From b33e9de139ac9482b8518df47c4ee4ac234d33db Mon Sep 17 00:00:00 2001 From: Russ Magee Date: Thu, 6 Sep 2018 16:23:57 -0700 Subject: [PATCH] -Moved taunting of failed logins to client-side -Added byte auth pass/fail stage prior to shell/copy session start --- hkexnet/hkexnet.go | 2 +- hkexsh/hkexsh.go | 58 +++++++++++++++++++++++++--------------------- hkexshd/hkexshd.go | 21 +++++------------ 3 files changed, 39 insertions(+), 42 deletions(-) diff --git a/hkexnet/hkexnet.go b/hkexnet/hkexnet.go index f88e5d8..15dedd4 100644 --- a/hkexnet/hkexnet.go +++ b/hkexnet/hkexnet.go @@ -37,7 +37,7 @@ import ( // const CSExtendedCode - extended (>255 UNIX exit status) codes // This indicate channel-related or internal errors const ( - CSEBadAuth = 1024 // failed login + CSEBadAuth = 1024 // Failed login password CSETruncCSO // No CSOExitStatus in payload CSEStillOpen // Channel closed unexpectedly CSEExecFail // cmd.Start() (exec) failed diff --git a/hkexsh/hkexsh.go b/hkexsh/hkexsh.go index 1e04624..4e42f86 100755 --- a/hkexsh/hkexsh.go +++ b/hkexsh/hkexsh.go @@ -27,6 +27,7 @@ import ( hkexsh "blitter.com/go/hkexsh" "blitter.com/go/hkexsh/hkexnet" + "blitter.com/go/hkexsh/spinsult" isatty "github.com/mattn/go-isatty" ) @@ -163,7 +164,7 @@ func doCopyMode(conn *hkexnet.Conn, remoteDest bool, files string, rec *cmdSpec) // an ExitStatus() method with the same signature. if status, ok := exiterr.Sys().(syscall.WaitStatus); ok { exitStatus = uint32(status.ExitStatus()) - log.Printf("Exit Status: %d", exitStatus) + log.Printf("Exit Status: %d", exitStatus) //# fmt.Print(stdErrBuffer) } } @@ -285,9 +286,9 @@ func doShellMode(isInteractive bool, conn *hkexnet.Conn, oldState *hkexsh.State, log.Println(outerr) fmt.Println(outerr) _ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort. - os.Exit(254) + log.Println("[Hanging up]") + os.Exit(0) } - log.Println("[Sent EOF]") }() } @@ -309,6 +310,10 @@ func UsageCp() { flag.PrintDefaults() } +func rejectUserMsg() string { + return "Begone, " + spinsult.GetSentence() + "\r\n" +} + // hkexsh - a client for secure shell and file copy operations. // // While conforming to the basic net.Conn interface HKex.Conn has extra @@ -533,34 +538,35 @@ func main() { _, err = conn.Write(rec.cmd) _, err = conn.Write(rec.authCookie) - // Set up chaffing to server - conn.SetupChaff(chaffFreqMin, chaffFreqMax, chaffBytesMax) // enable client->server chaffing - if chaffEnabled { - conn.EnableChaff() - defer conn.DisableChaff() - defer conn.ShutdownChaff() - } - - if shellMode { - doShellMode(isInteractive, conn, oldState, rec) + // Read auth reply from server + authReply := make([]byte, 1) // bool: 0 = fail, 1 = pass + _, err = conn.Read(authReply) + if authReply[0] == 0 { + fmt.Fprintln(os.Stderr, rejectUserMsg()) + rec.status = 255 } else { - _, rec.status = doCopyMode(conn, pathIsDest, fileArgs, rec) + + // Set up chaffing to server + conn.SetupChaff(chaffFreqMin, chaffFreqMax, chaffBytesMax) // enable client->server chaffing + if chaffEnabled { + conn.EnableChaff() + defer conn.DisableChaff() + defer conn.ShutdownChaff() + } + + if shellMode { + doShellMode(isInteractive, conn, oldState, rec) + } else { // copyMode + _, rec.status = doCopyMode(conn, pathIsDest, fileArgs, rec) + } + + if rec.status != 0 { + fmt.Fprintln(os.Stderr, "Remote end exited with status:", rec.status) + } } if oldState != nil { _ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort. } - - if rec.status != 0 { - fmt.Fprint(os.Stderr, "Remote end ") - if rec.status == hkexnet.CSEBadAuth { - // shell exit status can't hold CSEBadAuth (uint32) - rec.status = 255 - fmt.Fprintln(os.Stderr, "replied: bad auth") - } else { - fmt.Fprintln(os.Stderr, "exited with status:", rec.status) - } - - } os.Exit(int(rec.status)) } diff --git a/hkexshd/hkexshd.go b/hkexshd/hkexshd.go index b9c8000..aa26764 100755 --- a/hkexshd/hkexshd.go +++ b/hkexshd/hkexshd.go @@ -27,7 +27,6 @@ import ( "blitter.com/go/goutmp" hkexsh "blitter.com/go/hkexsh" "blitter.com/go/hkexsh/hkexnet" - "blitter.com/go/hkexsh/spinsult" "github.com/kr/pty" ) @@ -324,10 +323,6 @@ func runShellAs(who string, cmd string, interactive bool, conn hkexnet.Conn, cha return } -func rejectUserMsg() string { - return "Begone, " + spinsult.GetSentence() + "\r\n" -} - // Demo of a simple server that listens and spawns goroutines for each // connecting client. Note this code is identical to standard tcp // server code, save for declaring 'hkex' rather than 'net' @@ -454,19 +449,15 @@ func main() { } runtime.GC() - if !valid { + // Tell client if auth was valid + if valid { + hc.Write([]byte{1}) + } else { log.Println("Invalid user", string(rec.who)) - - // Signal other end auth failed - rec.status = hkexnet.CSEBadAuth - hc.SetStatus(hkexnet.CSEBadAuth) - s := make([]byte, 4) - binary.BigEndian.PutUint32(s, hkexnet.CSEBadAuth) - hc.WritePacket(s, hkexnet.CSOExitStatus) - - hc.Write([]byte(rejectUserMsg())) + hc.Write([]byte{0}) return } + log.Printf("[allowedCmds:%s]\n", allowedCmds) if rec.op[0] == 'c' {