initrd/auth.go

package main

import (
	"bytes"
	"errors"

	"github.com/rs/zerolog/log"
	"golang.org/x/crypto/ssh"

	config "novit.tech/direktil/pkg/bootstrapconfig"
)

var (
	auths []config.Auth
)

func localAuth() bool {
	sec := askSecret("password")

	for _, auth := range auths {
		if auth.Password == "" {
			continue
		}

		if config.CheckPassword(auth.Password, sec) {
			log.Info().Msgf("login with auth %q", auth.Name)
			return true
		}
	}

	return false
}

func sshCheckPubkey(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
	keyBytes := key.Marshal()

	for _, auth := range auths {
		if auth.SSHKey == "" {
			continue
		}

		allowedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(auth.SSHKey))
		if err != nil {
			log.Warn().Err(err).Str("user", auth.Name).Str("key", auth.SSHKey).Msg("SSH public key is invalid")
			return nil, err
		}

		if bytes.Equal(allowedKey.Marshal(), keyBytes) {
			log.Info().Str("user", auth.Name).Msg("ssh: accepting public key")
			return &ssh.Permissions{
				Extensions: map[string]string{
					"pubkey-fp": ssh.FingerprintSHA256(key),
				},
			}, nil
		}
	}

	return nil, errors.New("no matching public key")
}