Noratrieb/cluelessh
1
0
Fork 0
mirror of https://github.com/Noratrieb/cluelessh.git synced 2026-01-14 16:35:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

stuff

Browse source
This commit is contained in:
nora 2024-08-25 18:42:19 +02:00
parent 8114b5a195
commit d41e474f33
9 changed files with 174 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

1
Cargo.lock generated
View file

@ -438,6 +438,7 @@ dependencies = [
"tokio",
"tracing",
"tracing-subscriber",
"users",
]
[[package]]

5
bin/cluelessh-faked/src/main.rs
View file

@ -43,10 +43,11 @@ async fn main() -> eyre::Result<()> {
info!(password = %auth.password, "Got password");
// Don't worry queen, your password is correct!
Ok(())
Ok(true)
})
})),
verify_pubkey: None,
check_pubkey: None,
verify_signature: None,
auth_banner: Some(
"\
!! this system ONLY allows catgirls to enter !!\r\n\

1
bin/cluelesshd/Cargo.toml
View file

@ -12,6 +12,7 @@ tracing.workspace = true
eyre.workspace = true
tracing-subscriber = { version = "0.3.18", features = ["env-filter", "json"] }
rustix = { version = "0.38.34", features = ["pty", "termios", "procfs", "process", "stdio"] }
users = "0.11.0"
[lints]
workspace = true

42
bin/cluelesshd/src/main.rs
View file

@ -3,7 +3,7 @@ mod pty;
use std::{io, net::SocketAddr, process::ExitStatus, sync::Arc};
use cluelessh_tokio::{server::ServerAuthVerify, Channel};
use eyre::{bail, Context, Result};
use eyre::{bail, Context, OptionExt, Result};
use pty::Pty;
use rustix::termios::Winsize;
use tokio::{
@ -18,6 +18,7 @@ use cluelessh_protocol::{
ChannelUpdateKind, SshStatus,
};
use tracing_subscriber::EnvFilter;
use users::os::unix::UserExt;
#[tokio::main(flavor = "current_thread")]
async fn main() -> eyre::Result<()> {
@ -36,16 +37,22 @@ async fn main() -> eyre::Result<()> {
let listener = TcpListener::bind(addr).await.wrap_err("binding listener")?;
let auth_verify = ServerAuthVerify {
verify_password: Some(Arc::new(|auth| {
verify_password: None,
verify_signature: Some(Arc::new(|auth| {
Box::pin(async move {
debug!(user = %auth.user, "Attempting password login");
// Don't worry queen, your password is correct!
debug!(user = %auth.user, "Attempting publickey login");
warn!("Letting in unauthenticated user");
Ok(())
Ok(true)
})
})),
verify_pubkey: None,
auth_banner: Some("welcome to my server!!!\r\ni hope you enjoy our stay.\r\n".to_owned()),
check_pubkey: Some(Arc::new(|auth| {
Box::pin(async move {
debug!(user = %auth.user, "Attempting publickey check");
warn!("Letting in unauthenticated user");
Ok(true)
})
})),
auth_banner: Some("welcome to my server!!!\r\ni hope you enjoy your stay.\r\n".to_owned()),
};
let mut listener = cluelessh_tokio::server::ServerListener::new(listener, auth_verify);
@ -95,9 +102,10 @@ async fn handle_connection(
}
while let Some(channel) = conn.next_new_channel() {
let user = conn.inner().authenticated_user().unwrap().to_owned();
if *channel.kind() == ChannelKind::Session {
tokio::spawn(async {
let _ = handle_session_channel(channel).await;
tokio::spawn(async move {
let _ = handle_session_channel(user, channel).await;
});
} else {
warn!("Trying to open non-session channel");
@ -107,16 +115,18 @@ async fn handle_connection(
}
struct SessionState {
user: String,
pty: Option<Pty>,
channel: Channel,
process_exit_send: mpsc::Sender<Result<ExitStatus, io::Error>>,
process_exit_recv: mpsc::Receiver<Result<ExitStatus, io::Error>>,
}
async fn handle_session_channel(channel: Channel) -> Result<()> {
async fn handle_session_channel(user: String, channel: Channel) -> Result<()> {
let (process_exit_send, process_exit_recv) = tokio::sync::mpsc::channel(1);
let mut state = SessionState {
user,
pty: None,
channel,
process_exit_send,
@ -200,7 +210,13 @@ impl SessionState {
}
}
ChannelRequest::Shell { want_reply } => {
let shell = "bash";
let user = self.user.clone();
let user =
tokio::task::spawn_blocking(move || users::get_user_by_name(&user))
.await?
.ok_or_eyre("failed to find user")?;
let shell = user.shell();
let mut cmd = Command::new(shell);
cmd.env_clear();
@ -210,8 +226,8 @@ impl SessionState {
}
// TODO: **user** home directory
cmd.current_dir(std::env::var("HOME").unwrap_or_else(|_| "/".to_owned()));
cmd.env("USER", "nora");
cmd.current_dir(user.home_dir());
cmd.env("USER", user.name());
let mut shell = cmd.spawn()?;
let process_exit_send = self.process_exit_send.clone();

