
Ensure users do not accidentally set the PK extension
belak committed Dec 12, 2024
1 parent 80d8371 commit f2f61f2
Showing 1 changed file with 20 additions and 2 deletions.
22 changes: 20 additions & 2 deletions server.go
Expand Up @@ -32,6 +32,14 @@ var DefaultChannelHandlers = map[string]ChannelHandler{

var permissionsPublicKeyExt = "gliderlabs/ssh.PublicKey"

func ensureNoPKInPermissions(ctx Context) error {
if _, ok := ctx.Permissions().Permissions.Extensions[permissionsPublicKeyExt]; ok {
return errors.New("misconfigured server: public key incorrectly set")
}

return nil
}

// Server defines parameters for running an SSH server. The zero value for
// Server is a valid configuration. When both PasswordHandler and
// PublicKeyHandler are nil, no client authentication is performed.
Expand Down Expand Up @@ -152,7 +160,12 @@ func (srv *Server) config(ctx Context) *gossh.ServerConfig {
config.PasswordCallback = func(conn gossh.ConnMetadata, password []byte) (*gossh.Permissions, error) {
resetPermissions(ctx)
applyConnMetadata(ctx, conn)
if ok := srv.PasswordHandler(ctx, string(password)); !ok {
err := ensureNoPKInPermissions(ctx)
if err != nil {
return ctx.Permissions().Permissions, err
}
ok := srv.PasswordHandler(ctx, string(password))
if !ok {
return ctx.Permissions().Permissions, fmt.Errorf("permission denied")
}
return ctx.Permissions().Permissions, nil
Expand All @@ -162,7 +175,12 @@ func (srv *Server) config(ctx Context) *gossh.ServerConfig {
config.PublicKeyCallback = func(conn gossh.ConnMetadata, key gossh.PublicKey) (*gossh.Permissions, error) {
resetPermissions(ctx)
applyConnMetadata(ctx, conn)
if ok := srv.PublicKeyHandler(ctx, key); !ok {
err := ensureNoPKInPermissions(ctx)
if err != nil {
return ctx.Permissions().Permissions, err
}
ok := srv.PublicKeyHandler(ctx, key)
if !ok {
return ctx.Permissions().Permissions, fmt.Errorf("permission denied")
}

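Review bot: In both callbacks the new `ensureNoPKInPermissions(ctx)` call sits between `applyConnMetadata` and the `srv.PasswordHandler` / `srv.PublicKeyHandler` invocation, so it only catches an extension that is already present right after `resetPermissions`; a handler that itself writes `permissionsPublicKeyExt` into `ctx.Permissions().Extensions` — the accidental set the commit title is about — passes this check untouched. Whether the code after the hunk overwrites that entry unconditionally with the key that actually authenticated is outside this view; if it does not, the same guard should be repeated once the handler returns true, e.g. `if err := ensureNoPKInPermissions(ctx); err != nil { return ctx.Permissions().Permissions, err }` before the final return, otherwise a user-supplied key can be attributed to the session. The helper also has no doc comment for the invariant it enforces; I would add `// ensureNoPKInPermissions rejects the auth attempt if the reserved gliderlabs/ssh.PublicKey extension is already set; that entry is intended to be written only by this package, so a caller-supplied value must not be mistaken for the key that authenticated.` Both callback closures and the surrounding `config` method continue past the end of their hunks.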
