xs/hkexauth.go

131 lines
3.0 KiB
Go
Raw Normal View History

package hkexsh
// Package hkexsh - a secure terminal client/server written from scratch in Go
//
// Copyright (c) 2017-2018 Russell Magee
// Licensed under the terms of the MIT license (see LICENSE.mit in this
// distribution)
//
// golang implementation by Russ Magee (rmagee_at_gmail.com)
// Authentication routines for the HKExSh
import (
"bytes"
"encoding/csv"
"fmt"
"io"
"io/ioutil"
"log"
"os/user"
"runtime"
"strings"
"github.com/jameskeane/bcrypt"
)
func userExistsOnSystem(who string) bool {
_, userErr := user.Lookup(who)
return userErr == nil
}
// AuthUserByPasswd checks user login information using a password.
// This checks /etc/hkexsh.passwd for auth info, and system /etc/passwd
// to cross-check the user actually exists.
// nolint: gocyclo
func AuthUserByPasswd(username string, auth string, fname string) (valid bool, allowedCmds string) {
b, e := ioutil.ReadFile(fname) // nolint: gosec
if e != nil {
valid = false
log.Printf("ERROR: Cannot read %s!\n", fname)
}
r := csv.NewReader(bytes.NewReader(b))
r.Comma = ':'
r.Comment = '#'
2018-09-09 05:01:33 +00:00
r.FieldsPerRecord = 3 // username:salt:authCookie [TODO:disallowedCmdList (a,b,...)]
for {
record, err := r.Read()
if err == io.EOF {
// Use dummy entry if user not found
// (prevent user enumeration attack via obvious timing diff;
// ie., not attempting any auth at all)
record = []string{"$nosuchuser$",
"$2a$12$l0coBlRDNEJeQVl6GdEPbU",
"$2a$12$l0coBlRDNEJeQVl6GdEPbUC/xmuOANvqgmrMVum6S4i.EXPgnTXy6"}
username = "$nosuchuser$"
err = nil
}
if err != nil {
log.Fatal(err)
}
if username == record[0] {
tmp, err := bcrypt.Hash(auth, record[1])
if err != nil {
break
}
if tmp == record[2] && username != "$nosuchuser$" {
valid = true
}
break
}
}
// Security scrub
for i := range b {
b[i] = 0
}
r = nil
runtime.GC()
if !userExistsOnSystem(username) {
valid = false
}
return
}
// AuthUserByToken checks user login information against an auth token.
// Auth tokens are stored in each user's $HOME/.hkexsh_id and are requested
// via the -g option.
// The function also check system /etc/passwd to cross-check the user
// actually exists.
func AuthUserByToken(username string, connhostname string, auth string) (valid bool) {
auth = strings.TrimSpace(auth)
u, ue := user.Lookup(username)
if ue != nil {
return false
}
b, e := ioutil.ReadFile(fmt.Sprintf("%s/.hkexsh_id", u.HomeDir))
if e != nil {
log.Printf("INFO: Cannot read %s/.hkexsh_id\n", u.HomeDir)
return false
}
r := csv.NewReader(bytes.NewReader(b))
r.Comma = ':'
r.Comment = '#'
r.FieldsPerRecord = 2 // connhost:authtoken
for {
record, err := r.Read()
if err == io.EOF {
return false
}
record[0] = strings.TrimSpace(record[0])
record[1] = strings.TrimSpace(record[1])
//fmt.Println("auth:", auth, "record:",
// strings.Join([]string{record[0], record[1]}, ":"))
if (connhostname == record[0]) &&
(auth == strings.Join([]string{record[0], record[1]}, ":")) {
valid = true
break
}
}
if !userExistsOnSystem(username) {
valid = false
}
return
}