small fixes

2026-01-14 08:25:05 +01:00 · 2024-08-30 01:38:58 +02:00 · 2024-08-30 01:38:58 +02:00 · 026965bda5
commit 026965bda5
parent 185d77e94f
19 changed files with 124 additions and 106 deletions
--- a/bin/cluelessh-faked/src/main.rs
+++ b/bin/cluelessh-faked/src/main.rs
@ -102,6 +102,8 @@ async fn main() -> eyre::Result<()> {

    let transport_config = cluelessh_protocol::transport::server::ServerConfig {
        host_keys: pub_host_keys,
+        // This is definitely who we are.
+        server_identification: b"SSH-2.0-OpenSSH_9.7\r\n".to_vec(),
    };

    let mut listener =
--- a/bin/cluelessh/src/main.rs
+++ b/bin/cluelessh/src/main.rs
@ -69,7 +69,7 @@ async fn main() -> eyre::Result<()> {
                    result.wrap_err("failed to prompt password")
                })
            }),
-            sign_pubkey: Arc::new(move |session_identifier| {
+            sign_pubkey: Arc::new(move |session_id| {
                let mut attempted_public_keys = HashSet::new();
                let username = username.clone();
                Box::pin(async move {
@ -93,11 +93,8 @@ async fn main() -> eyre::Result<()> {
                    }
                    let pubkey = PublicKey::from_wire_encoding(&identity.key_blob)?;

-                    let sign_data = cluelessh_keys::signature::signature_data(
-                        session_identifier,
-                        &username,
-                        &pubkey,
-                    );
+                    let sign_data =
+                        cluelessh_keys::signature::signature_data(session_id.0, &username, &pubkey);
                    let signature = agent
                        .sign(&identity.key_blob, &sign_data, 0)
                        .await
--- a/bin/cluelesshd/src/auth.rs
+++ b/bin/cluelesshd/src/auth.rs
@ -74,7 +74,7 @@ pub async fn verify_signature(auth: VerifySignature) -> eyre::Result<Option<User
            // Verify signature...

            let sign_data = cluelessh_keys::signature::signature_data(
-                auth.session_identifier,
+                auth.session_id.0,
                &auth.user,
                &auth.public_key,
            );
--- a/bin/cluelesshd/src/config.rs
+++ b/bin/cluelesshd/src/config.rs
@ -80,7 +80,6 @@ fn default_false() -> bool {
    false
 }

-
 fn addr_default() -> IpAddr {
    IpAddr::V4(Ipv4Addr::UNSPECIFIED)
 }
--- a/bin/cluelesshd/src/connection.rs
+++ b/bin/cluelesshd/src/connection.rs
@ -52,7 +52,10 @@ async fn connection_inner(state: SerializedConnectionState) -> Result<()> {
    let stream = TcpStream::from_std(stream)?;

    let host_keys = state.pub_host_keys;
-    let transport_config = cluelessh_transport::server::ServerConfig { host_keys };
+    let transport_config = cluelessh_transport::server::ServerConfig {
+        host_keys,
+        server_identification: b"SSH-2.0-ClueleSSH_0.1\r\n".to_vec(),
+    };

    let rpc_client = unsafe { OwnedFd::from_raw_fd(PRIVSEP_CONNECTION_RPC_CLIENT_FD) };
    let rpc_client1 = Arc::new(rpc::Client::from_fd(rpc_client)?);
@ -66,25 +69,13 @@ async fn connection_inner(state: SerializedConnectionState) -> Result<()> {
            let rpc_client = rpc_client1.clone();
            Box::pin(async move {
                rpc_client
-                    .verify_signature(
-                        msg.user,
-                        msg.session_identifier,
-                        msg.public_key,
-                        msg.signature,
-                    )
+                    .verify_signature(msg.user, msg.session_id, msg.public_key, msg.signature)
                    .await
            })
        })),
        check_pubkey: Some(Arc::new(move |msg| {
            let rpc_client = rpc_client2.clone();
-            Box::pin(async move {
-                rpc_client
-                    .check_public_key(
-                        msg.user,
-                        msg.public_key,
-                    )
-                    .await
-            })
+            Box::pin(async move { rpc_client.check_public_key(msg.user, msg.public_key).await })
        })),
        auth_banner: config.auth.banner,
        do_key_exchange: Arc::new(move |msg| {
--- a/bin/cluelesshd/src/rpc.rs
+++ b/bin/cluelesshd/src/rpc.rs
@ -14,6 +14,7 @@ use cluelessh_keys::public::PublicKey;
 use cluelessh_keys::signature::Signature;
 use cluelessh_protocol::auth::VerifySignature;
 use cluelessh_transport::crypto::AlgorithmName;
+use cluelessh_transport::SessionId;
 use eyre::bail;
 use eyre::ensure;
 use eyre::eyre;
@ -56,7 +57,7 @@ enum Request {
    /// If it is okay, store the user so we can later spawn a process as them.
    VerifySignature {
        user: String,
-        session_identifier: [u8; 32],
+        session_id: SessionId,
        public_key: PublicKey,
        signature: Signature,
    },
@ -115,7 +116,7 @@ impl secrecy::DebugSecret for SerializableSharedSecret {}

