mirror of https://gogs.blitter.com/RLabs/xs
GenAuthToken() now uses client-supplied ConnHost
This commit is contained in:
parent
1efc1337df
commit
d9b34fa631
|
@ -68,7 +68,7 @@ func AuthUserByPasswd(username string, auth string, fname string) (valid bool, a
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
func AuthUserByToken(username string, auth string) (valid bool) {
|
func AuthUserByToken(username string, connhostname string, auth string) (valid bool) {
|
||||||
u, ue := user.Lookup(username)
|
u, ue := user.Lookup(username)
|
||||||
if ue != nil {
|
if ue != nil {
|
||||||
return false
|
return false
|
||||||
|
|
|
@ -16,6 +16,7 @@ import (
|
||||||
type Session struct {
|
type Session struct {
|
||||||
op []byte
|
op []byte
|
||||||
who []byte
|
who []byte
|
||||||
|
connhost []byte
|
||||||
termtype []byte // client initial $TERM
|
termtype []byte // client initial $TERM
|
||||||
cmd []byte
|
cmd []byte
|
||||||
authCookie []byte
|
authCookie []byte
|
||||||
|
@ -44,6 +45,14 @@ func (h *Session) SetWho(w []byte) {
|
||||||
h.who = w
|
h.who = w
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (h Session) ConnHost() []byte {
|
||||||
|
return h.connhost
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *Session) SetConnHost(n []byte) {
|
||||||
|
h.connhost = n
|
||||||
|
}
|
||||||
|
|
||||||
func (h Session) TermType() []byte {
|
func (h Session) TermType() []byte {
|
||||||
return h.termtype
|
return h.termtype
|
||||||
}
|
}
|
||||||
|
@ -87,10 +96,11 @@ func (h *Session) SetStatus(s uint32) {
|
||||||
h.status = s
|
h.status = s
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewSession(op, who, ttype, cmd, authcookie []byte, status uint32) *Session {
|
func NewSession(op, who, connhost, ttype, cmd, authcookie []byte, status uint32) *Session {
|
||||||
return &Session{
|
return &Session{
|
||||||
op: op,
|
op: op,
|
||||||
who: who,
|
who: who,
|
||||||
|
connhost: connhost,
|
||||||
termtype: ttype,
|
termtype: ttype,
|
||||||
cmd: cmd,
|
cmd: cmd,
|
||||||
authCookie: authcookie,
|
authCookie: authcookie,
|
||||||
|
|
|
@ -366,7 +366,7 @@ func main() {
|
||||||
}
|
}
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
remoteUser, tmpHost, tmpPath, pathIsDest, otherArgs :=
|
remoteUser, remoteHost, tmpPath, pathIsDest, otherArgs :=
|
||||||
parseNonSwitchArgs(flag.Args())
|
parseNonSwitchArgs(flag.Args())
|
||||||
//fmt.Println("otherArgs:", otherArgs)
|
//fmt.Println("otherArgs:", otherArgs)
|
||||||
|
|
||||||
|
@ -379,8 +379,8 @@ func main() {
|
||||||
uname = remoteUser
|
uname = remoteUser
|
||||||
}
|
}
|
||||||
|
|
||||||
if tmpHost != "" {
|
if remoteHost != "" {
|
||||||
server = tmpHost + ":" + fmt.Sprintf("%d", port)
|
server = remoteHost + ":" + fmt.Sprintf("%d", port)
|
||||||
}
|
}
|
||||||
if tmpPath == "" {
|
if tmpPath == "" {
|
||||||
tmpPath = "."
|
tmpPath = "."
