authorzeripath <art27@cantab.net>2020-12-11 22:52:38 +0000
committerGitHub <noreply@github.com>2020-12-11 23:52:38 +0100
commite46a638e8f49b007e8fa84d7970a70da935edf3b (patch)
treed3d1580265b2ed7b647c139ea4e0ae4521795d55
parent8e0548ed4a97470e1f4c6b61e398522fd1adb860 (diff)
Report permissions denied in internal SSH (#13953)
This PR standardizes how permission-denied failures are reported by the internal SSH server. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de>
-rw-r--r--modules/ssh/ssh.go19
1 files changed, 14 insertions, 5 deletions
diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go
index 9bfa39ef42..e8ed9029ce 100644
--- a/modules/ssh/ssh.go
+++ b/modules/ssh/ssh.go
@@ -135,6 +135,7 @@ func sessionHandler(session ssh.Session) {
func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
if ctx.User() != setting.SSH.BuiltinServerUser {
+ log.Warn("Permission Denied: Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
return false
}
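Review bot: The new warning at L24 interpolates the client-supplied username with `%s` and, unlike the existing error line at L68, omits `ctx.RemoteAddr()`, so an operator correlating failed attempts gets neither a safely quoted value nor a source address to act on. Format client-controlled strings with `%q` so that empty values and control characters are visible, and add the remote address: `log.Warn("Permission Denied: Invalid SSH username %q from %s - must use %s for all git operations via ssh", ctx.User(), ctx.RemoteAddr(), setting.SSH.BuiltinServerUser)`. The same applies to the principal in the debug lines at L35 and L52, the certificate KeyID at L58, and the unknown-key warning at L65, which also lacks the remote address. publicKeyHandler continues past the end of this hunk.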
@@ -145,17 +146,18 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
}
// look for the exact principal
+ principalLoop:
for _, principal := range cert.ValidPrincipals {
pkey, err := models.SearchPublicKeyByContentExact(principal)
if err != nil {
+ if models.IsErrKeyNotExist(err) {
+ log.Debug("Principal Rejected: Unknown Principal: %s", principal)
+ continue principalLoop
+ }
log.Error("SearchPublicKeyByContentExact: %v", err)
return false
}
- if models.IsErrKeyNotExist(err) {
- continue
- }
-
c := &gossh.CertChecker{
IsUserAuthority: func(auth gossh.PublicKey) bool {
for _, k := range setting.SSH.TrustedUserCAKeysParsed {
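Review bot: The `principalLoop` label added at L30 is not needed: both `continue principalLoop` statements (L36 and L53) sit directly in the body of the `for` over `cert.ValidPrincipals`, and the only nested loop is inside the `IsUserAuthority` closure, from which a labelled continue could not reach the outer loop anyway. A bare `continue` in both places reads the same and avoids a label that gofmt will outdent one level from the loop body. If the label is kept, a one-line comment on it saying that it exists to make the skip-to-next-principal explicit would help readers. The loop body continues past the end of this hunk.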
@@ -170,11 +172,14 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
// check the CA of the cert
if !c.IsUserAuthority(cert.SignatureKey) {
- return false
+ log.Debug("Principal Rejected: Untrusted Authority Signature Fingerprint %s for Principal: %s", gossh.FingerprintSHA256(cert.SignatureKey), principal)
+ continue principalLoop
}
// validate the cert for this principal
if err := c.CheckCert(principal, cert); err != nil {
+ // User is presenting an invalid cerficate - STOP any further processing
+ log.Error("Permission Denied: Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal)
return false
}
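Review bot: The error returned by `c.CheckCert` at L56 is dropped from the new log line at L58, so the operator cannot see why the certificate was rejected (the reason CheckCert reports, such as the validity window or principal membership). Append it to the message: `log.Warn("Permission Denied: Invalid Certificate KeyID %q with Signature Fingerprint %s presented for Principal %q: %v", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal, err)`. Warn rather than Error also matches the other "Permission Denied" lines in this commit (L24, L65) and keeps a condition that any unauthenticated client can trigger out of the error log. The comment at L57 misspells "certificate". publicKeyHandler continues past the end of this hunk.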
@@ -186,6 +191,10 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))
if err != nil {
+ if models.IsErrKeyNotExist(err) {
+ log.Warn("Permission Denied: Unknown public key : %s", gossh.FingerprintSHA256(key))
+ return false
+ }
log.Error("SearchPublicKeyByContent: %v Failed authentication attempt from %s", err, ctx.RemoteAddr())
return false
}