1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
package server
import (
"dtail/config"
"dtail/logger"
"dtail/server/user"
"fmt"
"io/ioutil"
"os"
osUser "os/user"
gossh "golang.org/x/crypto/ssh"
)
// PublicKeyCallback is for the server to check whether a public SSH key is authorized ot not.
func PublicKeyCallback(c gossh.ConnMetadata, pubKey gossh.PublicKey) (*gossh.Permissions, error) {
user := user.New(c.User(), c.RemoteAddr().String())
logger.Info(user, "Incoming authorization")
cwd, err := os.Getwd()
if err != nil {
return nil, fmt.Errorf("Unable to get current working directory|%s|", err.Error())
}
authorizedKeysFile := fmt.Sprintf("%s/%s/%s.authorized_keys", cwd, config.Common.CacheDir, user.Name)
if _, err := os.Stat(authorizedKeysFile); os.IsNotExist(err) {
user, err := osUser.Lookup(user.Name)
if err != nil {
return nil, fmt.Errorf("Unable to authorize|%s|%s|", user, err.Error())
}
// Fallback to ~
authorizedKeysFile = user.HomeDir + "/.ssh/authorized_keys"
}
logger.Info(user, "Reading", authorizedKeysFile)
authorizedKeysBytes, err := ioutil.ReadFile(authorizedKeysFile)
if err != nil {
return nil, fmt.Errorf("Unable to read authorized keys file|%s|%s|%s", authorizedKeysFile, user, err.Error())
}
authorizedKeysMap := map[string]bool{}
for len(authorizedKeysBytes) > 0 {
pubKey, _, _, rest, err := gossh.ParseAuthorizedKey(authorizedKeysBytes)
if err != nil {
return nil, fmt.Errorf("Unable to parse authorized keys bytes|%s|%s", user, err.Error())
}
authorizedKeysMap[string(pubKey.Marshal())] = true
authorizedKeysBytes = rest
}
if authorizedKeysMap[string(pubKey.Marshal())] {
logger.Debug("Public key fingerprint", gossh.FingerprintSHA256(pubKey), user)
return &gossh.Permissions{
Extensions: map[string]string{
"pubkey-fp": gossh.FingerprintSHA256(pubKey),
},
}, nil
}
return nil, fmt.Errorf("Unknown public key|%s", user)
}
|
