From 12403bdfb098d8118df734275c302c8c5de20ee4 Mon Sep 17 00:00:00 2001
From: Gibheer
Date: Tue, 16 Feb 2016 23:01:56 +0100
Subject: allow native and ssh-keygen public key check

This commit adds the possibibility to use either the native golang libraries or ssh-keygen to check public keys. The check is adjusted depending on the settings, so that only supported keys are let through. This commit also brings back the blacklist feature, which was removed in 7ef9a055886574655d9f2be70c957bc16bf30500. This allows to blacklist algorythms or keys based on the key length. This works with the native and the ssh-keygen way. Because of #2179 it also includes a way to adjust the path to ssh-keygen and the working directory for ssh-keygen. With this, sysadmins should be able to adjust the settings in a way, that SELinux is okay with it. In the worst case, they can switch to the native implementation and only loose support for ed25519 keys at the moment. There are some other places which need adjustment to utilize the parameters and the native implementation, but this sets the ground work.
---
 modules/setting/setting.go | 45 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 42 insertions(+), 3 deletions(-)
(limited to 'modules')

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index d82f16dbc2..e667ee7433 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -30,9 +30,11 @@ import (
 type Scheme string
 
 const (
-	HTTP Scheme = "http"
-	HTTPS Scheme = "https"
-	FCGI Scheme = "fcgi"
+	HTTP Scheme = "http"
+	HTTPS Scheme = "https"
+	FCGI Scheme = "fcgi"
+	SSH_PUBLICKEY_CHECK_NATIVE = "native"
+	SSH_PUBLICKEY_CHECK_KEYGEN = "ssh-keygen"
 )
 
 type LandingPage string
@@ -66,6 +68,9 @@ var (
 	SSHDomain string
 	SSHPort int
 	SSHRootPath string
+	SSHPublicKeyCheck string
+	SSHWorkPath string
+	SSHKeyGenPath string
 	OfflineMode bool
 	DisableRouterLog bool
 	CertFile, KeyFile string
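Review bot: The exported names added in both hunks — the two `SSH_PUBLICKEY_CHECK_*` constants and the `SSHPublicKeyCheck`, `SSHWorkPath` and `SSHKeyGenPath` settings — carry no doc comment, so nothing at the declaration says which one is a mode selector and which are paths. I would add `// SSHPublicKeyCheck selects how uploaded public keys are validated: SSH_PUBLICKEY_CHECK_NATIVE (Go libraries) or SSH_PUBLICKEY_CHECK_KEYGEN (external ssh-keygen).`, `// SSHWorkPath is the working directory used when ssh-keygen is invoked.` and `// SSHKeyGenPath is the ssh-keygen binary to run; resolved with exec.LookPath when left empty in ssh-keygen mode.` next to the three vars, plus a one-line comment on each constant. The constants also use underscore names, where the neighbouring `HTTP`/`HTTPS`/`FCGI` style would be `SSHPublicKeyCheckNative`/`SSHPublicKeyCheckKeygen`; that is a matter of the project's convention rather than a defect.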
@@ -328,6 +333,29 @@ func NewContext() {
 	if err := os.MkdirAll(SSHRootPath, 0700); err != nil {
 		log.Fatal(4, "Fail to create '%s': %v", SSHRootPath, err)
 	}
+	checkDefault := SSH_PUBLICKEY_CHECK_KEYGEN
+	if DisableSSH {
+		checkDefault = SSH_PUBLICKEY_CHECK_NATIVE
+	}
+	SSHPublicKeyCheck = sec.Key("SSH_PUBLICKEY_CHECK").MustString(checkDefault)
+	if SSHPublicKeyCheck != SSH_PUBLICKEY_CHECK_NATIVE &&
+		SSHPublicKeyCheck != SSH_PUBLICKEY_CHECK_KEYGEN {
+		log.Fatal(4, "SSH_PUBLICKEY_CHECK must be ssh-keygen or native")
+	}
+	SSHWorkPath = sec.Key("SSH_WORK_PATH").MustString(os.TempDir())
+	if !DisableSSH && (!StartSSHServer || SSHPublicKeyCheck == SSH_PUBLICKEY_CHECK_KEYGEN) {
+		if tmpDirStat, err := os.Stat(SSHWorkPath); err != nil || !tmpDirStat.IsDir() {
+			log.Fatal(4, "directory '%s' set in SSHWorkPath is not a directory: %s", SSHWorkPath, err)
+		}
+	}
+	SSHKeyGenPath = sec.Key("SSH_KEYGEN_PATH").MustString("")
+	if !DisableSSH && !StartSSHServer &&
+		SSHKeyGenPath == "" && SSHPublicKeyCheck == SSH_PUBLICKEY_CHECK_KEYGEN {
+		SSHKeyGenPath, err = exec.LookPath("ssh-keygen")
+		if err != nil {
+			log.Fatal(4, "could not find ssh-keygen, maybe set DISABLE_SSH to use the internal ssh server")
+		}
+	}
 	OfflineMode = sec.Key("OFFLINE_MODE").MustBool()
 	DisableRouterLog = sec.Key("DISABLE_ROUTER_LOG").MustBool()
 	StaticRootPath = sec.Key("STATIC_ROOT_PATH").MustString(workDir)
@@ -459,6 +487,8 @@ var Service struct {
 	EnableReverseProxyAuth bool
 	EnableReverseProxyAutoRegister bool
 	EnableCaptcha bool
+	EnableMinimumKeySizeCheck bool
+	MinimumKeySizes map[string]int
 }
 
 func newService() {
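Review bot: In the NewContext hunk the `exec.LookPath("ssh-keygen")` fallback is guarded by `!StartSSHServer`, while the `SSHWorkPath` check just above runs whenever the ssh-keygen mode is selected, so a setup running the internal SSH server with `SSH_PUBLICKEY_CHECK` set to `ssh-keygen` passes startup with an empty `SSHKeyGenPath`; the third patch in this series only changes the default mode and leaves that gap. Making the guard mirror the work-path condition closes it: `if !DisableSSH && SSHKeyGenPath == "" && SSHPublicKeyCheck == SSH_PUBLICKEY_CHECK_KEYGEN {`. The `os.TempDir()` default for `SSHWorkPath` is a shared, usually world-writable location and the check only confirms it is a directory; since uploaded key material is handed to ssh-keygen there, a dedicated directory created under `SSHRootPath` with the same 0700 mode used a few lines above (or at least a check of owner and mode on the configured path) is the safer default. Two smaller points: the fatal message after LookPath tells the admin to set `DISABLE_SSH`, which turns SSH off entirely, whereas the guard actually tests `StartSSHServer`, and the not-a-directory message formats `err` with `%s` in a branch where `err` can be nil. NewContext begins before the hunk, and the `err` assigned by LookPath is declared outside it.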
@@ -471,6 +501,15 @@ func newService() {
 	Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
 	Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
 	Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool()
+	Service.EnableMinimumKeySizeCheck = sec.Key("ENABLE_MINIMUM_KEY_SIZE_CHECK").MustBool()
+	Service.MinimumKeySizes = map[string]int{}
+
+	minimumKeySizes := Cfg.Section("service.minimum_key_sizes").Keys()
+	for _, key := range minimumKeySizes {
+		if key.MustInt() != -1 {
+			Service.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
+		}
+	}
 }
 
 var logLevels = map[string]string{
-- cgit v1.2.3

From e3570ae45dc8e9f53ec5c0d3a6d5b29fb7574bdd Mon Sep 17 00:00:00 2001
From: Gibheer
Date: Tue, 23 Feb 2016 15:41:44 +0100
Subject: seperate ssh constants from schema constants

The contants were placed in the same section as the scheme ones, which may lead to confusion.
---
 modules/setting/setting.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'modules')

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index e667ee7433..25b9d8590e 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -27,14 +27,17 @@ import (
 	"github.com/gogits/gogs/modules/user"
 )
 
+const (
+	SSH_PUBLICKEY_CHECK_NATIVE = "native"
+	SSH_PUBLICKEY_CHECK_KEYGEN = "ssh-keygen"
+)
+
 type Scheme string
 
 const (
-	HTTP Scheme = "http"
-	HTTPS Scheme = "https"
-	FCGI Scheme = "fcgi"
-	SSH_PUBLICKEY_CHECK_NATIVE = "native"
-	SSH_PUBLICKEY_CHECK_KEYGEN = "ssh-keygen"
+	HTTP Scheme = "http"
+	HTTPS Scheme = "https"
+	FCGI Scheme = "fcgi"
 )
 
 type LandingPage string
-- cgit v1.2.3

From e721c5cf86c4d693a84bcf48d3a8a531efd24aaf Mon Sep 17 00:00:00 2001
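Review bot: In the newService hunk the minimum-key-size loop relies on `key.MustInt()`, which yields 0 for a value that does not parse as an integer (no default is supplied), so a typo in the `service.minimum_key_sizes` section silently registers a minimum of 0 for that algorithm and the size check then accepts any key of that type; for a setting whose whole purpose is to reject weak keys, a malformed entry should stop startup the way the other checks in this file do. The value is also parsed twice per key. If the key type is go-ini's, as the `MustString`/`MustBool` calls suggest, its `Int()` returns the parse error and the loop can fail fast on it, as in the rewrite below. newService begins before the hunk.
```go
	for _, key := range Cfg.Section("service.minimum_key_sizes").Keys() {
		size, err := key.Int()
		if err != nil {
			log.Fatal(4, "service.minimum_key_sizes: '%s' is not an integer: %v", key.Name(), err)
		}
		// -1 switches the check off for this algorithm, as in the original loop
		if size != -1 {
			Service.MinimumKeySizes[strings.ToLower(key.Name())] = size
		}
	}
```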
From: Gibheer
Date: Tue, 23 Feb 2016 15:43:52 +0100
Subject: use StartSSHServer instead of DisableSSH

DisableSSH doesn't check the kind of ssh server to use, so that was wrong. Use StartSSHServer instead.
---
 modules/setting/setting.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'modules')

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 25b9d8590e..f3d4349be9 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -337,7 +337,7 @@ func NewContext() {
 		log.Fatal(4, "Fail to create '%s': %v", SSHRootPath, err)
 	}
 	checkDefault := SSH_PUBLICKEY_CHECK_KEYGEN
-	if DisableSSH {
+	if StartSSHServer {
 		checkDefault = SSH_PUBLICKEY_CHECK_NATIVE
 	}
 	SSHPublicKeyCheck = sec.Key("SSH_PUBLICKEY_CHECK").MustString(checkDefault)
-- cgit v1.2.3