You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

594 lines
18 KiB

  1. // Copyright 2011 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. package ssh
  5. import (
  6. "bytes"
  7. "errors"
  8. "fmt"
  9. "io"
  10. "net"
  11. "strings"
  12. )
  13. // The Permissions type holds fine-grained permissions that are
  14. // specific to a user or a specific authentication method for a user.
  15. // The Permissions value for a successful authentication attempt is
  16. // available in ServerConn, so it can be used to pass information from
  17. // the user-authentication phase to the application layer.
  18. type Permissions struct {
  19. // CriticalOptions indicate restrictions to the default
  20. // permissions, and are typically used in conjunction with
  21. // user certificates. The standard for SSH certificates
  22. // defines "force-command" (only allow the given command to
  23. // execute) and "source-address" (only allow connections from
  24. // the given address). The SSH package currently only enforces
  25. // the "source-address" critical option. It is up to server
  26. // implementations to enforce other critical options, such as
  27. // "force-command", by checking them after the SSH handshake
  28. // is successful. In general, SSH servers should reject
  29. // connections that specify critical options that are unknown
  30. // or not supported.
  31. CriticalOptions map[string]string
  32. // Extensions are extra functionality that the server may
  33. // offer on authenticated connections. Lack of support for an
  34. // extension does not preclude authenticating a user. Common
  35. // extensions are "permit-agent-forwarding",
  36. // "permit-X11-forwarding". The Go SSH library currently does
  37. // not act on any extension, and it is up to server
  38. // implementations to honor them. Extensions can be used to
  39. // pass data from the authentication callbacks to the server
  40. // application layer.
  41. Extensions map[string]string
  42. }
  43. // ServerConfig holds server specific configuration data.
  44. type ServerConfig struct {
  45. // Config contains configuration shared between client and server.
  46. Config
  47. hostKeys []Signer
  48. // NoClientAuth is true if clients are allowed to connect without
  49. // authenticating.
  50. NoClientAuth bool
  51. // MaxAuthTries specifies the maximum number of authentication attempts
  52. // permitted per connection. If set to a negative number, the number of
  53. // attempts are unlimited. If set to zero, the number of attempts are limited
  54. // to 6.
  55. MaxAuthTries int
  56. // PasswordCallback, if non-nil, is called when a user
  57. // attempts to authenticate using a password.
  58. PasswordCallback func(conn ConnMetadata, password []byte) (*Permissions, error)
  59. // PublicKeyCallback, if non-nil, is called when a client
  60. // offers a public key for authentication. It must return a nil error
  61. // if the given public key can be used to authenticate the
  62. // given user. For example, see CertChecker.Authenticate. A
  63. // call to this function does not guarantee that the key
  64. // offered is in fact used to authenticate. To record any data
  65. // depending on the public key, store it inside a
  66. // Permissions.Extensions entry.
  67. PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
  68. // KeyboardInteractiveCallback, if non-nil, is called when
  69. // keyboard-interactive authentication is selected (RFC
  70. // 4256). The client object's Challenge function should be
  71. // used to query the user. The callback may offer multiple
  72. // Challenge rounds. To avoid information leaks, the client
  73. // should be presented a challenge even if the user is
  74. // unknown.
  75. KeyboardInteractiveCallback func(conn ConnMetadata, client KeyboardInteractiveChallenge) (*Permissions, error)
  76. // AuthLogCallback, if non-nil, is called to log all authentication
  77. // attempts.
  78. AuthLogCallback func(conn ConnMetadata, method string, err error)
  79. // ServerVersion is the version identification string to announce in
  80. // the public handshake.
  81. // If empty, a reasonable default is used.
  82. // Note that RFC 4253 section 4.2 requires that this string start with
  83. // "SSH-2.0-".
  84. ServerVersion string
  85. // BannerCallback, if present, is called and the return string is sent to
  86. // the client after key exchange completed but before authentication.
  87. BannerCallback func(conn ConnMetadata) string
  88. }
  89. // AddHostKey adds a private key as a host key. If an existing host
  90. // key exists with the same algorithm, it is overwritten. Each server
  91. // config must have at least one host key.
