git_clone/handy-sshd
1
0
Fork 0
mirror of https://github.com/nwtgck/handy-sshd.git synced 2025-06-08 15:13:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

add public key support

Browse source
This commit is contained in:
h5on1 2024-08-20 12:50:29 +08:00
parent 71493a7895
commit 8c71f5de34
1 changed files with 22 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
cmd/root.go
View file

@ -11,6 +11,7 @@ import (
"os" "os"
"strconv" "strconv"
"strings" "strings"
"bufio"
) )
type flagType struct { type flagType struct {
@ -21,6 +22,7 @@ type flagType struct {
sshUnixSocket string sshUnixSocket string
sshShell string sshShell string
sshUsers []string sshUsers []string
sshAuthKeys []string
allowTcpipForward bool allowTcpipForward bool
allowDirectTcpip bool allowDirectTcpip bool
@ -81,6 +83,7 @@ For example, specifying --allow-direct-tcpip and --allow-execute allows only the
rootCmd.PersistentFlags().StringVarP(&flag.sshShell, "shell", "", "", "Shell") rootCmd.PersistentFlags().StringVarP(&flag.sshShell, "shell", "", "", "Shell")
//rootCmd.PersistentFlags().StringVar(&flag.dnsServer, "dns-server", "", "DNS server (e.g. 1.1.1.1:53)") //rootCmd.PersistentFlags().StringVar(&flag.dnsServer, "dns-server", "", "DNS server (e.g. 1.1.1.1:53)")
rootCmd.PersistentFlags().StringArrayVarP(&flag.sshUsers, "user", "u", nil, `SSH user name (e.g. "john:mypass")`) rootCmd.PersistentFlags().StringArrayVarP(&flag.sshUsers, "user", "u", nil, `SSH user name (e.g. "john:mypass")`)
rootCmd.PersistentFlags().StringArrayVarP(&flag.sshAuthKeys, "keys", "k", nil, "SSH authorized keys")
// Permission flags // Permission flags
rootCmd.PersistentFlags().BoolVarP(&flag.allowTcpipForward, "allow-tcpip-forward", "", false, "client can use remote forwarding (ssh -R)") rootCmd.PersistentFlags().BoolVarP(&flag.allowTcpipForward, "allow-tcpip-forward", "", false, "client can use remote forwarding (ssh -R)")
@ -130,13 +133,28 @@ func rootRunEWithExtra(cmd *cobra.Command, args []string, flag *flagType, allPer
} }
sshUsers = append(sshUsers, sshUser{name: splits[0], password: splits[1]}) sshUsers = append(sshUsers, sshUser{name: splits[0], password: splits[1]})
} }
if len(sshUsers) == 0 {
return fmt.Errorf(`No user specified authorizedKeys := make(map[string]bool)
e.g. --user "john:mypass" for _, k := range flag.sshAuthKeys {
e.g. --user "john:"`) hand, err := os.Open(k)
if err != nil { continue }
scanner := bufio.NewScanner(hand)
for scanner.Scan() {
key := scanner.Text()
pub, _, _, _, err := ssh.ParseAuthorizedKey([]byte(key))
if err != nil { continue }
authorizedKeys[string(ssh.FingerprintSHA256(pub))] = true
} }
}
// (base: https://gist.github.com/jpillora/b480fde82bff51a06238) // (base: https://gist.github.com/jpillora/b480fde82bff51a06238)
sshConfig := &ssh.ServerConfig{ sshConfig := &ssh.ServerConfig{
PublicKeyCallback: func(metadata ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
if authorizedKeys[string(ssh.FingerprintSHA256(key))] {
return nil, nil
}
return nil, fmt.Errorf("public key rejected for %q", metadata.User())
},
//Define a function to run when a client attempts a password login //Define a function to run when a client attempts a password login
PasswordCallback: func(metadata ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) { PasswordCallback: func(metadata ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
for _, user := range sshUsers { for _, user := range sshUsers {