perf: 完善 ssh mfa 认证

jumpserver · Oct 7, 2023 · 2214c74 · 2214c74
1 parent 725e0b1
commit 2214c74
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 3 deletions.
diff --git a/go.mod b/go.mod
@@ -125,6 +125,6 @@ require (
 )
 
 replace (
-	github.com/gliderlabs/ssh => github.com/LeeEirc/ssh v0.1.2-0.20220323091501-23b956e1e5a8
+	github.com/gliderlabs/ssh => github.com/LeeEirc/ssh v0.1.2-0.20231007053448-a6110c0dfc4a
 	golang.org/x/crypto => github.com/LeeEirc/crypto v0.0.0-20230919154755-059031d26b68
 )
diff --git a/go.sum b/go.sum
@@ -65,8 +65,8 @@ github.com/LeeEirc/elfinder v0.0.14 h1:6ObxwIoC5zmrnKArUU5Mz++/T3lzgl1Ja0pS1Smd3
 github.com/LeeEirc/elfinder v0.0.14/go.mod h1:d1bMAAydkZSBxSN/EuQjBg6B0xcPP3boHuYEpzEHYTs=
 github.com/LeeEirc/httpsig v1.2.1 h1:GGmCc2Bug3KeCchlZHwrfyjyAnw+JlzMjKDobPypirs=
 github.com/LeeEirc/httpsig v1.2.1/go.mod h1:aoLZLXCSNDgkzsH2sGLWn3hlVbF+Voe8fCArxLt9nWA=
-github.com/LeeEirc/ssh v0.1.2-0.20220323091501-23b956e1e5a8 h1:UxED5pKJd9yel/LXEUHDn8C+pYhDogxwx7G9HZcov4w=
-github.com/LeeEirc/ssh v0.1.2-0.20220323091501-23b956e1e5a8/go.mod h1:bSl4MzlGJ2FbMCzfyuwruG2mrWY0dxE8wqWoAIhKe8k=
+github.com/LeeEirc/ssh v0.1.2-0.20231007053448-a6110c0dfc4a h1:/EdJeCK6cTaKNgftQLP9uyBL4Q86MFawU0WsK22yn2A=
+github.com/LeeEirc/ssh v0.1.2-0.20231007053448-a6110c0dfc4a/go.mod h1:O9BMs9PYwCJbftRP9O2Ig5Wd3hbLSpzhvP0bqU9EONg=
 github.com/LeeEirc/tclientlib v0.0.3-0.20230803101925-fb52a90cb08d h1:4qUSGc/34IALiDs2kBrjbCKfx7zvAt16K+gTRzNN8Fo=
 github.com/LeeEirc/tclientlib v0.0.3-0.20230803101925-fb52a90cb08d/go.mod h1:TF2v0XZYyRcZfx4NmA/EEFRkdKZLsQd8YnlhGKl1KUA=
 github.com/LeeEirc/terminalparser v0.0.0-20220328021224-de16b7643ea4 h1:Gk7m4Nu2jqVqJAJqNlTYqkiq96WkANAtB4fVi+t7Xv8=

diff --git a/pkg/auth/ssh.go b/pkg/auth/ssh.go
@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"errors"
 	"net"
 	"strings"
 
@@ -82,6 +83,12 @@ func SSHKeyboardInteractiveAuth(ctx ssh.Context, challenger gossh.KeyboardIntera
 	if value, ok := ctx.Value(ContextKeyAuthFailed).(*bool); ok && *value {
 		return ssh.AuthFailed
 	}
+	// 2 steps auth must have a partial success method
+	if val := ctx.Value(ContextKeyPartialSuccessMethod); val == nil {
+		logger.Errorf("SSH conn[%s] user %s Mfa Auth failed: not found partial success method.")
+		return ssh.AuthFailed
+	}
+
 	username := GetUsernameFromSSHCtx(ctx)
 	res = ssh.AuthFailed
 	client, ok := ctx.Value(ContextKeyClient).(*UserAuthClient)
@@ -108,6 +115,19 @@ func SSHKeyboardInteractiveAuth(ctx ssh.Context, challenger gossh.KeyboardIntera
 	return
 }
 
+func SSHAuthLogCallback(ctx ssh.Context, method string, err error) {
+	if err == nil {
+		logger.Errorf("SSH conn[%s] auth method %s success", ctx.SessionID(), method)
+		return
+	}
+	if errors.Is(err, gossh.ErrPartialSuccess) {
+		ctx.SetValue(ContextKeyPartialSuccessMethod, method)
+		logger.Infof("SSH conn[%s] auth method %s partially success", ctx.SessionID(), method)
+	} else {
+		logger.Errorf("SSH conn[%s] auth method %s failed: %s", ctx.SessionID(), method, err)
+	}
+}
+
 const (
 	ContextKeyUser   = "CONTEXT_USER"
 	ContextKeyClient = "CONTEXT_CLIENT"
@@ -117,6 +137,8 @@ const (
 	ContextKeyAuthFailed = "CONTEXT_AUTH_FAILED"
 
 	ContextKeyDirectLoginFormat = "CONTEXT_DIRECT_LOGIN_FORMAT"
+
+	ContextKeyPartialSuccessMethod = "CONTEXT_PARTIAL_SUCCESS_METHOD"
 )
 
 type DirectLoginAssetReq struct {

diff --git a/pkg/sshd/server.go b/pkg/sshd/server.go
@@ -73,6 +73,7 @@ func NewSSHServer(jmsService *service.JMService) *Server {
 		KeyboardInteractiveHandler: auth.SSHKeyboardInteractiveAuth,
 		PasswordHandler:            sshHandler.PasswordAuth,
 		PublicKeyHandler:           sshHandler.PublicKeyAuth,
+		AuthLogCallback:            auth.SSHAuthLogCallback,
 		NextAuthMethodsHandler:     func(ctx ssh.Context) []string { return []string{nextAuthMethod} },
 		HostSigners:                []ssh.Signer{singer},
 		ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {