third_party
/
gitea
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Report permissions denied in internal SSH (#13953)

Browse Source 
This PR standardizes reporting of permission denied from the internal ssh.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
tokarchuk/v1.17
zeripath 4 years ago committed by GitHub
parent 8e0548ed4a
commit e46a638e8f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 5 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 19
      modules/ssh/ssh.go

19
modules/ssh/ssh.go
Unescape View File

@ -135,6 +135,7 @@ func sessionHandler(session ssh.Session) {
func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
if ctx.User() != setting.SSH.BuiltinServerUser {
log.Warn("Permission Denied: Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
return false
}
@ -145,17 +146,18 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
}
// look for the exact principal
principalLoop:
for _, principal := range cert.ValidPrincipals {
pkey, err := models.SearchPublicKeyByContentExact(principal)
if err != nil {
if models.IsErrKeyNotExist(err) {
log.Debug("Principal Rejected: Unknown Principal: %s", principal)
continue principalLoop
}
log.Error("SearchPublicKeyByContentExact: %v", err)
return false
}
if models.IsErrKeyNotExist(err) {
continue
}
c := &gossh.CertChecker{
IsUserAuthority: func(auth gossh.PublicKey) bool {
for _, k := range setting.SSH.TrustedUserCAKeysParsed {
@ -170,11 +172,14 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
// check the CA of the cert
if !c.IsUserAuthority(cert.SignatureKey) {
return false
log.Debug("Principal Rejected: Untrusted Authority Signature Fingerprint %s for Principal: %s", gossh.FingerprintSHA256(cert.SignatureKey), principal)
continue principalLoop
}
// validate the cert for this principal
if err := c.CheckCert(principal, cert); err != nil {
// User is presenting an invalid cerficate - STOP any further processing
log.Error("Permission Denied: Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal)
return false
}
@ -186,6 +191,10 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))
if err != nil {
if models.IsErrKeyNotExist(err) {
log.Warn("Permission Denied: Unknown public key : %s", gossh.FingerprintSHA256(key))
return false
}
log.Error("SearchPublicKeyByContent: %v Failed authentication attempt from %s", err, ctx.RemoteAddr())
return false
}

Write Preview
Loading…
Cancel
Save