Diffstat (limited to 'bastion')
-rw-r--r--bastion/CMakeLists.txt2
-rw-r--r--bastion/bastion.conf.example.in25
-rw-r--r--bastion/client.c52
-rw-r--r--bastion/main.c3
-rw-r--r--bastion/proxy.c5
-rw-r--r--bastion/session.c12
-rw-r--r--bastion/state.c12
7 files changed, 53 insertions, 58 deletions
diff --git a/bastion/CMakeLists.txt b/bastion/CMakeLists.txt
index 298cfe7..9fd4212 100644
--- a/bastion/CMakeLists.txt
+++ b/bastion/CMakeLists.txt
@@ -7,7 +7,7 @@ target_link_libraries(bastion common)
if (${SESSION_RECORDING})
target_link_libraries(bastion libtty)
endif()
-target_link_libraries(bastion bz2 config lzma mysqlclient ssh z)
+target_link_libraries(bastion bz2 config lzma ssh z)
install(TARGETS bastion DESTINATION bin)
diff --git a/bastion/bastion.conf.example.in b/bastion/bastion.conf.example.in
new file mode 100644
index 0000000..34ac9b4
--- /dev/null
+++ b/bastion/bastion.conf.example.in
@@ -0,0 +1,25 @@
+port = 2222;
+
+keys:
+{
+ dsa = "@CMAKE_INSTALL_PREFIX@/etc/bastion/ssh_host_dsa_key";
+ rsa = "@CMAKE_INSTALL_PREFIX@/etc/bastion/ssh_host_rsa_key";
+ ecdsa = "@CMAKE_INSTALL_PREFIX@/etc/bastion/ssh_host_ecdsa_key";
+};
+
+session_recording:
+{
+ path = "@CMAKE_INSTALL_PREFIX@/var/log/bastion/$d/$h/$u/$i.gz"; # $d : date in iso format, $h : hostname, $u : username : $i session id
+};
+
+hostkeys = (
+ { name = "default", path = "id_rsa_default" }
+);
+
+users = (
+ { name = "julien", public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMdBAFjENiPMTtq90GT3+NZ68nfGxQiRExaYYnLzm1ecmulCvsuA4AOpeLY6f+FWe+ludiw7nhrXzssDdsKBy0QL+XQyvjjjW4X+k9MYhP1gAWXEOGJnjJ/1ovEsMt++6fLyNKLUTA46kErbEehDs22r+rIiEKatrn0BNrJcRI94H44oEL1/ImzVam0cSBL0tPiaJxe60sBs7M76zfyFtVdMGkeuBpS7ee+FLA58fsS3/sEZmkas8MT0QdvZz1y/66MknXYbIaqDSOUACXGF4yVKpogLRRJ1SgNo1Ujo/U3VOR1O4CiQczsZOcbSdjgl0x3fJb7BaIxrZy9iW2I7G/L/chfTvRws+x1s1y5FNZOOiXMCdZjhgLaRwb6p5gMsMVn9sJbhDjmejcAkBKQDkzbvxxhfVkH225FoVXA9YF0msWLyOEyZQYbA8autLDJsAOT5RDfw/G82DQBufAPEBR/bPby0Hl5kjqW75bpSVxDvzmKwt3EpITg9iuYEhvYZ/Zq5qC1UJ54ZfOvaf0PsTUzFePty6ve/JzfxCV1XgFQ+B8l4NSz11loDfNXSUngf7lL4qu5X4aN6WmLFO1YbyFlfpvt3K1CekJmWVeE5mV9EFTUJ4ParVWRGiA4W+zaCOsHgRkcGkp4eYGyWW8gOR/lVxYU2IFl9mbMrC9bkdRbQ==" }
+);
+
+hosts = (
+ { name = "myth", address = "myth", user = "root", hostkey = "default", public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNmO4zkfz1RvWdKGRX8AEP4FrwDkW4EnBoU/GNm6Ooe" }
+);
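Review bot: The `hostkeys` entry gives a bare relative path for a private key (`path = "id_rsa_default"`, L48) while every other location in the file is anchored at `@CMAKE_INSTALL_PREFIX@`, so where that key is looked up depends on the daemon's working directory; anchoring it the same way, e.g. `path = "@CMAKE_INSTALL_PREFIX@/etc/bastion/id_rsa_default"`, keeps the example consistent and makes it obvious this entry names a private-key file. The trailing comment on the `session_recording` path (L44) has a stray colon, `$u : username : $i session id`; `$u : username, $i : session id` reads as intended. Since `$h` and `$u` are expanded from connection data into a filesystem path, the comment would be a good place to state that those values are validated before being used as path components — whether that is done is not visible from this file.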
diff --git a/bastion/client.c b/bastion/client.c
index fc11bb6..543603f 100644
--- a/bastion/client.c
+++ b/bastion/client.c
@@ -3,7 +3,7 @@
#include <stdlib.h>
#include "common/config.h"
-#include "common/mysql.h"
+#include "common/data.h"
#include "client.h"
#ifdef SESSION_RECORDING
#include "recording.h"
@@ -88,16 +88,10 @@ struct client_channel_data_struct* client_dial(ssh_event event, struct proxy_cha
cdata->client_channel_cb = NULL;
/* First we try to add the private key that the server will accept */
- struct db_host_info * info = db_get_host_info(hostname);
+ struct data_host_info * info = data_get_host_info(hostname);
if (info == NULL)
goto host_info_clean;
- ssh_key privkey = NULL;
- if (ssh_pki_import_privkey_base64(info->privkeytxt, NULL, NULL, NULL, &privkey) != SSH_OK) {
- printf("Error importing private key");
- goto privkey_clean;
- }
-
/* We try to connect to the remote server */
printf("Connecting to %s\n", hostname);
cdata->my_session = ssh_new();
@@ -116,34 +110,26 @@ struct client_channel_data_struct* client_dial(ssh_event event, struct proxy_cha
/* We now validate the remote server's public key */
ssh_key server_pub_key = NULL;
- unsigned char * hash = NULL;
- size_t hlen;
- char * hexa = NULL;
if (ssh_get_server_publickey(cdata->my_session, &server_pub_key) != SSH_OK) {
fprintf(stderr, "Error getting server publickey: %s\n", ssh_get_error(cdata->my_session));
goto pubkey_clean;
}
- if (ssh_get_publickey_hash(server_pub_key, SSH_PUBLICKEY_HASH_SHA1, &hash, &hlen) != SSH_OK) {
- fprintf(stderr, "Error getting publickey hash: %s\n", ssh_get_error(cdata->my_session));
- goto pubkey_hash_clean;
+ char *pubkeystr = NULL;
+ if (ssh_pki_export_pubkey_base64(server_pub_key, &pubkeystr) != SSH_OK) {
+ fprintf(stderr, "Got invalid public key from server attempt, this shouldn't happen.\n");
+ goto pubkey_clean;
}
- hexa = ssh_get_hexa(hash, hlen);
- if (strlen(info->hostkeyhash) > 0) {
- if (strcmp(hexa, info->hostkeyhash) != 0) {
- fprintf(stderr, "Error invalid host key for %s\n", hostname);
- goto pubkey_hexa_clean;
- }
- } else {
- // TODO we got a broken sshportal record, we need to fix it but only
- // after we completed the migration from sshportal
- //db_set_host_publickey_hash(hostname, hexa);
+ if (strcmp(info->pubkey, pubkeystr) != 0) {
+ fprintf(stderr, "Error : public key of server %s doesn't match.\n", hostname);
+ fprintf(stderr, "got : %s\n", pubkeystr);
+ fprintf(stderr, "exp : %s\n", info->pubkey);
+ goto pubkey_clean;
}
- ssh_string_free_char(hexa);
- ssh_clean_pubkey_hash(&hash);
+ free(pubkeystr);
ssh_key_free(server_pub_key);
/* With the server checked, we can authenticate */
- if(ssh_userauth_publickey(cdata->my_session, NULL, privkey) == SSH_AUTH_SUCCESS){
+ if(ssh_userauth_publickey(cdata->my_session, NULL, info->key) == SSH_AUTH_SUCCESS){
printf("Authentication success\n");
} else {
printf("Error private key was rejected\n");
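Review bot: The `goto pubkey_clean` on the ssh_get_server_publickey failure path (L94) jumps past the declaration `char *pubkeystr = NULL;` (L99), so at the `pubkey_clean` label in the next hunk `free(pubkeystr)` (L145) runs on an indeterminate pointer — undefined behaviour, most likely a crash or a bogus free on an ordinary connection error. Declare it next to the key handle so every path reaching the label sees either NULL or a valid allocation: `ssh_key server_pub_key = NULL;` followed by `char *pubkeystr = NULL;`, and drop the declaration on L99. Separately, as I read libssh's API, ssh_pki_export_pubkey_base64 yields only the base64 blob, whereas the example config stores `public_key` with the key-type prefix (`"ssh-ed25519 AAAA…"`, L56); unless the data layer strips that prefix, `strcmp(info->pubkey, pubkeystr)` never matches and every dial fails closed, so the expected format deserves a comment such as `/* info->pubkey must hold the bare base64 blob, as ssh_pki_export_pubkey_base64 produces it */`. client_dial starts and ends outside this hunk.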
@@ -186,25 +172,19 @@ struct client_channel_data_struct* client_dial(ssh_event event, struct proxy_cha
}
#endif
- ssh_key_free(privkey);
- db_free_host_info(info);
+ free(info);
return cdata;
channel_clean:
ssh_channel_free(cdata->my_channel);
goto session_clean;
-pubkey_hexa_clean:
- ssh_string_free_char(hexa);
-pubkey_hash_clean:
- ssh_clean_pubkey_hash(&hash);
pubkey_clean:
+ free(pubkeystr);
ssh_key_free(server_pub_key);
session_clean:
ssh_disconnect(cdata->my_session);
ssh_free(cdata->my_session);
- db_free_host_info(info);
-privkey_clean:
- ssh_key_free(privkey);
+ free(info);
host_info_clean:
free(cdata);
return NULL;
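Review bot: `free(info)` (L135, L153) releases only the struct returned by data_get_host_info, while `info->key` is an ssh_key used for authentication (L126) and `info->pubkey` a string, and nothing here frees them or states who owns them. If the data layer hands out a per-call allocation, both leak on every dial; if it hands out a pointer into config-owned storage, `free(info)` releases memory this function does not own — I cannot tell which from these hunks, so the ownership contract should be documented on data_get_host_info and mirrored in a comment here, e.g. `/* info and its members are owned by the data layer; see data_get_host_info */` or the matching release call. On the success path the `free(pubkeystr)` on L122 leaves the pointer dangling; `pubkeystr = NULL;` after it would make a later `goto pubkey_clean` harmless, though whether any such path exists after that point is not visible in the hunk.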
diff --git a/bastion/main.c b/bastion/main.c
index 4f93652..d4fb321 100644
--- a/bastion/main.c
+++ b/bastion/main.c
@@ -5,7 +5,6 @@
#include <sys/wait.h>
#include "common/config.h"
-#include "common/mysql.h"
#include "session.h"
#include "state.h"
@@ -28,7 +27,6 @@ __attribute__((noreturn)) static void sigint_handler(int signo)
state_clean();
config_clean();
ssh_finalize();
- db_clean();
exit(0);
}
@@ -145,6 +143,5 @@ int main()
ssh_bind_free(sshbind);
config_clean();
ssh_finalize();
- db_clean();
return 0;
}
diff --git a/bastion/proxy.c b/bastion/proxy.c
index f608d31..0cf3675 100644
--- a/bastion/proxy.c
+++ b/bastion/proxy.c
@@ -2,7 +2,6 @@
#include <stdio.h>
#include <stdlib.h>
-#include "common/mysql.h"
#include "client.h"
#include "proxy.h"
#include "state.h"
@@ -202,8 +201,8 @@ void handle_proxy_session(ssh_event event, ssh_session session, ssh_channel my_c
ssh_callbacks_init(&channel_cb);
ssh_set_channel_callbacks(my_channel, &channel_cb);
- db_clean(); // we close the mysql connection before the main loop, as to not waste ressources
-
+ // TODO gather what is required from data and config so that we can free
+ // those and not waste resources
do {
/* Poll the main event which takes care of the sessions and channels */
if (ssh_event_dopoll(event, -1) == SSH_ERROR) {
diff --git a/bastion/session.c b/bastion/session.c
index f86fe44..4c38389 100644
--- a/bastion/session.c
+++ b/bastion/session.c
@@ -9,7 +9,7 @@
#include <sys/wait.h>
#include "common/config.h"
-#include "common/mysql.h"
+#include "common/data.h"
#include "proxy.h"
#include "session.h"
#include "state.h"
@@ -31,19 +31,19 @@ static int auth_pubkey(ssh_session session, const char *user, ssh_key pubkey, ch
// TODO check for an invite
- char * bastion_username = db_get_username_from_pubkey(pubkey);
+ const char * bastion_username = data_get_username_from_pubkey(pubkey);
if (bastion_username != NULL) {
sdata->authenticated = 1;
if (state_set_ssh_destination(user) != 0)
return SSH_ERROR;
// TODO check access rights and host configs
state_set_bastion_username(bastion_username);
- unsigned long long session_id = db_init_session_and_get_id(user, bastion_username);
- state_set_session_id(session_id);
- free(bastion_username);
+ //TODO Find out how to keep session id in a spool or something - probably with the state.c and state.h stuff
+ //unsigned long long session_id = data_init_session_and_get_id(user, bastion_username);
+ //state_set_session_id(session_id);
+ state_set_session_id(0);
return SSH_AUTH_SUCCESS;
} else {
- free(bastion_username);
sdata->auth_attempts++;
return SSH_AUTH_DENIED;
}
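Review bot: `state_set_session_id(0)` (L230) pins every session to id 0, and the two commented-out lines above it keep the old call around as dead code; prefer deleting them and recording the intent in the TODO, e.g. `// TODO session ids are not allocated yet; 0 is a placeholder until session bookkeeping moves to state.c`. With session recording enabled, the example config's recording path ends in `$i.gz`, so if `$i` is this id, concurrent sessions of one user to one host would presumably write to the same file — I cannot confirm that from these hunks, but it is worth checking before this is built with SESSION_RECORDING. `bastion_username` is now a borrowed `const char *` that is no longer freed here, which matches the state.c change. auth_pubkey's signature is above this hunk.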
diff --git a/bastion/state.c b/bastion/state.c
index 6784c0a..347e7ba 100644
--- a/bastion/state.c
+++ b/bastion/state.c
@@ -8,7 +8,7 @@
struct state {
unsigned long long session_id;
char * destination;
- char * bastion_username;
+ const char * bastion_username;
};
static struct state state = {0};
@@ -26,7 +26,7 @@ state_set_ssh_destination(const char * name)
return 2;
}
state.destination = malloc(len+1);
- strncpy(state.destination, name, len+1);
+ strcpy(state.destination, name);
return 0;
}
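Review bot: The new `strcpy(state.destination, name)` (L254) writes through `state.destination = malloc(len+1)` (L252) without a NULL check, so an allocation failure during authentication dereferences a null pointer; a guard between the two lines, `if (state.destination == NULL) return <the non-zero code callers treat as failure>;`, closes that (the meaning of the codes returned above, such as the `return 2;` on L250, is defined outside the hunk). The strcpy itself is safe only if `len` was obtained with a bounded strnlen that guarantees a terminator within `len` bytes; that computation is above the hunk and worth re-checking. state_set_ssh_destination begins before this hunk.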
@@ -42,13 +42,7 @@ state_set_bastion_username(const char * name)
fprintf(stderr, "BUG found, attempting to overwrite state.bastion_username that has already been set\n");
return 1;
}
- size_t len = strnlen(name, MAX_USERNAME_LENGTH + 1);
- if (len >= MAX_USERNAME_LENGTH + 1) {
- fprintf(stderr, "Username too long, max length is %d.\n", MAX_USERNAME_LENGTH);
- return 1;
- }
- state.bastion_username = malloc(len+1);
- strncpy(state.bastion_username, name, len+1);
+ state.bastion_username = name;
return 0;
}
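Review bot: `state.bastion_username = name;` (L268) now stores a borrowed pointer and drops the MAX_USERNAME_LENGTH check, so neither the string's lifetime nor its length is enforced here any more. The caller in session.c passes the result of data_get_username_from_pubkey, presumably config-owned, so it outlives the state only as long as state_clean() runs before config_clean() (the main.c hunks keep that order); that contract should be written down, e.g. `/* name is borrowed, not copied: it must stay valid until state_clean(); callers pass config-owned strings */`. If the username is later copied into a fixed-size buffer or expanded into a recording path (the example config has `$u` there), the removed length check was doing real work and should stay as a rejection rather than disappear; those uses are outside this hunk, as is state_set_bastion_username's signature.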