|
||||||
|
@ -533,17 +533,18 @@ func main() {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set up session params and send over to server
|
// Set up session params and send over to server
|
||||||
rec := hkexsh.NewSession(op, []byte(uname), []byte(os.Getenv("TERM")), []byte(cmdStr), []byte(authCookie), 0)
|
rec := hkexsh.NewSession(op, []byte(uname), []byte(remoteHost), []byte(os.Getenv("TERM")), []byte(cmdStr), []byte(authCookie), 0)
|
||||||
_, err = fmt.Fprintf(conn, "%d %d %d %d %d\n",
|
_, err = fmt.Fprintf(conn, "%d %d %d %d %d %d\n",
|
||||||
len(rec.Op()), len(rec.Who()), len(rec.TermType()), len(rec.Cmd()), len(rec.AuthCookie(true)))
|
len(rec.Op()), len(rec.Who()), len(rec.ConnHost()), len(rec.TermType()), len(rec.Cmd()), len(rec.AuthCookie(true)))
|
||||||
_, err = conn.Write(rec.Op())
|
_, err = conn.Write(rec.Op())
|
||||||
_, err = conn.Write(rec.Who())
|
_, err = conn.Write(rec.Who())
|
||||||
|
_, err = conn.Write(rec.ConnHost())
|
||||||
_, err = conn.Write(rec.TermType())
|
_, err = conn.Write(rec.TermType())
|
||||||
_, err = conn.Write(rec.Cmd())
|
_, err = conn.Write(rec.Cmd())
|
||||||
_, err = conn.Write(rec.AuthCookie(true))
|
_, err = conn.Write(rec.AuthCookie(true))
|
||||||
|
|
||||||
//Security scrub
|
//Security scrub
|
||||||
authCookie = nil
|
authCookie = ""
|
||||||
runtime.GC()
|
runtime.GC()
|
||||||
|
|
||||||
// Read auth reply from server
|
// Read auth reply from server
|
||||||
|
|
|
@ -316,11 +316,12 @@ func runShellAs(who, ttype string, cmd string, interactive bool, conn hkexnet.Co
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
func GenAuthToken(who string) string {
|
func GenAuthToken(who string, connhost string) string {
|
||||||
tokenA, e := os.Hostname()
|
//tokenA, e := os.Hostname()
|
||||||
if e != nil {
|
//if e != nil {
|
||||||
tokenA = "badhost"
|
// tokenA = "badhost"
|
||||||
}
|
//}
|
||||||
|
tokenA := connhost
|
||||||
|
|
||||||
tokenB := make([]byte, 64)
|
tokenB := make([]byte, 64)
|
||||||
_, _ = rand.Read(tokenB)
|
_, _ = rand.Read(tokenB)
|
||||||
|
@ -404,16 +405,16 @@ func main() {
|
||||||
//Otherwise data will be sitting in the channel that isn't
|
//Otherwise data will be sitting in the channel that isn't
|
||||||
//passed down to the command handlers.
|
//passed down to the command handlers.
|
||||||
var rec hkexsh.Session
|
var rec hkexsh.Session
|
||||||
var len1, len2, len3, len4, len5 uint32
|
var len1, len2, len3, len4, len5, len6 uint32
|
||||||
|
|
||||||
n, err := fmt.Fscanf(hc, "%d %d %d %d %d\n", &len1, &len2, &len3, &len4, &len5)
|
n, err := fmt.Fscanf(hc, "%d %d %d %d %d %d\n", &len1, &len2, &len3, &len4, &len5, &len6)
|
||||||
log.Printf("hkexsh.Session read:%d %d %d %d %d\n", len1, len2, len3, len4, len5)
|
log.Printf("hkexsh.Session read:%d %d %d %d %d %d\n", len1, len2, len3, len4, len5, len6)
|
||||||
|
|
||||||
if err != nil || n < 5 {
|
if err != nil || n < 6 {
|
||||||
log.Println("[Bad hkexsh.Session fmt]")
|
log.Println("[Bad hkexsh.Session fmt]")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
//fmt.Printf(" lens:%d %d %d %d %d\n", len1, len2, len3, len4, len5)
|
//fmt.Printf(" lens:%d %d %d %d %d %d\n", len1, len2, len3, len4, len5, len6)
|
||||||
|
|
||||||
tmp := make([]byte, len1, len1)
|
tmp := make([]byte, len1, len1)
|
||||||
_, err = io.ReadFull(hc, tmp)
|
_, err = io.ReadFull(hc, tmp)
|
||||||
|
@ -433,13 +434,21 @@ func main() {
