Report permissions denied in internal SSH (#13953)
This PR standardizes reporting of permission denied from the internal ssh. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
This commit is contained in:
parent
8e0548ed4a
commit
e46a638e8f
1 changed files with 14 additions and 5 deletions
|
@ -135,6 +135,7 @@ func sessionHandler(session ssh.Session) {
|
||||||
|
|
||||||
func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
|
func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
|
||||||
if ctx.User() != setting.SSH.BuiltinServerUser {
|
if ctx.User() != setting.SSH.BuiltinServerUser {
|
||||||
|
log.Warn("Permission Denied: Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -145,17 +146,18 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
// look for the exact principal
|
// look for the exact principal
|
||||||
|
principalLoop:
|
||||||
for _, principal := range cert.ValidPrincipals {
|
for _, principal := range cert.ValidPrincipals {
|
||||||
pkey, err := models.SearchPublicKeyByContentExact(principal)
|
pkey, err := models.SearchPublicKeyByContentExact(principal)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
if models.IsErrKeyNotExist(err) {
|
||||||
|
log.Debug("Principal Rejected: Unknown Principal: %s", principal)
|
||||||
|
continue principalLoop
|
||||||
|
}
|
||||||
log.Error("SearchPublicKeyByContentExact: %v", err)
|
log.Error("SearchPublicKeyByContentExact: %v", err)
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
if models.IsErrKeyNotExist(err) {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
c := &gossh.CertChecker{
|
c := &gossh.CertChecker{
|
||||||
IsUserAuthority: func(auth gossh.PublicKey) bool {
|
IsUserAuthority: func(auth gossh.PublicKey) bool {
|
||||||
for _, k := range setting.SSH.TrustedUserCAKeysParsed {
|
for _, k := range setting.SSH.TrustedUserCAKeysParsed {
|
||||||
|
@ -170,11 +172,14 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
|
||||||
|
|
||||||
// check the CA of the cert
|
// check the CA of the cert
|
||||||
if !c.IsUserAuthority(cert.SignatureKey) {
|
if !c.IsUserAuthority(cert.SignatureKey) {
|
||||||
return false
|
log.Debug("Principal Rejected: Untrusted Authority Signature Fingerprint %s for Principal: %s", gossh.FingerprintSHA256(cert.SignatureKey), principal)
|
||||||
|
continue principalLoop
|
||||||
}
|
}
|
||||||
|
|
||||||
// validate the cert for this principal
|
// validate the cert for this principal
|
||||||
if err := c.CheckCert(principal, cert); err != nil {
|
if err := c.CheckCert(principal, cert); err != nil {
|
||||||
|
// User is presenting an invalid cerficate - STOP any further processing
|
||||||
|
log.Error("Permission Denied: Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal)
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -186,6 +191,10 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
|
||||||
|
|
||||||
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))
|
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
if models.IsErrKeyNotExist(err) {
|
||||||
|
log.Warn("Permission Denied: Unknown public key : %s", gossh.FingerprintSHA256(key))
|
||||||
|
return false
|
||||||
|
}
|
||||||
log.Error("SearchPublicKeyByContent: %v Failed authentication attempt from %s", err, ctx.RemoteAddr())
|
log.Error("SearchPublicKeyByContent: %v Failed authentication attempt from %s", err, ctx.RemoteAddr())
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
Reference in a new issue