Noratrieb/cluelessh
1
0
Fork 0
mirror of https://github.com/Noratrieb/cluelessh.git synced 2026-01-14 16:35:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Auth cleanup

Browse source
This commit is contained in:
nora 2024-08-30 01:21:50 +02:00
parent 5102c3ff64
commit 185d77e94f
7 changed files with 76 additions and 115 deletions
Download patch file Download diff file Expand all files Collapse all files

28
bin/cluelesshd/src/auth.rs
View file

@ -5,8 +5,9 @@ use std::io;
use cluelessh_keys::{
authorized_keys::{self, AuthorizedKeys},
public::{PublicKey, PublicKeyWithComment},
signature::Signature,
};
use cluelessh_protocol::auth::{CheckPubkey, VerifySignature};
use cluelessh_protocol::auth::VerifySignature;
use eyre::eyre;
use tracing::debug;
use users::{os::unix::UserExt, User};
@ -58,20 +59,13 @@ impl UserPublicKey {
}
}
pub fn verify_signature(&self, data: &[u8], signature: &[u8]) -> bool {
pub fn verify_signature(&self, data: &[u8], signature: &Signature) -> bool {
self.key.key.verify_signature(data, signature)
}
}
pub async fn verify_signature(auth: VerifySignature) -> eyre::Result<Option<User>> {
let Ok(public_key) = PublicKey::from_wire_encoding(&auth.pubkey) else {
return Ok(None);
};
if auth.pubkey_alg_name != public_key.algorithm_name() {
return Ok(None);
}
let result = UserPublicKey::for_user_and_key(auth.user.clone(), &public_key).await;
let result = UserPublicKey::for_user_and_key(auth.user.clone(), &auth.public_key).await;
debug!(user = %auth.user, err = ?result.as_ref().err(), "Attempting publickey signature");
@ -82,7 +76,7 @@ pub async fn verify_signature(auth: VerifySignature) -> eyre::Result<Option<User
let sign_data = cluelessh_keys::signature::signature_data(
auth.session_identifier,
&auth.user,
&public_key,
&auth.public_key,
);
if user_key.verify_signature(&sign_data, &auth.signature) {
@ -100,16 +94,10 @@ pub async fn verify_signature(auth: VerifySignature) -> eyre::Result<Option<User
}
}
pub async fn check_pubkey(auth: CheckPubkey) -> eyre::Result<bool> {
let Ok(public_key) = PublicKey::from_wire_encoding(&auth.pubkey) else {
return Ok(false);
};
if auth.pubkey_alg_name != public_key.algorithm_name() {
return Ok(false);
}
let result = UserPublicKey::for_user_and_key(auth.user.clone(), &public_key).await;
pub async fn check_pubkey(user: String, public_key: PublicKey) -> eyre::Result<bool> {
let result = UserPublicKey::for_user_and_key(user.clone(), &public_key).await;
debug!(user = %auth.user, err = ?result.as_ref().err(), "Attempting publickey check");
debug!(%user, err = ?result.as_ref().err(), "Attempting publickey check");
match result {
Ok(_) => Ok(true),

7
bin/cluelesshd/src/connection.rs
View file

@ -69,8 +69,7 @@ async fn connection_inner(state: SerializedConnectionState) -> Result<()> {
.verify_signature(
msg.user,
msg.session_identifier,
msg.pubkey_alg_name,
msg.pubkey,
msg.public_key,
msg.signature,
)
.await
@ -82,9 +81,7 @@ async fn connection_inner(state: SerializedConnectionState) -> Result<()> {
rpc_client
.check_public_key(
msg.user,
msg.session_identifier,
msg.pubkey_alg_name,
msg.pubkey,
msg.public_key,
)
.await
})

56
bin/cluelesshd/src/rpc.rs
View file

@ -12,7 +12,6 @@ use std::process::Stdio;
use cluelessh_keys::private::PlaintextPrivateKey;
use cluelessh_keys::public::PublicKey;
use cluelessh_keys::signature::Signature;
use cluelessh_protocol::auth::CheckPubkey;
use cluelessh_protocol::auth::VerifySignature;
use cluelessh_transport::crypto::AlgorithmName;
use eyre::bail;
@ -51,18 +50,15 @@ enum Request {
KeyExchange(KeyExchangeRequest),
CheckPublicKey {
user: String,
session_identifier: [u8; 32],
pubkey_alg_name: String,
pubkey: Vec<u8>,
pubkey: PublicKey,
},
/// Verify that the public key signature for the user is okay.
/// If it is okay, store the user so we can later spawn a process as them.
VerifySignature {
user: String,
session_identifier: [u8; 32],
pubkey_alg_name: String,
pubkey: Vec<u8>,
signature: Vec<u8>,
public_key: PublicKey,
signature: Signature,
},
/// Request a PTY. We create a new PTY and give the client an FD to the controller.
PtyReq(PtyRequest),
@ -253,26 +249,18 @@ impl Server {
}
Request::CheckPublicKey {
user,
session_identifier,
pubkey_alg_name,
pubkey,
pubkey: public_key,
} => {
let is_ok = crate::auth::check_pubkey(CheckPubkey {
user,
session_identifier,
pubkey_alg_name,
pubkey,
})
.await
.map_err(|err| err.to_string());
let is_ok = crate::auth::check_pubkey(user, public_key)
.await
.map_err(|err| err.to_string());
self.respond::<CheckPublicKeyResponse>(is_ok).await?;
}
Request::VerifySignature {
user,
session_identifier,
pubkey_alg_name,
pubkey,
public_key,
signature,
} => {
if self.authenticated_user.is_some() {
@ -282,8 +270,7 @@ impl Server {
let is_ok = crate::auth::verify_signature(VerifySignature {
user,
session_identifier,
pubkey_alg_name,
pubkey,
public_key,
signature,
})
.await
@ -492,35 +479,22 @@ impl Client {
})
}
pub async fn check_public_key(
&self,
user: String,
session_identifier: [u8; 32],
pubkey_alg_name: String,
pubkey: Vec<u8>,
) -> Result<bool> {
self.request_response::<CheckPublicKeyResponse>(&Request::CheckPublicKey {
user,
session_identifier,
pubkey_alg_name,
pubkey,
})
.await
pub async fn check_public_key(&self, user: String, pubkey: PublicKey) -> Result<bool> {
self.request_response::<CheckPublicKeyResponse>(&Request::CheckPublicKey { user, pubkey })
.await
}
pub async fn verify_signature(
&self,
user: String,
session_identifier: [u8; 32],
pubkey_alg_name: String,
pubkey: Vec<u8>,
signature: Vec<u8>,
public_key: PublicKey,
signature: Signature,
) -> Result<bool> {
self.request_response::<VerifySignatureResponse>(&Request::VerifySignature {
user,
session_identifier,
pubkey_alg_name,
pubkey,
public_key,
signature,
})
.await

38
lib/cluelessh-keys/src/public.rs
View file

@ -2,14 +2,15 @@
// <https://datatracker.ietf.org/doc/html/rfc4716> exists but is kinda weird
use std::fmt::Display;
use std::fmt::{Debug, Display};
use base64::Engine;
use tracing::debug;
use cluelessh_format::{ParseError, Reader, Writer};
#[derive(Debug, Clone, PartialEq, Eq)]
use crate::signature::Signature;
#[derive(Clone, PartialEq, Eq)]
pub enum PublicKey {
Ed25519 {
public_key: ed25519_dalek::VerifyingKey,
@ -87,27 +88,14 @@ impl PublicKey {
}
}
pub fn verify_signature(&self, data: &[u8], signature: &[u8]) -> bool {
pub fn verify_signature(&self, data: &[u8], signature: &Signature) -> bool {
match self {
PublicKey::Ed25519 { public_key } => {
let mut s = Reader::new(signature);
let Ok(alg) = s.utf8_string() else {
return false;
};
if alg != "ssh-ed25519" {
return false;
PublicKey::Ed25519 { public_key } => match signature {
Signature::Ed25519 { signature } => {
public_key.verify_strict(data, &signature).is_ok()
}
let Ok(signature) = s.string() else {
return false;
};
let Ok(signature) = ed25519_dalek::Signature::from_slice(signature) else {
debug!("Invalid signature length");
return false;
};
public_key.verify_strict(data, &signature).is_ok()
}
_ => false,
},
PublicKey::EcdsaSha2NistP256 { .. } => {
todo!("ecdsa-sha2-nistp256 signature verification")
}
@ -115,6 +103,12 @@ impl PublicKey {
}
}
impl Debug for PublicKey {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
Display::fmt(&self, f)
}
}
impl Display for PublicKey {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {

2
lib/cluelessh-keys/src/signature.rs
View file

@ -18,7 +18,7 @@ pub fn signature_data(session_id: [u8; 32], username: &str, pubkey: &PublicKey)
s.finish()
}
#[derive(Debug)]
#[derive(Debug, Clone, Copy)]
pub enum Signature {
Ed25519 { signature: ed25519_dalek::Signature },
EcdsaSha2NistP256 { signature: p256::ecdsa::Signature },

