mirror of
https://github.com/Noratrieb/cluelessh.git
synced 2026-01-14 16:35:06 +01:00
small fixes
This commit is contained in:
parent
185d77e94f
commit
026965bda5
19 changed files with 124 additions and 106 deletions
|
|
@ -74,7 +74,7 @@ pub async fn verify_signature(auth: VerifySignature) -> eyre::Result<Option<User
|
|||
// Verify signature...
|
||||
|
||||
let sign_data = cluelessh_keys::signature::signature_data(
|
||||
auth.session_identifier,
|
||||
auth.session_id.0,
|
||||
&auth.user,
|
||||
&auth.public_key,
|
||||
);
|
||||
|
|
|
|||
|
|
@ -80,7 +80,6 @@ fn default_false() -> bool {
|
|||
false
|
||||
}
|
||||
|
||||
|
||||
fn addr_default() -> IpAddr {
|
||||
IpAddr::V4(Ipv4Addr::UNSPECIFIED)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -52,7 +52,10 @@ async fn connection_inner(state: SerializedConnectionState) -> Result<()> {
|
|||
let stream = TcpStream::from_std(stream)?;
|
||||
|
||||
let host_keys = state.pub_host_keys;
|
||||
let transport_config = cluelessh_transport::server::ServerConfig { host_keys };
|
||||
let transport_config = cluelessh_transport::server::ServerConfig {
|
||||
host_keys,
|
||||
server_identification: b"SSH-2.0-ClueleSSH_0.1\r\n".to_vec(),
|
||||
};
|
||||
|
||||
let rpc_client = unsafe { OwnedFd::from_raw_fd(PRIVSEP_CONNECTION_RPC_CLIENT_FD) };
|
||||
let rpc_client1 = Arc::new(rpc::Client::from_fd(rpc_client)?);
|
||||
|
|
@ -66,25 +69,13 @@ async fn connection_inner(state: SerializedConnectionState) -> Result<()> {
|
|||
let rpc_client = rpc_client1.clone();
|
||||
Box::pin(async move {
|
||||
rpc_client
|
||||
.verify_signature(
|
||||
msg.user,
|
||||
msg.session_identifier,
|
||||
msg.public_key,
|
||||
msg.signature,
|
||||
)
|
||||
.verify_signature(msg.user, msg.session_id, msg.public_key, msg.signature)
|
||||
.await
|
||||
})
|
||||
})),
|
||||
check_pubkey: Some(Arc::new(move |msg| {
|
||||
let rpc_client = rpc_client2.clone();
|
||||
Box::pin(async move {
|
||||
rpc_client
|
||||
.check_public_key(
|
||||
msg.user,
|
||||
msg.public_key,
|
||||
)
|
||||
.await
|
||||
})
|
||||
Box::pin(async move { rpc_client.check_public_key(msg.user, msg.public_key).await })
|
||||
})),
|
||||
auth_banner: config.auth.banner,
|
||||
do_key_exchange: Arc::new(move |msg| {
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ use cluelessh_keys::public::PublicKey;
|
|||
use cluelessh_keys::signature::Signature;
|
||||
use cluelessh_protocol::auth::VerifySignature;
|
||||
use cluelessh_transport::crypto::AlgorithmName;
|
||||
use cluelessh_transport::SessionId;
|
||||
use eyre::bail;
|
||||
use eyre::ensure;
|
||||
use eyre::eyre;
|
||||
|
|
@ -56,7 +57,7 @@ enum Request {
|
|||
/// If it is okay, store the user so we can later spawn a process as them.
