mirrors
/
gitea
spegling av https://github.com/go-gitea/gitea.git
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Släpp 211 Wiki Aktiviteter
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
10275 Incheckningar
17 Grenar
Träd: 9066d09c57
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från '9066d09c57'
${ noResults }
gitea/modules/ssh/ssh.go

ssh.go 6.1KB
Blame Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package ssh

  6. 

  7. import (

  8. 	"bytes"

  9. 	"crypto/rand"

  10. 	"crypto/rsa"

  11. 	"crypto/x509"

  12. 	"encoding/pem"

  13. 	"fmt"

  14. 	"io"

  15. 	"os"

  16. 	"os/exec"

  17. 	"path/filepath"

  18. 	"strings"

  19. 	"sync"

  20. 	"syscall"

  21. 

  22. 	"code.gitea.io/gitea/models"

  23. 	"code.gitea.io/gitea/modules/log"

  24. 	"code.gitea.io/gitea/modules/setting"

  25. 

  26. 	"github.com/gliderlabs/ssh"

  27. 	"github.com/unknwon/com"

  28. 	gossh "golang.org/x/crypto/ssh"

  29. )

  30. 

  31. type contextKey string

  32. 

  33. const giteaKeyID = contextKey("gitea-key-id")

  34. 

  35. func getExitStatusFromError(err error) int {

  36. 	if err == nil {

  37. 		return 0

  38. 	}

  39. 

  40. 	exitErr, ok := err.(*exec.ExitError)

  41. 	if !ok {

  42. 		return 1

  43. 	}

  44. 

  45. 	waitStatus, ok := exitErr.Sys().(syscall.WaitStatus)

  46. 	if !ok {

  47. 		// This is a fallback and should at least let us return something useful

  48. 		// when running on Windows, even if it isn't completely accurate.

  49. 		if exitErr.Success() {

  50. 			return 0

  51. 		}

  52. 

  53. 		return 1

  54. 	}

  55. 

  56. 	return waitStatus.ExitStatus()

  57. }

  58. 

  59. func sessionHandler(session ssh.Session) {

  60. 	keyID := session.Context().Value(giteaKeyID).(int64)

  61. 

  62. 	command := session.RawCommand()

  63. 

  64. 	log.Trace("SSH: Payload: %v", command)

  65. 

  66. 	args := []string{"serv", "key-" + com.ToStr(keyID), "--config=" + setting.CustomConf}

  67. 	log.Trace("SSH: Arguments: %v", args)

  68. 	cmd := exec.Command(setting.AppPath, args...)

  69. 	cmd.Env = append(

  70. 		os.Environ(),

  71. 		"SSH_ORIGINAL_COMMAND="+command,

  72. 		"SKIP_MINWINSVC=1",

  73. 	)

  74. 

  75. 	stdout, err := cmd.StdoutPipe()

  76. 	if err != nil {

  77. 		log.Error("SSH: StdoutPipe: %v", err)

  78. 		return

  79. 	}

  80. 	stderr, err := cmd.StderrPipe()

  81. 	if err != nil {

  82. 		log.Error("SSH: StderrPipe: %v", err)

  83. 		return

  84. 	}

  85. 	stdin, err := cmd.StdinPipe()

  86. 	if err != nil {

  87. 		log.Error("SSH: StdinPipe: %v", err)

  88. 		return

  89. 	}

  90. 

  91. 	wg := &sync.WaitGroup{}

  92. 	wg.Add(2)

  93. 

  94. 	if err = cmd.Start(); err != nil {

  95. 		log.Error("SSH: Start: %v", err)

  96. 		return

  97. 	}

  98. 

  99. 	go func() {

  100. 		defer stdin.Close()

  101. 		if _, err := io.Copy(stdin, session); err != nil {

  102. 			log.Error("Failed to write session to stdin. %s", err)

  103. 		}

  104. 	}()

  105. 

  106. 	go func() {

  107. 		defer wg.Done()

  108. 		if _, err := io.Copy(session, stdout); err != nil {

  109. 			log.Error("Failed to write stdout to session. %s", err)

  110. 		}

  111. 	}()

  112. 

  113. 	go func() {

  114. 		defer wg.Done()

  115. 		if _, err := io.Copy(session.Stderr(), stderr); err != nil {

  116. 			log.Error("Failed to write stderr to session. %s", err)

  117. 		}

  118. 	}()

  119. 

  120. 	// Ensure all the output has been written before we wait on the command

  121. 	// to exit.

  122. 	wg.Wait()

  123. 

  124. 	// Wait for the command to exit and log any errors we get

  125. 	err = cmd.Wait()

  126. 	if err != nil {

  127. 		log.Error("SSH: Wait: %v", err)

  128. 	}

  129. 

  130. 	if err := session.Exit(getExitStatusFromError(err)); err != nil {

  131. 		log.Error("Session failed to exit. %s", err)

  132. 	}

  133. }

  134. 

  135. func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {

  136. 	if ctx.User() != setting.SSH.BuiltinServerUser {

  137. 		return false

  138. 	}

  139. 

