initrd/auth.go
2022-04-04 10:29:28 +02:00


package main
import (
"bytes"
"errors"
"log"
"golang.org/x/crypto/ssh"
config "novit.tech/direktil/pkg/bootstrapconfig"
)
// auths is the list of configured authentication entries consulted by
// localAuth (password field) and sshCheckPubkey (SSHKey field). It is
// expected to be filled in elsewhere in the program before either is called.
var auths []config.Auth
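// localAuth reads a secret via askSecret and returns true when it matches the
// password of one of the configured auth entries. Entries with an empty
// Password are ignored; the first matching entry wins and is logged by name.
//
// Unlike the previous version, a failed attempt is also logged so that
// unsuccessful logins leave a trace for later review.
func localAuth() bool {
	sec := askSecret("password")

	for _, auth := range auths {
		if auth.Password == "" {
			continue
		}

		if config.CheckPassword(auth.Password, sec) {
			log.Printf("login with auth %q", auth.Name)
			return true
		}
	}

	// No entry matched; record the failure (the secret itself is never logged).
	log.Print("login failed: password did not match any auth")
	return false
}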
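// sshCheckPubkey is the public-key callback for the SSH server: it accepts the
// offered key only when its marshalled form is byte-identical to the parsed
// SSHKey of one of the configured auth entries.
//
// conn provides the client's claimed user name, which is used for logging
// only; key is the public key the client is proving possession of. On success
// the returned Permissions carry the key's SHA256 fingerprint under the
// "pubkey-fp" extension; otherwise a non-nil error rejects the attempt.
//
// A configured SSHKey that does not parse can never grant access, so it is
// logged and skipped instead of aborting the whole check: previously a single
// malformed entry made every entry listed after it unusable, so whether a
// valid key worked depended on its position in auths.
func sshCheckPubkey(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
	keyBytes := key.Marshal()
	fp := ssh.FingerprintSHA256(key)

	for _, auth := range auths {
		if auth.SSHKey == "" {
			continue
		}

		allowedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(auth.SSHKey))
		if err != nil {
			// Log the parse error rather than the raw key material: the error
			// is what an operator needs to repair the entry.
			log.Printf("ssh: configured public key for %q invalid, skipping: %v", auth.Name, err)
			continue
		}

		// Compare the marshalled (wire) encodings of both keys.
		if bytes.Equal(allowedKey.Marshal(), keyBytes) {
			log.Printf("ssh: accepting public key %s for %q (client user %q)", fp, auth.Name, conn.User())
			return &ssh.Permissions{
				Extensions: map[string]string{
					"pubkey-fp": fp,
				},
			}, nil
		}
	}

	// Log rejected keys as well (one line per key a client offers) so that
	// repeated failures and misconfigured clients are visible.
	log.Printf("ssh: no matching public key for client user %q (%s)", conn.User(), fp)
	return nil, errors.New("no matching public key")
}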