wangwei
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: 44f67d1920
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '44f67d1920'
${ noResults }
aiforge/modules/ssh/ssh.go

329 lines
9.1 kB
Raw Blame History 

  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package ssh

  6. 

  7. import (

  8. 	"bytes"

  9. 	"crypto/rand"

  10. 	"crypto/rsa"

  11. 	"crypto/x509"

  12. 	"encoding/pem"

  13. 	"fmt"

  14. 	"io"

  15. 	"os"

  16. 	"os/exec"

  17. 	"path/filepath"

  18. 	"strings"

  19. 	"sync"

  20. 	"syscall"

  21. 

  22. 	"code.gitea.io/gitea/models"

  23. 	"code.gitea.io/gitea/modules/log"

  24. 	"code.gitea.io/gitea/modules/setting"

  25. 	"code.gitea.io/gitea/modules/util"

  26. 

  27. 	"github.com/gliderlabs/ssh"

  28. 	gossh "golang.org/x/crypto/ssh"

  29. )

  30. 

  31. type contextKey string

  32. 

  33. const giteaKeyID = contextKey("gitea-key-id")

  34. 

  35. func getExitStatusFromError(err error) int {

  36. 	if err == nil {

  37. 		return 0

  38. 	}

  39. 

  40. 	exitErr, ok := err.(*exec.ExitError)

  41. 	if !ok {

  42. 		return 1

  43. 	}

  44. 

  45. 	waitStatus, ok := exitErr.Sys().(syscall.WaitStatus)

  46. 	if !ok {

  47. 		// This is a fallback and should at least let us return something useful

  48. 		// when running on Windows, even if it isn't completely accurate.

  49. 		if exitErr.Success() {

  50. 			return 0

  51. 		}

  52. 

  53. 		return 1

  54. 	}

  55. 

  56. 	return waitStatus.ExitStatus()

  57. }

  58. 

  59. func sessionHandler(session ssh.Session) {

  60. 	keyID := fmt.Sprintf("%d", session.Context().Value(giteaKeyID).(int64))

  61. 

  62. 	command := session.RawCommand()

  63. 

  64. 	log.Trace("SSH: Payload: %v", command)

  65. 

  66. 	args := []string{"serv", "key-" + keyID, "--config=" + setting.CustomConf}

  67. 	log.Trace("SSH: Arguments: %v", args)

  68. 	cmd := exec.Command(setting.AppPath, args...)

  69. 	cmd.Env = append(

  70. 		os.Environ(),

  71. 		"SSH_ORIGINAL_COMMAND="+command,

  72. 		"SKIP_MINWINSVC=1",

  73. 	)

  74. 

  75. 	stdout, err := cmd.StdoutPipe()

  76. 	if err != nil {

  77. 		log.Error("SSH: StdoutPipe: %v", err)

  78. 		return

  79. 	}

  80. 	stderr, err := cmd.StderrPipe()

  81. 	if err != nil {

  82. 		log.Error("SSH: StderrPipe: %v", err)

  83. 		return

  84. 	}

  85. 	stdin, err := cmd.StdinPipe()

  86. 	if err != nil {

  87. 		log.Error("SSH: StdinPipe: %v", err)

  88. 		return

  89. 	}

  90. 

  91. 	wg := &sync.WaitGroup{}

  92. 	wg.Add(2)

  93. 

  94. 	if err = cmd.Start(); err != nil {

  95. 		log.Error("SSH: Start: %v", err)

  96. 		return

  97. 	}

  98. 

  99. 	go func() {

  100. 		defer stdin.Close()

  101. 		if _, err := io.Copy(stdin, session); err != nil {

  102. 			log.Error("Failed to write session to stdin. %s", err)

  103. 		}

  104. 	}()

  105. 

  106. 	go func() {

  107. 		defer wg.Done()

  108. 		if _, err := io.Copy(session, stdout); err != nil {

  109. 			log.Error("Failed to write stdout to session. %s", err)

  110. 		}

  111. 	}()

  112. 

  113. 	go func() {

  114. 		defer wg.Done()

  115. 		if _, err := io.Copy(session.Stderr(), stderr); err != nil {

  116. 			log.Error("Failed to write stderr to session. %s", err)

  117. 		}

  118. 	}()

  119. 

  120. 	// Ensure all the output has been written before we wait on the command

  121. 	// to exit.

  122. 	wg.Wait()

  123. 

  124. 	// Wait for the command to exit and log any errors we get

  125. 	err = cmd.Wait()

  126. 	if err != nil {

  127. 		log.Error("SSH: Wait: %v", err)

  128. 	}

  129. 

  130. 	if err := session.Exit(getExitStatusFromError(err)); err != nil {

  131. 		log.Error("Session failed to exit. %s", err)

  132. 	}

  133. }

  134. 

  135. func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {

  136. 	if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary

  137. 		log.Debug("Handle Public Key: Fingerprint: %s from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())

  138. 	}

  139. 

  140. 	if ctx.User() != setting.SSH.BuiltinServerUser {

  141. 		log.Warn("Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)

  142. 		log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())

  143. 		return false

  144. 	}

  145. 

  146. 	// check if we have a certificate

  147. 	if cert, ok := key.(*gossh.Certificate); ok {

  148. 		if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary

  149. 			log.Debug("Handle Certificate: %s Fingerprint: %s is a certificate", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))

  150. 		}

  151. 

  152. 		if len(setting.SSH.TrustedUserCAKeys) == 0 {

  153. 			log.Warn("Certificate Rejected: No trusted certificate authorities for this server")

  154. 			log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())

  155. 			return false

  156. 		}

  157. 

  158. 		// look for the exact principal

  159. 	principalLoop:

  160. 		for _, principal := range cert.ValidPrincipals {

  161. 			pkey, err := models.SearchPublicKeyByContentExact(principal)

  162. 			if err != nil {

  163. 				if models.IsErrKeyNotExist(err) {

  164. 					log.Debug("Principal Rejected: %s Unknown Principal: %s", ctx.RemoteAddr(), principal)

  165. 					continue principalLoop

  166. 				}

  167. 				log.Error("SearchPublicKeyByContentExact: %v", err)

  168. 				return false

  169. 			}

  170. 

  171. 			c := &gossh.CertChecker{

  172. 				IsUserAuthority: func(auth gossh.PublicKey) bool {

  173. 					for _, k := range setting.SSH.TrustedUserCAKeysParsed {

  174. 						if bytes.Equal(auth.Marshal(), k.Marshal()) {

  175. 							return true

  176. 						}

  177. 					}

  178. 

  179. 					return false

  180. 				},

  181. 			}

  182. 

  183. 			// check the CA of the cert

  184. 			if !c.IsUserAuthority(cert.SignatureKey) {

  185. 				if log.IsDebug() {

  186. 					log.Debug("Principal Rejected: %s Untrusted Authority Signature Fingerprint %s for Principal: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(cert.SignatureKey), principal)

  187. 				}

  188. 				continue principalLoop

  189. 			}

  190. 

  191. 			// validate the cert for this principal

  192. 			if err := c.CheckCert(principal, cert); err != nil {

  193. 				// User is presenting an invalid certificate - STOP any further processing

  194. 				if log.IsError() {

  195. 					log.Error("Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s from %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal, ctx.RemoteAddr())

  196. 				}

  197. 				log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())

  198. 

  199. 				return false

  200. 			}

  201. 

  202. 			if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary

  203. 				log.Debug("Successfully authenticated: %s Certificate Fingerprint: %s Principal: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(key), principal)

  204. 			}

  205. 			ctx.SetValue(giteaKeyID, pkey.ID)

  206. 

  207. 			return true

  208. 		}

  209. 

  210. 		if log.IsWarn() {

  211. 			log.Warn("From %s Fingerprint: %s is a certificate, but no valid principals found", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))

  212. 			log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())

  213. 		}

  214. 		return false

  215. 	}

  216. 