|
||||||
|
|
||||||
tmp = make([]byte, len3, len3)
|
tmp = make([]byte, len3, len3)
|
||||||
_, err = io.ReadFull(hc, tmp)
|
_, err = io.ReadFull(hc, tmp)
|
||||||
|
if err != nil {
|
||||||
|
log.Println("[Bad hkexsh.Session.ConnHost]")
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
rec.SetConnHost(tmp)
|
||||||
|
|
||||||
|
tmp = make([]byte, len4, len4)
|
||||||
|
_, err = io.ReadFull(hc, tmp)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Println("[Bad hkexsh.Session.TermType]")
|
log.Println("[Bad hkexsh.Session.TermType]")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
rec.SetTermType(tmp)
|
rec.SetTermType(tmp)
|
||||||
|
|
||||||
tmp = make([]byte, len4, len4)
|
tmp = make([]byte, len5, len5)
|
||||||
_, err = io.ReadFull(hc, tmp)
|
_, err = io.ReadFull(hc, tmp)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Println("[Bad hkexsh.Session.Cmd]")
|
log.Println("[Bad hkexsh.Session.Cmd]")
|
||||||
|
@ -447,7 +456,7 @@ func main() {
|
||||||
}
|
}
|
||||||
rec.SetCmd(tmp)
|
rec.SetCmd(tmp)
|
||||||
|
|
||||||
tmp = make([]byte, len5, len5)
|
tmp = make([]byte, len6, len6)
|
||||||
_, err = io.ReadFull(hc, tmp)
|
_, err = io.ReadFull(hc, tmp)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Println("[Bad hkexsh.Session.AuthCookie]")
|
log.Println("[Bad hkexsh.Session.AuthCookie]")
|
||||||
|
@ -455,12 +464,12 @@ func main() {
|
||||||
}
|
}
|
||||||
rec.SetAuthCookie(tmp)
|
rec.SetAuthCookie(tmp)
|
||||||
|
|
||||||
log.Printf("[hkexsh.Session: op:%c who:%s cmd:%s auth:****]\n",
|
log.Printf("[hkexsh.Session: op:%c who:%s connhost:%s cmd:%s auth:****]\n",
|
||||||
rec.Op()[0], string(rec.Who()), string(rec.Cmd()))
|
rec.Op()[0], string(rec.Who()), string(rec.ConnHost()), string(rec.Cmd()))
|
||||||
|
|
||||||
var valid bool
|
var valid bool
|
||||||
var allowedCmds string // Currently unused
|
var allowedCmds string // Currently unused
|
||||||
if hkexsh.AuthUserByToken(string(rec.Who()), string(rec.AuthCookie(true))) {
|
if hkexsh.AuthUserByToken(string(rec.Who()), string(rec.ConnHost()), string(rec.AuthCookie(true))) {
|
||||||
valid = true
|
valid = true
|
||||||
} else {
|
} else {
|
||||||
valid, allowedCmds = hkexsh.AuthUserByPasswd(string(rec.Who()), string(rec.AuthCookie(true)), "/etc/hkexsh.passwd")
|
valid, allowedCmds = hkexsh.AuthUserByPasswd(string(rec.Who()), string(rec.AuthCookie(true)), "/etc/hkexsh.passwd")
|
||||||
|
@ -485,7 +494,7 @@ func main() {
|
||||||
addr := hc.RemoteAddr()
|
addr := hc.RemoteAddr()
|
||||||
hname := strings.Split(addr.String(), ":")[0]
|
hname := strings.Split(addr.String(), ":")[0]
|
||||||
log.Printf("[Generating autologin token for [%s@%s]]\n", rec.Who(), hname)
|
log.Printf("[Generating autologin token for [%s@%s]]\n", rec.Who(), hname)
|
||||||
token := GenAuthToken(string(rec.Who()))
|
token := GenAuthToken(string(rec.Who()), string(rec.ConnHost()))
|
||||||
tokenCmd := fmt.Sprintf("echo \"%s\" | tee ~/.hkexsh_id", token)
|
tokenCmd := fmt.Sprintf("echo \"%s\" | tee ~/.hkexsh_id", token)
|
||||||
runErr, cmdStatus := runShellAs(string(rec.Who()), string(rec.TermType()), tokenCmd, false, hc, chaffEnabled)
|
runErr, cmdStatus := runShellAs(string(rec.Who()), string(rec.TermType()), tokenCmd, false, hc, chaffEnabled)
|
||||||
// Returned hopefully via an EOF or exit/logout;
|
// Returned hopefully via an EOF or exit/logout;
|
||||||
|
|
Loading…
Reference in New Issue