use CertChecker for public key auth

tls
fangdingjun 6 years ago
parent 911c955dd9
commit e821ce6ecb

@ -3,6 +3,7 @@ package main
import ( import (
"bytes" "bytes"
"crypto/tls" "crypto/tls"
"errors"
"flag" "flag"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
@ -69,21 +70,34 @@ func main() {
}, },
PublicKeyCallback: func(c ssh.ConnMetadata, k ssh.PublicKey) (*ssh.Permissions, error) { PublicKeyCallback: func(c ssh.ConnMetadata, k ssh.PublicKey) (*ssh.Permissions, error) {
checker := &ssh.CertChecker{
IsUserAuthority: func(k ssh.PublicKey) bool {
if u, err := conf.getUser(c.User()); err == nil { if u, err := conf.getUser(c.User()); err == nil {
for _, pk := range u.publicKeys { for _, pk := range u.publicKeys {
if k.Type() == pk.Type() && bytes.Compare(k.Marshal(), pk.Marshal()) == 0 { if k.Type() == pk.Type() &&
return nil, nil bytes.Compare(k.Marshal(), pk.Marshal()) == 0 {
return true
} }
} }
} }
return nil, fmt.Errorf("publickey reject for user %s", c.User()) return false
},
}
checker.UserKeyFallback = func(c1 ssh.ConnMetadata, k1 ssh.PublicKey) (*ssh.Permissions, error) {
log.Debug("user key fallback")
if checker.IsUserAuthority(k1) {
return nil, nil
}
return nil, errors.New("public not acceptable")
}
return checker.Authenticate(c, k)
}, },
// auth log // auth log
AuthLogCallback: func(c ssh.ConnMetadata, method string, err error) { AuthLogCallback: func(c ssh.ConnMetadata, method string, err error) {
if err != nil { if err != nil {
log.Errorf("%s", err.Error()) log.Debugf("%s", err.Error())
log.Errorf("%s auth failed for %s from %s", method, c.User(), c.RemoteAddr()) log.Debugf("%s auth failed for %s from %s", method, c.User(), c.RemoteAddr())
} else { } else {
log.Debugf("Accepted %s for user %s from %s", method, c.User(), c.RemoteAddr()) log.Debugf("Accepted %s for user %s from %s", method, c.User(), c.RemoteAddr())
} }
