mirror of
				https://github.com/k3s-io/kubernetes.git
				synced 2025-10-26 02:55:32 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			526 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			526 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright 2011 The Go Authors. All rights reserved.
 | |
| // Use of this source code is governed by a BSD-style
 | |
| // license that can be found in the LICENSE file.
 | |
| 
 | |
| package ssh
 | |
| 
 | |
| import (
 | |
| 	"bytes"
 | |
| 	"errors"
 | |
| 	"fmt"
 | |
| 	"io"
 | |
| )
 | |
| 
 | |
| type authResult int
 | |
| 
 | |
| const (
 | |
| 	authFailure authResult = iota
 | |
| 	authPartialSuccess
 | |
| 	authSuccess
 | |
| )
 | |
| 
 | |
| // clientAuthenticate authenticates with the remote server. See RFC 4252.
 | |
| func (c *connection) clientAuthenticate(config *ClientConfig) error {
 | |
| 	// initiate user auth session
 | |
| 	if err := c.transport.writePacket(Marshal(&serviceRequestMsg{serviceUserAuth})); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	packet, err := c.transport.readPacket()
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	var serviceAccept serviceAcceptMsg
 | |
| 	if err := Unmarshal(packet, &serviceAccept); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	// during the authentication phase the client first attempts the "none" method
 | |
| 	// then any untried methods suggested by the server.
 | |
| 	tried := make(map[string]bool)
 | |
| 	var lastMethods []string
 | |
| 
 | |
| 	sessionID := c.transport.getSessionID()
 | |
| 	for auth := AuthMethod(new(noneAuth)); auth != nil; {
 | |
| 		ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand)
 | |
| 		if err != nil {
 | |
| 			return err
 | |
| 		}
 | |
| 		if ok == authSuccess {
 | |
| 			// success
 | |
| 			return nil
 | |
| 		} else if ok == authFailure {
 | |
| 			tried[auth.method()] = true
 | |
| 		}
 | |
| 		if methods == nil {
 | |
| 			methods = lastMethods
 | |
| 		}
 | |
| 		lastMethods = methods
 | |
| 
 | |
| 		auth = nil
 | |
| 
 | |
| 	findNext:
 | |
| 		for _, a := range config.Auth {
 | |
| 			candidateMethod := a.method()
 | |
| 			if tried[candidateMethod] {
 | |
| 				continue
 | |
| 			}
 | |
| 			for _, meth := range methods {
 | |
| 				if meth == candidateMethod {
 | |
| 					auth = a
 | |
| 					break findNext
 | |
| 				}
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 	return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", keys(tried))
 | |
| }
 | |
| 
 | |
| func keys(m map[string]bool) []string {
 | |
| 	s := make([]string, 0, len(m))
 | |
| 
 | |
| 	for key := range m {
 | |
| 		s = append(s, key)
 | |
| 	}
 | |
| 	return s
 | |
| }
 | |
| 
 | |
| // An AuthMethod represents an instance of an RFC 4252 authentication method.
 | |
| type AuthMethod interface {
 | |
| 	// auth authenticates user over transport t.
 | |
| 	// Returns true if authentication is successful.
 | |
| 	// If authentication is not successful, a []string of alternative
 | |
| 	// method names is returned. If the slice is nil, it will be ignored
 | |
| 	// and the previous set of possible methods will be reused.
 | |
| 	auth(session []byte, user string, p packetConn, rand io.Reader) (authResult, []string, error)
 | |
| 
 | |
| 	// method returns the RFC 4252 method name.
 | |
| 	method() string
 | |
| }
 | |
| 
 | |
| // "none" authentication, RFC 4252 section 5.2.
 | |
| type noneAuth int
 | |
| 
 | |
| func (n *noneAuth) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
 | |
| 	if err := c.writePacket(Marshal(&userAuthRequestMsg{
 | |
| 		User:    user,
 | |
| 		Service: serviceSSH,
 | |
| 		Method:  "none",
 | |
| 	})); err != nil {
 | |
| 		return authFailure, nil, err
 | |
| 	}
 | |
| 
 | |
| 	return handleAuthResponse(c)
 | |
| }
 | |
| 
 | |
| func (n *noneAuth) method() string {
 | |
| 	return "none"
 | |
| }
 | |
| 
 | |
| // passwordCallback is an AuthMethod that fetches the password through
 | |
| // a function call, e.g. by prompting the user.
