mirror of
https://gogs.blitter.com/RLabs/xs
synced 2024-08-14 10:26:42 +00:00
Got client hangup working again. Security scrub auth vars.
This commit is contained in:
parent
925e83bbba
commit
c5498642fc
4 changed files with 33 additions and 20 deletions
11
hkexauth.go
11
hkexauth.go
|
@ -28,9 +28,6 @@ func AuthUser(username string, auth string, fname string) (valid bool, allowedCm
|
||||||
}
|
}
|
||||||
r := csv.NewReader(bytes.NewReader(b))
|
r := csv.NewReader(bytes.NewReader(b))
|
||||||
|
|
||||||
b = nil
|
|
||||||
runtime.GC() // Paranoia and prob. not effective; kill authFile in b[]
|
|
||||||
|
|
||||||
r.Comma = ':'
|
r.Comma = ':'
|
||||||
r.Comment = '#'
|
r.Comment = '#'
|
||||||
r.FieldsPerRecord = 4 // username:salt:authCookie:disallowedCmdList (a,b,...)
|
r.FieldsPerRecord = 4 // username:salt:authCookie:disallowedCmdList (a,b,...)
|
||||||
|
@ -51,5 +48,13 @@ func AuthUser(username string, auth string, fname string) (valid bool, allowedCm
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// Security scrub
|
||||||
|
for i := range b {
|
||||||
|
b[i] = 0
|
||||||
|
}
|
||||||
|
b = nil
|
||||||
|
r = nil
|
||||||
|
runtime.GC()
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
21
hkexnet.go
21
hkexnet.go
|
@ -319,8 +319,6 @@ func (hl HKExListener) Accept() (hc Conn, err error) {
|
||||||
// See go doc io.Reader
|
// See go doc io.Reader
|
||||||
func (c Conn) Read(b []byte) (n int, err error) {
|
func (c Conn) Read(b []byte) (n int, err error) {
|
||||||
//log.Printf("[Decrypting...]\r\n")
|
//log.Printf("[Decrypting...]\r\n")
|
||||||
log.Printf("Read() requests %d bytes\n", len(b))
|
|
||||||
|
|
||||||
for {
|
for {
|
||||||
//log.Printf("c.dBuf.Len(): %d\n", c.dBuf.Len())
|
//log.Printf("c.dBuf.Len(): %d\n", c.dBuf.Len())
|
||||||
if c.dBuf.Len() > 0 /* len(b) */ {
|
if c.dBuf.Len() > 0 /* len(b) */ {
|
||||||
|
@ -349,7 +347,6 @@ func (c Conn) Read(b []byte) (n int, err error) {
|
||||||
log.Println("unexpected Read() err:", err)
|
log.Println("unexpected Read() err:", err)
|
||||||
} else {
|
} else {
|
||||||
log.Println("[Client hung up]")
|
log.Println("[Client hung up]")
|
||||||
// TODO: Stop chaff if active
|
|
||||||
}
|
}
|
||||||
return 0, err
|
return 0, err
|
||||||
}
|
}
|
||||||
|
@ -536,15 +533,15 @@ func (c *Conn) chaffHelper(szMax int) {
|
||||||
|
|
||||||
// hkexsh.Copy() is a modified version of io.Copy()
|
// hkexsh.Copy() is a modified version of io.Copy()
|
||||||
func Copy(dst io.Writer, src io.Reader) (written int64, err error) {
|
func Copy(dst io.Writer, src io.Reader) (written int64, err error) {
|
||||||
// // If the reader has a WriteTo method, use it to do the copy.
|
// If the reader has a WriteTo method, use it to do the copy.
|
||||||
// // Avoids an allocation and a copy.
|
// Avoids an allocation and a copy.
|
||||||
// if wt, ok := src.(io.WriterTo); ok {
|
if wt, ok := src.(io.WriterTo); ok {
|
||||||
// return wt.WriteTo(dst)
|
return wt.WriteTo(dst)
|
||||||
// }
|
}
|
||||||
// // Similarly, if the writer has a ReadFrom method, use it to do the copy.
|
// Similarly, if the writer has a ReadFrom method, use it to do the copy.
|
||||||
// if rt, ok := dst.(io.ReaderFrom); ok {
|
if rt, ok := dst.(io.ReaderFrom); ok {
|
||||||
// return rt.ReadFrom(src)
|
return rt.ReadFrom(src)
|
||||||
// }
|
}
|
||||||
|
|
||||||
buf := make([]byte, 32*1024)
|
buf := make([]byte, 32*1024)
|
||||||
for {
|
for {
|
||||||
|
|
|
@ -17,6 +17,7 @@ import (
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"os/signal"
|
"os/signal"
|
||||||
"os/user"
|
"os/user"
|
||||||
|
"runtime"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"syscall"
|
"syscall"
|
||||||
|
@ -79,7 +80,7 @@ func main() {
|
||||||
flag.StringVar(&server, "s", "localhost:2000", "server hostname/address[:port]")
|
flag.StringVar(&server, "s", "localhost:2000", "server hostname/address[:port]")
|
||||||
flag.StringVar(&cmdStr, "x", "", "command to run (default empty - interactive shell)")
|
flag.StringVar(&cmdStr, "x", "", "command to run (default empty - interactive shell)")
|
||||||
flag.StringVar(&altUser, "u", "", "specify alternate user")
|
flag.StringVar(&altUser, "u", "", "specify alternate user")
|
||||||
flag.StringVar(&authCookie, "a", "", "auth cookie (MultiCheese3999(tm) 2FA cookie")
|
flag.StringVar(&authCookie, "a", "", "auth cookie")
|
||||||
flag.BoolVar(&dbg, "d", false, "debug logging")
|
flag.BoolVar(&dbg, "d", false, "debug logging")
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
|
@ -145,6 +146,9 @@ func main() {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
authCookie = string(ab)
|
authCookie = string(ab)
|
||||||
|
// Security scrub
|
||||||
|
ab = nil
|
||||||
|
runtime.GC()
|
||||||
}
|
}
|
||||||
|
|
||||||
rec := &cmdSpec{
|
rec := &cmdSpec{
|
||||||
|
@ -187,8 +191,10 @@ func main() {
|
||||||
}
|
}
|
||||||
|
|
||||||
if isInteractive {
|
if isInteractive {
|
||||||
log.Println("[Got EOF]")
|
log.Println("[* Got EOF *]")
|
||||||
wg.Done() // server hung up, close WaitGroup to exit client
|
_ = hkexsh.Restore(int(os.Stdin.Fd()), oldState) // Best effort.
|
||||||
|
wg.Done()
|
||||||
|
os.Exit(0)
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
@ -236,8 +242,6 @@ func main() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
log.Println("[Sent EOF]")
|
log.Println("[Sent EOF]")
|
||||||
//FIXME: regression circa. April 30 2018 on 'exit' from client,
|
|
||||||
//fixme: Enter/RETURN required prior to actua client exit
|
|
||||||
wg.Done() // client hung up, close WaitGroup to exit client
|
wg.Done() // client hung up, close WaitGroup to exit client
|
||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,6 +16,7 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"os/user"
|
"os/user"
|
||||||
|
"runtime"
|
||||||
"syscall"
|
"syscall"
|
||||||
|
|
||||||
hkexsh "blitter.com/go/hkexsh"
|
hkexsh "blitter.com/go/hkexsh"
|
||||||
|
@ -246,6 +247,12 @@ func main() {
|
||||||
rec.op[0], string(rec.who), string(rec.cmd))
|
rec.op[0], string(rec.who), string(rec.cmd))
|
||||||
|
|
||||||
valid, allowedCmds := hkexsh.AuthUser(string(rec.who), string(rec.authCookie), "/etc/hkexsh.passwd")
|
valid, allowedCmds := hkexsh.AuthUser(string(rec.who), string(rec.authCookie), "/etc/hkexsh.passwd")
|
||||||
|
// Security scrub
|
||||||
|
for i := range rec.authCookie {
|
||||||
|
rec.authCookie[i] = 0
|
||||||
|
}
|
||||||
|
runtime.GC()
|
||||||
|
|
||||||
if !valid {
|
if !valid {
|
||||||
log.Println("Invalid user", string(rec.who))
|
log.Println("Invalid user", string(rec.who))
|
||||||
c.Write([]byte(rejectUserMsg()))
|
c.Write([]byte(rejectUserMsg()))
|
||||||
|
|
Loading…
Reference in a new issue