Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
317388e81d | ||
|
|
96ead754ed | ||
|
|
3a3e3fa81d | ||
|
|
bdba5287b5 | ||
|
|
aded9bc067 | ||
|
|
4fbd9df64c | ||
|
|
e2181393d0 | ||
|
|
7aeddd4032 | ||
|
|
30c6f7d6f0 | ||
|
|
04efa5aaea | ||
|
|
6d7fa14eb0 |
@@ -6,16 +6,18 @@ import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/ed25519"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net"
|
||||
"os"
|
||||
"path"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
@@ -31,6 +33,10 @@ var (
|
||||
"/perm/breakglass.authorized_keys",
|
||||
"path to an OpenSSH authorized_keys file; if the value is 'ec2', fetch the SSH key(s) from the AWS IMDSv2 metadata")
|
||||
|
||||
authorizedUserCAPath = flag.String("authorized_ca",
|
||||
"/perm/breakglass.authorized_user_ca",
|
||||
"path to an OpenSSH TrustedUserCAKeys file; note the certificate must list ':gokrazy:' as a valid principal")
|
||||
|
||||
hostKeyPath = flag.String("host_key",
|
||||
"/perm/breakglass.host_key",
|
||||
"path to a PEM-encoded RSA, DSA or ECDSA private key (create using e.g. ssh-keygen -f /perm/breakglass.host_key -N '' -t rsa)")
|
||||
@@ -46,6 +52,9 @@ var (
|
||||
forwarding = flag.String("forward",
|
||||
"",
|
||||
"allow port forwarding. Use `loopback` for loopback interfaces and `private-network` for private networks")
|
||||
|
||||
home = "/perm/home"
|
||||
shell = ""
|
||||
)
|
||||
|
||||
func loadAuthorizedKeys(path string) (map[string]bool, error) {
|
||||
@@ -81,6 +90,19 @@ func loadAuthorizedKeys(path string) (map[string]bool, error) {
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func loadPasswd(passwd string) {
|
||||
b, err := os.ReadFile(passwd)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
fields := bytes.SplitN(bytes.SplitN(b, []byte("\n"), 2)[0], []byte(":"), 7)
|
||||
if len(fields) != 7 {
|
||||
return
|
||||
}
|
||||
home = path.Clean(string(fields[5]))
|
||||
shell = path.Clean(string(fields[6]))
|
||||
}
|
||||
|
||||
func loadHostKey(path string) (ssh.Signer, error) {
|
||||
b, err := ioutil.ReadFile(path)
|
||||
if err != nil {
|
||||
@@ -91,7 +113,7 @@ func loadHostKey(path string) (ssh.Signer, error) {
|
||||
}
|
||||
|
||||
func createHostKey(path string) (ssh.Signer, error) {
|
||||
key, err := rsa.GenerateKey(rand.Reader, 1024)
|
||||
_, key, err := ed25519.GenerateKey(rand.Reader)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -154,7 +176,7 @@ func initMOTD() error {
|
||||
return err
|
||||
}
|
||||
|
||||
motd = fmt.Sprintf(` __
|
||||
motd = fmt.Sprintf(` __
|
||||
.-----.-----| |--.----.---.-.-----.--.--.
|
||||
| _ | _ | <| _| _ |-- __| | |
|
||||
|___ |_____|__|__|__| |___._|_____|___ |
|
||||
@@ -172,7 +194,9 @@ func main() {
|
||||
flag.Parse()
|
||||
log.SetFlags(log.LstdFlags | log.Lshortfile)
|
||||
|
||||
gokrazy.DontStartOnBoot()
|
||||
installBusybox()
|
||||
|
||||
loadPasswd("/etc/passwd")
|
||||
|
||||
authorizedKeys, err := loadAuthorizedKeys(*authorizedKeysPath)
|
||||
if err != nil {
|
||||
@@ -182,19 +206,59 @@ func main() {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
authorizedUserCertificateCA, err := loadAuthorizedKeys(strings.TrimPrefix(*authorizedUserCAPath, "ec2"))
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
log.Printf("TrustedUserCAKeys not loaded")
|
||||
}
|
||||
}
|
||||
|
||||
if err := initMOTD(); err != nil {
|
||||
log.Print(err)
|
||||
}
|
||||
|
||||
config := &ssh.ServerConfig{
|
||||
PublicKeyCallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
|
||||
certChecker := ssh.CertChecker{
|
||||
IsUserAuthority: func(auth ssh.PublicKey) bool {
|
||||
return authorizedUserCertificateCA[string(auth.Marshal())]
|
||||
},
|
||||
UserKeyFallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
|
||||
if authorizedKeys[string(pubKey.Marshal())] {
|
||||
log.Printf("user %q successfully authorized from remote addr %s", conn.User(), conn.RemoteAddr())
|
||||
return nil, nil
|
||||
return &ssh.Permissions{map[string]string{}, map[string]string{}, map[any]any{}}, nil
|
||||
}
|
||||
return nil, fmt.Errorf("public key not found in %s", *authorizedKeysPath)
|
||||
},
|
||||
}
|
||||
config := &ssh.ServerConfig{
|
||||
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
|
||||
cert, ok := key.(*ssh.Certificate)
|
||||
if !ok {
|
||||
if certChecker.UserKeyFallback != nil {
|
||||
return certChecker.UserKeyFallback(conn, key)
|
||||
}
|
||||
return nil, errors.New("ssh: normal key pairs not accepted")
|
||||
}
|
||||
|
||||
if cert.CertType != ssh.UserCert {
|
||||
return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType)
|
||||
}
|
||||
if !certChecker.IsUserAuthority(cert.SignatureKey) {
|
||||
return nil, fmt.Errorf("ssh: certificate signed by unrecognized authority")
|
||||
}
|
||||
|
||||
if err := certChecker.CheckCert(":gokrazy:", cert); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if cert.Permissions.CriticalOptions == nil {
|
||||
cert.Permissions.CriticalOptions = map[string]string{}
|
||||
}
|
||||
if cert.Permissions.Extensions == nil {
|
||||
cert.Permissions.Extensions = map[string]string{}
|
||||
}
|
||||
|
||||
return &cert.Permissions, nil
|
||||
|
||||
},
|
||||
}
|
||||
|
||||
signer, err := loadHostKey(*hostKeyPath)
|
||||
if err != nil {
|
||||
@@ -244,7 +308,7 @@ func main() {
|
||||
}
|
||||
|
||||
go func(conn net.Conn) {
|
||||
_, chans, reqs, err := ssh.NewServerConn(conn, config)
|
||||
c, chans, reqs, err := ssh.NewServerConn(conn, config)
|
||||
if err != nil {
|
||||
log.Printf("handshake: %v", err)
|
||||
return
|
||||
@@ -254,12 +318,13 @@ func main() {
|
||||
go ssh.DiscardRequests(reqs)
|
||||
|
||||
for newChannel := range chans {
|
||||
handleChannel(newChannel)
|
||||
handleChannel(newChannel, c)
|
||||
}
|
||||
}(conn)
|
||||
}
|
||||
}
|
||||
|
||||
gokrazy.WaitFor("net-route")
|
||||
addrs, err := gokrazy.PrivateInterfaceAddrs()
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
|
||||
23
go.mod
23
go.mod
@@ -3,22 +3,25 @@ module github.com/gokrazy/breakglass
|
||||
go 1.24.0
|
||||
|
||||
require (
|
||||
github.com/gokrazy/gokapi v0.0.0-20250222071133-506fdb322775
|
||||
github.com/gokrazy/gokrazy v0.0.0-20250222061409-bd0bb5f1d0b5
|
||||
github.com/gokrazy/internal v0.0.0-20251208203110-3c1aa9087c82
|
||||
github.com/google/renameio/v2 v2.0.0
|
||||
github.com/gokrazy/gokapi v0.0.0-20251205165548-0927bab199d4
|
||||
github.com/gokrazy/gokrazy v0.0.0-20251120071335-9c06b898c109
|
||||
github.com/gokrazy/internal v0.0.0-20251209163600-c74b4e7749e8
|
||||
github.com/google/renameio/v2 v2.0.1
|
||||
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
|
||||
github.com/kr/pty v1.1.8
|
||||
github.com/pkg/sftp v1.13.5
|
||||
golang.org/x/crypto v0.45.0
|
||||
github.com/pkg/sftp v1.13.10
|
||||
golang.org/x/crypto v0.46.0
|
||||
)
|
||||
|
||||
require (
|
||||
github.com/creack/pty v1.1.18 // indirect
|
||||
github.com/antihax/optional v1.0.0 // indirect
|
||||
github.com/creack/pty v1.1.24 // indirect
|
||||
github.com/kenshaw/evdev v0.1.0 // indirect
|
||||
github.com/kr/fs v0.1.0 // indirect
|
||||
github.com/mdlayher/watchdog v0.0.0-20221003142519-49be0df7b3b5 // indirect
|
||||
github.com/spf13/pflag v1.0.5 // indirect
|
||||
golang.org/x/oauth2 v0.27.0 // indirect
|
||||
golang.org/x/sys v0.38.0 // indirect
|
||||
github.com/spf13/pflag v1.0.10 // indirect
|
||||
github.com/vishvananda/netlink v1.3.1 // indirect
|
||||
github.com/vishvananda/netns v0.0.5 // indirect
|
||||
golang.org/x/oauth2 v0.34.0 // indirect
|
||||
golang.org/x/sys v0.39.0 // indirect
|
||||
)
|
||||
|
||||
31
go.sum
31
go.sum
@@ -1,18 +1,31 @@
|
||||
github.com/antihax/optional v1.0.0 h1:xK2lYat7ZLaVVcIuj82J8kIro4V6kDe0AUDFboUCwcg=
|
||||
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
|
||||
github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
|
||||
github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
|
||||
github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
|
||||
github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
|
||||
github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
|
||||
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
github.com/gokrazy/gokapi v0.0.0-20250222071133-506fdb322775 h1:f5+2UMRRbr3+e/gdWCBNn48chS/KMMljfbmlSSHfRBA=
|
||||
github.com/gokrazy/gokapi v0.0.0-20250222071133-506fdb322775/go.mod h1:q9mIV8al0wqmqFXJhKiO3SOHkL9/7Q4kIMynqUQWhgU=
|
||||
github.com/gokrazy/gokapi v0.0.0-20251205165548-0927bab199d4 h1:XFo3EqnHUbmAySp7zqms8ee/tU8bM9k+YzT7L4o5CcQ=
|
||||
github.com/gokrazy/gokapi v0.0.0-20251205165548-0927bab199d4/go.mod h1:+StofDb/2cMb7vbA2znaNolgp9SadTYeyRIFtdhH1KQ=
|
||||
github.com/gokrazy/gokrazy v0.0.0-20250222061409-bd0bb5f1d0b5 h1:VQhDGxRliP4ZTQ8+33v4VKtOpX4VzN8pA4zBMZQSSxs=
|
||||
github.com/gokrazy/gokrazy v0.0.0-20250222061409-bd0bb5f1d0b5/go.mod h1:6fAh0J7aH6o5HWSiwN6uxNlm6Rjx1BxeNMWyNBQZ6sI=
|
||||
github.com/gokrazy/gokrazy v0.0.0-20251120071335-9c06b898c109 h1:bOGq8uswYxUcDDrhr49SJFaiYBfhBkjaLZq4JXASGWE=
|
||||
github.com/gokrazy/gokrazy v0.0.0-20251120071335-9c06b898c109/go.mod h1:NtMkrFeDGnwldKLi0dLdd2ipNwoVa7TI4HTxsy7lFRg=
|
||||
github.com/gokrazy/internal v0.0.0-20251208203110-3c1aa9087c82 h1:4ghNfD9NaZLpFrqQiBF6mPVFeMYXJSky38ubVA4ic2E=
|
||||
github.com/gokrazy/internal v0.0.0-20251208203110-3c1aa9087c82/go.mod h1:dQY4EMkD4L5ZjYJ0SPtpgYbV7MIUMCxNIXiOfnZ6jP4=
|
||||
github.com/gokrazy/internal v0.0.0-20251209163600-c74b4e7749e8 h1:oDssNvynxA1AFJEEDDrFnRWwcmrRraj9BoXftZAKut4=
|
||||
github.com/gokrazy/internal v0.0.0-20251209163600-c74b4e7749e8/go.mod h1:dQY4EMkD4L5ZjYJ0SPtpgYbV7MIUMCxNIXiOfnZ6jP4=
|
||||
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
|
||||
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
|
||||
github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
|
||||
github.com/google/renameio/v2 v2.0.1 h1:HyOM6qd9gF9sf15AvhbptGHUnaLTpEI9akAFFU3VyW0=
|
||||
github.com/google/renameio/v2 v2.0.1/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
|
||||
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
|
||||
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
|
||||
github.com/kenshaw/evdev v0.1.0 h1:wmtceEOFfilChgdNT+c/djPJ2JineVsQ0N14kGzFRUo=
|
||||
@@ -25,28 +38,46 @@ github.com/mdlayher/watchdog v0.0.0-20221003142519-49be0df7b3b5 h1:80FAK3TW5lVym
|
||||
github.com/mdlayher/watchdog v0.0.0-20221003142519-49be0df7b3b5/go.mod h1:z0QjVpjpK4jksEkffQwS3+abQ3XFTm1bnimyDzWyUk0=
|
||||
github.com/pkg/sftp v1.13.5 h1:a3RLUqkyjYRtBTZJZ1VRrKbN3zhuPLlUc3sphVz81go=
|
||||
github.com/pkg/sftp v1.13.5/go.mod h1:wHDZ0IZX6JcBYRK1TH9bcVq8G7TLpVHYIGJRFnmPfxg=
|
||||
github.com/pkg/sftp v1.13.10 h1:+5FbKNTe5Z9aspU88DPIKJ9z2KZoaGCu6Sr6kKR/5mU=
|
||||
github.com/pkg/sftp v1.13.10/go.mod h1:bJ1a7uDhrX/4OII+agvy28lzRvQrmIQuaHrcI1HbeGA=
|
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
|
||||
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
|
||||
github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
|
||||
github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
|
||||
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
||||
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
|
||||
github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
|
||||
github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
|
||||
github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
|
||||
github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
|
||||
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
||||
golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
|
||||
golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
|
||||
golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
|
||||
golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
|
||||
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||
golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
|
||||
golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
|
||||
golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
|
||||
golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
|
||||
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
|
||||
golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
|
||||
golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
|
||||
golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
|
||||
golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
|
||||
golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
|
||||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
|
||||
61
ssh.go
61
ssh.go
@@ -2,16 +2,19 @@ package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"syscall"
|
||||
"time"
|
||||
"unsafe"
|
||||
|
||||
"github.com/gokrazy/gokrazy"
|
||||
@@ -21,11 +24,15 @@ import (
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
func handleChannel(newChan ssh.NewChannel) {
|
||||
func handleChannel(newChan ssh.NewChannel, conn *ssh.ServerConn) {
|
||||
switch t := newChan.ChannelType(); t {
|
||||
case "session":
|
||||
handleSession(newChan)
|
||||
handleSession(newChan, conn)
|
||||
case "direct-tcpip":
|
||||
if _, portForwardDenied := conn.Permissions.Extensions["no-port-forwarding"]; portForwardDenied {
|
||||
newChan.Reject(ssh.Prohibited, "port forwarding is disabled. For you in particular :-P")
|
||||
return
|
||||
}
|
||||
handleTCPIP(newChan)
|
||||
default:
|
||||
newChan.Reject(ssh.UnknownChannelType, fmt.Sprintf("unknown channel type: %q", t))
|
||||
@@ -112,7 +119,7 @@ func handleTCPIP(newChan ssh.NewChannel) {
|
||||
}()
|
||||
}
|
||||
|
||||
func handleSession(newChannel ssh.NewChannel) {
|
||||
func handleSession(newChannel ssh.NewChannel, conn *ssh.ServerConn) {
|
||||
channel, requests, err := newChannel.Accept()
|
||||
if err != nil {
|
||||
log.Printf("Could not accept channel (%s)", err)
|
||||
@@ -120,12 +127,12 @@ func handleSession(newChannel ssh.NewChannel) {
|
||||
}
|
||||
|
||||
// Sessions have out-of-band requests such as "shell", "pty-req" and "env"
|
||||
go func(channel ssh.Channel, requests <-chan *ssh.Request) {
|
||||
go func(channel ssh.Channel, requests <-chan *ssh.Request, conn *ssh.ServerConn) {
|
||||
ctx, canc := context.WithCancel(context.Background())
|
||||
defer canc()
|
||||
s := session{channel: channel}
|
||||
for req := range requests {
|
||||
if err := s.request(ctx, req); err != nil {
|
||||
if err := s.request(ctx, req, conn); err != nil {
|
||||
log.Printf("request(%q): %v", req.Type, err)
|
||||
errmsg := []byte(err.Error())
|
||||
// Append a trailing newline; the error message is
|
||||
@@ -139,7 +146,7 @@ func handleSession(newChannel ssh.NewChannel) {
|
||||
}
|
||||
}
|
||||
log.Printf("requests exhausted")
|
||||
}(channel, requests)
|
||||
}(channel, requests, conn)
|
||||
}
|
||||
|
||||
func expandPath(env []string) []string {
|
||||
@@ -214,34 +221,52 @@ type exitStatus struct {
|
||||
Status uint32
|
||||
}
|
||||
|
||||
func shellWorks(shell string) bool {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
|
||||
defer cancel()
|
||||
cmd := exec.CommandContext(ctx, shell, "-c", "exit 58")
|
||||
cmd.Run()
|
||||
return cmd.ProcessState != nil && cmd.ProcessState.ExitCode() == 58
|
||||
}
|
||||
|
||||
func findShell() string {
|
||||
if _, err := os.Stat(wellKnownBusybox); err == nil {
|
||||
// Install busybox to /bin to provide the typical userspace utilities
|
||||
// in standard locations (makes Emacs TRAMP work, for example).
|
||||
if err := installBusybox(); err != nil {
|
||||
log.Printf("installing busybox failed: %v", err)
|
||||
// fallthrough
|
||||
} else {
|
||||
return "/bin/sh" // available after installation
|
||||
// fallthrough, we don't return /bin/sh as we read /etc/passwd
|
||||
}
|
||||
}
|
||||
if path, err := exec.LookPath("sh"); err == nil {
|
||||
if _, err := exec.LookPath(shell); path.IsAbs(shell) && shellWorks(shell) && err == nil {
|
||||
return shell
|
||||
}
|
||||
if path, err := exec.LookPath("bash"); shellWorks(path) && err == nil {
|
||||
return path
|
||||
}
|
||||
if path, err := exec.LookPath("sh"); shellWorks(path) && err == nil {
|
||||
return path
|
||||
}
|
||||
const wellKnownSerialShell = "/tmp/serial-busybox/ash"
|
||||
if _, err := os.Stat(wellKnownSerialShell); err == nil {
|
||||
if _, err := exec.LookPath(wellKnownSerialShell); err == nil {
|
||||
return wellKnownSerialShell
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (s *session) request(ctx context.Context, req *ssh.Request) error {
|
||||
func (s *session) request(ctx context.Context, req *ssh.Request, conn *ssh.ServerConn) error {
|
||||
switch req.Type {
|
||||
case "pty-req":
|
||||
if _, portForwardDenied := conn.Permissions.Extensions["no-pty"]; portForwardDenied {
|
||||
return errors.New("Pseudo-Terminal is disabled. For you in particular :-P")
|
||||
}
|
||||
var r ptyreq
|
||||
if err := ssh.Unmarshal(req.Payload, &r); err != nil {
|
||||
return err
|
||||
}
|
||||
if r.TERM != "" {
|
||||
s.env = append(s.env, fmt.Sprintf("TERM=%s", r.TERM))
|
||||
}
|
||||
|
||||
var err error
|
||||
s.ptyf, s.ttyf, err = pty.Open()
|
||||
@@ -290,12 +315,12 @@ func (s *session) request(ctx context.Context, req *ssh.Request) error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer srv.Close()
|
||||
|
||||
exitCode := uint32(0)
|
||||
if err := srv.Serve(); err != nil {
|
||||
log.Printf("(sftp.Server).Serve(): %v", err)
|
||||
if err == io.EOF {
|
||||
defer srv.Close()
|
||||
log.Printf("sftp client exited session")
|
||||
} else {
|
||||
exitCode = 1
|
||||
@@ -355,21 +380,25 @@ func (s *session) request(ctx context.Context, req *ssh.Request) error {
|
||||
|
||||
// Ensure the $HOME directory exists so that shell history works without
|
||||
// any extra steps.
|
||||
if err := os.MkdirAll("/perm/home", 0755); err != nil {
|
||||
if err := os.MkdirAll(home, 0755); err != nil {
|
||||
// TODO: Suppress -EROFS
|
||||
log.Print(err)
|
||||
}
|
||||
|
||||
var cmd *exec.Cmd
|
||||
if shell := findShell(); shell != "" {
|
||||
cmd = exec.CommandContext(ctx, shell, "-c", r.Command)
|
||||
if len(cmdline) == 0 || (len(cmdline) == 1 && cmdline[0] == "sh") {
|
||||
cmd = exec.CommandContext(ctx, shell, "-l")
|
||||
} else {
|
||||
cmd = exec.CommandContext(ctx, shell, "-c", r.Command)
|
||||
}
|
||||
} else {
|
||||
cmd = exec.CommandContext(ctx, cmdline[0], cmdline[1:]...)
|
||||
}
|
||||
log.Printf("Starting cmd %q", cmd.Args)
|
||||
env := expandPath(s.env)
|
||||
env = append(env,
|
||||
"HOME=/perm/home",
|
||||
"HOME="+home,
|
||||
"TMPDIR=/tmp")
|
||||
cmd.Env = env
|
||||
cmd.SysProcAttr = &syscall.SysProcAttr{}
|
||||
|
||||
Reference in New Issue
Block a user