 | |
| type passwordCallback func() (password string, err error)
 | |
| 
 | |
| func (cb passwordCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
 | |
| 	type passwordAuthMsg struct {
 | |
| 		User     string `sshtype:"50"`
 | |
| 		Service  string
 | |
| 		Method   string
 | |
| 		Reply    bool
 | |
| 		Password string
 | |
| 	}
 | |
| 
 | |
| 	pw, err := cb()
 | |
| 	// REVIEW NOTE: is there a need to support skipping a password attempt?
 | |
| 	// The program may only find out that the user doesn't have a password
 | |
| 	// when prompting.
 | |
| 	if err != nil {
 | |
| 		return authFailure, nil, err
 | |
| 	}
 | |
| 
 | |
| 	if err := c.writePacket(Marshal(&passwordAuthMsg{
 | |
| 		User:     user,
 | |
| 		Service:  serviceSSH,
 | |
| 		Method:   cb.method(),
 | |
| 		Reply:    false,
 | |
| 		Password: pw,
 | |
| 	})); err != nil {
 | |
| 		return authFailure, nil, err
 | |
| 	}
 | |
| 
 | |
| 	return handleAuthResponse(c)
 | |
| }
 | |
| 
 | |
| func (cb passwordCallback) method() string {
 | |
| 	return "password"
 | |
| }
 | |
| 
 | |
| // Password returns an AuthMethod using the given password.
 | |
| func Password(secret string) AuthMethod {
 | |
| 	return passwordCallback(func() (string, error) { return secret, nil })
 | |
| }
 | |
| 
 | |
| // PasswordCallback returns an AuthMethod that uses a callback for
 | |
| // fetching a password.
 | |
| func PasswordCallback(prompt func() (secret string, err error)) AuthMethod {
 | |
| 	return passwordCallback(prompt)
 | |
| }
 | |
| 
 | |
| type publickeyAuthMsg struct {
 | |
| 	User    string `sshtype:"50"`
 | |
| 	Service string
 | |
| 	Method  string
 | |
| 	// HasSig indicates to the receiver packet that the auth request is signed and
 | |
| 	// should be used for authentication of the request.
 | |
| 	HasSig   bool
 | |
| 	Algoname string
 | |
| 	PubKey   []byte
 | |
| 	// Sig is tagged with "rest" so Marshal will exclude it during
 | |
| 	// validateKey
 | |
| 	Sig []byte `ssh:"rest"`
 | |
| }
 | |
| 
 | |
| // publicKeyCallback is an AuthMethod that uses a set of key
 | |
| // pairs for authentication.
 | |
| type publicKeyCallback func() ([]Signer, error)
 | |
| 
 | |
| func (cb publicKeyCallback) method() string {
 | |
| 	return "publickey"
 | |
| }
 | |
| 
 | |
| func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
 | |
| 	// Authentication is performed by sending an enquiry to test if a key is
 | |
| 	// acceptable to the remote. If the key is acceptable, the client will
 | |
| 	// attempt to authenticate with the valid key.  If not the client will repeat
 | |
| 	// the process with the remaining keys.
 | |
| 
 | |
| 	signers, err := cb()
 | |
| 	if err != nil {
 | |
| 		return authFailure, nil, err
 | |
| 	}
 | |
| 	var methods []string
 | |
| 	for _, signer := range signers {
 | |
| 		ok, err := validateKey(signer.PublicKey(), user, c)
 | |
| 		if err != nil {
 | |
| 			return authFailure, nil, err
 | |
| 		}
 | |
| 		if !ok {
 | |
| 			continue
 | |
| 		}
 | |
| 
 | |
| 		pub := signer.PublicKey()
 | |
| 		pubKey := pub.Marshal()
 | |
| 		sign, err := signer.Sign(rand, buildDataSignedForAuth(session, userAuthRequestMsg{
 | |
| 			User:    user,
 | |
| 			Service: serviceSSH,
 | |
| 			Method:  cb.method(),
 | |
| 		}, []byte(pub.Type()), pubKey))
 | |
| 		if err != nil {
 | |
| 			return authFailure, nil, err
 | |
| 		}
 | |
| 
 | |
| 		// manually wrap the serialized signature in a string
 | |
| 		s := Marshal(sign)
 | |
| 		sig := make([]byte, stringLength(len(s)))
 | |
| 		marshalString(sig, s)
 | |
| 		msg := publickeyAuthMsg{
 | |
| 			User:     user,
 | |
| 			Service:  serviceSSH,
 | |
| 			Method:   cb.method(),
 | |
| 			HasSig:   true,
 | |
| 			Algoname: pub.Type(),
 | |
| 			PubKey:   pubKey,
 | |
| 			Sig:      sig,
 | |
| 		}
 | |
| 		p := Marshal(&msg)
 | |
| 		if err := c.writePacket(p); err != nil {
 | |
| 			return authFailure, nil, err
 | |
| 		}
 | |
| 		var success authResult
 | |
| 		success, methods, err = handleAuthResponse(c)
 | |
| 		if err != nil {
 | |
| 			return authFailure, nil, err
 | |
| 		}
 | |
| 
 | |
| 		// If authentication succeeds or the list of available methods does not
 | |
| 		// contain the "publickey" method, do not attempt to authenticate with any
 | |
| 		// other keys.  According to RFC 4252 Section 7, the latter can occur when
 | |
| 		// additional authentication methods are required.
