Merge pull request #1406 from rwincey/ssh_cert_auth

Added ssh certificate auth to ssh module
BishopFox · Sep 17, 2023 · 1ca6c76 · 1ca6c76
2 parents ad2be94 + aaaed91
commit 1ca6c76
Show file tree

Hide file tree

Showing 6 changed files with 272 additions and 232 deletions.
diff --git a/client/command/commands.go b/client/command/commands.go
@@ -1295,6 +1295,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 			f.Uint("p", "port", 22, "SSH port")
 			f.String("i", "private-key", "", "path to private key file")
+			f.String("u", "signed-user-cert", "", "path to user signed certificate (certificate based auth)")
 			f.String("P", "password", "", "SSH user password")
 			f.String("l", "login", "", "username to use to connect")
 			f.Bool("s", "skip-loot", false, "skip the prompt to use loot credentials")

diff --git a/client/command/exec/ssh.go b/client/command/exec/ssh.go
@@ -35,8 +35,9 @@ import (
 // SSHCmd - A built-in SSH client command for the remote system (doesn't shell out)
 func SSHCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	var (
-		privKey []byte
-		err     error
+		privKey       []byte
+		signeUserCert []byte
+		err           error
 	)
 	session := con.ActiveTarget.GetSessionInteractive()
 	if session == nil {
@@ -59,6 +60,15 @@ func SSHCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	}
 	password := ctx.Flags.String("password")
 
+	signeUserCertPath := ctx.Flags.String("signed-user-cert")
+	if signeUserCertPath != "" {
+		signeUserCert, err = os.ReadFile(signeUserCertPath)
+		if err != nil {
+			con.PrintErrorf("%s\n", err)
+			return
+		}
+	}
+
 	hostname := ctx.Args.String("hostname")
 	command := ctx.Args.StringList("command")
 	kerberosRealm := ctx.Flags.String("kerberos-realm")
@@ -87,16 +97,17 @@ func SSHCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	}
 
 	sshCmd, err := con.Rpc.RunSSHCommand(context.Background(), &sliverpb.SSHCommandReq{
-		Username: username,
-		Hostname: hostname,
-		Port:     uint32(port),
-		PrivKey:  privKey,
-		Password: password,
-		Command:  strings.Join(command, " "),
-		Realm:    kerberosRealm,
-		Krb5Conf: kerberosConfig,
-		Keytab:   kerberosKeytab,
-		Request:  con.ActiveTarget.Request(ctx),
+		Username:       username,
+		Hostname:       hostname,
+		Port:           uint32(port),
+		PrivKey:        privKey,
+		Password:       password,
+		Command:        strings.Join(command, " "),
+		Realm:          kerberosRealm,
+		Krb5Conf:       kerberosConfig,
+		Keytab:         kerberosKeytab,
+		Request:        con.ActiveTarget.Request(ctx),
+		SignedUserCert: signeUserCert,
 	})
 	if err != nil {
 		con.PrintErrorf("%s\n", err)

diff --git a/implant/sliver/handlers/rpc-handlers.go b/implant/sliver/handlers/rpc-handlers.go
@@ -295,6 +295,7 @@ func runSSHCommandHandler(data []byte, resp RPCResponse) {
 		commandReq.Username,
 		commandReq.Password,
 		commandReq.PrivKey,
+		commandReq.SignedUserCert,
 		commandReq.Krb5Conf,
 		commandReq.Keytab,
 		commandReq.Realm,

diff --git a/implant/sliver/shell/ssh/ssh.go b/implant/sliver/shell/ssh/ssh.go
@@ -17,7 +17,7 @@ import (
 	"golang.org/x/crypto/ssh/agent"
 )
 
-func getClient(host string, port uint16, username string, password string, privKey []byte, krb5conf string, keytab []byte, realm string) (*ssh.Client, error) {
+func getClient(host string, port uint16, username string, password string, privKey []byte, signedUserCert []byte, krb5conf string, keytab []byte, realm string) (*ssh.Client, error) {
 	var authMethods []ssh.AuthMethod
 	if password != "" {
 		// Try password auth first
@@ -28,6 +28,22 @@ func getClient(host string, port uint16, username string, password string, privK
 		if err != nil {
 			return nil, err
 		}
+		// If certificate based auth add signed public key
+		if len(signedUserCert) != 0 {
+			cert, _, _, _, err := ssh.ParseAuthorizedKey(signedUserCert)
+			if err != nil {
+				return nil, err
+			}
+
+			// create a signer using both the certificate and the private key:
+			certSigner, err := ssh.NewCertSigner(cert.(*ssh.Certificate), signer)
+			if err != nil {
+				return nil, err
+			}
+			//Update signer
+			signer = certSigner
+		}
+
 		authMethods = append(authMethods, ssh.PublicKeys(signer))
 	} else if krb5conf != "" && keytab != nil && realm != "" {
 		// Then try kerberos auth
@@ -74,12 +90,12 @@ func getClient(host string, port uint16, username string, password string, privK
 }
 
 // RunSSHCommand - SSH to a host and execute a command
-func RunSSHCommand(host string, port uint16, username string, password string, privKey []byte, krb5conf string, keytab []byte, realm string, command string) (string, string, error) {
+func RunSSHCommand(host string, port uint16, username string, password string, privKey []byte, signedUserCert []byte, krb5conf string, keytab []byte, realm string, command string) (string, string, error) {
 	var (
 		stdout bytes.Buffer
 		stderr bytes.Buffer
 	)
-	sshc, err := getClient(host, port, username, password, privKey, krb5conf, keytab, realm)
+	sshc, err := getClient(host, port, username, password, privKey, signedUserCert, krb5conf, keytab, realm)
 	if err != nil {
 		return "", "", err
 	}