12
bin/cluelesshd/src/pty.rs
View file

@ -3,7 +3,6 @@
use std::{
io::{Read, Write},
os::fd::{AsRawFd, BorrowedFd, OwnedFd},
path::PathBuf,
};
use eyre::{Context, Result};
@ -24,6 +23,7 @@ pub struct Pty {
pub ctrl_write_send: mpsc::Sender<Vec<u8>>,
pub ctrl_read_recv: mpsc::Receiver<Vec<u8>>,
user_pty: OwnedFd,
user_pty_name: String,
}
impl Pty {
@ -37,12 +37,12 @@ impl Pty {
rustix::pty::unlockpt(&controller).wrap_err("unlocking pty")?;
let user_pty_name = rustix::pty::ptsname(&controller, Vec::new())?;
let user_pty_name =
std::str::from_utf8(user_pty_name.as_bytes()).wrap_err("pty name is invalid UTF-8")?;
let user_pty_name = PathBuf::from(user_pty_name);
let user_pty_name = std::str::from_utf8(user_pty_name.as_bytes())
.wrap_err("pty name is invalid UTF-8")?
.to_owned();
let user_pty =
rustix::fs::open(user_pty_name, OFlags::RDWR | OFlags::NOCTTY, Mode::empty())?;
rustix::fs::open(&user_pty_name, OFlags::RDWR | OFlags::NOCTTY, Mode::empty())?;
// Configure terminal:
rustix::termios::tcsetwinsize(&user_pty, winsize)?;
@ -85,6 +85,7 @@ impl Pty {
ctrl_write_send,
ctrl_read_recv,
user_pty,
user_pty_name,
})
}
@ -106,6 +107,7 @@ impl Pty {
Ok(())
});
cmd.env("TERM", &self.term);
cmd.env("SSH_TTY", &self.user_pty_name);
}
Ok(())

