main: Force passphrase auth even with pubkey auth

2025-04-15 00:20:37 +03:00 · 2020-04-16 11:30:13 -04:00 · 2020-04-16 11:30:13 -04:00 · b1bce027ad
commit b1bce027ad
parent 77143ad1e6
1 changed files with 38 additions and 19 deletions
--- a/cmd/ssh-chat/cmd.go
+++ b/cmd/ssh-chat/cmd.go
@ -82,7 +82,8 @@ func main() {
 	}

 	logLevel := logLevels[numVerbose]
-	sshchat.SetLogger(golog.New(os.Stderr, logLevel))
+	logger := golog.New(os.Stderr, logLevel)
+	sshchat.SetLogger(logger)

 	if logLevel == log.Debug {
 		// Enable logging from submodules
@ -113,8 +114,13 @@ func main() {
 	config := sshd.MakeAuth(auth)
 	config.AddHostKey(signer)
 	config.ServerVersion = "SSH-2.0-Go ssh-chat"
+	// FIXME: Should we be using config.NoClientAuth = true by default?

 	if options.Passphrase != "" {
+		if options.Whitelist != "" {
+			logger.Warning("Passphrase is disabled while whitelist is enabled.")
+		}
+		{
 			cb := config.KeyboardInteractiveCallback
 			config.KeyboardInteractiveCallback = func(conn ssh.ConnMetadata, challenge ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) {
 				perm, err := cb(conn, challenge)
@ -135,6 +141,19 @@ func main() {
 				return nil, errors.New("incorrect passphrase")
 			}
 		}
+		{
+			// We also need to override the PublicKeyCallback to prevent rando pubkeys from bypassing
+			cb := config.PublicKeyCallback
+			config.PublicKeyCallback = func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+				perms, err := cb(conn, key)
+				if err == nil {
+					err = errors.New("passphrase authentication required")
+				}
+				return perms, err
+			}
+		}
+
+	}

 	s, err := sshd.ListenSSH(options.Bind, config)
 	if err != nil {