 | |
| 		if success == authSuccess || !containsMethod(methods, cb.method()) {
 | |
| 			return success, methods, err
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return authFailure, methods, nil
 | |
| }
 | |
| 
 | |
| func containsMethod(methods []string, method string) bool {
 | |
| 	for _, m := range methods {
 | |
| 		if m == method {
 | |
| 			return true
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return false
 | |
| }
 | |
| 
 | |
| // validateKey validates the key provided is acceptable to the server.
 | |
| func validateKey(key PublicKey, user string, c packetConn) (bool, error) {
 | |
| 	pubKey := key.Marshal()
 | |
| 	msg := publickeyAuthMsg{
 | |
| 		User:     user,
 | |
| 		Service:  serviceSSH,
 | |
| 		Method:   "publickey",
 | |
| 		HasSig:   false,
 | |
| 		Algoname: key.Type(),
 | |
| 		PubKey:   pubKey,
 | |
| 	}
 | |
| 	if err := c.writePacket(Marshal(&msg)); err != nil {
 | |
| 		return false, err
 | |
| 	}
 | |
| 
 | |
| 	return confirmKeyAck(key, c)
 | |
| }
 | |
| 
 | |
| func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
 | |
| 	pubKey := key.Marshal()
 | |
| 	algoname := key.Type()
 | |
| 
 | |
| 	for {
 | |
| 		packet, err := c.readPacket()
 | |
| 		if err != nil {
 | |
| 			return false, err
 | |
| 		}
 | |
| 		switch packet[0] {
 | |
| 		case msgUserAuthBanner:
 | |
| 			if err := handleBannerResponse(c, packet); err != nil {
 | |
| 				return false, err
 | |
| 			}
 | |
| 		case msgUserAuthPubKeyOk:
 | |
| 			var msg userAuthPubKeyOkMsg
 | |
| 			if err := Unmarshal(packet, &msg); err != nil {
 | |
| 				return false, err
 | |
| 			}
 | |
| 			if msg.Algo != algoname || !bytes.Equal(msg.PubKey, pubKey) {
 | |
| 				return false, nil
 | |
| 			}
 | |
| 			return true, nil
 | |
| 		case msgUserAuthFailure:
 | |
| 			return false, nil
 | |
| 		default:
 | |
| 			return false, unexpectedMessageError(msgUserAuthSuccess, packet[0])
 | |
| 		}
 | |
| 	}
 | |
| }
 | |
| 
 | |
| // PublicKeys returns an AuthMethod that uses the given key
 | |
| // pairs.
 | |
| func PublicKeys(signers ...Signer) AuthMethod {
 | |
| 	return publicKeyCallback(func() ([]Signer, error) { return signers, nil })
 | |
| }
 | |
| 
 | |
| // PublicKeysCallback returns an AuthMethod that runs the given
 | |
| // function to obtain a list of key pairs.
 | |
| func PublicKeysCallback(getSigners func() (signers []Signer, err error)) AuthMethod {
 | |
| 	return publicKeyCallback(getSigners)
 | |
| }
 | |
| 
 | |
| // handleAuthResponse returns whether the preceding authentication request succeeded
 | |
| // along with a list of remaining authentication methods to try next and
 | |
| // an error if an unexpected response was received.
 | |
| func handleAuthResponse(c packetConn) (authResult, []string, error) {
 | |
| 	for {
 | |
| 		packet, err := c.readPacket()
 | |
| 		if err != nil {
 | |
| 			return authFailure, nil, err
 | |
| 		}
 | |
| 
 | |
| 		switch packet[0] {
 | |
| 		case msgUserAuthBanner:
 | |
| 			if err := handleBannerResponse(c, packet); err != nil {
 | |
| 				return authFailure, nil, err
 | |
| 			}
 | |
| 		case msgUserAuthFailure:
 | |
| 			var msg userAuthFailureMsg
 | |
| 			if err := Unmarshal(packet, &msg); err != nil {
 | |
| 				return authFailure, nil, err
 | |
| 			}
 | |
| 			if msg.PartialSuccess {
 | |
| 				return authPartialSuccess, msg.Methods, nil
 | |
| 			}
 | |
| 			return authFailure, msg.Methods, nil
 | |
| 		case msgUserAuthSuccess:
 | |
| 			return authSuccess, nil, nil
 | |
| 		default:
 | |
| 			return authFailure, nil, unexpectedMessageError(msgUserAuthSuccess, packet[0])
 | |
| 		}
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func handleBannerResponse(c packetConn, packet []byte) error {
 | |
| 	var msg userAuthBannerMsg
 | |
| 	if err := Unmarshal(packet, &msg); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	transport, ok := c.(*handshakeTransport)
 | |
| 	if !ok {
 | |
| 		return nil
 | |
| 	}
 | |
| 
 | |
| 	if transport.bannerCallback != nil {
 | |
| 		return transport.bannerCallback(msg.Message)
 | |
| 	}
 | |
| 
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // KeyboardInteractiveChallenge should print questions, optionally
 | |
| // disabling echoing (e.g. for passwords), and return all the answers.
 | |
| // Challenge may be called multiple times in a single session. After
 | |
| // successful authentication, the server may send a challenge with no
 | |
| // questions, for which the user and instruction messages should be
 | |
| // printed.  RFC 4256 section 3.3 details how the UI should behave for
 | |
| // both CLI and GUI environments.
 | |
| type KeyboardInteractiveChallenge func(user, instruction string, questions []string, echos []bool) (answers []string, err error)
 | |
| 
 | |
| // KeyboardInteractive returns an AuthMethod using a prompt/response
 | |
| // sequence controlled by the server.
 | |
| func KeyboardInteractive(challenge KeyboardInteractiveChallenge) AuthMethod {
 | |
| 	return challenge
 | |
| }
 | |
| 
 | |
| func (cb KeyboardInteractiveChallenge) method() string {
 | |
| 	return "keyboard-interactive"
 | |
| }
 | |
| 
 | |
| func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
 | |
| 	type initiateMsg struct {
 | |
| 		User       string `sshtype:"50"`
 | |
| 		Service    string
 | |
| 		Method     string
 | |
| 		Language   string
 | |
| 		Submethods string
 | |
| 	}
 | |
| 
 | |
| 	if err := c.writePacket(Marshal(&initiateMsg{
 | |
| 		User:    user,
 | |
| 		Service: serviceSSH,
 | |
| 		Method:  "keyboard-interactive",
 | |
| 	})); err != nil {
 | |
| 		return authFailure, nil, err
 | |
| 	}
 | |
| 
 | |
| 	for {
 | |
| 		packet, err := c.readPacket()
 | |
| 		if err != nil {
 | |
| 			return authFailure, nil, err
 | |
| 		}
 | |
| 
 | |
| 		// like handleAuthResponse, but with less options.
 | |
| 		switch packet[0] {
 | |
| 		case msgUserAuthBanner:
 | |
| 			if err := handleBannerResponse(c, packet); err != nil {
 | |
| 				return authFailure, nil, err
 | |
| 			}
 | |
| 			continue
 | |
| 		case msgUserAuthInfoRequest:
 | |
| 			// OK
 | |
| 		case msgUserAuthFailure:
 | |
| 			var msg userAuthFailureMsg
 | |
| 			if err := Unmarshal(packet, &msg); err != nil {
 | |
| 				return authFailure, nil, err
 | |
| 			}
 | |
| 			if msg.PartialSuccess {
 | |
| 				return authPartialSuccess, msg.Methods, nil
 | |
| 			}
 | |
| 			return authFailure, msg.Methods, nil
 | |
| 		case msgUserAuthSuccess:
 | |
| 			return authSuccess, nil, nil
 | |
| 		default:
 | |
| 			return authFailure, nil, unexpectedMessageError(msgUserAuthInfoRequest, packet[0])
 | |
| 		}
 | |
| 
 | |
| 		var msg userAuthInfoRequestMsg
 | |
| 		if err := Unmarshal(packet, &msg); err != nil {
 | |
| 			return authFailure, nil, err
 | |
| 		}
 | |
| 
 | |
| 		// Manually unpack the prompt/echo pairs.
