server.go 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488
  1. // Copyright 2011 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. package ssh
  5. import (
  6. "bytes"
  7. "errors"
  8. "fmt"
  9. "io"
  10. "net"
  11. )
  12. // The Permissions type holds fine-grained permissions that are
  13. // specific to a user or a specific authentication method for a
  14. // user. Permissions, except for "source-address", must be enforced in
  15. // the server application layer, after successful authentication. The
  16. // Permissions are passed on in ServerConn so a server implementation
  17. // can honor them.
  18. type Permissions struct {
  19. // Critical options restrict default permissions. Common
  20. // restrictions are "source-address" and "force-command". If
  21. // the server cannot enforce the restriction, or does not
  22. // recognize it, the user should not authenticate.
  23. CriticalOptions map[string]string
  24. // Extensions are extra functionality that the server may
  25. // offer on authenticated connections. Common extensions are
  26. // "permit-agent-forwarding", "permit-X11-forwarding". Lack of
  27. // support for an extension does not preclude authenticating a
  28. // user.
  29. Extensions map[string]string
  30. }
  31. // ServerConfig holds server specific configuration data.
  32. type ServerConfig struct {
  33. // Config contains configuration shared between client and server.
  34. Config
  35. hostKeys []Signer
  36. // NoClientAuth is true if clients are allowed to connect without
  37. // authenticating.
  38. NoClientAuth bool
  39. // PasswordCallback, if non-nil, is called when a user
  40. // attempts to authenticate using a password.
  41. PasswordCallback func(conn ConnMetadata, password []byte) (*Permissions, error)
  42. // PublicKeyCallback, if non-nil, is called when a client attempts public
  43. // key authentication. It must return true if the given public key is
  44. // valid for the given user. For example, see CertChecker.Authenticate.
  45. PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
  46. // KeyboardInteractiveCallback, if non-nil, is called when
  47. // keyboard-interactive authentication is selected (RFC
  48. // 4256). The client object's Challenge function should be
  49. // used to query the user. The callback may offer multiple
  50. // Challenge rounds. To avoid information leaks, the client
  51. // should be presented a challenge even if the user is
  52. // unknown.
  53. KeyboardInteractiveCallback func(conn ConnMetadata, client KeyboardInteractiveChallenge) (*Permissions, error)
  54. // AuthLogCallback, if non-nil, is called to log all authentication
  55. // attempts.
  56. AuthLogCallback func(conn ConnMetadata, method string, err error)
  57. // ServerVersion is the version identification string to announce in
  58. // the public handshake.
  59. // If empty, a reasonable default is used.
  60. // Note that RFC 4253 section 4.2 requires that this string start with
  61. // "SSH-2.0-".
  62. ServerVersion string
  63. }
  64. // AddHostKey adds a private key as a host key. If an existing host
  65. // key exists with the same algorithm, it is overwritten. Each server
  66. // config must have at least one host key.
  67. func (s *ServerConfig) AddHostKey(key Signer) {
  68. for i, k := range s.hostKeys {
  69. if k.PublicKey().Type() == key.PublicKey().Type() {
  70. s.hostKeys[i] = key
  71. return
  72. }
  73. }
  74. s.hostKeys = append(s.hostKeys, key)
  75. }
  76. // cachedPubKey contains the results of querying whether a public key is
  77. // acceptable for a user.
  78. type cachedPubKey struct {
  79. user string
  80. pubKeyData []byte
  81. result error
  82. perms *Permissions
  83. }
  84. const maxCachedPubKeys = 16
  85. // pubKeyCache caches tests for public keys. Since SSH clients
  86. // will query whether a public key is acceptable before attempting to
  87. // authenticate with it, we end up with duplicate queries for public
  88. // key validity. The cache only applies to a single ServerConn.
  89. type pubKeyCache struct {
  90. keys []cachedPubKey
  91. }
  92. // get returns the result for a given user/algo/key tuple.
  93. func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
  94. for _, k := range c.keys {
  95. if k.user == user && bytes.Equal(k.pubKeyData, pubKeyData) {
  96. return k, true
  97. }
  98. }
  99. return cachedPubKey{}, false
  100. }
  101. // add adds the given tuple to the cache.