|
||||
VerifySignature {
|
||||
user: String,
|
||||
session_identifier: [u8; 32],
|
||||
session_id: SessionId,
|
||||
public_key: PublicKey,
|
||||
signature: Signature,
|
||||
},
|
||||
|
|
@ -115,7 +116,7 @@ impl secrecy::DebugSecret for SerializableSharedSecret {}
|
|||
|
||||
#[derive(Debug, Serialize, Deserialize)]
|
||||
pub struct KeyExchangeResponse {
|
||||
pub hash: [u8; 32],
|
||||
pub hash: SessionId,
|
||||
pub server_ephemeral_public_key: Vec<u8>,
|
||||
pub shared_secret: secrecy::Secret<SerializableSharedSecret>,
|
||||
pub signature: Signature,
|
||||
|
|
@ -259,7 +260,7 @@ impl Server {
|
|||
}
|
||||
Request::VerifySignature {
|
||||
user,
|
||||
session_identifier,
|
||||
session_id,
|
||||
public_key,
|
||||
signature,
|
||||
} => {
|
||||
|
|
@ -269,7 +270,7 @@ impl Server {
|
|||
}
|
||||
let is_ok = crate::auth::verify_signature(VerifySignature {
|
||||
user,
|
||||
session_identifier,
|
||||
session_id,
|
||||
public_key,
|
||||
signature,
|
||||
})
|
||||
|
|
@ -487,13 +488,13 @@ impl Client {
|
|||
pub async fn verify_signature(
|
||||
&self,
|
||||
user: String,
|
||||
session_identifier: [u8; 32],
|
||||
session_id: SessionId,
|
||||
public_key: PublicKey,
|
||||
signature: Signature,
|
||||
) -> Result<bool> {
|
||||
self.request_response::<VerifySignatureResponse>(&Request::VerifySignature {
|
||||
user,
|
||||
session_identifier,
|
||||
session_id,
|
||||
public_key,
|
||||
signature,
|
||||
})
|
||||
|
|
|
|||
|
|
@ -14,7 +14,9 @@ use rustix::{
|
|||
use seccompiler::{BpfProgram, SeccompAction, SeccompFilter, SeccompRule, TargetArch};
|
||||
use tracing::{debug, trace, warn};
|
||||
|
||||
use crate::{SerializedConnectionState, PRIVSEP_CONNECTION_RPC_CLIENT_FD, PRIVSEP_CONNECTION_STREAM_FD};
|
||||
use crate::{
|
||||
SerializedConnectionState, PRIVSEP_CONNECTION_RPC_CLIENT_FD, PRIVSEP_CONNECTION_STREAM_FD,
|
||||
};
|
||||
|
||||
#[tracing::instrument(skip(state), ret)]
|
||||
pub fn drop_privileges(state: &SerializedConnectionState) -> Result<()> {
|
||||
|
|
@ -228,12 +230,24 @@ fn seccomp() -> Result<()> {
|
|||
(libc::SYS_eventfd2, vec![]),
|
||||
(libc::SYS_epoll_wait, vec![]),
|
||||
(libc::SYS_epoll_ctl, vec![]),
|
||||
(libc::SYS_fcntl, vec![]), // todo: restrict (72)
|
||||
(libc::SYS_fcntl, vec![]), // todo: restrict this
|
||||
(libc::SYS_socketpair, vec![]),
|
||||
(libc::SYS_sendmsg, vec![limit_fd(PRIVSEP_CONNECTION_RPC_CLIENT_FD)],),
|
||||
(libc::SYS_recvmsg, vec![limit_fd(PRIVSEP_CONNECTION_RPC_CLIENT_FD)]),
|
||||
(libc::SYS_sendto, vec![limit_fd(PRIVSEP_CONNECTION_STREAM_FD)]),
|
||||
(libc::SYS_recvfrom, vec![limit_fd(PRIVSEP_CONNECTION_STREAM_FD)]),
|
||||
(
|
||||
libc::SYS_sendmsg,
|
||||
vec![limit_fd(PRIVSEP_CONNECTION_RPC_CLIENT_FD)],
|
||||
),
|
||||
(
|
||||
libc::SYS_recvmsg,
|
||||
vec![limit_fd(PRIVSEP_CONNECTION_RPC_CLIENT_FD)],
|
||||
),
|
||||
(
|
||||
libc::SYS_sendto,
|
||||
vec![limit_fd(PRIVSEP_CONNECTION_STREAM_FD)],
|
||||
),
|
||||
(
|
||||
libc::SYS_recvfrom,
|
||||
vec![limit_fd(PRIVSEP_CONNECTION_STREAM_FD)],
|
||||
),
|
||||
(libc::SYS_getrandom, vec![]),
|
||||
(libc::SYS_rt_sigaction, vec![]),
|
||||
(libc::SYS_rt_sigprocmask, vec![]),
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue