initrd/auth.go

60 lines
1.1 KiB
Go
Raw Permalink Normal View History

package main
import (
"bytes"
"errors"
2024-01-20 15:41:54 +00:00
"github.com/rs/zerolog/log"
"golang.org/x/crypto/ssh"
2022-04-04 08:29:28 +00:00
config "novit.tech/direktil/pkg/bootstrapconfig"
)
var (
auths []config.Auth
)
func localAuth() bool {
sec := askSecret("password")
for _, auth := range auths {
if auth.Password == "" {
continue
}
if config.CheckPassword(auth.Password, sec) {
2024-01-20 15:41:54 +00:00
log.Info().Msgf("login with auth %q", auth.Name)
return true
}
}
return false
}
func sshCheckPubkey(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
keyBytes := key.Marshal()
for _, auth := range auths {
if auth.SSHKey == "" {
continue
}
allowedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(auth.SSHKey))
if err != nil {
2024-01-20 15:41:54 +00:00
log.Warn().Err(err).Str("user", auth.Name).Str("key", auth.SSHKey).Msg("SSH public key is invalid")
return nil, err
}
if bytes.Equal(allowedKey.Marshal(), keyBytes) {
2024-01-20 15:41:54 +00:00
log.Info().Str("user", auth.Name).Msg("ssh: accepting public key")
return &ssh.Permissions{
Extensions: map[string]string{
"pubkey-fp": ssh.FingerprintSHA256(key),
},
}, nil
}
}
return nil, errors.New("no matching public key")
}