  92. func (s *ServerConfig) AddHostKey(key Signer) {
  93. for i, k := range s.hostKeys {
  94. if k.PublicKey().Type() == key.PublicKey().Type() {
  95. s.hostKeys[i] = key
  96. return
  97. }
  98. }
  99. s.hostKeys = append(s.hostKeys, key)
  100. }
  101. // cachedPubKey contains the results of querying whether a public key is
  102. // acceptable for a user.
  103. type cachedPubKey struct {
  104. user string
  105. pubKeyData []byte
  106. result error
  107. perms *Permissions
  108. }
  109. const maxCachedPubKeys = 16
  110. // pubKeyCache caches tests for public keys. Since SSH clients
  111. // will query whether a public key is acceptable before attempting to
  112. // authenticate with it, we end up with duplicate queries for public
  113. // key validity. The cache only applies to a single ServerConn.
  114. type pubKeyCache struct {
  115. keys []cachedPubKey
  116. }
  117. // get returns the result for a given user/algo/key tuple.
  118. func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
  119. for _, k := range c.keys {
  120. if k.user == user && bytes.Equal(k.pubKeyData, pubKeyData) {
  121. return k, true
  122. }
  123. }
  124. return cachedPubKey{}, false
  125. }
  126. // add adds the given tuple to the cache.
  127. func (c *pubKeyCache) add(candidate cachedPubKey) {
  128. if len(c.keys) < maxCachedPubKeys {
  129. c.keys = append(c.keys, candidate)
  130. }
  131. }
  132. // ServerConn is an authenticated SSH connection, as seen from the
  133. // server
  134. type ServerConn struct {
  135. Conn
  136. // If the succeeding authentication callback returned a
  137. // non-nil Permissions pointer, it is stored here.
  138. Permissions *Permissions
  139. }
  140. // NewServerConn starts a new SSH server with c as the underlying
  141. // transport. It starts with a handshake and, if the handshake is
  142. // unsuccessful, it closes the connection and returns an error. The
  143. // Request and NewChannel channels must be serviced, or the connection
  144. // will hang.
  145. //
  146. // The returned error may be of type *ServerAuthError for
  147. // authentication errors.
  148. func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error) {
  149. fullConf := *config
  150. fullConf.SetDefaults()
  151. if fullConf.MaxAuthTries == 0 {
  152. fullConf.MaxAuthTries = 6
  153. }
  154. s := &connection{
  155. sshConn: sshConn{conn: c},
  156. }
  157. perms, err := s.serverHandshake(&fullConf)
  158. if err != nil {
  159. c.Close()
  160. return nil, nil, nil, err
  161. }
  162. return &ServerConn{s, perms}, s.mux.incomingChannels, s.mux.incomingRequests, nil
  163. }
  164. // signAndMarshal signs the data with the appropriate algorithm,
  165. // and serializes the result in SSH wire format.
  166. func signAndMarshal(k Signer, rand io.Reader, data []byte) ([]byte, error) {
  167. sig, err := k.Sign(rand, data)
  168. if err != nil {
  169. return nil, err
  170. }
  171. return Marshal(sig), nil
  172. }
  173. // handshake performs key exchange and user authentication.
  174. func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error) {
  175. if len(config.hostKeys) == 0 {
  176. return nil, errors.New("ssh: server has no host keys")
  177. }
  178. if !config.NoClientAuth && config.PasswordCallback == nil && config.PublicKeyCallback == nil && config.KeyboardInteractiveCallback == nil {
  179. return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
  180. }
  181. if config.ServerVersion != "" {
  182. s.serverVersion = []byte(config.ServerVersion)
  183. } else {
  184. s.serverVersion = []byte(packageVersion)
  185. }
  186. var err error
  187. s.clientVersion, err = exchangeVersions(s.sshConn.conn, s.serverVersion)
  188. if err != nil {
  189. return nil, err
  190. }
  191. tr := newTransport(s.sshConn.conn, config.Rand, false /* not client */)
  192. s.transport = newServerTransport(tr, s.clientVersion, s.serverVersion, config)
  193. if err := s.transport.waitSession(); err != nil {
  194. return nil, err
  195. }
  196. // We just did the key change, so the session ID is established.