  102. func (c *pubKeyCache) add(candidate cachedPubKey) {
  103. if len(c.keys) < maxCachedPubKeys {
  104. c.keys = append(c.keys, candidate)
  105. }
  106. }
  107. // ServerConn is an authenticated SSH connection, as seen from the
  108. // server
  109. type ServerConn struct {
  110. Conn
  111. // If the succeeding authentication callback returned a
  112. // non-nil Permissions pointer, it is stored here.
  113. Permissions *Permissions
  114. }
  115. // NewServerConn starts a new SSH server with c as the underlying
  116. // transport. It starts with a handshake and, if the handshake is
  117. // unsuccessful, it closes the connection and returns an error. The
  118. // Request and NewChannel channels must be serviced, or the connection
  119. // will hang.
  120. func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error) {
  121. fullConf := *config
  122. fullConf.SetDefaults()
  123. s := &connection{
  124. sshConn: sshConn{conn: c},
  125. }
  126. perms, err := s.serverHandshake(&fullConf)
  127. if err != nil {
  128. c.Close()
  129. return nil, nil, nil, err
  130. }
  131. return &ServerConn{s, perms}, s.mux.incomingChannels, s.mux.incomingRequests, nil
  132. }
  133. // signAndMarshal signs the data with the appropriate algorithm,
  134. // and serializes the result in SSH wire format.
  135. func signAndMarshal(k Signer, rand io.Reader, data []byte) ([]byte, error) {
  136. sig, err := k.Sign(rand, data)
  137. if err != nil {
  138. return nil, err
  139. }
  140. return Marshal(sig), nil
  141. }
  142. // handshake performs key exchange and user authentication.
  143. func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error) {
  144. if len(config.hostKeys) == 0 {
  145. return nil, errors.New("ssh: server has no host keys")
  146. }
  147. if !config.NoClientAuth && config.PasswordCallback == nil && config.PublicKeyCallback == nil && config.KeyboardInteractiveCallback == nil {
  148. return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
  149. }
  150. if config.ServerVersion != "" {
  151. s.serverVersion = []byte(config.ServerVersion)
  152. } else {
  153. s.serverVersion = []byte(packageVersion)
  154. }
  155. var err error
  156. s.clientVersion, err = exchangeVersions(s.sshConn.conn, s.serverVersion)
  157. if err != nil {
  158. return nil, err
  159. }
  160. tr := newTransport(s.sshConn.conn, config.Rand, false /* not client */)
  161. s.transport = newServerTransport(tr, s.clientVersion, s.serverVersion, config)
  162. if err := s.transport.requestInitialKeyChange(); err != nil {
  163. return nil, err
  164. }
  165. // We just did the key change, so the session ID is established.
  166. s.sessionID = s.transport.getSessionID()
  167. var packet []byte
  168. if packet, err = s.transport.readPacket(); err != nil {
  169. return nil, err
  170. }
  171. var serviceRequest serviceRequestMsg
  172. if err = Unmarshal(packet, &serviceRequest); err != nil {
  173. return nil, err
  174. }
  175. if serviceRequest.Service != serviceUserAuth {
  176. return nil, errors.New("ssh: requested service '" + serviceRequest.Service + "' before authenticating")
  177. }
  178. serviceAccept := serviceAcceptMsg{
  179. Service: serviceUserAuth,
  180. }
  181. if err := s.transport.writePacket(Marshal(&serviceAccept)); err != nil {
  182. return nil, err
  183. }
  184. perms, err := s.serverAuthenticate(config)
  185. if err != nil {
  186. return nil, err
  187. }
  188. s.mux = newMux(s.transport)
  189. return perms, err
  190. }
  191. func isAcceptableAlgo(algo string) bool {
  192. switch algo {
  193. case KeyAlgoRSA, KeyAlgoDSA, KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521, KeyAlgoED25519,
  194. CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01:
  195. return true
  196. }
  197. return false
  198. }
  199. func checkSourceAddress(addr net.Addr, sourceAddr string) error {
