author | zeripath <art27@cantab.net> | 2020-12-11 22:52:38 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-11 23:52:38 +0100 |
commit | e46a638e8f49b007e8fa84d7970a70da935edf3b (patch) | |
tree | d3d1580265b2ed7b647c139ea4e0ae4521795d55 | |
parent | 8e0548ed4a97470e1f4c6b61e398522fd1adb860 (diff) | |
Report permissions denied in internal SSH (#13953)
This PR standardizes how permission-denied outcomes are logged by the built-in (internal) SSH server.
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
-rw-r--r-- | modules/ssh/ssh.go | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go
index 9bfa39ef42..e8ed9029ce 100644
--- a/modules/ssh/ssh.go
+++ b/modules/ssh/ssh.go
@@ -135,6 +135,7 @@ func sessionHandler(session ssh.Session) {
func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
if ctx.User() != setting.SSH.BuiltinServerUser {
+ log.Warn("Permission Denied: Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
return false
}
@@ -145,17 +146,18 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
}
// look for the exact principal
+ principalLoop:
for _, principal := range cert.ValidPrincipals {
pkey, err := models.SearchPublicKeyByContentExact(principal)
if err != nil {
+ if models.IsErrKeyNotExist(err) {
+ log.Debug("Principal Rejected: Unknown Principal: %s", principal)
+ continue principalLoop
+ }
log.Error("SearchPublicKeyByContentExact: %v", err)
return false
}
- if models.IsErrKeyNotExist(err) {
- continue
- }
-
c := &gossh.CertChecker{
IsUserAuthority: func(auth gossh.PublicKey) bool {
for _, k := range setting.SSH.TrustedUserCAKeysParsed {
@@ -170,11 +172,14 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
// check the CA of the cert
if !c.IsUserAuthority(cert.SignatureKey) {
- return false
+ log.Debug("Principal Rejected: Untrusted Authority Signature Fingerprint %s for Principal: %s", gossh.FingerprintSHA256(cert.SignatureKey), principal)
+ continue principalLoop
}
// validate the cert for this principal
if err := c.CheckCert(principal, cert); err != nil {
+ // User is presenting an invalid cerficate - STOP any further processing
+ log.Error("Permission Denied: Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal)
return false
}
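Review bot: The new log.Warn prints the client-supplied username with %s and omits the peer address, so a username containing spaces or newlines can blur or split the log line, and the rejected attempt cannot be attributed to a source, unlike the existing `Failed authentication attempt from %s` message further down that includes ctx.RemoteAddr(). Suggest `log.Warn("Permission Denied: Invalid SSH username %q from %s - must use %s for all git operations via ssh", ctx.User(), ctx.RemoteAddr(), setting.SSH.BuiltinServerUser)`. publicKeyHandler continues past the end of this hunk.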
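Review bot: `models.SearchPublicKeyByContentExact(principal)` runs once per entry of `cert.ValidPrincipals` before the certificate has been checked against any trusted CA, so an unauthenticated client decides how many database lookups this loop issues; the `IsUserAuthority(cert.SignatureKey)` check in the next hunk does not depend on the principal (as far as the hunk shows) and could run once before the loop so untrusted certificates are rejected without touching the database. The new Debug line also prints the client-chosen principal with %s; `log.Debug("Principal Rejected: Unknown Principal: %q", principal)` keeps an odd principal from spilling across lines. The loop body continues beyond this hunk.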
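Review bot: Replacing `return false` with `continue principalLoop` when `cert.SignatureKey` is not a trusted CA keeps iterating although the result cannot change: the signature key belongs to the certificate, not to the principal, so every remaining principal fails the same check after one more `SearchPublicKeyByContentExact` query. Either keep `return false` at that site, or hoist the `c.IsUserAuthority(cert.SignatureKey)` check ahead of the loop (the checker's IsUserAuthority only ranges over setting.SSH.TrustedUserCAKeysParsed in the visible lines, so it is principal-independent). The new log.Error should also carry ctx.RemoteAddr() like the other permission-denied message in this file, and the added comment has a typo: `cerficate` → `certificate`. The enclosing loop and publicKeyHandler continue outside the hunk.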
@@ -186,6 +191,10 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))
if err != nil {
+ if models.IsErrKeyNotExist(err) {
+ log.Warn("Permission Denied: Unknown public key : %s", gossh.FingerprintSHA256(key))
+ return false
+ }
log.Error("SearchPublicKeyByContent: %v Failed authentication attempt from %s", err, ctx.RemoteAddr())
return false
}
|
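Review bot: The new early return for an unregistered key logs the fingerprint but not ctx.RemoteAddr(), whereas the log.Error it now pre-empts reports `Failed authentication attempt from %s`; the most common failure (a key that simply is not registered) therefore loses source attribution, and any log-based blocking that keys on that phrase, where configured, will stop seeing these attempts. Suggest `log.Warn("Permission Denied: Unknown public key %s: Failed authentication attempt from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())`. publicKeyHandler continues past the end of this hunk.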