diff options
Diffstat (limited to 'bastion')
-rw-r--r-- | bastion/CMakeLists.txt | 2 | ||||
-rw-r--r-- | bastion/bastion.conf.example.in | 25 | ||||
-rw-r--r-- | bastion/client.c | 52 | ||||
-rw-r--r-- | bastion/main.c | 3 | ||||
-rw-r--r-- | bastion/proxy.c | 5 | ||||
-rw-r--r-- | bastion/session.c | 12 | ||||
-rw-r--r-- | bastion/state.c | 12 |
7 files changed, 53 insertions, 58 deletions
diff --git a/bastion/CMakeLists.txt b/bastion/CMakeLists.txt index 298cfe7..9fd4212 100644 --- a/bastion/CMakeLists.txt +++ b/bastion/CMakeLists.txt @@ -7,7 +7,7 @@ target_link_libraries(bastion common) if (${SESSION_RECORDING}) target_link_libraries(bastion libtty) endif() -target_link_libraries(bastion bz2 config lzma mysqlclient ssh z) +target_link_libraries(bastion bz2 config lzma ssh z) install(TARGETS bastion DESTINATION bin) diff --git a/bastion/bastion.conf.example.in b/bastion/bastion.conf.example.in new file mode 100644 index 0000000..34ac9b4 --- /dev/null +++ b/bastion/bastion.conf.example.in @@ -0,0 +1,25 @@ +port = 2222; + +keys: +{ + dsa = "@CMAKE_INSTALL_PREFIX@/etc/bastion/ssh_host_dsa_key"; + rsa = "@CMAKE_INSTALL_PREFIX@/etc/bastion/ssh_host_rsa_key"; + ecdsa = "@CMAKE_INSTALL_PREFIX@/etc/bastion/ssh_host_ecdsa_key"; +}; + +session_recording: +{ + path = "@CMAKE_INSTALL_PREFIX@/var/log/bastion/$d/$h/$u/$i.gz"; # $d : date in iso format, $h : hostname, $u : username : $i session id +}; + +hostkeys = ( + { name = "default", path = "id_rsa_default" } +); + +users = ( + { name = "julien", public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMdBAFjENiPMTtq90GT3+NZ68nfGxQiRExaYYnLzm1ecmulCvsuA4AOpeLY6f+FWe+ludiw7nhrXzssDdsKBy0QL+XQyvjjjW4X+k9MYhP1gAWXEOGJnjJ/1ovEsMt++6fLyNKLUTA46kErbEehDs22r+rIiEKatrn0BNrJcRI94H44oEL1/ImzVam0cSBL0tPiaJxe60sBs7M76zfyFtVdMGkeuBpS7ee+FLA58fsS3/sEZmkas8MT0QdvZz1y/66MknXYbIaqDSOUACXGF4yVKpogLRRJ1SgNo1Ujo/U3VOR1O4CiQczsZOcbSdjgl0x3fJb7BaIxrZy9iW2I7G/L/chfTvRws+x1s1y5FNZOOiXMCdZjhgLaRwb6p5gMsMVn9sJbhDjmejcAkBKQDkzbvxxhfVkH225FoVXA9YF0msWLyOEyZQYbA8autLDJsAOT5RDfw/G82DQBufAPEBR/bPby0Hl5kjqW75bpSVxDvzmKwt3EpITg9iuYEhvYZ/Zq5qC1UJ54ZfOvaf0PsTUzFePty6ve/JzfxCV1XgFQ+B8l4NSz11loDfNXSUngf7lL4qu5X4aN6WmLFO1YbyFlfpvt3K1CekJmWVeE5mV9EFTUJ4ParVWRGiA4W+zaCOsHgRkcGkp4eYGyWW8gOR/lVxYU2IFl9mbMrC9bkdRbQ==" } +); + +hosts = ( + { name = "myth", address = "myth", user = "root", hostkey = "default", public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNmO4zkfz1RvWdKGRX8AEP4FrwDkW4EnBoU/GNm6Ooe" } +); diff --git a/bastion/client.c b/bastion/client.c index fc11bb6..543603f 100644 --- a/bastion/client.c +++ b/bastion/client.c @@ -3,7 +3,7 @@ #include <stdlib.h> #include "common/config.h" -#include "common/mysql.h" +#include "common/data.h" #include "client.h" #ifdef SESSION_RECORDING #include "recording.h" @@ -88,16 +88,10 @@ struct client_channel_data_struct* client_dial(ssh_event event, struct proxy_cha cdata->client_channel_cb = NULL; /* First we try to add the private key that the server will accept */ - struct db_host_info * info = db_get_host_info(hostname); + struct data_host_info * info = data_get_host_info(hostname); if (info == NULL) goto host_info_clean; - ssh_key privkey = NULL; - if (ssh_pki_import_privkey_base64(info->privkeytxt, NULL, NULL, NULL, &privkey) != SSH_OK) { - printf("Error importing private key"); - goto privkey_clean; - } - /* We try to connect to the remote server */ printf("Connecting to %s\n", hostname); cdata->my_session = ssh_new(); @@ -116,34 +110,26 @@ struct client_channel_data_struct* client_dial(ssh_event event, struct proxy_cha /* We now validate the remote server's public key */ ssh_key server_pub_key = NULL; - unsigned char * hash = NULL; - size_t hlen; - char * hexa = NULL; if (ssh_get_server_publickey(cdata->my_session, &server_pub_key) != SSH_OK) { fprintf(stderr, "Error getting server publickey: %s\n", ssh_get_error(cdata->my_session)); goto pubkey_clean; } - if (ssh_get_publickey_hash(server_pub_key, SSH_PUBLICKEY_HASH_SHA1, &hash, &hlen) != SSH_OK) { - fprintf(stderr, "Error getting publickey hash: %s\n", ssh_get_error(cdata->my_session)); - goto pubkey_hash_clean; + char *pubkeystr = NULL; + if (ssh_pki_export_pubkey_base64(server_pub_key, &pubkeystr) != SSH_OK) { + fprintf(stderr, "Got invalid public key from server attempt, this shouldn't happen.\n"); + goto pubkey_clean; } - hexa = ssh_get_hexa(hash, hlen); - if (strlen(info->hostkeyhash) > 0) { - if (strcmp(hexa, info->hostkeyhash) != 0) { - fprintf(stderr, "Error invalid host key for %s\n", hostname); - goto pubkey_hexa_clean; - } - } else { - // TODO we got a broken sshportal record, we need to fix it but only - // after we completed the migration from sshportal - //db_set_host_publickey_hash(hostname, hexa); + if (strcmp(info->pubkey, pubkeystr) != 0) { + fprintf(stderr, "Error : public key of server %s doesn't match.\n", hostname); + fprintf(stderr, "got : %s\n", pubkeystr); + fprintf(stderr, "exp : %s\n", info->pubkey); + goto pubkey_clean; } - ssh_string_free_char(hexa); - ssh_clean_pubkey_hash(&hash); + free(pubkeystr); ssh_key_free(server_pub_key); /* With the server checked, we can authenticate */ - if(ssh_userauth_publickey(cdata->my_session, NULL, privkey) == SSH_AUTH_SUCCESS){ + if(ssh_userauth_publickey(cdata->my_session, NULL, info->key) == SSH_AUTH_SUCCESS){ printf("Authentication success\n"); } else { printf("Error private key was rejected\n"); @@ -186,25 +172,19 @@ struct client_channel_data_struct* client_dial(ssh_event event, struct proxy_cha } #endif - ssh_key_free(privkey); - db_free_host_info(info); + free(info); return cdata; channel_clean: ssh_channel_free(cdata->my_channel); goto session_clean; -pubkey_hexa_clean: - ssh_string_free_char(hexa); -pubkey_hash_clean: - ssh_clean_pubkey_hash(&hash); pubkey_clean: + free(pubkeystr); ssh_key_free(server_pub_key); session_clean: ssh_disconnect(cdata->my_session); ssh_free(cdata->my_session); - db_free_host_info(info); -privkey_clean: - ssh_key_free(privkey); + free(info); host_info_clean: free(cdata); return NULL; diff --git a/bastion/main.c b/bastion/main.c index 4f93652..d4fb321 100644 --- a/bastion/main.c +++ b/bastion/main.c @@ -5,7 +5,6 @@ #include <sys/wait.h> #include "common/config.h" -#include "common/mysql.h" #include "session.h" #include "state.h" @@ -28,7 +27,6 @@ __attribute__((noreturn)) static void sigint_handler(int signo) state_clean(); config_clean(); ssh_finalize(); - db_clean(); exit(0); } @@ -145,6 +143,5 @@ int main() ssh_bind_free(sshbind); config_clean(); ssh_finalize(); - db_clean(); return 0; } diff --git a/bastion/proxy.c b/bastion/proxy.c index f608d31..0cf3675 100644 --- a/bastion/proxy.c +++ b/bastion/proxy.c @@ -2,7 +2,6 @@ #include <stdio.h> #include <stdlib.h> -#include "common/mysql.h" #include "client.h" #include "proxy.h" #include "state.h" @@ -202,8 +201,8 @@ void handle_proxy_session(ssh_event event, ssh_session session, ssh_channel my_c ssh_callbacks_init(&channel_cb); ssh_set_channel_callbacks(my_channel, &channel_cb); - db_clean(); // we close the mysql connection before the main loop, as to not waste ressources - + // TODO gather what is required from data and config so that we can free + // those and not waste resources do { /* Poll the main event which takes care of the sessions and channels */ if (ssh_event_dopoll(event, -1) == SSH_ERROR) { diff --git a/bastion/session.c b/bastion/session.c index f86fe44..4c38389 100644 --- a/bastion/session.c +++ b/bastion/session.c @@ -9,7 +9,7 @@ #include <sys/wait.h> #include "common/config.h" -#include "common/mysql.h" +#include "common/data.h" #include "proxy.h" #include "session.h" #include "state.h" @@ -31,19 +31,19 @@ static int auth_pubkey(ssh_session session, const char *user, ssh_key pubkey, ch // TODO check for an invite - char * bastion_username = db_get_username_from_pubkey(pubkey); + const char * bastion_username = data_get_username_from_pubkey(pubkey); if (bastion_username != NULL) { sdata->authenticated = 1; if (state_set_ssh_destination(user) != 0) return SSH_ERROR; // TODO check access rights and host configs state_set_bastion_username(bastion_username); - unsigned long long session_id = db_init_session_and_get_id(user, bastion_username); - state_set_session_id(session_id); - free(bastion_username); + //TODO Find out how to keep session id in a spool or something - probably with the state.c and state.h stuff + //unsigned long long session_id = data_init_session_and_get_id(user, bastion_username); + //state_set_session_id(session_id); + state_set_session_id(0); return SSH_AUTH_SUCCESS; } else { - free(bastion_username); sdata->auth_attempts++; return SSH_AUTH_DENIED; } diff --git a/bastion/state.c b/bastion/state.c index 6784c0a..347e7ba 100644 --- a/bastion/state.c +++ b/bastion/state.c @@ -8,7 +8,7 @@ struct state { unsigned long long session_id; char * destination; - char * bastion_username; + const char * bastion_username; }; static struct state state = {0}; @@ -26,7 +26,7 @@ state_set_ssh_destination(const char * name) return 2; } state.destination = malloc(len+1); - strncpy(state.destination, name, len+1); + strcpy(state.destination, name); return 0; } @@ -42,13 +42,7 @@ state_set_bastion_username(const char * name) fprintf(stderr, "BUG found, attempting to overwrite state.bastion_username that has already been set\n"); return 1; } - size_t len = strnlen(name, MAX_USERNAME_LENGTH + 1); - if (len >= MAX_USERNAME_LENGTH + 1) { - fprintf(stderr, "Username too long, max length is %d.\n", MAX_USERNAME_LENGTH); - return 1; - } - state.bastion_username = malloc(len+1); - strncpy(state.bastion_username, name, len+1); + state.bastion_username = name; return 0; } |