summaryrefslogtreecommitdiff
path: root/internal/ssh/server/publickeycallback.go
blob: bcc900452fcdcd4f6637cca4ba5cd2f6ab3d9013 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

package server

import (
	"fmt"
	"os"
	goUser "os/user"

	"github.com/mimecast/dtail/internal/config"
	"github.com/mimecast/dtail/internal/io/dlog"
	user "github.com/mimecast/dtail/internal/user/server"

	gossh "golang.org/x/crypto/ssh"
)

// PublicKeyCallback is for the server to check whether a public SSH key is
// authorized ot not.
func PublicKeyCallback(c gossh.ConnMetadata,
	offeredPubKey gossh.PublicKey) (*gossh.Permissions, error) {

	user, err := user.New(c.User(), c.RemoteAddr().String())
	if err != nil {
		return nil, err
	}
	dlog.Server.Info(user, "Incoming authorization")

	authorizedKeysFile, err := authorizedKeysFile(user)
	if err != nil {
		return nil, err
	}

	dlog.Server.Info(user, "Reading", authorizedKeysFile)
	authorizedKeysBytes, err := os.ReadFile(authorizedKeysFile)
	if err != nil {
		return nil, fmt.Errorf("Unable to read authorized keys file|%s|%s|%s",
			authorizedKeysFile, user, err.Error())
	}

	return verifyAuthorizedKeys(user, authorizedKeysBytes, offeredPubKey)
}

func verifyAuthorizedKeys(user *user.User, authorizedKeysBytes []byte,
	offeredPubKey gossh.PublicKey) (*gossh.Permissions, error) {

	authorizedKeysMap := map[string]bool{}
	for len(authorizedKeysBytes) > 0 {
		authorizedPubKey, _, _, restBytes, err := gossh.ParseAuthorizedKey(authorizedKeysBytes)
		if err != nil {
			return nil, fmt.Errorf("unable to parse authorized keys bytes|%s|%s",
				user, err.Error())
		}
		authorizedKeysMap[string(authorizedPubKey.Marshal())] = true
		authorizedKeysBytes = restBytes
		dlog.Server.Debug(user, "Authorized public key fingerprint",
			gossh.FingerprintSHA256(authorizedPubKey))
	}

	dlog.Server.Debug(user, "Offered public key fingerprint", gossh.FingerprintSHA256(offeredPubKey))
	if authorizedKeysMap[string(offeredPubKey.Marshal())] {
		return &gossh.Permissions{
			Extensions: map[string]string{"pubkey-fp": gossh.FingerprintSHA256(offeredPubKey)},
		}, nil
	}

	return nil, fmt.Errorf("%s|public key of user not authorized", user)
}

func authorizedKeysFile(user *user.User) (string, error) {
	if config.Env("DTAIL_INTEGRATION_TEST_RUN_MODE") {
		// In this case, we expect a pub key in the current directory.
		return "./id_rsa.pub", nil
	}

	cwd, err := os.Getwd()
	if err != nil {
		return "", err
	}

	// Check for cached version in the dserver directory.
	authorizedKeysFile := fmt.Sprintf("%s/%s/%s.authorized_keys", cwd,
		config.Common.CacheDir, user.Name)
	if _, err = os.Stat(authorizedKeysFile); err == nil {
		return authorizedKeysFile, nil
	}

	// As the last option, check the regular SSH path.
	osUser, err := goUser.Lookup(user.Name)
	if err != nil {
		return "", err
	}
	authorizedKeysFile = fmt.Sprintf("%s/.ssh/authorized_keys", osUser.HomeDir)
	if _, err = os.Stat(authorizedKeysFile); err == nil {
		return authorizedKeysFile, nil
	}

	return "", fmt.Errorf("unable to find a any authorized keys file")
}
generated by cgit v1.2.3 (git 2.25.1) at 2026-05-17 12:29:32 +0000