 #[derive(Debug, Serialize, Deserialize)]
 pub struct KeyExchangeResponse {
-    pub hash: [u8; 32],
+    pub hash: SessionId,
    pub server_ephemeral_public_key: Vec<u8>,
    pub shared_secret: secrecy::Secret<SerializableSharedSecret>,
    pub signature: Signature,
@ -259,7 +260,7 @@ impl Server {
            }
            Request::VerifySignature {
                user,
-                session_identifier,
+                session_id,
                public_key,
                signature,
            } => {
@ -269,7 +270,7 @@ impl Server {
                }
                let is_ok = crate::auth::verify_signature(VerifySignature {
                    user,
-                    session_identifier,
+                    session_id,
                    public_key,
                    signature,
                })
@ -487,13 +488,13 @@ impl Client {
    pub async fn verify_signature(
        &self,
        user: String,
-        session_identifier: [u8; 32],
+        session_id: SessionId,
        public_key: PublicKey,
        signature: Signature,
    ) -> Result<bool> {
        self.request_response::<VerifySignatureResponse>(&Request::VerifySignature {
            user,
-            session_identifier,
+            session_id,
            public_key,
            signature,
        })
--- a/bin/cluelesshd/src/sandbox.rs
+++ b/bin/cluelesshd/src/sandbox.rs
@ -14,7 +14,9 @@ use rustix::{
 use seccompiler::{BpfProgram, SeccompAction, SeccompFilter, SeccompRule, TargetArch};
 use tracing::{debug, trace, warn};

-use crate::{SerializedConnectionState, PRIVSEP_CONNECTION_RPC_CLIENT_FD, PRIVSEP_CONNECTION_STREAM_FD};
+use crate::{
+    SerializedConnectionState, PRIVSEP_CONNECTION_RPC_CLIENT_FD, PRIVSEP_CONNECTION_STREAM_FD,
+};

 #[tracing::instrument(skip(state), ret)]
 pub fn drop_privileges(state: &SerializedConnectionState) -> Result<()> {
@ -228,12 +230,24 @@ fn seccomp() -> Result<()> {
            (libc::SYS_eventfd2, vec![]),
            (libc::SYS_epoll_wait, vec![]),
            (libc::SYS_epoll_ctl, vec![]),
-            (libc::SYS_fcntl, vec![]), // todo: restrict (72)
+            (libc::SYS_fcntl, vec![]), // todo: restrict this
            (libc::SYS_socketpair, vec![]),
-            (libc::SYS_sendmsg, vec![limit_fd(PRIVSEP_CONNECTION_RPC_CLIENT_FD)],),
-            (libc::SYS_recvmsg, vec![limit_fd(PRIVSEP_CONNECTION_RPC_CLIENT_FD)]),
-            (libc::SYS_sendto, vec![limit_fd(PRIVSEP_CONNECTION_STREAM_FD)]),
-            (libc::SYS_recvfrom, vec![limit_fd(PRIVSEP_CONNECTION_STREAM_FD)]),
+            (
+                libc::SYS_sendmsg,
+                vec![limit_fd(PRIVSEP_CONNECTION_RPC_CLIENT_FD)],
+            ),
+            (
+                libc::SYS_recvmsg,
+                vec![limit_fd(PRIVSEP_CONNECTION_RPC_CLIENT_FD)],
+            ),
+            (
+                libc::SYS_sendto,
+                vec![limit_fd(PRIVSEP_CONNECTION_STREAM_FD)],
+            ),
+            (
+                libc::SYS_recvfrom,
+                vec![limit_fd(PRIVSEP_CONNECTION_STREAM_FD)],
+            ),
            (libc::SYS_getrandom, vec![]),
            (libc::SYS_rt_sigaction, vec![]),
            (libc::SYS_rt_sigprocmask, vec![]),