104
lib/cluelessh-protocol/src/lib.rs
View file

@ -26,7 +26,7 @@ pub struct ServerConnection {
enum ServerConnectionState {
Setup(HashSet<AuthOption>, Option<String>),
Auth(auth::ServerAuth),
Open(cluelessh_connection::ChannelsState),
Open(cluelessh_connection::ChannelsState, String),
}
impl ServerConnection {
@ -63,7 +63,7 @@ impl ServerConnection {
self.transport.send_plaintext_packet(to_send);
}
}
ServerConnectionState::Open(con) => {
ServerConnectionState::Open(con, _) => {
con.recv_packet(packet)?;
}
}
@ -81,7 +81,7 @@ impl ServerConnection {
pub fn next_channel_update(&mut self) -> Option<cluelessh_connection::ChannelUpdate> {
match &mut self.state {
ServerConnectionState::Setup(..) | ServerConnectionState::Auth(_) => None,
ServerConnectionState::Open(con) => con.next_channel_update(),
ServerConnectionState::Open(con, _) => con.next_channel_update(),
}
}
@ -90,7 +90,7 @@ impl ServerConnection {
ServerConnectionState::Setup(..) | ServerConnectionState::Auth(_) => {
panic!("tried to get connection before it is ready")
}
ServerConnectionState::Open(con) => {
ServerConnectionState::Open(con, _) => {
con.do_operation(op);
self.progress();
}
@ -104,12 +104,14 @@ impl ServerConnection {
for to_send in auth.packets_to_send() {
self.transport.send_plaintext_packet(to_send);
}
if auth.is_authenticated() {
self.state =
ServerConnectionState::Open(cluelessh_connection::ChannelsState::new(true));
if let Some(user) = auth.authenticated_user() {
self.state = ServerConnectionState::Open(
cluelessh_connection::ChannelsState::new(true),
user.to_owned(),
);
}
}
ServerConnectionState::Open(con) => {
ServerConnectionState::Open(con, _) => {
for to_send in con.packets_to_send() {
self.transport.send_plaintext_packet(to_send);
}
@ -119,7 +121,7 @@ impl ServerConnection {
pub fn channels(&mut self) -> Option<&mut cluelessh_connection::ChannelsState> {
match &mut self.state {
ServerConnectionState::Open(channels) => Some(channels),
ServerConnectionState::Open(channels, _) => Some(channels),
_ => None,
}
}
@ -130,6 +132,13 @@ impl ServerConnection {
_ => None,
}
}
pub fn authenticated_user(&self) -> Option<&str> {
match &self.state {
ServerConnectionState::Open(_, user) => Some(user),
_ => None,
}
}
}
pub struct ClientConnection {
@ -263,7 +272,7 @@ pub mod auth {
pub struct ServerAuth {
has_failed: bool,
packets_to_send: VecDeque<Packet>,
is_authenticated: bool,
is_authenticated: Option<String>,
options: HashSet<AuthOption>,
banner: Option<String>,
server_requests: VecDeque<ServerRequest>,
@ -272,14 +281,28 @@ pub mod auth {
pub enum ServerRequest {
VerifyPassword(VerifyPassword),
VerifyPubkey(VerifyPubkey),
/// Check whether a pubkey is usable.
CheckPubkey(CheckPubkey),
/// Verify the signature from a pubkey.
VerifySignature(VerifySignature),
}
#[derive(Debug, Clone)]
pub struct VerifyPassword {
pub user: String,
pub password: String,
}
pub struct VerifyPubkey {
#[derive(Debug, Clone)]
pub struct CheckPubkey {
pub user: String,
pub session_identifier: [u8; 32],
pub pubkey_alg_name: Vec<u8>,
pub pubkey: Vec<u8>,
}
#[derive(Debug, Clone)]