  200. if addr == nil {
  201. return errors.New("ssh: no address known for client, but source-address match required")
  202. }
  203. tcpAddr, ok := addr.(*net.TCPAddr)
  204. if !ok {
  205. return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr)
  206. }
  207. if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
  208. if allowedIP.Equal(tcpAddr.IP) {
  209. return nil
  210. }
  211. } else {
  212. _, ipNet, err := net.ParseCIDR(sourceAddr)
  213. if err != nil {
  214. return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err)
  215. }
  216. if ipNet.Contains(tcpAddr.IP) {
  217. return nil
  218. }
  219. }
  220. return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
  221. }
  222. func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
  223. var err error
  224. var cache pubKeyCache
  225. var perms *Permissions
  226. userAuthLoop:
  227. for {
  228. var userAuthReq userAuthRequestMsg
  229. if packet, err := s.transport.readPacket(); err != nil {
  230. return nil, err
  231. } else if err = Unmarshal(packet, &userAuthReq); err != nil {
  232. return nil, err
  233. }
  234. if userAuthReq.Service != serviceSSH {
  235. return nil, errors.New("ssh: client attempted to negotiate for unknown service: " + userAuthReq.Service)
  236. }
  237. s.user = userAuthReq.User
  238. perms = nil
  239. authErr := errors.New("no auth passed yet")
  240. switch userAuthReq.Method {
  241. case "none":
  242. if config.NoClientAuth {
  243. authErr = nil
  244. }
  245. case "password":
  246. if config.PasswordCallback == nil {
  247. authErr = errors.New("ssh: password auth not configured")
  248. break
  249. }
  250. payload := userAuthReq.Payload
  251. if len(payload) < 1 || payload[0] != 0 {
  252. return nil, parseError(msgUserAuthRequest)
  253. }
  254. payload = payload[1:]
  255. password, payload, ok := parseString(payload)
  256. if !ok || len(payload) > 0 {
  257. return nil, parseError(msgUserAuthRequest)
  258. }
  259. perms, authErr = config.PasswordCallback(s, password)
  260. case "keyboard-interactive":
  261. if config.KeyboardInteractiveCallback == nil {
  262. authErr = errors.New("ssh: keyboard-interactive auth not configubred")
  263. break
  264. }
  265. prompter := &sshClientKeyboardInteractive{s}
  266. perms, authErr = config.KeyboardInteractiveCallback(s, prompter.Challenge)
  267. case "publickey":
  268. if config.PublicKeyCallback == nil {
  269. authErr = errors.New("ssh: publickey auth not configured")
  270. break
  271. }
  272. payload := userAuthReq.Payload
  273. if len(payload) < 1 {
  274. return nil, parseError(msgUserAuthRequest)
  275. }
  276. isQuery := payload[0] == 0
  277. payload = payload[1:]
  278. algoBytes, payload, ok := parseString(payload)
  279. if !ok {
  280. return nil, parseError(msgUserAuthRequest)
  281. }
  282. algo := string(algoBytes)
  283. if !isAcceptableAlgo(algo) {
  284. authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
  285. break
  286. }
  287. pubKeyData, payload, ok := parseString(payload)
  288. if !ok {
  289. return nil, parseError(msgUserAuthRequest)
  290. }
  291. pubKey, err := ParsePublicKey(pubKeyData)
  292. if err != nil {
  293. return nil, err
  294. }
  295. candidate, ok := cache.get(s.user, pubKeyData)
  296. if !ok {
  297. candidate.user = s.user
  298. candidate.pubKeyData = pubKeyData
  299. candidate.perms, candidate.result = config.PublicKeyCallback(s, pubKey)
  300. if candidate.result == nil && candidate.perms != nil && candidate.perms.CriticalOptions != nil && candidate.perms.CriticalOptions[sourceAddressCriticalOption] != "" {
  301. candidate.result = checkSourceAddress(
  302. s.RemoteAddr(),
  303. candidate.perms.CriticalOptions[sourceAddressCriticalOption])
  304. }
  305. cache.add(candidate)
  306. }
  307. if isQuery {
  308. // The client can query if the given public key
  309. // would be okay.
  310. if len(payload) > 0 {
  311. return nil, parseError(msgUserAuthRequest)
  312. }
  313. if candidate.result == nil {
  314. okMsg := userAuthPubKeyOkMsg{
  315. Algo: algo,
  316. PubKey: pubKeyData,
  317. }
  318. if err = s.transport.writePacket(Marshal(&okMsg)); err != nil {
  319. return nil, err
  320. }
  321. continue userAuthLoop
  322. }
  323. authErr = candidate.result
  324. } else {
  325. sig, payload, ok := parseSignature(payload)
  326. if !ok || len(payload) > 0 {
  327. return nil, parseError(msgUserAuthRequest)
  328. }
  329. // Ensure the public key algo and signature algo
  330. // are supported. Compare the private key
  331. // algorithm name that corresponds to algo with
  332. // sig.Format. This is usually the same, but
  333. // for certs, the names differ.
  334. if !isAcceptableAlgo(sig.Format) {
  335. break
  336. }
  337. signedData := buildDataSignedForAuth(s.transport.getSessionID(), userAuthReq, algoBytes, pubKeyData)
  338. if err := pubKey.Verify(signedData, sig); err != nil {
  339. return nil, err
  340. }
  341. authErr = candidate.result
  342. perms = candidate.perms
  343. }
  344. default:
  345. authErr = fmt.Errorf("ssh: unknown method %q", userAuthReq.Method)
  346. }
  347. if config.AuthLogCallback != nil {
  348. config.AuthLogCallback(s, userAuthReq.Method, authErr)
  349. }
  350. if authErr == nil {
  351. break userAuthLoop
  352. }
  353. var failureMsg userAuthFailureMsg
  354. if config.PasswordCallback != nil {
  355. failureMsg.Methods = append(failureMsg.Methods, "password")
  356. }
  357. if config.PublicKeyCallback != nil {
  358. failureMsg.Methods = append(failureMsg.Methods, "publickey")
  359. }
  360. if config.KeyboardInteractiveCallback != nil {
  361. failureMsg.Methods = append(failureMsg.Methods, "keyboard-interactive")
  362. }
  363. if len(failureMsg.Methods) == 0 {
  364. return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
  365. }
  366. if err = s.transport.writePacket(Marshal(&failureMsg)); err != nil {
  367. return nil, err
  368. }
  369. }
  370. if err = s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
  371. return nil, err
  372. }
  373. return perms, nil
  374. }
  375. // sshClientKeyboardInteractive implements a ClientKeyboardInteractive by
  376. // asking the client on the other side of a ServerConn.
  377. type sshClientKeyboardInteractive struct {
  378. *connection
  379. }
  380. func (c *sshClientKeyboardInteractive) Challenge(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
  381. if len(questions) != len(echos) {
  382. return nil, errors.New("ssh: echos and questions must have equal length")
  383. }
  384. var prompts []byte
  385. for i := range questions {
  386. prompts = appendString(prompts, questions[i])
  387. prompts = appendBool(prompts, echos[i])
  388. }
  389. if err := c.transport.writePacket(Marshal(&userAuthInfoRequestMsg{
  390. Instruction: instruction,
  391. NumPrompts: uint32(len(questions)),
  392. Prompts: prompts,
  393. })); err != nil {
  394. return nil, err
  395. }
  396. packet, err := c.transport.readPacket()
  397. if err != nil {
  398. return nil, err
  399. }
  400. if packet[0] != msgUserAuthInfoResponse {
  401. return nil, unexpectedMessageError(msgUserAuthInfoResponse, packet[0])
  402. }
  403. packet = packet[1:]
  404. n, packet, ok := parseUint32(packet)
  405. if !ok || int(n) != len(questions) {
  406. return nil, parseError(msgUserAuthInfoResponse)
  407. }
  408. for i := uint32(0); i < n; i++ {
  409. ans, rest, ok := parseString(packet)
  410. if !ok {
  411. return nil, parseError(msgUserAuthInfoResponse)
  412. }
  413. answers = append(answers, string(ans))
  414. packet = rest
  415. }
  416. if len(packet) != 0 {
  417. return nil, errors.New("ssh: junk at end of message")
  418. }
  419. return answers, nil
  420. }