Partial fixes to client login env; Added missing Conn.Listener interface methods to hkex.Conn.Listener

Russ Magee 2018-01-26 16:15:39 -08:00
parent 52423b7144
commit 2b44c87815
3 changed files with 37 additions and 11 deletions


@ -1,14 +1,17 @@
Package herradurakex is a drop-in replacement for golang/pkg/net facilities Package herradurakex is a drop-in replacement for golang/pkg/net facilities
(net.Dial(), net.Listen(), net.Accept() and the net.Conn type) using the (net.Dial(), net.Listen(), net.Accept() and the net.Conn type), yielding
experimental HerraduraKEx key exchange algorithm, first released at 'secure' sockets using the experimental HerraduraKEx key exchange algorithm
(Omar Elejandro Herrera Reyna's github page)[github.com/Caume/HerraduraKEx]. first released by (Omar Elejandro Herrera Reyna's github page)[github.com/Caume/HerraduraKEx].
One can simply replace calls to net.Dial() with hkex.Dial(), and likewise One can simply replace calls to net.Dial() with hkex.Dial(), and likewise
net.Listen() with hkex.Listen(), to obtain connections (hkex.Conn) conforming net.Listen() with hkex.Listen(), to obtain connections (hkex.Conn) conforming
to the basic net.Conn interface. Upon Dial(), the HerraduraKEx key exchange to the basic net.Conn interface. Upon Dial(), the HerraduraKEx key exchange
is initiated (whereby client and server independently derive the same is initiated (whereby client and server independently derive the same
keying material) and session algorithms to be used are exchanged allowing an keying material).
encrypted channel between client and server.
Above this layer, apps (such as the demo/server/ and demo/client code) can
then negotiate session settings (cipher/hmac algorithms, etc.) to be used
for further communication.
NOTE: Due to the experimental nature of the HerraduraKEx algorithm used to NOTE: Due to the experimental nature of the HerraduraKEx algorithm used to
derive crypto keying material on each end, this algorithm and the derive crypto keying material on each end, this algorithm and the
@ -40,7 +43,7 @@ $ go build demo/client/client.go && go build demo/server/server.go
$ go build demo/hkexpasswd/hkexpasswd.go $ go build demo/hkexpasswd/hkexpasswd.go
[To set accounts & passwords] [To set accounts & passwords]
$ sudo echo "joebloggs:*:*:*" >/etc/hkex.passwd $ sudo echo "joebloggs:*:*:*" >/etc/hkexsh.passwd
$ sudo ./hkexpasswd -u joebloggs $ sudo ./hkexpasswd -u joebloggs
[ in separate shells ] [ in separate shells ]


@ -78,12 +78,27 @@ func runShellAs(who string, cmd string, interactive bool, conn hkex.Conn) (err e
fmt.Sscanf(u.Gid, "%d", &gid) fmt.Sscanf(u.Gid, "%d", &gid)
fmt.Println("uid:", uid, "gid:", gid) fmt.Println("uid:", uid, "gid:", gid)
// Need to clear server's env and set key vars of the
// target user. This isn't perfect (TERM doesn't seem to
// work 100%; ANSI/xterm colour isn't working even
// if we set "xterm" or "ansi" here; and line count
// reported by 'stty -a' defaults to 24 regardless
// of client shell window used to run client.
// Investigate -- rlm 2018-01-26)
os.Clearenv()
os.Setenv("HOME", u.HomeDir)
os.Setenv("TERM", "vt102") // TODO: server or client option?
var c *exec.Cmd var c *exec.Cmd
if interactive { if interactive {
c = exec.Command("/bin/bash", "-i") c = exec.Command("/bin/bash", "-i", "-l")
} else { } else {
c = exec.Command("/bin/bash", "-c", cmd) c = exec.Command("/bin/bash", "-c", cmd)
} }
//If os.Clearenv() isn't called by server above these will be seen in the
//client's session env.
//c.Env = []string{"HOME=" + u.HomeDir, "SUDO_GID=", "SUDO_UID=", "SUDO_USER=", "SUDO_COMMAND=", "MAIL=", "LOGNAME="+who}
c.Dir = u.HomeDir
c.SysProcAttr = &syscall.SysProcAttr{} c.SysProcAttr = &syscall.SysProcAttr{}
c.SysProcAttr.Credential = &syscall.Credential{Uid: uid, Gid: gid} c.SysProcAttr.Credential = &syscall.Credential{Uid: uid, Gid: gid}
c.Stdin = conn c.Stdin = conn
@ -215,14 +230,14 @@ func main() {
// Returned hopefully via an EOF or exit/logout; // Returned hopefully via an EOF or exit/logout;
// Clear current op so user can enter next, or EOF // Clear current op so user can enter next, or EOF
rec.op[0] = 0 rec.op[0] = 0
log.Println("[Command complete]") fmt.Println("[Command complete]")
} else if rec.op[0] == 's' { } else if rec.op[0] == 's' {
log.Println("[Running shell]") log.Println("[Running shell]")
runShellAs(string(rec.who), string(rec.cmd), true, conn) runShellAs(string(rec.who), string(rec.cmd), true, conn)
// Returned hopefully via an EOF or exit/logout; // Returned hopefully via an EOF or exit/logout;
// Clear current op so user can enter next, or EOF // Clear current op so user can enter next, or EOF
rec.op[0] = 0 rec.op[0] = 0
log.Println("[Exiting shell]") fmt.Println("[Exiting shell]")
} else { } else {
log.Println("[Bad cmdSpec]") log.Println("[Bad cmdSpec]")
} }
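Review bot: os.Clearenv() and the two os.Setenv calls at the top of the runShellAs hunk change the server process's own environment, not just the child's, so every later exec in the same process inherits the stripped environment and concurrent calls to runShellAs (if the server handles connections in parallel) would race on it; the commented-out `c.Env` line further down already shows the per-command form. Replace the three process-wide calls with `c.Env = []string{"HOME=" + u.HomeDir, "TERM=vt102"}` placed after the exec.Command call, which gives the child exactly that environment without touching the server's. The os.Setenv results are discarded as well, and with an empty environment the child has no PATH until its login profile sets one, which deserves a comment if intended. runShellAs begins before this hunk, so nothing above it can be checked here; the second hunk in this file (main) only swaps log.Println for fmt.Println and raises nothing.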


@ -225,14 +225,22 @@ func Listen(protocol string, ipport string) (hl HKExListener, e error) {
return return
} }
// Close a hkex Listener // Close a hkex Listener - closes the Listener.
// Any blocked Accept operations will be unblocked and return errors.
// //
// See go doc io.Close // See go doc net.Listener.Close
func (hl HKExListener) Close() error { func (hl HKExListener) Close() error {
log.Println("[Listener Closed]") log.Println("[Listener Closed]")
return hl.l.Close() return hl.l.Close()
} }
// Addr returns a the listener's network address.
//
// See go doc net.Listener.Addr
func (hl HKExListener) Addr() net.Addr {
return hl.l.Addr()
}
// Accept a client connection, conforming to net.Listener.Accept() // Accept a client connection, conforming to net.Listener.Accept()
// //
// See go doc net.Listener.Accept // See go doc net.Listener.Accept