 | |
| 		rest := msg.Prompts
 | |
| 		var prompts []string
 | |
| 		var echos []bool
 | |
| 		for i := 0; i < int(msg.NumPrompts); i++ {
 | |
| 			prompt, r, ok := parseString(rest)
 | |
| 			if !ok || len(r) == 0 {
 | |
| 				return authFailure, nil, errors.New("ssh: prompt format error")
 | |
| 			}
 | |
| 			prompts = append(prompts, string(prompt))
 | |
| 			echos = append(echos, r[0] != 0)
 | |
| 			rest = r[1:]
 | |
| 		}
 | |
| 
 | |
| 		if len(rest) != 0 {
 | |
| 			return authFailure, nil, errors.New("ssh: extra data following keyboard-interactive pairs")
 | |
| 		}
 | |
| 
 | |
| 		answers, err := cb(msg.User, msg.Instruction, prompts, echos)
 | |
| 		if err != nil {
 | |
| 			return authFailure, nil, err
 | |
| 		}
 | |
| 
 | |
| 		if len(answers) != len(prompts) {
 | |
| 			return authFailure, nil, errors.New("ssh: not enough answers from keyboard-interactive callback")
 | |
| 		}
 | |
| 		responseLength := 1 + 4
 | |
| 		for _, a := range answers {
 | |
| 			responseLength += stringLength(len(a))
 | |
| 		}
 | |
| 		serialized := make([]byte, responseLength)
 | |
| 		p := serialized
 | |
| 		p[0] = msgUserAuthInfoResponse
 | |
| 		p = p[1:]
 | |
| 		p = marshalUint32(p, uint32(len(answers)))
 | |
| 		for _, a := range answers {
 | |
| 			p = marshalString(p, []byte(a))
 | |
| 		}
 | |
| 
 | |
| 		if err := c.writePacket(serialized); err != nil {
 | |
| 			return authFailure, nil, err
 | |
| 		}
 | |
| 	}
 | |
| }
 | |
| 
 | |
| type retryableAuthMethod struct {
 | |
| 	authMethod AuthMethod
 | |
| 	maxTries   int
 | |
| }
 | |
| 
 | |
| func (r *retryableAuthMethod) auth(session []byte, user string, c packetConn, rand io.Reader) (ok authResult, methods []string, err error) {
 | |
| 	for i := 0; r.maxTries <= 0 || i < r.maxTries; i++ {
 | |
| 		ok, methods, err = r.authMethod.auth(session, user, c, rand)
 | |
| 		if ok != authFailure || err != nil { // either success, partial success or error terminate
 | |
| 			return ok, methods, err
 | |
| 		}
 | |
| 	}
 | |
| 	return ok, methods, err
 | |
| }
 | |
| 
 | |
| func (r *retryableAuthMethod) method() string {
 | |
| 	return r.authMethod.method()
 | |
| }
 | |
| 
 | |
| // RetryableAuthMethod is a decorator for other auth methods enabling them to
 | |
| // be retried up to maxTries before considering that AuthMethod itself failed.
 | |
| // If maxTries is <= 0, will retry indefinitely
 | |
| //
 | |
| // This is useful for interactive clients using challenge/response type
 | |
| // authentication (e.g. Keyboard-Interactive, Password, etc) where the user
 | |
| // could mistype their response resulting in the server issuing a
 | |
| // SSH_MSG_USERAUTH_FAILURE (rfc4252 #8 [password] and rfc4256 #3.4
 | |
| // [keyboard-interactive]); Without this decorator, the non-retryable
 | |
| // AuthMethod would be removed from future consideration, and never tried again
 | |
| // (and so the user would never be able to retry their entry).
 | |
| func RetryableAuthMethod(auth AuthMethod, maxTries int) AuthMethod {
 | |
| 	return &retryableAuthMethod{authMethod: auth, maxTries: maxTries}
 | |
| }
 |