tyler.durden/ssh-chat
1
0
Fork 0
mirror of https://github.com/shazow/ssh-chat.git synced 2025-07-02 03:34:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

main: Clarify passphrase shenanigans

Browse Source
This commit is contained in:
Andrey Petrov 2020-04-16 12:32:12 -04:00
parent b1bce027ad
commit 6e9705faf5
1 changed files with 28 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
cmd/ssh-chat/cmd.go
View File

@ -120,37 +120,36 @@ func main() {
if options.Whitelist != "" { if options.Whitelist != "" {
logger.Warning("Passphrase is disabled while whitelist is enabled.") logger.Warning("Passphrase is disabled while whitelist is enabled.")
} }
{ if config.KeyboardInteractiveCallback != nil {
cb := config.KeyboardInteractiveCallback fail(1, "Passphrase authentication conflicts with existing KeyboardInteractive setup.") // This should not happen
config.KeyboardInteractiveCallback = func(conn ssh.ConnMetadata, challenge ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) {
perm, err := cb(conn, challenge)
if err != nil {
return perm, err
}
answers, err := challenge("", "", []string{"Passphrase required to connect: "}, []bool{true})
if err != nil {
return nil, err
}
if len(answers) == 1 && answers[0] == options.Passphrase {
// Success
return perm, nil
}
// It's not gonna do much but may as well throttle brute force attempts a little
time.Sleep(2 * time.Second)
return nil, errors.New("incorrect passphrase")
}
} }
{
// We also need to override the PublicKeyCallback to prevent rando pubkeys from bypassing // We use KeyboardInteractiveCallback instead of PasswordCallback to
cb := config.PublicKeyCallback // avoid preventing the client from including a pubkey in the user
config.PublicKeyCallback = func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { // identification.
perms, err := cb(conn, key) config.KeyboardInteractiveCallback = func(conn ssh.ConnMetadata, challenge ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) {
if err == nil { answers, err := challenge("", "", []string{"Passphrase required to connect: "}, []bool{true})
err = errors.New("passphrase authentication required") if err != nil {
} return nil, err
return perms, err
} }
if len(answers) == 1 && answers[0] == options.Passphrase {
// Success
return nil, nil
}
// It's not gonna do much but may as well throttle brute force attempts a little
time.Sleep(2 * time.Second)
return nil, errors.New("incorrect passphrase")
}
// We also need to override the PublicKeyCallback to prevent rando pubkeys from bypassing
cb := config.PublicKeyCallback
config.PublicKeyCallback = func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
perms, err := cb(conn, key)
if err == nil {
err = errors.New("passphrase authentication required")
}
return perms, err
} }
} }