  217. 	if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary

  218. 		log.Debug("Handle Public Key: %s Fingerprint: %s is not a certificate", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))

  219. 	}

  220. 

  221. 	pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))

  222. 	if err != nil {

  223. 		if models.IsErrKeyNotExist(err) {

  224. 			if log.IsWarn() {

  225. 				log.Warn("Unknown public key: %s from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())

  226. 				log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())

  227. 			}

  228. 			return false

  229. 		}

  230. 		log.Error("SearchPublicKeyByContent: %v", err)

  231. 		return false

  232. 	}

  233. 

  234. 	if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary

  235. 		log.Debug("Successfully authenticated: %s Public Key Fingerprint: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))

  236. 	}

  237. 	ctx.SetValue(giteaKeyID, pkey.ID)

  238. 

  239. 	return true

  240. }

  241. 

  242. // Listen starts a SSH server listens on given port.

  243. func Listen(host string, port int, ciphers []string, keyExchanges []string, macs []string) {

  244. 	// TODO: Handle ciphers, keyExchanges, and macs

  245. 

  246. 	srv := ssh.Server{

  247. 		Addr:             fmt.Sprintf("%s:%d", host, port),

  248. 		PublicKeyHandler: publicKeyHandler,

  249. 		Handler:          sessionHandler,

  250. 

  251. 		// We need to explicitly disable the PtyCallback so text displays

  252. 		// properly.

  253. 		PtyCallback: func(ctx ssh.Context, pty ssh.Pty) bool {

  254. 			return false

  255. 		},

  256. 	}

  257. 

  258. 	keyPath := filepath.Join(setting.AppDataPath, "ssh/gogs.rsa")

  259. 	isExist, err := util.IsExist(keyPath)

  260. 	if err != nil {

  261. 		log.Fatal("Unable to check if %s exists. Error: %v", keyPath, err)

  262. 	}

  263. 	if !isExist {

  264. 		filePath := filepath.Dir(keyPath)

  265. 

  266. 		if err := os.MkdirAll(filePath, os.ModePerm); err != nil {

  267. 			log.Error("Failed to create dir %s: %v", filePath, err)

  268. 		}

  269. 

  270. 		err := GenKeyPair(keyPath)

  271. 		if err != nil {

  272. 			log.Fatal("Failed to generate private key: %v", err)

  273. 		}

  274. 		log.Trace("New private key is generated: %s", keyPath)

  275. 	}

  276. 

  277. 	err = srv.SetOption(ssh.HostKeyFile(keyPath))

  278. 	if err != nil {

  279. 		log.Error("Failed to set Host Key. %s", err)

  280. 	}

  281. 

  282. 	go listen(&srv)

  283. 

  284. }

  285. 

  286. // GenKeyPair make a pair of public and private keys for SSH access.

  287. // Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file.

  288. // Private Key generated is PEM encoded

  289. func GenKeyPair(keyPath string) error {

  290. 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)

  291. 	if err != nil {

  292. 		return err

  293. 	}

  294. 

  295. 	privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}

  296. 	f, err := os.OpenFile(keyPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)

  297. 	if err != nil {

  298. 		return err

  299. 	}

  300. 	defer func() {

  301. 		if err = f.Close(); err != nil {

  302. 			log.Error("Close: %v", err)

  303. 		}

  304. 	}()

  305. 

  306. 	if err := pem.Encode(f, privateKeyPEM); err != nil {

  307. 		return err

  308. 	}

  309. 

  310. 	// generate public key

  311. 	pub, err := gossh.NewPublicKey(&privateKey.PublicKey)

  312. 	if err != nil {

  313. 		return err

  314. 	}

  315. 

  316. 	public := gossh.MarshalAuthorizedKey(pub)

  317. 	p, err := os.OpenFile(keyPath+".pub", os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)

  318. 	if err != nil {

  319. 		return err

  320. 	}

  321. 	defer func() {

  322. 		if err = p.Close(); err != nil {

  323. 			log.Error("Close: %v", err)

  324. 		}

  325. 	}()

  326. 	_, err = p.Write(public)

  327. 	return err

  328. }