pub struct VerifySignature {
pub user: String,
pub session_identifier: [u8; 32],
pub pubkey_alg_name: Vec<u8>,
@ -303,7 +326,7 @@ pub mod auth {
has_failed: false,
packets_to_send: VecDeque::new(),
options,
is_authenticated: false,
is_authenticated: None,
session_ident,
banner,
server_requests: VecDeque::new(),
@ -311,7 +334,7 @@ pub mod auth {
}
pub fn recv_packet(&mut self, packet: Packet) -> Result<()> {
assert!(!self.is_authenticated, "Must not feed more packets to authentication after authentication is been completed, check with .is_authenticated()");
assert!(self.is_authenticated.is_none(), "Must not feed more packets to authentication after authentication is been completed, check with .is_authenticated()");
// This is a super simplistic implementation of RFC4252 SSH authentication.
// We ask for a public key, and always let that one pass.
@ -366,24 +389,31 @@ pub mod auth {
self.send_failure();
}
// Whether the client is just checking whether the public key is allowed.
let is_check = p.bool()?;
if is_check {
todo!();
}
let has_signature = p.bool()?;
let pubkey_alg_name = p.string()?;
let public_key_blob = p.string()?;
let signature = p.string()?;
self.server_requests
.push_back(ServerRequest::VerifyPubkey(VerifyPubkey {
user: username.to_owned(),
session_identifier: self.session_ident,
pubkey_alg_name: pubkey_alg_name.to_vec(),
pubkey: public_key_blob.to_vec(),
signature: signature.to_vec(),
}));
// Whether the client is just checking whether the public key is allowed.
if !has_signature {
self.server_requests
.push_back(ServerRequest::CheckPubkey(CheckPubkey {
user: username.to_owned(),
session_identifier: self.session_ident,
pubkey_alg_name: pubkey_alg_name.to_vec(),
pubkey: public_key_blob.to_vec(),
}));
} else {
let signature = p.string()?;
self.server_requests
.push_back(ServerRequest::VerifySignature(VerifySignature {
user: username.to_owned(),
session_identifier: self.session_ident,
pubkey_alg_name: pubkey_alg_name.to_vec(),
pubkey: public_key_blob.to_vec(),
signature: signature.to_vec(),
}));
}
}
_ if self.has_failed => {
return Err(peer_error!(
@ -402,10 +432,20 @@ pub mod auth {
Ok(())
}
pub fn verification_result(&mut self, is_ok: bool) {
pub fn pubkey_check_result(&mut self, is_ok: bool, alg: &[u8], key_blob: &[u8]) {
if is_ok {
self.queue_packet(Packet::new_msg_userauth_pk_ok(alg, key_blob));
} else {
self.send_failure();
// It's ok, don't treat this as a fatal failure.
}
}
// TODO: improve types with a newtype around an authenticated user
pub fn verification_result(&mut self, is_ok: bool, user: String) {
if is_ok {
self.queue_packet(Packet::new_msg_userauth_success());
self.is_authenticated = true;
self.is_authenticated = Some(user);
} else {
self.send_failure();
self.has_failed = true;
@ -416,8 +456,8 @@ pub mod auth {
self.packets_to_send.drain(..)
}
pub fn is_authenticated(&self) -> bool {
self.is_authenticated
pub fn authenticated_user(&self) -> Option<&str> {
self.is_authenticated.as_deref()
}
pub fn server_requests(&mut self) -> impl Iterator<Item = ServerRequest> + '_ {

74
lib/cluelessh-tokio/src/server.rs
View file

@ -12,7 +12,7 @@ use tokio::{
};
use cluelessh_protocol::{
auth::{AuthOption, VerifyPassword, VerifyPubkey},
auth::{AuthOption, CheckPubkey, VerifyPassword, VerifySignature},
ChannelUpdateKind, SshStatus,
};
use eyre::{eyre, ContextCompat, OptionExt, Result, WrapErr};
@ -49,16 +49,18 @@ pub struct ServerConnection<S> {
}
enum Operation {
VerifyPassword(Result<()>),
VerifyPubkey(Result<()>),
VerifyPassword(String, Result<bool>),
CheckPubkey(Result<bool>, Vec<u8>, Vec<u8>),
VerifySignature(String, Result<bool>),
}
pub type AuthFn<A, R> = Arc<dyn Fn(A) -> BoxFuture<'static, R> + Send + Sync>;
#[derive(Clone)]
pub struct ServerAuthVerify {
pub verify_password:
Option<Arc<dyn Fn(VerifyPassword) -> BoxFuture<'static, Result<()>> + Send + Sync>>,
pub verify_pubkey:
Option<Arc<dyn Fn(VerifyPubkey) -> BoxFuture<'static, Result<()>> + Send + Sync>>,
pub verify_password: Option<AuthFn<VerifyPassword, Result<bool>>>,
pub verify_signature: Option<AuthFn<VerifySignature, Result<bool>>>,
pub check_pubkey: Option<AuthFn<CheckPubkey, Result<bool>>>,
pub auth_banner: Option<String>,
}
fn _assert_send_sync() {
@ -104,13 +106,18 @@ impl<S: AsyncRead + AsyncWrite> ServerConnection<S> {
if auth_verify.verify_password.is_some() {
options.insert(AuthOption::Password);
}
if auth_verify.verify_pubkey.is_some() {
if auth_verify.verify_signature.is_some() {
options.insert(AuthOption::PublicKey);
}
if options.is_empty() {
panic!("no auth options provided");
}
assert_eq!(
auth_verify.check_pubkey.is_some(),
auth_verify.verify_signature.is_some(),
"Public key auth only partially supported"
);
Self {
stream: Box::pin(stream),
@ -151,20 +158,42 @@ impl<S: AsyncRead + AsyncWrite> ServerConnection<S> {
.clone()
.ok_or_eyre("password auth not supported")?;
tokio::spawn(async move {
let result = verify(password_verify).await;
let _ = send.send(Operation::VerifyPassword(result)).await;
let result = verify(password_verify.clone()).await;
let _ = send
.send(Operation::VerifyPassword(password_verify.user, result))
.await;
});
}
cluelessh_protocol::auth::ServerRequest::VerifyPubkey(pubkey_verify) => {
cluelessh_protocol::auth::ServerRequest::CheckPubkey(check_pubkey) => {
let send = self.operations_send.clone();
let verify = self
let check = self
.auth_verify
.verify_pubkey
.check_pubkey
.clone()
.ok_or_eyre("pubkey auth not supported")?;
tokio::spawn(async move {
let result = verify(pubkey_verify).await;
let _ = send.send(Operation::VerifyPubkey(result)).await;
let result = check(check_pubkey.clone()).await;
let _ = send
.send(Operation::CheckPubkey(
result,
check_pubkey.pubkey_alg_name,
check_pubkey.pubkey,
))
.await;
});
}
cluelessh_protocol::auth::ServerRequest::VerifySignature(pubkey_verify) => {
let send = self.operations_send.clone();
let verify = self
.auth_verify
.verify_signature
.clone()
.ok_or_eyre("pubkey auth not supported")?;
tokio::spawn(async move {
let result = verify(pubkey_verify.clone()).await;
let _ = send
.send(Operation::VerifySignature(pubkey_verify.user, result))
.await;
});
}
}
@ -279,11 +308,14 @@ impl<S: AsyncRead + AsyncWrite> ServerConnection<S> {
}
op = self.operations_recv.recv() => {
match op {
Some(Operation::VerifyPubkey(result)) => if let Some(auth) = self.proto.auth() {
auth.verification_result(result.is_ok());
Some(Operation::VerifySignature(user, result)) => if let Some(auth) = self.proto.auth() {
auth.verification_result(result?, user);
},
Some(Operation::VerifyPassword(result)) => if let Some(auth) = self.proto.auth() {
auth.verification_result(result.is_ok());
Some(Operation::CheckPubkey(result, alg, key_blob)) => if let Some(auth) = self.proto.auth() {
auth.pubkey_check_result(result?, &alg, &key_blob);
},
Some(Operation::VerifyPassword(user, result)) => if let Some(auth) = self.proto.auth() {
auth.verification_result(result?, user);
},
None => {}
}
@ -336,4 +368,8 @@ impl<S: AsyncRead + AsyncWrite> ServerConnection<S> {
pub fn next_new_channel(&mut self) -> Option<Channel> {
self.new_channels.pop_front()
}
pub fn inner(&self) -> &cluelessh_protocol::ServerConnection {
&self.proto
}
}

2
lib/cluelessh-transport/src/numbers.rs
View file

@ -32,6 +32,7 @@ pub const SSH_MSG_USERAUTH_SUCCESS: u8 = 52;
pub const SSH_MSG_USERAUTH_BANNER: u8 = 53;
// 60 to 79 User authentication method specific (numbers can be reused for different authentication methods)
pub const SSH_MSG_USERAUTH_PK_OK: u8 = 60;
// -----
// Connection protocol:
@ -70,6 +71,7 @@ pub fn packet_type_to_string(packet_type: u8) -> &'static str {
51 => "SSH_MSG_USERAUTH_FAILURE",
52 => "SSH_MSG_USERAUTH_SUCCESS",
53 => "SSH_MSG_USERAUTH_BANNER",
60 => "SSH_MSG_USERAUTH_PK_OK",
80 => "SSH_MSG_GLOBAL_REQUEST",
81 => "SSH_MSG_REQUEST_SUCCESS",
82 => "SSH_MSG_REQUEST_FAILURE",

4
lib/cluelessh-transport/src/packet/ctors.rs
View file

@ -92,6 +92,10 @@ ctors! {
fn new_msg_userauth_banner(SSH_MSG_USERAUTH_BANNER; msg: string, language_tag: string);
// 60 to 79 User authentication method specific (numbers can be reused for different authentication methods)
fn new_msg_userauth_pk_ok(SSH_MSG_USERAUTH_PK_OK;
key_alg: string,
key_blob: string,
);
// -----
// Connection protocol: