mirror of
https://github.com/go-gitea/gitea
synced 2024-12-22 16:44:26 +00:00
d1c1e3cbcc
Add more comments to explain the ssh problem, and rename `sshConn` to `sshSession`
442 lines
14 KiB
Go
442 lines
14 KiB
Go
// Copyright 2017 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package ssh
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"os"
|
|
"os/exec"
|
|
"path/filepath"
|
|
"reflect"
|
|
"strconv"
|
|
"strings"
|
|
"sync"
|
|
"syscall"
|
|
|
|
asymkey_model "code.gitea.io/gitea/models/asymkey"
|
|
"code.gitea.io/gitea/modules/graceful"
|
|
"code.gitea.io/gitea/modules/log"
|
|
"code.gitea.io/gitea/modules/process"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/modules/util"
|
|
|
|
"github.com/gliderlabs/ssh"
|
|
gossh "golang.org/x/crypto/ssh"
|
|
)
|
|
|
|
// The ssh auth overall works like this:
|
|
// NewServerConn:
|
|
// serverHandshake+serverAuthenticate:
|
|
// PublicKeyCallback:
|
|
// PublicKeyHandler (our code):
|
|
// reset(ctx.Permissions) and set ctx.Permissions.giteaKeyID = keyID
|
|
// pubKey.Verify
|
|
// return ctx.Permissions // only reaches here, the pub key is really authenticated
|
|
// set conn.Permissions from serverAuthenticate
|
|
// sessionHandler(conn)
|
|
//
|
|
// Then sessionHandler should only use the "verified keyID" from the original ssh conn, but not the ctx one.
|
|
// Otherwise, if a user provides 2 keys A (a correct one) and B (public key matches but no private key),
|
|
// then only A succeeds to authenticate, sessionHandler will see B's keyID
|
|
//
|
|
// After x/crypto >= 0.31.0 (fix CVE-2024-45337), the PublicKeyCallback will be called again for the verified key,
|
|
// it mitigates the misuse for most cases, it's still good for us to make sure we don't rely on that mitigation
|
|
// and do not misuse the PublicKeyCallback: we should only use the verified keyID from the verified ssh conn.
|
|
|
|
const giteaPermissionExtensionKeyID = "gitea-perm-ext-key-id"
|
|
|
|
func getExitStatusFromError(err error) int {
|
|
if err == nil {
|
|
return 0
|
|
}
|
|
|
|
exitErr, ok := err.(*exec.ExitError)
|
|
if !ok {
|
|
return 1
|
|
}
|
|
|
|
waitStatus, ok := exitErr.Sys().(syscall.WaitStatus)
|
|
if !ok {
|
|
// This is a fallback and should at least let us return something useful
|
|
// when running on Windows, even if it isn't completely accurate.
|
|
if exitErr.Success() {
|
|
return 0
|
|
}
|
|
|
|
return 1
|
|
}
|
|
|
|
return waitStatus.ExitStatus()
|
|
}
|
|
|
|
// sessionPartial is the private struct from "gliderlabs/ssh/session.go"
|
|
// We need to read the original "conn" field from "ssh.Session interface" which contains the "*session pointer"
|
|
// https://github.com/gliderlabs/ssh/blob/d137aad99cd6f2d9495bfd98c755bec4e5dffb8c/session.go#L109-L113
|
|
// If upstream fixes the problem and/or changes the struct, we need to follow.
|
|
// If the struct mismatches, the builtin ssh server will fail during integration tests.
|
|
type sessionPartial struct {
|
|
sync.Mutex
|
|
gossh.Channel
|
|
conn *gossh.ServerConn
|
|
}
|
|
|
|
func ptr[T any](intf any) *T {
|
|
// https://pkg.go.dev/unsafe#Pointer
|
|
// (1) Conversion of a *T1 to Pointer to *T2.
|
|
// Provided that T2 is no larger than T1 and that the two share an equivalent memory layout,
|
|
// this conversion allows reinterpreting data of one type as data of another type.
|
|
v := reflect.ValueOf(intf)
|
|
p := v.UnsafePointer()
|
|
return (*T)(p)
|
|
}
|
|
|
|
func sessionHandler(session ssh.Session) {
|
|
// here can't use session.Permissions() because it only uses the value from ctx, which might not be the authenticated one.
|
|
// so we must use the original ssh conn, which always contains the correct (verified) keyID.
|
|
sshSession := ptr[sessionPartial](session)
|
|
keyID := sshSession.conn.Permissions.Extensions[giteaPermissionExtensionKeyID]
|
|
|
|
command := session.RawCommand()
|
|
|
|
log.Trace("SSH: Payload: %v", command)
|
|
|
|
args := []string{"--config=" + setting.CustomConf, "serv", "key-" + keyID}
|
|
log.Trace("SSH: Arguments: %v", args)
|
|
|
|
ctx, cancel := context.WithCancel(session.Context())
|
|
defer cancel()
|
|
|
|
gitProtocol := ""
|
|
for _, env := range session.Environ() {
|
|
if strings.HasPrefix(env, "GIT_PROTOCOL=") {
|
|
_, gitProtocol, _ = strings.Cut(env, "=")
|
|
break
|
|
}
|
|
}
|
|
|
|
cmd := exec.CommandContext(ctx, setting.AppPath, args...)
|
|
cmd.Env = append(
|
|
os.Environ(),
|
|
"SSH_ORIGINAL_COMMAND="+command,
|
|
"SKIP_MINWINSVC=1",
|
|
"GIT_PROTOCOL="+gitProtocol,
|
|
)
|
|
|
|
stdout, err := cmd.StdoutPipe()
|
|
if err != nil {
|
|
log.Error("SSH: StdoutPipe: %v", err)
|
|
return
|
|
}
|
|
defer stdout.Close()
|
|
|
|
stderr, err := cmd.StderrPipe()
|
|
if err != nil {
|
|
log.Error("SSH: StderrPipe: %v", err)
|
|
return
|
|
}
|
|
defer stderr.Close()
|
|
|
|
stdin, err := cmd.StdinPipe()
|
|
if err != nil {
|
|
log.Error("SSH: StdinPipe: %v", err)
|
|
return
|
|
}
|
|
defer stdin.Close()
|
|
|
|
process.SetSysProcAttribute(cmd)
|
|
|
|
wg := &sync.WaitGroup{}
|
|
wg.Add(2)
|
|
|
|
if err = cmd.Start(); err != nil {
|
|
log.Error("SSH: Start: %v", err)
|
|
return
|
|
}
|
|
|
|
go func() {
|
|
defer stdin.Close()
|
|
if _, err := io.Copy(stdin, session); err != nil {
|
|
log.Error("Failed to write session to stdin. %s", err)
|
|
}
|
|
}()
|
|
|
|
go func() {
|
|
defer wg.Done()
|
|
defer stdout.Close()
|
|
if _, err := io.Copy(session, stdout); err != nil {
|
|
log.Error("Failed to write stdout to session. %s", err)
|
|
}
|
|
}()
|
|
|
|
go func() {
|
|
defer wg.Done()
|
|
defer stderr.Close()
|
|
if _, err := io.Copy(session.Stderr(), stderr); err != nil {
|
|
log.Error("Failed to write stderr to session. %s", err)
|
|
}
|
|
}()
|
|
|
|
// Ensure all the output has been written before we wait on the command
|
|
// to exit.
|
|
wg.Wait()
|
|
|
|
// Wait for the command to exit and log any errors we get
|
|
err = cmd.Wait()
|
|
if err != nil {
|
|
// Cannot use errors.Is here because ExitError doesn't implement Is
|
|
// Thus errors.Is will do equality test NOT type comparison
|
|
if _, ok := err.(*exec.ExitError); !ok {
|
|
log.Error("SSH: Wait: %v", err)
|
|
}
|
|
}
|
|
|
|
if err := session.Exit(getExitStatusFromError(err)); err != nil && !errors.Is(err, io.EOF) {
|
|
log.Error("Session failed to exit. %s", err)
|
|
}
|
|
}
|
|
|
|
func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
|
|
// The publicKeyHandler (PublicKeyCallback) only helps to provide the candidate keys to authenticate,
|
|
// It does NOT really verify here, so we could only record the related information here.
|
|
// After authentication (Verify), the "Permissions" will be assigned to the ssh conn,
|
|
// then we can use it in the "session handler"
|
|
|
|
// first, reset the ctx permissions (just like https://github.com/gliderlabs/ssh/pull/243 does)
|
|
// it shouldn't be reused across different ssh conn (sessions), each pub key should have its own "Permissions"
|
|
ctx.Permissions().Permissions = &gossh.Permissions{}
|
|
setPermExt := func(keyID int64) {
|
|
ctx.Permissions().Permissions.Extensions = map[string]string{
|
|
giteaPermissionExtensionKeyID: fmt.Sprint(keyID),
|
|
}
|
|
}
|
|
|
|
if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
|
|
log.Debug("Handle Public Key: Fingerprint: %s from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())
|
|
}
|
|
|
|
if ctx.User() != setting.SSH.BuiltinServerUser {
|
|
log.Warn("Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
|
|
log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
|
|
return false
|
|
}
|
|
|
|
// check if we have a certificate
|
|
if cert, ok := key.(*gossh.Certificate); ok {
|
|
if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
|
|
log.Debug("Handle Certificate: %s Fingerprint: %s is a certificate", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
|
|
}
|
|
|
|
if len(setting.SSH.TrustedUserCAKeys) == 0 {
|
|
log.Warn("Certificate Rejected: No trusted certificate authorities for this server")
|
|
log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
|
|
return false
|
|
}
|
|
|
|
if cert.CertType != gossh.UserCert {
|
|
log.Warn("Certificate Rejected: Not a user certificate")
|
|
log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
|
|
return false
|
|
}
|
|
|
|
// look for the exact principal
|
|
principalLoop:
|
|
for _, principal := range cert.ValidPrincipals {
|
|
pkey, err := asymkey_model.SearchPublicKeyByContentExact(ctx, principal)
|
|
if err != nil {
|
|
if asymkey_model.IsErrKeyNotExist(err) {
|
|
log.Debug("Principal Rejected: %s Unknown Principal: %s", ctx.RemoteAddr(), principal)
|
|
continue principalLoop
|
|
}
|
|
log.Error("SearchPublicKeyByContentExact: %v", err)
|
|
return false
|
|
}
|
|
|
|
c := &gossh.CertChecker{
|
|
IsUserAuthority: func(auth gossh.PublicKey) bool {
|
|
marshaled := auth.Marshal()
|
|
for _, k := range setting.SSH.TrustedUserCAKeysParsed {
|
|
if bytes.Equal(marshaled, k.Marshal()) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
},
|
|
}
|
|
|
|
// check the CA of the cert
|
|
if !c.IsUserAuthority(cert.SignatureKey) {
|
|
if log.IsDebug() {
|
|
log.Debug("Principal Rejected: %s Untrusted Authority Signature Fingerprint %s for Principal: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(cert.SignatureKey), principal)
|
|
}
|
|
continue principalLoop
|
|
}
|
|
|
|
// validate the cert for this principal
|
|
if err := c.CheckCert(principal, cert); err != nil {
|
|
// User is presenting an invalid certificate - STOP any further processing
|
|
log.Error("Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s from %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal, ctx.RemoteAddr())
|
|
log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
|
|
|
|
return false
|
|
}
|
|
|
|
if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
|
|
log.Debug("Successfully authenticated: %s Certificate Fingerprint: %s Principal: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(key), principal)
|
|
}
|
|
setPermExt(pkey.ID)
|
|
return true
|
|
}
|
|
|
|
log.Warn("From %s Fingerprint: %s is a certificate, but no valid principals found", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
|
|
log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
|
|
return false
|
|
}
|
|
|
|
if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
|
|
log.Debug("Handle Public Key: %s Fingerprint: %s is not a certificate", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
|
|
}
|
|
|
|
pkey, err := asymkey_model.SearchPublicKeyByContent(ctx, strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))
|
|
if err != nil {
|
|
if asymkey_model.IsErrKeyNotExist(err) {
|
|
log.Warn("Unknown public key: %s from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())
|
|
log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
|
|
return false
|
|
}
|
|
log.Error("SearchPublicKeyByContent: %v", err)
|
|
return false
|
|
}
|
|
|
|
if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
|
|
log.Debug("Successfully authenticated: %s Public Key Fingerprint: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
|
|
}
|
|
setPermExt(pkey.ID)
|
|
return true
|
|
}
|
|
|
|
// sshConnectionFailed logs a failed connection
|
|
// - this mainly exists to give a nice function name in logging
|
|
func sshConnectionFailed(conn net.Conn, err error) {
|
|
// Log the underlying error with a specific message
|
|
log.Warn("Failed connection from %s with error: %v", conn.RemoteAddr(), err)
|
|
// Log with the standard failed authentication from message for simpler fail2ban configuration
|
|
log.Warn("Failed authentication attempt from %s", conn.RemoteAddr())
|
|
}
|
|
|
|
// Listen starts a SSH server listens on given port.
