Browse Source

#2179 use Go sub-repo ssh to verify public key content

for-closed-social
Unknwon 8 years ago
parent
commit
7ef9a05588
6 changed files with 13 additions and 61 deletions
  1. +1
    -1
      README.md
  2. +0
    -12
      conf/app.ini
  3. +1
    -1
      gogs.go
  4. +10
    -37
      models/ssh_key.go
  5. +0
    -9
      modules/setting/setting.go
  6. +1
    -1
      templates/.VERSION

+ 1
- 1
README.md View File

@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
##### Current version: 0.8.21
##### Current version: 0.8.22
| Web | UI | Preview |
|:-------------:|:-------:|:-------:|

+ 0
- 12
conf/app.ini View File

@ -120,21 +120,9 @@ ENABLE_NOTIFY_MAIL = false
; More detail: https://github.com/gogits/gogs/issues/165
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
; Do not check minimum key size with corresponding type
DISABLE_MINIMUM_KEY_SIZE_CHECK = false
; Enable captcha validation for registration
ENABLE_CAPTCHA = true
; used to filter keys which are too short
[service.minimum_key_sizes]
ED25519 = 256
ECDSA = 256
NTRU = 1087
MCE = 1702
McE = 1702
RSA = 1024
DSA = 1024
[webhook]
; Hook task queue length
QUEUE_LENGTH = 1000

+ 1
- 1
gogs.go View File

@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting"
)
const APP_VER = "0.8.21.0114"
const APP_VER = "0.8.22.0115"
func init() {
runtime.GOMAXPROCS(runtime.NumCPU())

+ 10
- 37
models/ssh_key.go View File

@ -21,6 +21,7 @@ import (
"github.com/Unknwon/com"
"github.com/go-xorm/xorm"
"golang.org/x/crypto/ssh"
"github.com/gogits/gogs/modules/log"
"github.com/gogits/gogs/modules/process"
@ -164,48 +165,20 @@ func CheckPublicKeyString(content string) (_ string, err error) {
return "", errors.New("only a single line with a single key please")
}
// write the key to a file…
tmpFile, err := ioutil.TempFile(os.TempDir(), "keytest")
if err != nil {
return "", err
fields := strings.Fields(content)
if len(fields) < 2 {
return "", errors.New("too less fields")
}
tmpPath := tmpFile.Name()
defer os.Remove(tmpPath)
tmpFile.WriteString(content)
tmpFile.Close()
// Check if ssh-keygen recognizes its contents.
stdout, stderr, err := process.Exec("CheckPublicKeyString", "ssh-keygen", "-lf", tmpPath)
key, err := base64.StdEncoding.DecodeString(fields[1])
if err != nil {
return "", errors.New("ssh-keygen -lf: " + stderr)
} else if len(stdout) < 2 {
return "", errors.New("ssh-keygen returned not enough output to evaluate the key: " + stdout)
return "", fmt.Errorf("StdEncoding.DecodeString: %v", err)
}
// The ssh-keygen in Windows does not print key type, so no need go further.
if setting.IsWindows {
return content, nil
}
sshKeygenOutput := strings.Split(stdout, " ")
if len(sshKeygenOutput) < 4 {
return content, ErrKeyUnableVerify{stdout}
}
// Check if key type and key size match.
if !setting.Service.DisableMinimumKeySizeCheck {
keySize := com.StrTo(sshKeygenOutput[0]).MustInt()
if keySize == 0 {
return "", errors.New("cannot get key size of the given key")
}
keyType := strings.Trim(sshKeygenOutput[len(sshKeygenOutput)-1], " ()\n")
if minimumKeySize := setting.Service.MinimumKeySizes[keyType]; minimumKeySize == 0 {
return "", fmt.Errorf("unrecognized public key type: %s", keyType)
} else if keySize < minimumKeySize {
return "", fmt.Errorf("the minimum accepted size of a public key %s is %d", keyType, minimumKeySize)
}
pkey, err := ssh.ParsePublicKey([]byte(key))
if err != nil {
return "", fmt.Errorf("ParsePublicKey: %v", err)
}
log.Trace("Key type: %s", pkey.Type())
return content, nil
}

+ 0
- 9
modules/setting/setting.go View File

@ -453,8 +453,6 @@ var Service struct {
EnableNotifyMail bool
EnableReverseProxyAuth bool
EnableReverseProxyAutoRegister bool
DisableMinimumKeySizeCheck bool
MinimumKeySizes map[string]int
EnableCaptcha bool
}
@ -468,14 +466,7 @@ func newService() {
Service.EnableCacheAvatar = sec.Key("ENABLE_CACHE_AVATAR").MustBool()
Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
Service.DisableMinimumKeySizeCheck = sec.Key("DISABLE_MINIMUM_KEY_SIZE_CHECK").MustBool()
Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool()
minimumKeySizes := Cfg.Section("service.minimum_key_sizes").Keys()
Service.MinimumKeySizes = make(map[string]int)
for _, key := range minimumKeySizes {
Service.MinimumKeySizes[key.Name()] = key.MustInt()
}
}
var logLevels = map[string]string{

+ 1
- 1
templates/.VERSION View File

@ -1 +1 @@
0.8.21.0114
0.8.22.0115

Loading…
Cancel
Save