mirror of https://gogs.blitter.com/RLabs/xs
-Moved taunting of failed logins to client-side
-Added byte auth pass/fail stage prior to shell/copy session start
This commit is contained in:
parent
9ff35a69fe
commit
b33e9de139
|
@ -37,7 +37,7 @@ import (
|
||||||
// const CSExtendedCode - extended (>255 UNIX exit status) codes
|
// const CSExtendedCode - extended (>255 UNIX exit status) codes
|
||||||
// This indicate channel-related or internal errors
|
// This indicate channel-related or internal errors
|
||||||
const (
|
const (
|
||||||
CSEBadAuth = 1024 // failed login
|
CSEBadAuth = 1024 // Failed login password
|
||||||
CSETruncCSO // No CSOExitStatus in payload
|
CSETruncCSO // No CSOExitStatus in payload
|
||||||
CSEStillOpen // Channel closed unexpectedly
|
CSEStillOpen // Channel closed unexpectedly
|
||||||
CSEExecFail // cmd.Start() (exec) failed
|
CSEExecFail // cmd.Start() (exec) failed
|
||||||
|
|
|
@ -27,6 +27,7 @@ import (
|
||||||
|
|
||||||
hkexsh "blitter.com/go/hkexsh"
|
hkexsh "blitter.com/go/hkexsh"
|
||||||
"blitter.com/go/hkexsh/hkexnet"
|
"blitter.com/go/hkexsh/hkexnet"
|
||||||
|
"blitter.com/go/hkexsh/spinsult"
|
||||||
isatty "github.com/mattn/go-isatty"
|
isatty "github.com/mattn/go-isatty"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -163,7 +164,7 @@ func doCopyMode(conn *hkexnet.Conn, remoteDest bool, files string, rec *cmdSpec)
|
||||||
// an ExitStatus() method with the same signature.
|
// an ExitStatus() method with the same signature.
|
||||||
if status, ok := exiterr.Sys().(syscall.WaitStatus); ok {
|
if status, ok := exiterr.Sys().(syscall.WaitStatus); ok {
|
||||||
exitStatus = uint32(status.ExitStatus())
|
exitStatus = uint32(status.ExitStatus())
|
||||||
log.Printf("Exit Status: %d", exitStatus)
|
log.Printf("Exit Status: %d", exitStatus) //#
|
||||||
fmt.Print(stdErrBuffer)
|
fmt.Print(stdErrBuffer)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -285,9 +286,9 @@ func doShellMode(isInteractive bool, conn *hkexnet.Conn, oldState *hkexsh.State,
|
||||||
log.Println(outerr)
|
log.Println(outerr)
|
||||||
fmt.Println(outerr)
|
fmt.Println(outerr)
|
||||||
_ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort.
|
_ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort.
|
||||||
os.Exit(254)
|
log.Println("[Hanging up]")
|
||||||
|
os.Exit(0)
|
||||||
}
|
}
|
||||||
log.Println("[Sent EOF]")
|
|
||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -309,6 +310,10 @@ func UsageCp() {
|
||||||
flag.PrintDefaults()
|
flag.PrintDefaults()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func rejectUserMsg() string {
|
||||||
|
return "Begone, " + spinsult.GetSentence() + "\r\n"
|
||||||
|
}
|
||||||
|
|
||||||
// hkexsh - a client for secure shell and file copy operations.
|
// hkexsh - a client for secure shell and file copy operations.