  197. s.sessionID = s.transport.getSessionID()
  198. var packet []byte
  199. if packet, err = s.transport.readPacket(); err != nil {
  200. return nil, err
  201. }
  202. var serviceRequest serviceRequestMsg
  203. if err = Unmarshal(packet, &serviceRequest); err != nil {
  204. return nil, err
  205. }
  206. if serviceRequest.Service != serviceUserAuth {
  207. return nil, errors.New("ssh: requested service '" + serviceRequest.Service + "' before authenticating")
  208. }
  209. serviceAccept := serviceAcceptMsg{
  210. Service: serviceUserAuth,
  211. }
  212. if err := s.transport.writePacket(Marshal(&serviceAccept)); err != nil {
  213. return nil, err
  214. }
  215. perms, err := s.serverAuthenticate(config)
  216. if err != nil {
  217. return nil, err
  218. }
  219. s.mux = newMux(s.transport)
  220. return perms, err
  221. }
  222. func isAcceptableAlgo(algo string) bool {
  223. switch algo {
  224. case KeyAlgoRSA, KeyAlgoDSA, KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521, KeyAlgoED25519,
  225. CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01:
  226. return true
  227. }
  228. return false
  229. }
  230. func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
  231. if addr == nil {
  232. return errors.New("ssh: no address known for client, but source-address match required")
  233. }
  234. tcpAddr, ok := addr.(*net.TCPAddr)
  235. if !ok {
  236. return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr)
  237. }
  238. for _, sourceAddr := range strings.Split(sourceAddrs, ",") {
  239. if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
  240. if allowedIP.Equal(tcpAddr.IP) {
  241. return nil
  242. }
  243. } else {
  244. _, ipNet, err := net.ParseCIDR(sourceAddr)
  245. if err != nil {
  246. return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err)
  247. }
  248. if ipNet.Contains(tcpAddr.IP) {
  249. return nil
  250. }
  251. }
  252. }
  253. return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
  254. }
  255. // ServerAuthError represents server authentication errors and is
  256. // sometimes returned by NewServerConn. It appends any authentication
  257. // errors that may occur, and is returned if all of the authentication
  258. // methods provided by the user failed to authenticate.
  259. type ServerAuthError struct {
  260. // Errors contains authentication errors returned by the authentication
  261. // callback methods. The first entry is typically ErrNoAuth.
  262. Errors []error
  263. }
  264. func (l ServerAuthError) Error() string {
  265. var errs []string
  266. for _, err := range l.Errors {
  267. errs = append(errs, err.Error())
  268. }
  269. return "[" + strings.Join(errs, ", ") + "]"
  270. }
  271. // ErrNoAuth is the error value returned if no
  272. // authentication method has been passed yet. This happens as a normal
  273. // part of the authentication loop, since the client first tries
  274. // 'none' authentication to discover available methods.
  275. // It is returned in ServerAuthError.Errors from NewServerConn.
  276. var ErrNoAuth = errors.New("ssh: no auth passed yet")
  277. func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
  278. sessionID := s.transport.getSessionID()
  279. var cache pubKeyCache
  280. var perms *Permissions
  281. authFailures := 0
  282. var authErrs []error
  283. var displayedBanner bool
  284. userAuthLoop:
  285. for {
  286. if authFailures >= config.MaxAuthTries && config.MaxAuthTries > 0 {
  287. discMsg := &disconnectMsg{
  288. Reason: 2,
  289. Message: "too many authentication failures",
  290. }
  291. if err := s.transport.writePacket(Marshal(discMsg)); err != nil {
  292. return nil, err
  293. }
  294. return nil, discMsg
  295. }
  296. var userAuthReq userAuthRequestMsg
  297. if packet, err := s.transport.readPacket(); err != nil {
  298. if err == io.EOF {
  299. return nil, &ServerAuthError{Errors: authErrs}
  300. }
  301. return nil, err
  302. } else if err = Unmarshal(packet, &userAuthReq); err != nil {
  303. return nil, err
  304. }
  305. if userAuthReq.Service != serviceSSH {
  306. return nil, errors.New("ssh: client attempted to negotiate for unknown service: " + userAuthReq.Service)
  307. }
  308. s.user = userAuthReq.User
  309. if !displayedBanner && config.BannerCallback != nil {
  310. displayedBanner = true
  311. msg := config.BannerCallback(s)
  312. if msg != "" {
  313. bannerMsg := &userAuthBannerMsg{
  314. Message: msg,
  315. }
  316. if err := s.transport.writePacket(Marshal(bannerMsg)); err != nil {
  317. return nil, err
  318. }
  319. }
  320. }
  321. perms = nil
  322. authErr := ErrNoAuth
  323. switch userAuthReq.Method {
  324. case "none":
  325. if config.NoClientAuth {
  326. authErr = nil
  327. }
  328. // allow initial attempt of 'none' without penalty
  329. if authFailures == 0 {
  330. authFailures--
  331. }
  332. case "password":
  333. if config.PasswordCallback == nil {
  334. authErr = errors.New("ssh: password auth not configured")
  335. break
  336. }
  337. payload := userAuthReq.Payload
  338. if len(payload) < 1 || payload[0] != 0 {
  339. return nil, parseError(msgUserAuthRequest)
  340. }
  341. payload = payload[1:]
  342. password, payload, ok := parseString(payload)
  343. if !ok || len(payload) > 0 {
  344. return nil, parseError(msgUserAuthRequest)
  345. }
  346. perms, authErr = config.PasswordCallback(s, password)
  347. case "keyboard-interactive":
  348. if config.KeyboardInteractiveCallback == nil {
  349. authErr = errors.New("ssh: keyboard-interactive auth not configured")
  350. break
  351. }
  352. prompter := &sshClientKeyboardInteractive{s}
  353. perms, authErr = config.KeyboardInteractiveCallback(s, prompter.Challenge)
  354. case "publickey":
  355. if config.PublicKeyCallback == nil {
  356. authErr = errors.New("ssh: publickey auth not configured")
  357. break
  358. }
  359. payload := userAuthReq.Payload
  360. if len(payload) < 1 {
  361. return nil, parseError(msgUserAuthRequest)
  362. }
  363. isQuery := payload[0] == 0
  364. payload = payload[1:]
  365. algoBytes, payload, ok := parseString(payload)
  366. if !ok {
  367. return nil, parseError(msgUserAuthRequest)
  368. }
  369. algo := string(algoBytes)
  370. if !isAcceptableAlgo(algo) {
  371. authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
  372. break
  373. }
  374. pubKeyData, payload, ok := parseString(payload)
  375. if !ok {
  376. return nil, parseError(msgUserAuthRequest)
  377. }
  378. pubKey, err := ParsePublicKey(pubKeyData)
  379. if err != nil {
  380. return nil, err
  381. }
  382. candidate, ok := cache.get(s.user, pubKeyData)
  383. if !ok {
  384. candidate.user = s.user
  385. candidate.pubKeyData = pubKeyData
  386. candidate.perms, candidate.result = config.PublicKeyCallback(s, pubKey)
  387. if candidate.result == nil && candidate.perms != nil && candidate.perms.CriticalOptions != nil && candidate.perms.CriticalOptions[sourceAddressCriticalOption] != "" {
  388. candidate.result = checkSourceAddress(
  389. s.RemoteAddr(),
  390. candidate.perms.CriticalOptions[sourceAddressCriticalOption])
  391. }
  392. cache.add(candidate)
  393. }
  394. if isQuery {
  395. // The client can query if the given public key
  396. // would be okay.
  397. if len(payload) > 0 {
  398. return nil, parseError(msgUserAuthRequest)
  399. }
  400. if candidate.result == nil {
  401. okMsg := userAuthPubKeyOkMsg{
  402. Algo: algo,
  403. PubKey: pubKeyData,
  404. }
  405. if err = s.transport.writePacket(Marshal(&okMsg)); err != nil {
  406. return nil, err
  407. }
  408. continue userAuthLoop
  409. }
  410. authErr = candidate.result
  411. } else {
  412. sig, payload, ok := parseSignature(payload)
  413. if !ok || len(payload) > 0 {
  414. return nil, parseError(msgUserAuthRequest)
  415. }
  416. // Ensure the public key algo and signature algo
  417. // are supported. Compare the private key
  418. // algorithm name that corresponds to algo with
  419. // sig.Format. This is usually the same, but
  420. // for certs, the names differ.
  421. if !isAcceptableAlgo(sig.Format) {
  422. authErr = fmt.Errorf("ssh: algorithm %q not accepted", sig.Format)
  423. break
  424. }
  425. signedData := buildDataSignedForAuth(sessionID, userAuthReq, algoBytes, pubKeyData)
  426. if err := pubKey.Verify(signedData, sig); err != nil {
  427. return nil, err
  428. }
  429. authErr = candidate.result
  430. perms = candidate.perms
  431. }
  432. default:
  433. authErr = fmt.Errorf("ssh: unknown method %q", userAuthReq.Method)
  434. }
  435. authErrs = append(authErrs, authErr)
  436. if config.AuthLogCallback != nil {
  437. config.AuthLogCallback(s, userAuthReq.Method, authErr)
  438. }
  439. if authErr == nil {
  440. break userAuthLoop
  441. }
  442. authFailures++
  443. var failureMsg userAuthFailureMsg
  444. if config.PasswordCallback != nil {
  445. failureMsg.Methods = append(failureMsg.Methods, "password")
  446. }
  447. if config.PublicKeyCallback != nil {
  448. failureMsg.Methods = append(failureMsg.Methods, "publickey")
  449. }
  450. if config.KeyboardInteractiveCallback != nil {
  451. failureMsg.Methods = append(failureMsg.Methods, "keyboard-interactive")
  452. }
  453. if len(failureMsg.Methods) == 0 {
  454. return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
  455. }
  456. if err := s.transport.writePacket(Marshal(&failureMsg)); err != nil {
  457. return nil, err
  458. }
  459. }
  460. if err := s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
  461. return nil, err
  462. }
  463. return perms, nil
  464. }
  465. // sshClientKeyboardInteractive implements a ClientKeyboardInteractive by
  466. // asking the client on the other side of a ServerConn.
  467. type sshClientKeyboardInteractive struct {
  468. *connection
  469. }
  470. func (c *sshClientKeyboardInteractive) Challenge(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
  471. if len(questions) != len(echos) {
  472. return nil, errors.New("ssh: echos and questions must have equal length")
  473. }
  474. var prompts []byte
  475. for i := range questions {
  476. prompts = appendString(prompts, questions[i])
  477. prompts = appendBool(prompts, echos[i])
  478. }
  479. if err := c.transport.writePacket(Marshal(&userAuthInfoRequestMsg{
  480. Instruction: instruction,
  481. NumPrompts: uint32(len(questions)),
  482. Prompts: prompts,
  483. })); err != nil {
  484. return nil, err
  485. }
  486. packet, err := c.transport.readPacket()
  487. if err != nil {
  488. return nil, err
  489. }
  490. if packet[0] != msgUserAuthInfoResponse {
  491. return nil, unexpectedMessageError(msgUserAuthInfoResponse, packet[0])
  492. }
  493. packet = packet[1:]
  494. n, packet, ok := parseUint32(packet)
  495. if !ok || int(n) != len(questions) {
  496. return nil, parseError(msgUserAuthInfoResponse)
  497. }
  498. for i := uint32(0); i < n; i++ {
  499. ans, rest, ok := parseString(packet)
  500. if !ok {
  501. return nil, parseError(msgUserAuthInfoResponse)
  502. }
  503. answers = append(answers, string(ans))
  504. packet = rest
  505. }
  506. if len(packet) != 0 {
  507. return nil, errors.New("ssh: junk at end of message")
  508. }
  509. return answers, nil
  510. }