aboutsummaryrefslogblamecommitdiffstats
path: root/plumbing/transport/ssh/auth_method.go
blob: 84dfe14d96a5ea33646f78d786518b58f6d2fc8b (plain) (tree) 
0bb17cd



c22467e


cd435d9

0bb17cd

373e597

0fa6f26


570d0e5


0bb17cd

c22467e


0bb17cd

0fa6f26

c22467e

0bb17cd


373e597


cd435d9


0bb17cd




c22467e

0bb17cd

570d0e5

0bb17cd


















570d0e5

0bb17cd





















570d0e5

0bb17cd






















570d0e5

0bb17cd

















373e597

0bb17cd



570d0e5

0bb17cd


c22467e
















373e597









c22467e



373e597





c22467e

373e597


0bb17cd




















570d0e5

0bb17cd


373e597



45bdbcb








5bed3e8


cd435d9






0fa6f26

cd435d9

0fa6f26



45bdbcb

0fa6f26



570d0e5

373e597















570d0e5












































































1
2
3

4
5

6

7

8

9
10

11
12

13

14
15

16

17

18

19
20

21
22

23
24

25
26
27
28

29

30

31

32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

50

51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

72

73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

95

96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112

113

114
115
116

117

118
119

120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135

136
137
138
139
140
141
142
143
144

145
146
147

148
149
150
151
152

153

154
155

156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175

176

177
178

179
180
181

182
183
184
185
186
187
188
189

190
191

192
193
194
195
196
197

198

199

200
201
202

203

204
205
206

207

208
209
210
211
212
213
214
215
216
217
218
219
220
221
222

223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298



           

                      
                
             
                   

             

                       
 

                                                     
                                 
                                       
                                            

 

                             

                                                                               



                                                                  
                            
                                        
                                                      

















                                                                     
                      




















                                                                                      
                      





















                                                                  
                      
















                                                                         
                                                                 


                         
                      

 















                                                                                       








                                                                          


                                                                                




                                              
                                                   

 



















                                                                  
                      

 


                                                                               







                                                                                     

         





                                                   
                       
                                                                                


                                   
                            


                                                        
 














                                                                           











































































                                                                                                                    
package ssh

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io/ioutil"
	"net"
	"os"
	"os/user"
	"path/filepath"

	"gopkg.in/src-d/go-git.v4/plumbing/transport"

	"golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/agent"
	"golang.org/x/crypto/ssh/knownhosts"
)

const DefaultUsername = "git"

var ErrEmptySSHAgentAddr = errors.New("SSH_AUTH_SOCK env variable is required")

// AuthMethod is the interface all auth methods for the ssh client
// must implement. The clientConfig method returns the ssh client
// configuration needed to establish an ssh connection.
type AuthMethod interface {
	transport.AuthMethod
	clientConfig() *ssh.ClientConfig
	hostKeyCallback() (ssh.HostKeyCallback, error)
}

// The names of the AuthMethod implementations. To be returned by the
// Name() method. Most git servers only allow PublicKeysName and
// PublicKeysCallbackName.
const (
	KeyboardInteractiveName = "ssh-keyboard-interactive"
	PasswordName            = "ssh-password"
	PasswordCallbackName    = "ssh-password-callback"
	PublicKeysName          = "ssh-public-keys"
	PublicKeysCallbackName  = "ssh-public-key-callback"
)

// KeyboardInteractive implements AuthMethod by using a
// prompt/response sequence controlled by the server.
type KeyboardInteractive struct {
	User      string
	Challenge ssh.KeyboardInteractiveChallenge
	baseAuthMethod
}

func (a *KeyboardInteractive) Name() string {
	return KeyboardInteractiveName
}

func (a *KeyboardInteractive) String() string {
	return fmt.Sprintf("user: %s, name: %s", a.User, a.Name())
}

func (a *KeyboardInteractive) clientConfig() *ssh.ClientConfig {
	return &ssh.ClientConfig{
		User: a.User,
		Auth: []ssh.AuthMethod{ssh.KeyboardInteractiveChallenge(a.Challenge)},
	}
}

// Password implements AuthMethod by using the given password.
type Password struct {
	User string
	Pass string
	baseAuthMethod
}

func (a *Password) Name() string {
	return PasswordName
}

func (a *Password) String() string {
	return fmt.Sprintf("user: %s, name: %s", a.User, a.Name())
}

func (a *Password) clientConfig() *ssh.ClientConfig {
	return &ssh.ClientConfig{
		User: a.User,
		Auth: []ssh.AuthMethod{ssh.Password(a.Pass)},
	}
}

// PasswordCallback implements AuthMethod by using a callback
// to fetch the password.
type PasswordCallback struct {
	User     string
	Callback func() (pass string, err error)
	baseAuthMethod
}

func (a *PasswordCallback) Name() string {
	return PasswordCallbackName
}

func (a *PasswordCallback) String() string {
	return fmt.Sprintf("user: %s, name: %s", a.User, a.Name())
}

func (a *PasswordCallback) clientConfig() *ssh.ClientConfig {
	return &ssh.ClientConfig{
		User: a.User,
		Auth: []ssh.AuthMethod{ssh.PasswordCallback(a.Callback)},
	}
}

// PublicKeys implements AuthMethod by using the given key pairs.
type PublicKeys struct {
	User   string
	Signer ssh.Signer
	baseAuthMethod
}

// NewPublicKeys returns a PublicKeys from a PEM encoded private key. An
// encryption password should be given if the pemBytes contains a password
// encrypted PEM block otherwise password should be empty. It supports RSA
// (PKCS#1), DSA (OpenSSL), and ECDSA private keys.
func NewPublicKeys(user string, pemBytes []byte, password string) (AuthMethod, error) {
	block, _ := pem.Decode(pemBytes)
	if x509.IsEncryptedPEMBlock(block) {
		key, err := x509.DecryptPEMBlock(block, []byte(password))
		if err != nil {
			return nil, err
		}

		block = &pem.Block{Type: block.Type, Bytes: key}
		pemBytes = pem.EncodeToMemory(block)
	}

	signer, err := ssh.ParsePrivateKey(pemBytes)
	if err != nil {
		return nil, err
	}

	return &PublicKeys{User: user, Signer: signer}, nil
}

// NewPublicKeysFromFile returns a PublicKeys from a file containing a PEM
// encoded private key. An encryption password should be given if the pemBytes
// contains a password encrypted PEM block otherwise password should be empty.
func NewPublicKeysFromFile(user, pemFile, password string) (AuthMethod, error) {
	bytes, err := ioutil.ReadFile(pemFile)
	if err != nil {
		return nil, err
	}

	return NewPublicKeys(user, bytes, password)
}

func (a *PublicKeys) Name() string {
	return PublicKeysName
}

func (a *PublicKeys) String() string {
	return fmt.Sprintf("user: %s, name: %s", a.User, a.Name())
}

func (a *PublicKeys) clientConfig() *ssh.ClientConfig {
	return &ssh.ClientConfig{
		User: a.User,
		Auth: []ssh.AuthMethod{ssh.PublicKeys(a.Signer)},
	}
}

// PublicKeysCallback implements AuthMethod by asking a
// ssh.agent.Agent to act as a signer.
type PublicKeysCallback struct {
	User     string
	Callback func() (signers []ssh.Signer, err error)
	baseAuthMethod
}

// NewSSHAgentAuth returns a PublicKeysCallback based on a SSH agent, it opens
// a pipe with the SSH agent and uses the pipe as the implementer of the public
// key callback function.
func NewSSHAgentAuth(u string) (AuthMethod, error) {
	if u == "" {
		usr, err := user.Current()
		if err != nil {
			return nil, fmt.Errorf("error getting current user: %q", err)
		}

		u = usr.Username
	}

	sshAgentAddr := os.Getenv("SSH_AUTH_SOCK")
	if sshAgentAddr == "" {
		return nil, ErrEmptySSHAgentAddr
	}

	pipe, err := net.Dial("unix", sshAgentAddr)
	if err != nil {
		return nil, fmt.Errorf("error connecting to SSH agent: %q", err)
	}

	return &PublicKeysCallback{
		User:     u,
		Callback: agent.NewClient(pipe).Signers,
	}, nil
}

func (a *PublicKeysCallback) Name() string {
	return PublicKeysCallbackName
}

func (a *PublicKeysCallback) String() string {
	return fmt.Sprintf("user: %s, name: %s", a.User, a.Name())
}

func (a *PublicKeysCallback) clientConfig() *ssh.ClientConfig {
	return &ssh.ClientConfig{
		User: a.User,
		Auth: []ssh.AuthMethod{ssh.PublicKeysCallback(a.Callback)},
	}
}

// NewKnownHostsCallback returns ssh.HostKeyCallback based on a file based on a
// know_hosts file. http://man.openbsd.org/sshd#SSH_KNOWN_HOSTS_FILE_FORMAT
//
// If files is empty, the list of files will be read from the SSH_KNOWN_HOSTS
// environment variable, example:
//   /home/foo/custom_known_hosts_file:/etc/custom_known/hosts_file
//
// If SSH_KNOWN_HOSTS is not set the following file locations will be used:
//   ~/.ssh/known_hosts
//   /etc/ssh/ssh_known_hosts
func NewKnownHostsCallback(files ...string) (ssh.HostKeyCallback, error) {
	files, err := getDefaultKnownHostsFiles()
	if err != nil {
		return nil, err
	}

	files, err = filterKnownHostsFiles(files...)
	if err != nil {
		return nil, err
	}

	return knownhosts.New(files...)
}

func getDefaultKnownHostsFiles() ([]string, error) {
	files := filepath.SplitList(os.Getenv("SSH_KNOWN_HOSTS"))
	if len(files) != 0 {
		return files, nil
	}

	user, err := user.Current()
	if err != nil {
		return nil, err
	}

	return []string{
		filepath.Join(user.HomeDir, "/.ssh/known_hosts"),
		"/etc/ssh/ssh_known_hosts",
	}, nil
}

func filterKnownHostsFiles(files ...string) ([]string, error) {
	var out []string
	for _, file := range files {
		_, err := os.Stat(file)
		if err == nil {
			out = append(out, file)
			continue
		}

		if !os.IsNotExist(err) {
			return nil, err
		}
	}

	if len(out) == 0 {
		return nil, fmt.Errorf("unable to find any valid know_hosts file, set SSH_KNOWN_HOSTS env variable")
	}

	return out, nil
}

type baseAuthMethod struct {
	// HostKeyCallback is the function type used for verifying server keys.
	// If nil default callback will be create using NewKnownHostsHostKeyCallback
	// without argument.
	HostKeyCallback ssh.HostKeyCallback
}

func (m *baseAuthMethod) hostKeyCallback() (ssh.HostKeyCallback, error) {
	if m.HostKeyCallback == nil {
		return NewKnownHostsCallback()
	}

	return m.HostKeyCallback, nil
}
generated by cgit (git 2.34.1) at 2024-09-21 05:41:35 +0000