Noratrieb/cluelessh
1
0
Fork 0
mirror of https://github.com/Noratrieb/cluelessh.git synced 2026-01-14 16:35:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Auth cleanup

Browse source
This commit is contained in:
nora 2024-08-30 01:21:50 +02:00
parent 5102c3ff64
commit 185d77e94f
7 changed files with 76 additions and 115 deletions
Download patch file Download diff file Expand all files Collapse all files

28
bin/cluelesshd/src/auth.rs
View file

@ -5,8 +5,9 @@ use std::io;
use cluelessh_keys::{
authorized_keys::{self, AuthorizedKeys},
public::{PublicKey, PublicKeyWithComment},
signature::Signature,
};
use cluelessh_protocol::auth::{CheckPubkey, VerifySignature};
use cluelessh_protocol::auth::VerifySignature;
use eyre::eyre;
use tracing::debug;
use users::{os::unix::UserExt, User};
@ -58,20 +59,13 @@ impl UserPublicKey {
}
}
pub fn verify_signature(&self, data: &[u8], signature: &[u8]) -> bool {
pub fn verify_signature(&self, data: &[u8], signature: &Signature) -> bool {
self.key.key.verify_signature(data, signature)
}
}
pub async fn verify_signature(auth: VerifySignature) -> eyre::Result<Option<User>> {
let Ok(public_key) = PublicKey::from_wire_encoding(&auth.pubkey) else {
return Ok(None);
};
if auth.pubkey_alg_name != public_key.algorithm_name() {
return Ok(None);
}
let result = UserPublicKey::for_user_and_key(auth.user.clone(), &public_key).await;
let result = UserPublicKey::for_user_and_key(auth.user.clone(), &auth.public_key).await;
debug!(user = %auth.user, err = ?result.as_ref().err(), "Attempting publickey signature");
@ -82,7 +76,7 @@ pub async fn verify_signature(auth: VerifySignature) -> eyre::Result<Option<User
let sign_data = cluelessh_keys::signature::signature_data(
auth.session_identifier,
&auth.user,
&public_key,
&auth.public_key,
);
if user_key.verify_signature(&sign_data, &auth.signature) {
@ -100,16 +94,10 @@ pub async fn verify_signature(auth: VerifySignature) -> eyre::Result<Option<User
}
}
pub async fn check_pubkey(auth: CheckPubkey) -> eyre::Result<bool> {
let Ok(public_key) = PublicKey::from_wire_encoding(&auth.pubkey) else {
return Ok(false);
};
if auth.pubkey_alg_name != public_key.algorithm_name() {
return Ok(false);
}
let result = UserPublicKey::for_user_and_key(auth.user.clone(), &public_key).await;
pub async fn check_pubkey(user: String, public_key: PublicKey) -> eyre::Result<bool> {
let result = UserPublicKey::for_user_and_key(user.clone(), &public_key).await;
debug!(user = %auth.user, err = ?result.as_ref().err(), "Attempting publickey check");
debug!(%user, err = ?result.as_ref().err(), "Attempting publickey check");
match result {
Ok(_) => Ok(true),

7
bin/cluelesshd/src/connection.rs
View file

@ -69,8 +69,7 @@ async fn connection_inner(state: SerializedConnectionState) -> Result<()> {
.verify_signature(
msg.user,
msg.session_identifier,
msg.pubkey_alg_name,
msg.pubkey,
msg.public_key,
msg.signature,
)
.await
@ -82,9 +81,7 @@ async fn connection_inner(state: SerializedConnectionState) -> Result<()> {
rpc_client
.check_public_key(
msg.user,
msg.session_identifier,
msg.pubkey_alg_name,
msg.pubkey,
msg.public_key,
)
.await
})

56
bin/cluelesshd/src/rpc.rs
View file

@ -12,7 +12,6 @@ use std::process::Stdio;
use cluelessh_keys::private::PlaintextPrivateKey;
use cluelessh_keys::public::PublicKey;
use cluelessh_keys::signature::Signature;
use cluelessh_protocol::auth::CheckPubkey;
use cluelessh_protocol::auth::VerifySignature;
use cluelessh_transport::crypto::AlgorithmName;
use eyre::bail;
@ -51,18 +50,15 @@ enum Request {
KeyExchange(KeyExchangeRequest),
CheckPublicKey {
user: String,
session_identifier: [u8; 32],
pubkey_alg_name: String,
pubkey: Vec<u8>,
pubkey: PublicKey,
},
/// Verify that the public key signature for the user is okay.
/// If it is okay, store the user so we can later spawn a process as them.
VerifySignature {
user: String,
session_identifier: [u8; 32],
pubkey_alg_name: String,
pubkey: Vec<u8>,
signature: Vec<u8>,
public_key: PublicKey,
signature: Signature,
},
/// Request a PTY. We create a new PTY and give the client an FD to the controller.
PtyReq(PtyRequest),
@ -253,26 +249,18 @@ impl Server {
}
Request::CheckPublicKey {
user,
session_identifier,
pubkey_alg_name,
pubkey,
pubkey: public_key,
} => {
let is_ok = crate::auth::check_pubkey(CheckPubkey {
user,
session_identifier,
pubkey_alg_name,
pubkey,
})
.await
.map_err(|err| err.to_string());
let is_ok = crate::auth::check_pubkey(user, public_key)
.await
.map_err(|err| err.to_string());
self.respond::<CheckPublicKeyResponse>(is_ok).await?;
}
Request::VerifySignature {
user,
session_identifier,
pubkey_alg_name,
pubkey,
public_key,
signature,
} => {
if self.authenticated_user.is_some() {
@ -282,8 +270,7 @@ impl Server {
let is_ok = crate::auth::verify_signature(VerifySignature {
user,
session_identifier,
pubkey_alg_name,
pubkey,
public_key,
signature,
})
.await
@ -492,35 +479,22 @@ impl Client {
})
}
pub async fn check_public_key(
&self,
user: String,
session_identifier: [u8; 32],
pubkey_alg_name: String,
pubkey: Vec<u8>,
) -> Result<bool> {
self.request_response::<CheckPublicKeyResponse>(&Request::CheckPublicKey {
user,
session_identifier,
pubkey_alg_name,
pubkey,
})
.await
pub async fn check_public_key(&self, user: String, pubkey: PublicKey) -> Result<bool> {
self.request_response::<CheckPublicKeyResponse>(&Request::CheckPublicKey { user, pubkey })
.await
}
pub async fn verify_signature(
&self,
user: String,
session_identifier: [u8; 32],
pubkey_alg_name: String,
pubkey: Vec<u8>,
signature: Vec<u8>,
public_key: PublicKey,
signature: Signature,
) -> Result<bool> {
self.request_response::<VerifySignatureResponse>(&Request::VerifySignature {
user,
session_identifier,
pubkey_alg_name,
pubkey,
public_key,
signature,
})
.await