package main
import (
"bytes"
"errors"
"github.com/rs/zerolog/log"
"golang.org/x/crypto/ssh"
config "novit.tech/direktil/pkg/bootstrapconfig"
)
var (
	// auths is the list of configured authentication entries scanned by both
	// localAuth (password) and sshCheckPubkey (SSH public key) on every
	// attempt. It is populated outside this block — assumed to come from the
	// bootstrap config loader; confirm against the caller.
	auths []config.Auth
)
// localAuth prompts for a password on the local console and reports whether
// it matches any configured auth entry that has a password set. Entries with
// an empty Password are skipped, so they cannot be used for local login.
// Note there is no user name: the first entry whose password matches wins.
func localAuth() bool {
	secret := askSecret("password")

	for idx := range auths {
		entry := auths[idx]
		if entry.Password == "" {
			// no password configured for this entry: nothing to compare against
			continue
		}
		if !config.CheckPassword(entry.Password, secret) {
			continue
		}
		log.Info().Msgf("login with auth %q", entry.Name)
		return true
	}

	return false
}
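// sshCheckPubkey is the public-key callback for the SSH server: it accepts
// the offered key when its wire encoding equals the SSHKey of one of the
// configured auth entries (authorized_keys format). Entries with an empty
// SSHKey are skipped.
//
// A malformed SSHKey entry is logged and skipped instead of aborting the
// lookup: such an entry can never match, so skipping it does not weaken the
// check, while returning early would deny every other (valid) key as soon as
// one config entry is broken.
//
// On success the returned Permissions carry the accepted key's SHA256
// fingerprint under the "pubkey-fp" extension. conn is unused. Returns an
// error when no entry matches.
func sshCheckPubkey(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
	keyBytes := key.Marshal()

	for _, auth := range auths {
		if auth.SSHKey == "" {
			continue
		}

		allowedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(auth.SSHKey))
		if err != nil {
			// the logged value is the (public) configured key, not a secret
			log.Warn().Err(err).Str("user", auth.Name).Str("key", auth.SSHKey).Msg("SSH public key is invalid")
			continue
		}

		// Compare the full marshaled encoding, not a fingerprint, so the
		// decision rests on the exact key bytes.
		if !bytes.Equal(allowedKey.Marshal(), keyBytes) {
			continue
		}

		log.Info().Str("user", auth.Name).Msg("ssh: accepting public key")
		return &ssh.Permissions{
			Extensions: map[string]string{
				"pubkey-fp": ssh.FingerprintSHA256(key),
			},
		}, nil
	}

	return nil, errors.New("no matching public key")
}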