47
lib/cluelessh-protocol/src/lib.rs
View file

@ -277,6 +277,7 @@ pub mod auth {
use std::collections::{HashSet, VecDeque};
use cluelessh_format::{numbers, NameList};
use cluelessh_keys::{public::PublicKey, signature::Signature};
use cluelessh_transport::{packet::Packet, peer_error, Result};
use tracing::debug;
@ -293,7 +294,7 @@ pub mod auth {
pub enum ServerRequest {
VerifyPassword(VerifyPassword),
/// Check whether a pubkey is usable.
CheckPubkey(CheckPubkey),
CheckPubkey(CheckPublicKey),
/// Verify the signature from a pubkey.
VerifySignature(VerifySignature),
}
@ -305,20 +306,18 @@ pub mod auth {
}
#[derive(Debug, Clone)]
pub struct CheckPubkey {
pub struct CheckPublicKey {
pub user: String,
pub session_identifier: [u8; 32],
pub pubkey_alg_name: String,
pub pubkey: Vec<u8>,
pub public_key: PublicKey,
}
#[derive(Debug, Clone)]
pub struct VerifySignature {
pub user: String,
pub session_identifier: [u8; 32],
pub pubkey_alg_name: String,
pub pubkey: Vec<u8>,
pub signature: Vec<u8>,
pub public_key: PublicKey,
/// The signature. Guaranteed to match the algorithm of `public_key`.
pub signature: Signature,
}
#[derive(Debug, PartialEq, Eq, Hash)]
@ -405,24 +404,31 @@ pub mod auth {
let pubkey_alg_name = p.utf8_string()?;
let public_key_blob = p.string()?;
let public_key = PublicKey::from_wire_encoding(public_key_blob)?;
if pubkey_alg_name != public_key.algorithm_name() {
return Err(peer_error!("algorithm name mismatch"));
}
// Whether the client is just checking whether the public key is allowed.
if !has_signature {
self.server_requests
.push_back(ServerRequest::CheckPubkey(CheckPubkey {
self.server_requests.push_back(ServerRequest::CheckPubkey(
CheckPublicKey {
user: username.to_owned(),
session_identifier: self.session_ident,
pubkey_alg_name: pubkey_alg_name.to_owned(),
pubkey: public_key_blob.to_vec(),
}));
public_key,
},
));
} else {
let signature = p.string()?;
let signature = Signature::from_wire_encoding(signature)?;
if signature.algorithm_name() != public_key.algorithm_name() {
return Err(peer_error!("signature algorithm name mismatch"));
}
self.server_requests
.push_back(ServerRequest::VerifySignature(VerifySignature {
user: username.to_owned(),
session_identifier: self.session_ident,
pubkey_alg_name: pubkey_alg_name.to_owned(),
pubkey: public_key_blob.to_vec(),
signature: signature.to_vec(),
public_key,
signature,
}));
}
}
@ -443,9 +449,12 @@ pub mod auth {
Ok(())
}
pub fn pubkey_check_result(&mut self, is_ok: bool, alg: &str, key_blob: &[u8]) {
pub fn pubkey_check_result(&mut self, is_ok: bool, key: PublicKey) {
if is_ok {
self.queue_packet(Packet::new_msg_userauth_pk_ok(alg.as_bytes(), key_blob));
self.queue_packet(Packet::new_msg_userauth_pk_ok(
key.algorithm_name().as_bytes(),
&key.to_wire_encoding(),
));
} else {
self.send_failure();
// It's ok, don't treat this as a fatal failure.

13
lib/cluelessh-tokio/src/server.rs
View file

@ -14,7 +14,7 @@ use tokio::{
};
use cluelessh_protocol::{
auth::{AuthOption, CheckPubkey, VerifyPassword, VerifySignature},
auth::{AuthOption, CheckPublicKey, VerifyPassword, VerifySignature},
ChannelUpdateKind, SshStatus,
};
use eyre::{eyre, ContextCompat, OptionExt, Result, WrapErr};
@ -53,7 +53,7 @@ pub struct ServerConnection<S> {
enum Operation {
VerifyPassword(String, Result<bool>),
CheckPubkey(Result<bool>, String, Vec<u8>),
CheckPubkey(Result<bool>, PublicKey),
VerifySignature(String, Result<bool>),
KeyExchangeResponseReceived(Result<KeyExchangeResponse>),
}
@ -64,7 +64,7 @@ pub type AuthFn<A, R> = Arc<dyn Fn(A) -> BoxFuture<'static, R> + Send + Sync>;
pub struct ServerAuth {
pub verify_password: Option<AuthFn<VerifyPassword, Result<bool>>>,
pub verify_signature: Option<AuthFn<VerifySignature, Result<bool>>>,
pub check_pubkey: Option<AuthFn<CheckPubkey, Result<bool>>>,
pub check_pubkey: Option<AuthFn<CheckPublicKey, Result<bool>>>,
pub do_key_exchange: AuthFn<KeyExchangeParameters, Result<KeyExchangeResponse>>,
pub auth_banner: Option<String>,
}
@ -215,8 +215,7 @@ impl<S: AsyncRead + AsyncWrite> ServerConnection<S> {
let _ = send
.send(Operation::CheckPubkey(
result,
check_pubkey.pubkey_alg_name,
check_pubkey.pubkey,
check_pubkey.public_key,
))
.await;
});
@ -350,8 +349,8 @@ impl<S: AsyncRead + AsyncWrite> ServerConnection<S> {
Some(Operation::VerifySignature(user, result)) => if let Some(auth) = self.proto.auth() {
auth.verification_result(result?, user);
},
Some(Operation::CheckPubkey(result, alg, key_blob)) => if let Some(auth) = self.proto.auth() {
auth.pubkey_check_result(result?, &alg, &key_blob);
Some(Operation::CheckPubkey(result, public_key)) => if let Some(auth) = self.proto.auth() {
auth.pubkey_check_result(result?, public_key);
},
Some(Operation::VerifyPassword(user, result)) => if let Some(auth) = self.proto.auth() {
auth.verification_result(result?, user);