardInteractiveCallback if options.Whitelist != "" {
config.KeyboardInteractiveCallback = func(conn ssh.ConnMetadata, challenge ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) { logger.Warning("Passphrase is disabled while whitelist is enabled.")
perm, err := cb(conn, challenge)
if err != nil {
return perm, err
}
answers, err := challenge("", "", []string{"Passphrase required to connect: "}, []bool{true})
if err != nil {
return nil, err
}
if len(answers) == 1 && answers[0] == options.Passphrase {
// Success
return perm, nil
}
// It's not gonna do much but may as well throttle brute force attempts a little
time.Sleep(2 * time.Second)
return nil, errors.New("incorrect passphrase")
} }
{
cb := config.KeyboardInteractiveCallback
config.KeyboardInteractiveCallback = func(conn ssh.ConnMetadata, challenge ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) {
perm, err := cb(conn, challenge)
if err != nil {
return perm, err
}
answers, err := challenge("", "", []string{"Passphrase required to connect: "}, []bool{true})
if err != nil {
return nil, err
}
if len(answers) == 1 && answers[0] == options.Passphrase {
// Success
return perm, nil
}
// It's not gonna do much but may as well throttle brute force attempts a little
time.Sleep(2 * time.Second)
return nil, errors.New("incorrect passphrase")
}
}
{
// We also need to override the PublicKeyCallback to prevent rando pubkeys from bypassing
cb := config.PublicKeyCallback
config.PublicKeyCallback = func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
perms, err := cb(conn, key)
if err == nil {
err = errors.New("passphrase authentication required")
}
return perms, err
}
}
} }
s, err := sshd.ListenSSH(options.Bind, config) s, err := sshd.ListenSSH(options.Bind, config)