author | zeripath <art27@cantab.net> | 2020-12-15 08:45:13 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-15 08:45:13 +0000 |
commit | 980b0df8296cdec3692482c3efdbfa68036a1114 (patch) | |
tree | e806230b9400b4fd697f221cbf4e3297830f7370 /modules/ssh | |
parent | f547b273478bf3f29ef51cc3f0ed55a11014f545 (diff) | |
Standardise logging of failed authentication attempts in internal SSH (#13962)
Continuing on from #13953, further improve and standardise
logging from internal SSH.
Also updates the fail2ban setup
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules/ssh')
-rw-r--r-- | modules/ssh/ssh.go | 50 |
1 files changed, 43 insertions, 7 deletions
diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go
index e8ed9029ce..4ba52d5653 100644
--- a/modules/ssh/ssh.go
+++ b/modules/ssh/ssh.go
@@ -134,14 +134,25 @@ func sessionHandler(session ssh.Session) {
 }
 
 func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
+ if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
+ log.Debug("Handle Public Key: Fingerprint: %s from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())
+ }
+
 if ctx.User() != setting.SSH.BuiltinServerUser {
- log.Warn("Permission Denied: Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
+ log.Warn("Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
+ log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
 return false
 }
 
 // check if we have a certificate
 if cert, ok := key.(*gossh.Certificate); ok {
+ if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
+ log.Debug("Handle Certificate: %s Fingerprint: %s is a certificate", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
+ }
+
 if len(setting.SSH.TrustedUserCAKeys) == 0 {
+ log.Warn("Certificate Rejected: No trusted certificate authorities for this server")
+ log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
 return false
 }
 
@@ -151,7 +162,7 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
 pkey, err := models.SearchPublicKeyByContentExact(principal)
 if err != nil {
 if models.IsErrKeyNotExist(err) {
- log.Debug("Principal Rejected: Unknown Principal: %s", principal)
+ log.Debug("Principal Rejected: %s Unknown Principal: %s", ctx.RemoteAddr(), principal)
 continue principalLoop
 }
 log.Error("SearchPublicKeyByContentExact: %v", err)
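Review bot: On the username branch of the first hunk, `ctx.User()` is a client-chosen string that is now written into the warning with `%s`, so a username containing a newline can produce a log line that looks like the `Failed authentication attempt from %s` marker this commit standardises for the fail2ban filter, with an address of the client's choosing; the `%s`/`%v` verbs already used here suggest fmt-style formatting, in which case `%q` quotes and escapes the value: `log.Warn("Invalid SSH username %q - must use %q for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)`. The same consideration applies to `principal` in the second hunk, since certificate principals are also supplied by the presenter: `log.Debug("Principal Rejected: %s Unknown Principal: %q", ctx.RemoteAddr(), principal)`, and to the principal lines of the third hunk. Whatever verb is chosen, the fail2ban regex is more robust if anchored to the start of the message text rather than matched anywhere in the line. `publicKeyHandler` begins in the first hunk and continues past the end of both hunks.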
@@ -172,33 +183,58 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
 // check the CA of the cert
 if !c.IsUserAuthority(cert.SignatureKey) {
- log.Debug("Principal Rejected: Untrusted Authority Signature Fingerprint %s for Principal: %s", gossh.FingerprintSHA256(cert.SignatureKey), principal)
+ if log.IsDebug() {
+ log.Debug("Principal Rejected: %s Untrusted Authority Signature Fingerprint %s for Principal: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(cert.SignatureKey), principal)
+ }
 continue principalLoop
 }
 
 // validate the cert for this principal
 if err := c.CheckCert(principal, cert); err != nil {
- // User is presenting an invalid cerficate - STOP any further processing
- log.Error("Permission Denied: Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal)
+ // User is presenting an invalid certificate - STOP any further processing
+ if log.IsError() {
+ log.Error("Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s from %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal, ctx.RemoteAddr())
+ }
+ log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+
 return false
 }
 
+ if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
+ log.Debug("Successfully authenticated: %s Certificate Fingerprint: %s Principal: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(key), principal)
+ }
 ctx.SetValue(giteaKeyID, pkey.ID)
 return true
 }
+
+ if log.IsWarn() {
+ log.Warn("From %s Fingerprint: %s is a certificate, but no valid principals found", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
+ log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+ }
+
 return false
+
 }
+
+ if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
+ log.Debug("Handle Public Key: %s Fingerprint: %s is not a certificate", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
+ }
 
 pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))
 if err != nil {
 if models.IsErrKeyNotExist(err) {
- log.Warn("Permission Denied: Unknown public key : %s", gossh.FingerprintSHA256(key))
+ if log.IsWarn() {
+ log.Warn("Unknown public key: %s from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())
+ log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+ }
 return false
 }
- log.Error("SearchPublicKeyByContent: %v Failed authentication attempt from %s", err, ctx.RemoteAddr())
+ log.Error("SearchPublicKeyByContent: %v", err)
 return false
 }
+ if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if necessary
+ log.Debug("Successfully authenticated: %s Public Key Fingerprint: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
+ }
 ctx.SetValue(giteaKeyID, pkey.ID)
 return true |