  140. 	// check if we have a certificate

  141. 	if cert, ok := key.(*gossh.Certificate); ok {

  142. 		if len(setting.SSH.TrustedUserCAKeys) == 0 {

  143. 			return false

  144. 		}

  145. 

  146. 		// look for the exact principal

  147. 		for _, principal := range cert.ValidPrincipals {

  148. 			pkey, err := models.SearchPublicKeyByContentExact(principal)

  149. 			if err != nil {

  150. 				log.Error("SearchPublicKeyByContentExact: %v", err)

  151. 				return false

  152. 			}

  153. 

  154. 			if models.IsErrKeyNotExist(err) {

  155. 				continue

  156. 			}

  157. 

  158. 			c := &gossh.CertChecker{

  159. 				IsUserAuthority: func(auth gossh.PublicKey) bool {

  160. 					for _, k := range setting.SSH.TrustedUserCAKeysParsed {

  161. 						if bytes.Equal(auth.Marshal(), k.Marshal()) {

  162. 							return true

  163. 						}

  164. 					}

  165. 

  166. 					return false

  167. 				},

  168. 			}

  169. 

  170. 			// check the CA of the cert

  171. 			if !c.IsUserAuthority(cert.SignatureKey) {

  172. 				return false

  173. 			}

  174. 

  175. 			// validate the cert for this principal

  176. 			if err := c.CheckCert(principal, cert); err != nil {

  177. 				return false

  178. 			}

  179. 

  180. 			ctx.SetValue(giteaKeyID, pkey.ID)

  181. 

  182. 			return true

  183. 		}

  184. 	}

  185. 

  186. 	pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))

  187. 	if err != nil {

  188. 		log.Error("SearchPublicKeyByContent: %v", err)

  189. 		return false

  190. 	}

  191. 

  192. 	ctx.SetValue(giteaKeyID, pkey.ID)

  193. 

  194. 	return true

  195. }

  196. 

  197. // Listen starts a SSH server listens on given port.

  198. func Listen(host string, port int, ciphers []string, keyExchanges []string, macs []string) {

  199. 	// TODO: Handle ciphers, keyExchanges, and macs

  200. 

  201. 	srv := ssh.Server{

  202. 		Addr:             fmt.Sprintf("%s:%d", host, port),

  203. 		PublicKeyHandler: publicKeyHandler,

  204. 		Handler:          sessionHandler,

  205. 

  206. 		// We need to explicitly disable the PtyCallback so text displays

  207. 		// properly.

  208. 		PtyCallback: func(ctx ssh.Context, pty ssh.Pty) bool {

  209. 			return false

  210. 		},

  211. 	}

  212. 

  213. 	keyPath := filepath.Join(setting.AppDataPath, "ssh/gogs.rsa")

  214. 	if !com.IsExist(keyPath) {

  215. 		filePath := filepath.Dir(keyPath)

  216. 

  217. 		if err := os.MkdirAll(filePath, os.ModePerm); err != nil {

  218. 			log.Error("Failed to create dir %s: %v", filePath, err)

  219. 		}

  220. 

  221. 		err := GenKeyPair(keyPath)

  222. 		if err != nil {

  223. 			log.Fatal("Failed to generate private key: %v", err)

  224. 		}

  225. 		log.Trace("New private key is generated: %s", keyPath)

  226. 	}

  227. 

  228. 	err := srv.SetOption(ssh.HostKeyFile(keyPath))

  229. 	if err != nil {

  230. 		log.Error("Failed to set Host Key. %s", err)

  231. 	}

  232. 

  233. 	go listen(&srv)

  234. 

  235. }

  236. 

  237. // GenKeyPair make a pair of public and private keys for SSH access.

  238. // Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file.

  239. // Private Key generated is PEM encoded

  240. func GenKeyPair(keyPath string) error {

  241. 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)

  242. 	if err != nil {

  243. 		return err

  244. 	}

  245. 

  246. 	privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}

  247. 	f, err := os.OpenFile(keyPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)

  248. 	if err != nil {

  249. 		return err

  250. 	}

  251. 	defer func() {

  252. 		if err = f.Close(); err != nil {

  253. 			log.Error("Close: %v", err)

  254. 		}

  255. 	}()

  256. 

  257. 	if err := pem.Encode(f, privateKeyPEM); err != nil {

  258. 		return err

  259. 	}

  260. 

  261. 	// generate public key

  262. 	pub, err := gossh.NewPublicKey(&privateKey.PublicKey)

  263. 	if err != nil {

  264. 		return err

  265. 	}

  266. 

  267. 	public := gossh.MarshalAuthorizedKey(pub)

  268. 	p, err := os.OpenFile(keyPath+".pub", os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)

  269. 	if err != nil {

  270. 		return err

  271. 	}

  272. 	defer func() {

  273. 		if err = p.Close(); err != nil {

  274. 			log.Error("Close: %v", err)

  275. 		}

  276. 	}()

  277. 	_, err = p.Write(public)

  278. 	return err

  279. }