|
|
func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
|
|
srv := ssh.Server{
|
|
Addr: net.JoinHostPort(host, strconv.Itoa(port)),
|
|
PublicKeyHandler: publicKeyHandler,
|
|
Handler: sessionHandler,
|
|
ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {
|
|
config := &gossh.ServerConfig{}
|
|
config.KeyExchanges = keyExchanges
|
|
config.MACs = macs
|
|
config.Ciphers = ciphers
|
|
return config
|
|
},
|
|
ConnectionFailedCallback: sshConnectionFailed,
|
|
// We need to explicitly disable the PtyCallback so text displays
|
|
// properly.
|
|
PtyCallback: func(ctx ssh.Context, pty ssh.Pty) bool {
|
|
return false
|
|
},
|
|
}
|
|
|
|
keys := make([]string, 0, len(setting.SSH.ServerHostKeys))
|
|
for _, key := range setting.SSH.ServerHostKeys {
|
|
isExist, err := util.IsExist(key)
|
|
if err != nil {
|
|
log.Fatal("Unable to check if %s exists. Error: %v", setting.SSH.ServerHostKeys, err)
|
|
}
|
|
if isExist {
|
|
keys = append(keys, key)
|
|
}
|
|
}
|
|
|
|
if len(keys) == 0 {
|
|
filePath := filepath.Dir(setting.SSH.ServerHostKeys[0])
|
|
|
|
if err := os.MkdirAll(filePath, os.ModePerm); err != nil {
|
|
log.Error("Failed to create dir %s: %v", filePath, err)
|
|
}
|
|
|
|
err := GenKeyPair(setting.SSH.ServerHostKeys[0])
|
|
if err != nil {
|
|
log.Fatal("Failed to generate private key: %v", err)
|
|
}
|
|
log.Trace("New private key is generated: %s", setting.SSH.ServerHostKeys[0])
|
|
keys = append(keys, setting.SSH.ServerHostKeys[0])
|
|
}
|
|
|
|
for _, key := range keys {
|
|
log.Info("Adding SSH host key: %s", key)
|
|
err := srv.SetOption(ssh.HostKeyFile(key))
|
|
if err != nil {
|
|
log.Error("Failed to set Host Key. %s", err)
|
|
}
|
|
}
|
|
|
|
go func() {
|
|
_, _, finished := process.GetManager().AddTypedContext(graceful.GetManager().HammerContext(), "Service: Built-in SSH server", process.SystemProcessType, true)
|
|
defer finished()
|
|
listen(&srv)
|
|
}()
|
|
}
|
|
|
|
// GenKeyPair make a pair of public and private keys for SSH access.
|
|
// Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file.
|
|
// Private Key generated is PEM encoded
|
|
func GenKeyPair(keyPath string) error {
|
|
privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}
|
|
f, err := os.OpenFile(keyPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer func() {
|
|
if err = f.Close(); err != nil {
|
|
log.Error("Close: %v", err)
|
|
}
|
|
}()
|
|
|
|
if err := pem.Encode(f, privateKeyPEM); err != nil {
|
|
return err
|
|
}
|
|
|
|
// generate public key
|
|
pub, err := gossh.NewPublicKey(&privateKey.PublicKey)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
public := gossh.MarshalAuthorizedKey(pub)
|
|
p, err := os.OpenFile(keyPath+".pub", os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer func() {
|
|
if err = p.Close(); err != nil {
|
|
log.Error("Close: %v", err)
|
|
}
|
|
}()
|
|
_, err = p.Write(public)
|
|
return err
|
|
}
|