From 8c71f5de349d05b0f5025237cad3314902a01cbe Mon Sep 17 00:00:00 2001
From: h5on1
Date: Tue, 20 Aug 2024 12:50:29 +0800
Subject: [PATCH 1/2] add public key support

---
 cmd/root.go | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index 96c7afb..ad35051 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -11,6 +11,7 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"bufio"
 )
 
 type flagType struct {
@@ -21,6 +22,7 @@ type flagType struct {
 	sshUnixSocket string
 	sshShell string
 	sshUsers []string
+	sshAuthKeys []string
 	allowTcpipForward bool
 	allowDirectTcpip bool
@@ -81,6 +83,7 @@ For example, specifying --allow-direct-tcpip and --allow-execute allows only the
 	rootCmd.PersistentFlags().StringVarP(&flag.sshShell, "shell", "", "", "Shell")
 	//rootCmd.PersistentFlags().StringVar(&flag.dnsServer, "dns-server", "", "DNS server (e.g. 1.1.1.1:53)")
 	rootCmd.PersistentFlags().StringArrayVarP(&flag.sshUsers, "user", "u", nil, `SSH user name (e.g. "john:mypass")`)
+	rootCmd.PersistentFlags().StringArrayVarP(&flag.sshAuthKeys, "keys", "k", nil, "SSH authorized keys")
 	// Permission flags
 	rootCmd.PersistentFlags().BoolVarP(&flag.allowTcpipForward, "allow-tcpip-forward", "", false, "client can use remote forwarding (ssh -R)")
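Review bot: The new `"bufio"` import is appended after `"strings"`, which breaks the alphabetical order gofmt/goimports keep within an import group; the next formatting pass will move it, so it is cleaner to place it first in the group now (`"bufio"` before `"os"`). This is only a point of style and has no effect on behaviour.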
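Review bot: The help text of the new `--keys`/`-k` flag, "SSH authorized keys", does not say what the value is; the loading loop in the following hunk passes each value to `os.Open`, so the flag expects a path to an authorized_keys-format file, not a key literal, and is repeatable like `--user`. Suggest `"path to an authorized_keys file; every key in it may log in (repeatable)"` so operators do not paste a public key on the command line and get a silently empty key set. The `--user` help text on the line above uses an inline example (`e.g. "john:mypass"`); following that style with `e.g. ~/.ssh/authorized_keys` would keep the two flags consistent.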
@@ -130,13 +133,28 @@ func rootRunEWithExtra(cmd *cobra.Command, args []string, flag *flagType, allPer
 		}
 		sshUsers = append(sshUsers, sshUser{name: splits[0], password: splits[1]})
 	}
-	if len(sshUsers) == 0 {
-		return fmt.Errorf(`No user specified
-e.g. --user "john:mypass"
-e.g. --user "john:"`)
+
+	authorizedKeys := make(map[string]bool)
+	for _, k := range flag.sshAuthKeys {
+		hand, err := os.Open(k)
+		if err != nil { continue }
+		scanner := bufio.NewScanner(hand)
+		for scanner.Scan() {
+			key := scanner.Text()
+			pub, _, _, _, err := ssh.ParseAuthorizedKey([]byte(key))
+			if err != nil { continue }
+			authorizedKeys[string(ssh.FingerprintSHA256(pub))] = true
+		}
 	}
+ // (base: https://gist.github.com/jpillora/b480fde82bff51a06238)
 	sshConfig := &ssh.ServerConfig{
+		PublicKeyCallback: func(metadata ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+			if authorizedKeys[string(ssh.FingerprintSHA256(key))] {
+				return nil, nil
+			}
+			return nil, fmt.Errorf("public key rejected for %q", metadata.User())
+		},
 		//Define a function to run when a client attempts a password login
 		PasswordCallback: func(metadata ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
 			for _, user := range sshUsers {

From b738f048c57119fe311761b8bf6788b4b7f7ebc0 Mon Sep 17 00:00:00 2001
From: kaala
Date: Tue, 20 Aug 2024 12:59:25 +0800
Subject: [PATCH 2/2] Update release.yml

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 01cd3a0..6be54d1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,4 +22,4 @@ jobs:
           version: v1.19.2
           args: release --rm-dist
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
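Review bot: Every file handle returned by `os.Open(k)` in the new key-loading loop is never closed, `scanner.Err()` is never checked, and the `continue` on the open error hides a mistyped `--keys` path, so an unreadable or truncated authorized_keys file is silently treated as empty. Combined with the removed `len(sshUsers) == 0` check, a server started with a bad key path and no `--user` comes up with no working login and no diagnostic; it most likely still fails closed, since PublicKeyCallback rejects unknown keys and PasswordCallback has no users to match, but the tail of PasswordCallback is outside the hunk. Moving the file handling into a helper that defers `Close`, returns open and scan errors, and restoring the empty-credentials check covers all three; `ssh.FingerprintSHA256` already returns a string, so the `string(...)` wrappers in both the loader and the callback lookup can be dropped (`if authorizedKeys[ssh.FingerprintSHA256(key)] {`). Note also that an authorized key grants login for any `metadata.User()` value, which is reasonable for a single-shell server but deserves a comment on PublicKeyCallback such as `// keys are not bound to a user name: any listed key may log in as any user`. rootRunEWithExtra begins and ends outside the hunk.
```go
	authorizedKeys := make(map[string]bool)
	for _, path := range flag.sshAuthKeys {
		if err := loadAuthorizedKeys(path, authorizedKeys); err != nil {
			return fmt.Errorf("reading authorized keys %q: %w", path, err)
		}
	}
	if len(sshUsers) == 0 && len(authorizedKeys) == 0 {
		return fmt.Errorf(`No user or key specified
e.g. --user "john:mypass"
e.g. --keys /path/to/authorized_keys`)
	}
	// … unchanged: sshConfig with PublicKeyCallback and PasswordCallback …

// loadAuthorizedKeys (package level) records the SHA256 fingerprint of every
// parsable key in the authorized_keys file at path; comment, blank and
// malformed lines are skipped, open and read errors are returned.
func loadAuthorizedKeys(path string, keys map[string]bool) error {
	f, err := os.Open(path)
	if err != nil {
		return err
	}
	defer f.Close()
	scanner := bufio.NewScanner(f)
	for scanner.Scan() {
		pub, _, _, _, err := ssh.ParseAuthorizedKey(scanner.Bytes())
		if err != nil {
			continue // comments, blank lines and malformed entries
		}
		keys[ssh.FingerprintSHA256(pub)] = true
	}
	return scanner.Err()
}
```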
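Review bot: Replacing the personal access token with `secrets.GITHUB_TOKEN` is the least-privilege choice, but the job-scoped token can only create a release if the workflow grants it `contents: write`; repositories whose default token permissions are read-only will now fail at the `release` step. The `permissions:` block, if the workflow has one, is outside the hunk, so confirm it is present at workflow or job level (`permissions:` / `  contents: write`) before relying on this change.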