GenAuthToken() now uses client-supplied ConnHost

This commit is contained in:
Russ Magee 2018-09-14 01:13:14 -07:00
parent 1efc1337df
commit d9b34fa631
4 changed files with 46 additions and 26 deletions


@ -68,7 +68,7 @@ func AuthUserByPasswd(username string, auth string, fname string) (valid bool, a
return return
} }
func AuthUserByToken(username string, auth string) (valid bool) { func AuthUserByToken(username string, connhostname string, auth string) (valid bool) {
u, ue := user.Lookup(username) u, ue := user.Lookup(username)
if ue != nil { if ue != nil {
return false return false
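Review bot: The new connhostname parameter of AuthUserByToken has no doc comment saying where it comes from, and at the server call site it is the ConnHost string read straight from the client's session header, i.e. unauthenticated peer input that a reader of this signature could easily mistake for the server's own hostname or a verified peer address. I would document it as `// connhostname is the host name the client sent in its Session record; it is not authenticated and must not be treated as a verified peer identity.` The function body continues beyond the hunk, so how the value is actually used is not visible here.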


@ -16,6 +16,7 @@ import (
type Session struct { type Session struct {
op []byte op []byte
who []byte who []byte
connhost []byte
termtype []byte // client initial $TERM termtype []byte // client initial $TERM
cmd []byte cmd []byte
authCookie []byte authCookie []byte
@ -44,6 +45,14 @@ func (h *Session) SetWho(w []byte) {
h.who = w h.who = w
} }
func (h Session) ConnHost() []byte {
return h.connhost
}
func (h *Session) SetConnHost(n []byte) {
h.connhost = n
}
func (h Session) TermType() []byte { func (h Session) TermType() []byte {
return h.termtype return h.termtype
} }
@ -87,10 +96,11 @@ func (h *Session) SetStatus(s uint32) {
h.status = s h.status = s
} }
func NewSession(op, who, ttype, cmd, authcookie []byte, status uint32) *Session { func NewSession(op, who, connhost, ttype, cmd, authcookie []byte, status uint32) *Session {
return &Session{ return &Session{
op: op, op: op,
who: who, who: who,
connhost: connhost,
termtype: ttype, termtype: ttype,
cmd: cmd, cmd: cmd,
authCookie: authcookie, authCookie: authcookie,
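Review bot: NewSession now takes connhost as a positional `[]byte` inserted between who and ttype, so any caller not updated in this commit still compiles but has every later argument shifted by one (termtype becomes cmd, cmd becomes the auth cookie, the cookie is dropped); the one caller visible on this page is updated, but nothing would catch a stale one elsewhere. The new exported ConnHost/SetConnHost also lack doc comments, and like the neighbouring setters SetConnHost stores the caller's slice without copying, so the struct aliases whatever buffer the caller passes. I would add `// ConnHost returns the host name the client says it connected to (client-supplied, unauthenticated).` plus the matching comment on SetConnHost, and consider a keyed struct literal or a small params struct for NewSession so the positional-`[]byte` hazard cannot recur. The Session struct and NewSession both extend outside the hunks shown.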


@ -366,7 +366,7 @@ func main() {
} }
flag.Parse() flag.Parse()
remoteUser, tmpHost, tmpPath, pathIsDest, otherArgs := remoteUser, remoteHost, tmpPath, pathIsDest, otherArgs :=
parseNonSwitchArgs(flag.Args()) parseNonSwitchArgs(flag.Args())
//fmt.Println("otherArgs:", otherArgs) //fmt.Println("otherArgs:", otherArgs)
@ -379,8 +379,8 @@ func main() {
uname = remoteUser uname = remoteUser
} }
if tmpHost != "" { if remoteHost != "" {
server = tmpHost + ":" + fmt.Sprintf("%d", port) server = remoteHost + ":" + fmt.Sprintf("%d", port)
} }
if tmpPath == "" { if tmpPath == "" {
tmpPath = "." tmpPath = "."
@ -533,17 +533,18 @@ func main() {
} }
// Set up session params and send over to server // Set up session params and send over to server
rec := hkexsh.NewSession(op, []byte(uname), []byte(os.Getenv("TERM")), []byte(cmdStr), []byte(authCookie), 0) rec := hkexsh.NewSession(op, []byte(uname), []byte(remoteHost), []byte(os.Getenv("TERM")), []byte(cmdStr), []byte(authCookie), 0)
_, err = fmt.Fprintf(conn, "%d %d %d %d %d\n", _, err = fmt.Fprintf(conn, "%d %d %d %d %d %d\n",
len(rec.Op()), len(rec.Who()), len(rec.TermType()), len(rec.Cmd()), len(rec.AuthCookie(true))) len(rec.Op()), len(rec.Who()), len(rec.ConnHost()), len(rec.TermType()), len(rec.Cmd()), len(rec.AuthCookie(true)))
_, err = conn.Write(rec.Op()) _, err = conn.Write(rec.Op())
_, err = conn.Write(rec.Who()) _, err = conn.Write(rec.Who())
_, err = conn.Write(rec.ConnHost())
_, err = conn.Write(rec.TermType()) _, err = conn.Write(rec.TermType())
_, err = conn.Write(rec.Cmd()) _, err = conn.Write(rec.Cmd())
_, err = conn.Write(rec.AuthCookie(true)) _, err = conn.Write(rec.AuthCookie(true))
//Security scrub //Security scrub
authCookie = nil authCookie = ""
runtime.GC() runtime.GC()
// Read auth reply from server // Read auth reply from server
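Review bot: `rec := hkexsh.NewSession(op, []byte(uname), []byte(remoteHost), …)` sends the positional host argument as ConnHost, yet the `if remoteHost != ""` guard earlier in this section suggests the client can run without one (keeping whatever `server` already holds), in which case an empty ConnHost goes on the wire and, on the server side, becomes the host component of the generated token. Since the point of the change is to bind the token to the host the client connected to, I would derive ConnHost from the host actually dialed (the host part of `server`, e.g. via `net.SplitHostPort`) rather than from the optional argument, so that `foo`, `foo.example.org` and no argument do not produce three different tokens for the same server. Separately, the `//Security scrub` of `authCookie = ""` only drops the local reference: the bytes were copied into `rec` by `[]byte(authCookie)` and remain reachable through `rec.AuthCookie`, so the scrub does not do what the comment claims — zero the slice rec holds (assuming `AuthCookie(true)` returns the backing slice) and `rec.SetAuthCookie(nil)` as well, or soften the comment. The enclosing main() continues outside the hunk.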


@ -221,7 +221,7 @@ func runShellAs(who, ttype string, cmd string, interactive bool, conn hkexnet.Co
os.Setenv("HOME", u.HomeDir) os.Setenv("HOME", u.HomeDir)
os.Setenv("TERM", ttype) os.Setenv("TERM", ttype)
os.Setenv("HKEXSH", "1") os.Setenv("HKEXSH", "1")
var c *exec.Cmd var c *exec.Cmd
if interactive { if interactive {
c = exec.Command("/bin/bash", "-i", "-l") c = exec.Command("/bin/bash", "-i", "-l")
@ -316,11 +316,12 @@ func runShellAs(who, ttype string, cmd string, interactive bool, conn hkexnet.Co
return return
} }
func GenAuthToken(who string) string { func GenAuthToken(who string, connhost string) string {
tokenA, e := os.Hostname() //tokenA, e := os.Hostname()
if e != nil { //if e != nil {
tokenA = "badhost" // tokenA = "badhost"
} //}
tokenA := connhost
tokenB := make([]byte, 64) tokenB := make([]byte, 64)
_, _ = rand.Read(tokenB) _, _ = rand.Read(tokenB)
@ -404,16 +405,16 @@ func main() {
//Otherwise data will be sitting in the channel that isn't //Otherwise data will be sitting in the channel that isn't
//passed down to the command handlers. //passed down to the command handlers.
var rec hkexsh.Session var rec hkexsh.Session
var len1, len2, len3, len4, len5 uint32 var len1, len2, len3, len4, len5, len6 uint32
n, err := fmt.Fscanf(hc, "%d %d %d %d %d\n", &len1, &len2, &len3, &len4, &len5) n, err := fmt.Fscanf(hc, "%d %d %d %d %d %d\n", &len1, &len2, &len3, &len4, &len5, &len6)
log.Printf("hkexsh.Session read:%d %d %d %d %d\n", len1, len2, len3, len4, len5) log.Printf("hkexsh.Session read:%d %d %d %d %d %d\n", len1, len2, len3, len4, len5, len6)
if err != nil || n < 5 { if err != nil || n < 6 {
log.Println("[Bad hkexsh.Session fmt]") log.Println("[Bad hkexsh.Session fmt]")
return err return err
} }
//fmt.Printf(" lens:%d %d %d %d %d\n", len1, len2, len3, len4, len5) //fmt.Printf(" lens:%d %d %d %d %d %d\n", len1, len2, len3, len4, len5, len6)
tmp := make([]byte, len1, len1) tmp := make([]byte, len1, len1)
_, err = io.ReadFull(hc, tmp) _, err = io.ReadFull(hc, tmp)
@ -433,13 +434,21 @@ func main() {
tmp = make([]byte, len3, len3) tmp = make([]byte, len3, len3)
_, err = io.ReadFull(hc, tmp) _, err = io.ReadFull(hc, tmp)
if err != nil {
log.Println("[Bad hkexsh.Session.ConnHost]")
return err
}
rec.SetConnHost(tmp)
tmp = make([]byte, len4, len4)
_, err = io.ReadFull(hc, tmp)
if err != nil { if err != nil {
log.Println("[Bad hkexsh.Session.TermType]") log.Println("[Bad hkexsh.Session.TermType]")
return err return err
} }
rec.SetTermType(tmp) rec.SetTermType(tmp)
tmp = make([]byte, len4, len4) tmp = make([]byte, len5, len5)
_, err = io.ReadFull(hc, tmp) _, err = io.ReadFull(hc, tmp)
if err != nil { if err != nil {
log.Println("[Bad hkexsh.Session.Cmd]") log.Println("[Bad hkexsh.Session.Cmd]")
@ -447,7 +456,7 @@ func main() {
} }
rec.SetCmd(tmp) rec.SetCmd(tmp)
tmp = make([]byte, len5, len5) tmp = make([]byte, len6, len6)
_, err = io.ReadFull(hc, tmp) _, err = io.ReadFull(hc, tmp)
if err != nil { if err != nil {
log.Println("[Bad hkexsh.Session.AuthCookie]") log.Println("[Bad hkexsh.Session.AuthCookie]")
@ -455,12 +464,12 @@ func main() {
} }
rec.SetAuthCookie(tmp) rec.SetAuthCookie(tmp)
log.Printf("[hkexsh.Session: op:%c who:%s cmd:%s auth:****]\n", log.Printf("[hkexsh.Session: op:%c who:%s connhost:%s cmd:%s auth:****]\n",
rec.Op()[0], string(rec.Who()), string(rec.Cmd())) rec.Op()[0], string(rec.Who()), string(rec.ConnHost()), string(rec.Cmd()))
var valid bool var valid bool
var allowedCmds string // Currently unused var allowedCmds string // Currently unused
if hkexsh.AuthUserByToken(string(rec.Who()), string(rec.AuthCookie(true))) { if hkexsh.AuthUserByToken(string(rec.Who()), string(rec.ConnHost()), string(rec.AuthCookie(true))) {
valid = true valid = true
} else { } else {
valid, allowedCmds = hkexsh.AuthUserByPasswd(string(rec.Who()), string(rec.AuthCookie(true)), "/etc/hkexsh.passwd") valid, allowedCmds = hkexsh.AuthUserByPasswd(string(rec.Who()), string(rec.AuthCookie(true)), "/etc/hkexsh.passwd")
@ -485,7 +494,7 @@ func main() {
addr := hc.RemoteAddr() addr := hc.RemoteAddr()
hname := strings.Split(addr.String(), ":")[0] hname := strings.Split(addr.String(), ":")[0]
log.Printf("[Generating autologin token for [%s@%s]]\n", rec.Who(), hname) log.Printf("[Generating autologin token for [%s@%s]]\n", rec.Who(), hname)
token := GenAuthToken(string(rec.Who())) token := GenAuthToken(string(rec.Who()), string(rec.ConnHost()))
tokenCmd := fmt.Sprintf("echo \"%s\" | tee ~/.hkexsh_id", token) tokenCmd := fmt.Sprintf("echo \"%s\" | tee ~/.hkexsh_id", token)
runErr, cmdStatus := runShellAs(string(rec.Who()), string(rec.TermType()), tokenCmd, false, hc, chaffEnabled) runErr, cmdStatus := runShellAs(string(rec.Who()), string(rec.TermType()), tokenCmd, false, hc, chaffEnabled)
// Returned hopefully via an EOF or exit/logout; // Returned hopefully via an EOF or exit/logout;
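Review bot: The new ConnHost read (`tmp = make([]byte, len3, len3)` … `rec.SetConnHost(tmp)`) stores the client's bytes without any validation, and the value then flows through GenAuthToken into `tokenCmd := fmt.Sprintf("echo \"%s\" | tee ~/.hkexsh_id", token)`, which is executed by a shell. len3 is a uint32 parsed from the connection before AuthUserByToken runs, so an unauthenticated client can force a multi-gigabyte allocation with one header line, and a host string containing `"`, `$(` or a backtick is expanded by bash when the token is written — the caller has already authenticated as that user by then, so as far as these hunks show this is a quoting/robustness problem rather than an escalation, but it does mean the stored token need not equal what GenAuthToken produced. I would reject the value right after the read, e.g. `if len3 == 0 || len3 > 255 || !validHostname(tmp) { log.Println("[Bad hkexsh.Session.ConnHost]"); return fmt.Errorf("bad ConnHost") }`, with validHostname allowing only letters, digits, `-` and `.`; the same upper bound is missing on the other five length fields, which predate this commit. Note also that with tokenA now client-chosen, all of the token's unpredictability comes from tokenB, whose `rand.Read` error is discarded. GenAuthToken and main() both extend outside the hunks shown.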