|
||||||
//
|
//
|
||||||
// While conforming to the basic net.Conn interface HKex.Conn has extra
|
// While conforming to the basic net.Conn interface HKex.Conn has extra
|
||||||
|
@ -533,34 +538,35 @@ func main() {
|
||||||
_, err = conn.Write(rec.cmd)
|
_, err = conn.Write(rec.cmd)
|
||||||
_, err = conn.Write(rec.authCookie)
|
_, err = conn.Write(rec.authCookie)
|
||||||
|
|
||||||
// Set up chaffing to server
|
// Read auth reply from server
|
||||||
conn.SetupChaff(chaffFreqMin, chaffFreqMax, chaffBytesMax) // enable client->server chaffing
|
authReply := make([]byte, 1) // bool: 0 = fail, 1 = pass
|
||||||
if chaffEnabled {
|
_, err = conn.Read(authReply)
|
||||||
conn.EnableChaff()
|
if authReply[0] == 0 {
|
||||||
defer conn.DisableChaff()
|
fmt.Fprintln(os.Stderr, rejectUserMsg())
|
||||||
defer conn.ShutdownChaff()
|
rec.status = 255
|
||||||
}
|
|
||||||
|
|
||||||
if shellMode {
|
|
||||||
doShellMode(isInteractive, conn, oldState, rec)
|
|
||||||
} else {
|
} else {
|
||||||
_, rec.status = doCopyMode(conn, pathIsDest, fileArgs, rec)
|
|
||||||
|
// Set up chaffing to server
|
||||||
|
conn.SetupChaff(chaffFreqMin, chaffFreqMax, chaffBytesMax) // enable client->server chaffing
|
||||||
|
if chaffEnabled {
|
||||||
|
conn.EnableChaff()
|
||||||
|
defer conn.DisableChaff()
|
||||||
|
defer conn.ShutdownChaff()
|
||||||
|
}
|
||||||
|
|
||||||
|
if shellMode {
|
||||||
|
doShellMode(isInteractive, conn, oldState, rec)
|
||||||
|
} else { // copyMode
|
||||||
|
_, rec.status = doCopyMode(conn, pathIsDest, fileArgs, rec)
|
||||||
|
}
|
||||||
|
|
||||||
|
if rec.status != 0 {
|
||||||
|
fmt.Fprintln(os.Stderr, "Remote end exited with status:", rec.status)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if oldState != nil {
|
if oldState != nil {
|
||||||
_ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort.
|
_ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort.
|
||||||
}
|
}
|
||||||
|
|
||||||
if rec.status != 0 {
|
|
||||||
fmt.Fprint(os.Stderr, "Remote end ")
|
|
||||||
if rec.status == hkexnet.CSEBadAuth {
|
|
||||||
// shell exit status can't hold CSEBadAuth (uint32)
|
|
||||||
rec.status = 255
|
|
||||||
fmt.Fprintln(os.Stderr, "replied: bad auth")
|
|
||||||
} else {
|
|
||||||
fmt.Fprintln(os.Stderr, "exited with status:", rec.status)
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
os.Exit(int(rec.status))
|
os.Exit(int(rec.status))
|
||||||
}
|
}
|
||||||
|
|
|
@ -27,7 +27,6 @@ import (
|
||||||
"blitter.com/go/goutmp"
|
"blitter.com/go/goutmp"
|
||||||
hkexsh "blitter.com/go/hkexsh"
|
hkexsh "blitter.com/go/hkexsh"
|
||||||
"blitter.com/go/hkexsh/hkexnet"
|
"blitter.com/go/hkexsh/hkexnet"
|
||||||
"blitter.com/go/hkexsh/spinsult"
|
|
||||||
"github.com/kr/pty"
|
"github.com/kr/pty"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -324,10 +323,6 @@ func runShellAs(who string, cmd string, interactive bool, conn hkexnet.Conn, cha
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
func rejectUserMsg() string {
|
|
||||||
return "Begone, " + spinsult.GetSentence() + "\r\n"
|
|
||||||
}
|
|
||||||
|
|
||||||
// Demo of a simple server that listens and spawns goroutines for each
|
// Demo of a simple server that listens and spawns goroutines for each
|
||||||
// connecting client. Note this code is identical to standard tcp
|
// connecting client. Note this code is identical to standard tcp
|
||||||
// server code, save for declaring 'hkex' rather than 'net'
|
// server code, save for declaring 'hkex' rather than 'net'
|
||||||
|
@ -454,19 +449,15 @@ func main() {
|
||||||
}
|
}
|
||||||
runtime.GC()
|
runtime.GC()
|
||||||
|
|
||||||
if !valid {
|
// Tell client if auth was valid
|
||||||
|
if valid {
|
||||||
|
hc.Write([]byte{1})
|
||||||
|
} else {
|
||||||
log.Println("Invalid user", string(rec.who))
|
log.Println("Invalid user", string(rec.who))
|
||||||
|
hc.Write([]byte{0})
|
||||||
// Signal other end auth failed
|
|
||||||
rec.status = hkexnet.CSEBadAuth
|
|
||||||
hc.SetStatus(hkexnet.CSEBadAuth)
|
|
||||||
s := make([]byte, 4)
|
|
||||||
binary.BigEndian.PutUint32(s, hkexnet.CSEBadAuth)
|
|
||||||
hc.WritePacket(s, hkexnet.CSOExitStatus)
|
|
||||||
|
|
||||||
hc.Write([]byte(rejectUserMsg()))
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Printf("[allowedCmds:%s]\n", allowedCmds)
|
log.Printf("[allowedCmds:%s]\n", allowedCmds)
|
||||||
|
|
||||||
if rec.op[0] == 'c' {
|
if rec.op[0] == 'c' {
|
||||||
|
|
Loading…
Reference in New Issue