Skip to content

Report permissions denied in internal SSH #13953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Dec 11, 2020
Merged

Report permissions denied in internal SSH #13953

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
78e68af
Report permissions denied in internal SSH
zeripath Dec 11, 2020
ac00e72
Merge branch 'master' into properly-report-permission-denied-in-ssh
6543 Dec 11, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 14 additions & 5 deletions modules/ssh/ssh.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,7 @@ func sessionHandler(session ssh.Session) {

func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
if ctx.User() != setting.SSH.BuiltinServerUser {
log.Warn("Permission Denied: Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
return false
}

Expand All @@ -145,17 +146,18 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
}

// look for the exact principal
principalLoop:
for _, principal := range cert.ValidPrincipals {
pkey, err := models.SearchPublicKeyByContentExact(principal)
if err != nil {
if models.IsErrKeyNotExist(err) {
log.Debug("Principal Rejected: Unknown Principal: %s", principal)
continue principalLoop
}
log.Error("SearchPublicKeyByContentExact: %v", err)
return false
}

if models.IsErrKeyNotExist(err) {
continue
}

c := &gossh.CertChecker{
IsUserAuthority: func(auth gossh.PublicKey) bool {
for _, k := range setting.SSH.TrustedUserCAKeysParsed {
Expand All @@ -170,11 +172,14 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {

// check the CA of the cert
if !c.IsUserAuthority(cert.SignatureKey) {
return false
log.Debug("Principal Rejected: Untrusted Authority Signature Fingerprint %s for Principal: %s", gossh.FingerprintSHA256(cert.SignatureKey), principal)
continue principalLoop
}

// validate the cert for this principal
if err := c.CheckCert(principal, cert); err != nil {
// User is presenting an invalid cerficate - STOP any further processing
log.Error("Permission Denied: Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal)
return false
}

Expand All @@ -186,6 +191,10 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {

pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))
if err != nil {
if models.IsErrKeyNotExist(err) {
log.Warn("Permission Denied: Unknown public key : %s", gossh.FingerprintSHA256(key))
return false
}
log.Error("SearchPublicKeyByContent: %v Failed authentication attempt from %s", err, ctx.RemoteAddr())
return false
}
Expand Down