-Moved taunting of failed logins to client-side

-Added byte auth pass/fail stage prior to shell/copy session start
This commit is contained in:
Russ Magee 2018-09-06 16:23:57 -07:00
parent 9ff35a69fe
commit b33e9de139
3 changed files with 39 additions and 42 deletions

View file

@ -37,7 +37,7 @@ import (
// const CSExtendedCode - extended (>255 UNIX exit status) codes // const CSExtendedCode - extended (>255 UNIX exit status) codes
// This indicate channel-related or internal errors // This indicate channel-related or internal errors
const ( const (
CSEBadAuth = 1024 // failed login CSEBadAuth = 1024 // Failed login password
CSETruncCSO // No CSOExitStatus in payload CSETruncCSO // No CSOExitStatus in payload
CSEStillOpen // Channel closed unexpectedly CSEStillOpen // Channel closed unexpectedly
CSEExecFail // cmd.Start() (exec) failed CSEExecFail // cmd.Start() (exec) failed

View file

@ -27,6 +27,7 @@ import (
hkexsh "blitter.com/go/hkexsh" hkexsh "blitter.com/go/hkexsh"
"blitter.com/go/hkexsh/hkexnet" "blitter.com/go/hkexsh/hkexnet"
"blitter.com/go/hkexsh/spinsult"
isatty "github.com/mattn/go-isatty" isatty "github.com/mattn/go-isatty"
) )
@ -163,7 +164,7 @@ func doCopyMode(conn *hkexnet.Conn, remoteDest bool, files string, rec *cmdSpec)
// an ExitStatus() method with the same signature. // an ExitStatus() method with the same signature.
if status, ok := exiterr.Sys().(syscall.WaitStatus); ok { if status, ok := exiterr.Sys().(syscall.WaitStatus); ok {
exitStatus = uint32(status.ExitStatus()) exitStatus = uint32(status.ExitStatus())
log.Printf("Exit Status: %d", exitStatus) log.Printf("Exit Status: %d", exitStatus) //#
fmt.Print(stdErrBuffer) fmt.Print(stdErrBuffer)
} }
} }
@ -285,9 +286,9 @@ func doShellMode(isInteractive bool, conn *hkexnet.Conn, oldState *hkexsh.State,
log.Println(outerr) log.Println(outerr)
fmt.Println(outerr) fmt.Println(outerr)
_ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort. _ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort.
os.Exit(254) log.Println("[Hanging up]")
os.Exit(0)
} }
log.Println("[Sent EOF]")
}() }()
} }
@ -309,6 +310,10 @@ func UsageCp() {
flag.PrintDefaults() flag.PrintDefaults()
} }
func rejectUserMsg() string {
return "Begone, " + spinsult.GetSentence() + "\r\n"
}
// hkexsh - a client for secure shell and file copy operations. // hkexsh - a client for secure shell and file copy operations.
// //
// While conforming to the basic net.Conn interface HKex.Conn has extra // While conforming to the basic net.Conn interface HKex.Conn has extra
@ -533,34 +538,35 @@ func main() {
_, err = conn.Write(rec.cmd) _, err = conn.Write(rec.cmd)
_, err = conn.Write(rec.authCookie) _, err = conn.Write(rec.authCookie)
// Set up chaffing to server // Read auth reply from server
conn.SetupChaff(chaffFreqMin, chaffFreqMax, chaffBytesMax) // enable client->server chaffing authReply := make([]byte, 1) // bool: 0 = fail, 1 = pass
if chaffEnabled { _, err = conn.Read(authReply)
conn.EnableChaff() if authReply[0] == 0 {
defer conn.DisableChaff() fmt.Fprintln(os.Stderr, rejectUserMsg())
defer conn.ShutdownChaff() rec.status = 255
}
if shellMode {
doShellMode(isInteractive, conn, oldState, rec)
} else { } else {
_, rec.status = doCopyMode(conn, pathIsDest, fileArgs, rec)
// Set up chaffing to server
conn.SetupChaff(chaffFreqMin, chaffFreqMax, chaffBytesMax) // enable client->server chaffing
if chaffEnabled {
conn.EnableChaff()
defer conn.DisableChaff()
defer conn.ShutdownChaff()
}
if shellMode {
doShellMode(isInteractive, conn, oldState, rec)
} else { // copyMode
_, rec.status = doCopyMode(conn, pathIsDest, fileArgs, rec)
}
if rec.status != 0 {
fmt.Fprintln(os.Stderr, "Remote end exited with status:", rec.status)
}
} }
if oldState != nil { if oldState != nil {
_ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort. _ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort.
} }
if rec.status != 0 {
fmt.Fprint(os.Stderr, "Remote end ")
if rec.status == hkexnet.CSEBadAuth {
// shell exit status can't hold CSEBadAuth (uint32)
rec.status = 255
fmt.Fprintln(os.Stderr, "replied: bad auth")
} else {
fmt.Fprintln(os.Stderr, "exited with status:", rec.status)
}
}
os.Exit(int(rec.status)) os.Exit(int(rec.status))
} }

View file

@ -27,7 +27,6 @@ import (
"blitter.com/go/goutmp" "blitter.com/go/goutmp"
hkexsh "blitter.com/go/hkexsh" hkexsh "blitter.com/go/hkexsh"
"blitter.com/go/hkexsh/hkexnet" "blitter.com/go/hkexsh/hkexnet"
"blitter.com/go/hkexsh/spinsult"
"github.com/kr/pty" "github.com/kr/pty"
) )
@ -324,10 +323,6 @@ func runShellAs(who string, cmd string, interactive bool, conn hkexnet.Conn, cha
return return
} }
func rejectUserMsg() string {
return "Begone, " + spinsult.GetSentence() + "\r\n"
}
// Demo of a simple server that listens and spawns goroutines for each // Demo of a simple server that listens and spawns goroutines for each
// connecting client. Note this code is identical to standard tcp // connecting client. Note this code is identical to standard tcp
// server code, save for declaring 'hkex' rather than 'net' // server code, save for declaring 'hkex' rather than 'net'
@ -454,19 +449,15 @@ func main() {
} }
runtime.GC() runtime.GC()
if !valid { // Tell client if auth was valid
if valid {
hc.Write([]byte{1})
} else {
log.Println("Invalid user", string(rec.who)) log.Println("Invalid user", string(rec.who))
hc.Write([]byte{0})
// Signal other end auth failed
rec.status = hkexnet.CSEBadAuth
hc.SetStatus(hkexnet.CSEBadAuth)
s := make([]byte, 4)
binary.BigEndian.PutUint32(s, hkexnet.CSEBadAuth)
hc.WritePacket(s, hkexnet.CSOExitStatus)
hc.Write([]byte(rejectUserMsg()))
return return
} }
log.Printf("[allowedCmds:%s]\n", allowedCmds) log.Printf("[allowedCmds:%s]\n", allowedCmds)
if rec.op[0] == 'c' { if rec.op[0] == 'c' {