commit
c68d3fd2da
@ -0,0 +1,21 @@ |
|||||||
|
Motivation |
||||||
|
========== |
||||||
|
|
||||||
|
sshd implementation in Go, for the sole purpose of restricting the ports that |
||||||
|
clients can request using direct-tcpip. |
||||||
|
|
||||||
|
OpenSSH refuses to merge patches to support this, but there is a fork of OpenSSH |
||||||
|
with patches that achieve something similar to this. [1] |
||||||
|
|
||||||
|
|
||||||
|
[1] https://github.com/antonyantony/openssh |
||||||
|
|
||||||
|
authorized_keys format |
||||||
|
====================== |
||||||
|
|
||||||
|
Same as OpenSSH authorized_keys format. |
||||||
|
Comment field contains the ports that are allowed to be forwarded, comma |
||||||
|
separated:: |
||||||
|
|
||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPWEWu85yECrbmtL38wlFua3tBSqxTekCX/aU+dku+w 3333,3334 |
||||||
|
|
@ -0,0 +1,2 @@ |
|||||||
|
* Make sure to not run this as root (setuid doesn't work well), so use NET capabilities |
||||||
|
* Check assertions and TODOs. |
@ -0,0 +1,208 @@ |
|||||||
|
package main |
||||||
|
|
||||||
|
// Copyright:
|
||||||
|
// Merlijn B. W. Wajer <merlijn@wizzup.org>
|
||||||
|
// (C) 2017
|
||||||
|
|
||||||
|
// Trivial parts taken from:
|
||||||
|
// * https://blog.gopheracademy.com/advent-2015/ssh-server-in-go/
|
||||||
|
// * https://github.com/tg123/sshpiper/commit/9db468b52dfc2cbe936efb7bef0fd5b88e0c1649
|
||||||
|
|
||||||
|
import ( |
||||||
|
"fmt" |
||||||
|
"io" |
||||||
|
"io/ioutil" |
||||||
|
"log" |
||||||
|
"net" |
||||||
|
"strconv" |
||||||
|
"strings" |
||||||
|
"sync" |
||||||
|
|
||||||
|
"golang.org/x/crypto/ssh" |
||||||
|
) |
||||||
|
|
||||||
|
var ( |
||||||
|
authorisedKeys map[string]string |
||||||
|
) |
||||||
|
|
||||||
|
func main() { |
||||||
|
config := &ssh.ServerConfig{ |
||||||
|
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { |
||||||
|
if ports, found := authorisedKeys[string(key.Marshal())]; found { |
||||||
|
return &ssh.Permissions{ |
||||||
|
CriticalOptions: map[string]string{"ports": ports}, |
||||||
|
}, nil |
||||||
|
} |
||||||
|
|
||||||
|
return nil, fmt.Errorf("Unknown public key\n") |
||||||
|
}, |
||||||
|
} |
||||||
|
|
||||||
|
privateBytes, err := ioutil.ReadFile("id_ed25519") |
||||||
|
//privateBytes, err := ioutil.ReadFile("id_rsa")
|
||||||
|
if err != nil { |
||||||
|
log.Fatal("Failed to load private key (./id_rsa)") |
||||||
|
} |
||||||
|
|
||||||
|
private, err := ssh.ParsePrivateKey(privateBytes) |
||||||
|
if err != nil { |
||||||
|
log.Fatal("Failed to parse private key") |
||||||
|
} |
||||||
|
|
||||||
|
config.AddHostKey(private) |
||||||
|
loadKeys() |
||||||
|
|
||||||
|
listener, err := net.Listen("tcp", "0.0.0.0:2200") |
||||||
|
if err != nil { |
||||||
|
log.Fatalf("Failed to listen on 2200 (%s)", err) |
||||||
|
} |
||||||
|
|
||||||
|
// Accept all connections
|
||||||
|
log.Print("Listening on 2200...") |
||||||
|
for { |
||||||
|
tcpConn, err := listener.Accept() |
||||||
|
if err != nil { |
||||||
|
log.Printf("Failed to accept incoming connection (%s)", err) |
||||||
|
continue |
||||||
|
} |
||||||
|
// Before use, a handshake must be performed on the incoming net.Conn.
|
||||||
|
sshConn, chans, reqs, err := ssh.NewServerConn(tcpConn, config) |
||||||
|
if err != nil { |
||||||
|
log.Printf("Failed to handshake (%s)", err) |
||||||
|
continue |
||||||
|
} |
||||||
|
|
||||||
|
allowedPorts := sshConn.Permissions.CriticalOptions["ports"] |
||||||
|
|
||||||
|
log.Printf("Connection from %s (%s). Allowed ports: %s", sshConn.RemoteAddr(), sshConn.ClientVersion(), allowedPorts) |
||||||
|
|
||||||
|
// Parsing a second time should not error
|
||||||
|
ports, _ := parsePorts(allowedPorts) |
||||||
|
|
||||||
|
// Discard all global out-of-band Requests
|
||||||
|
go ssh.DiscardRequests(reqs) |
||||||
|
// Accept all channels
|
||||||
|
go handleChannels(chans, ports) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
func handleChannels(chans <-chan ssh.NewChannel, ports []uint32) { |
||||||
|
for c := range chans { |
||||||
|
go handleChannel(c, ports) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
/* RFC4254 7.2 */ |
||||||
|
type directTCPPayload struct { |
||||||
|
Addr string |
||||||
|
Port uint32 |
||||||
|
OriginAddr string |
||||||
|
OriginPort uint32 |
||||||
|
} |
||||||
|
|
||||||
|
func handleChannel(newChannel ssh.NewChannel, ports []uint32) { |
||||||
|
log.Println("Channel type:", newChannel.ChannelType()) |
||||||
|
if t := newChannel.ChannelType(); t != "direct-tcpip" { |
||||||
|
newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Only \"direct-tcpip\" is accepted")) |
||||||
|
return |
||||||
|
} |
||||||
|
|
||||||
|
var payload directTCPPayload |
||||||
|
if err := ssh.Unmarshal(newChannel.ExtraData(), &payload); err != nil { |
||||||
|
log.Printf("Could not unmarshal extra data: %s\n", err) |
||||||
|
|
||||||
|
newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad payload")) |
||||||
|
return |
||||||
|
} |
||||||
|
|
||||||
|
//log.Println("Got payload: %v", payload)
|
||||||
|
if payload.Addr != "localhost" { |
||||||
|
newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad addr")) |
||||||
|
return |
||||||
|
} |
||||||
|
|
||||||
|
ok := false |
||||||
|
for _, port := range ports { |
||||||
|
if payload.Port == port { |
||||||
|
ok = true |
||||||
|
break |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
if !ok { |
||||||
|
newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad port")) |
||||||
|
return |
||||||
|
} |
||||||
|
|
||||||
|
// At this point, we have the opportunity to reject the client's
|
||||||
|
// request for another logical connection
|
||||||
|
connection, requests, err := newChannel.Accept() |
||||||
|
_ = requests // TODO: Think we can just ignore these
|
||||||
|
if err != nil { |
||||||
|
log.Printf("Could not accept channel (%s)", err) |
||||||
|
return |
||||||
|
} |
||||||
|
|
||||||
|
addr := fmt.Sprintf("%s:%d", payload.Addr, payload.Port) |
||||||
|
log.Println("Going to dial:", addr) |
||||||
|
|
||||||
|
rconn, err := net.Dial("tcp", addr) |
||||||
|
if err != nil { |
||||||
|
log.Printf("Could not dial remote (%s)", err) |
||||||
|
connection.Close() |
||||||
|
return |
||||||
|
} |
||||||
|
|
||||||
|
close := func() { |
||||||
|
connection.Close() |
||||||
|
rconn.Close() |
||||||
|
log.Printf("Session closed") |
||||||
|
} |
||||||
|
|
||||||
|
var once sync.Once |
||||||
|
go func() { |
||||||
|
io.Copy(connection, rconn) |
||||||
|
once.Do(close) |
||||||
|
}() |
||||||
|
go func() { |
||||||
|
io.Copy(rconn, connection) |
||||||
|
once.Do(close) |
||||||
|
}() |
||||||
|
} |
||||||
|
|
||||||
|
func parsePorts(portstr string) (p []uint32, err error) { |
||||||
|
ports := strings.Split(portstr, ",") |
||||||
|
for _, port := range ports { |
||||||
|
port, err := strconv.ParseUint(port, 10, 32) |
||||||
|
if err != nil { |
||||||
|
return p, err |
||||||
|
} |
||||||
|
p = append(p, uint32(port)) |
||||||
|
} |
||||||
|
return |
||||||
|
} |
||||||
|
|
||||||
|
func loadKeys() { |
||||||
|
authorisedKeys = map[string]string{} |
||||||
|
authorisedKeysBytes, err := ioutil.ReadFile("authorized_keys") |
||||||
|
if err != nil { |
||||||
|
log.Fatal("Cannot load authorised keys") |
||||||
|
} |
||||||
|
|
||||||
|
for len(authorisedKeysBytes) > 0 { |
||||||
|
pubkey, ports, _, rest, err := ssh.ParseAuthorizedKey(authorisedKeysBytes) |
||||||
|
|
||||||
|
if err != nil { |
||||||
|
log.Fatal(err) |
||||||
|
} |
||||||
|
|
||||||
|
_, err = parsePorts(ports) |
||||||
|
|
||||||
|
if err != nil { |
||||||
|
log.Fatal(err) |
||||||
|
} |
||||||
|
|
||||||
|
authorisedKeys[string(pubkey.Marshal())] = ports |
||||||
|
authorisedKeysBytes = rest |
||||||
|
} |
||||||
|
} |
Loading…
Reference in new issue