crussh 0.1.0

data/lib/crussh/server/layers/transport.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Crussh
+  class Server
+    module Layers
+      class Transport
+        def initialize(session)
+          @session = session
+          @client_version = nil
+          @algorithms = nil
+          @session_id = nil
+          @client_kexinit_payload = nil
+          @server_kexinit_payload = nil
+        end
+
+        attr_reader :client_version, :algorithms, :session_id
+
+        def run
+          version_exchange
+          key_exchange
+        end
+
+        private
+
+        def config = @session.config
+        def socket = @session.socket
+
+        def version_exchange
+          exchange = ::Crussh::Transport::VersionExchange.new(socket, server_id: config.server_id)
+
+          @client_version = exchange.exchange
+
+          Logger.info(
+            self,
+            "Version exchange complete",
+            client_version: @client_version.software_version,
+            comments: @client_version.comments,
+          )
+        end
+
+        def key_exchange
+          kex = Kex::Exchange.new(@session)
+          kex.initial(client_version: @client_version)
+          @session_id = kex.session_id
+        end
+      end
+    end
+  end
+end

data/lib/crussh/server/layers/userauth.rb

@@ -0,0 +1,232 @@
+# frozen_string_literal: true
+
+module Crussh
+  class Server
+    module Layers
+      class Userauth
+        def initialize(session)
+          @session = session
+          @authenticated_user = nil
+          @attempts = 0
+          @first_attempt = true
+        end
+
+        attr_reader :authenticated_user
+
+        def run(task: Async::Task.current)
+          timeout = config.auth_timeout || config.connection_timeout
+
+          task.with_timeout(timeout) do
+            service_request
+            send_banner
+            authenticate
+          end
+        rescue Async::TimeoutError
+          Logger.warn(self, "Authentication timeout")
+        end
+
+        private
+
+        def config = @session.config
+        def server = @session.server
+        def session_id = @session.id
+
+        def supported_methods
+          server.auth_methods.map(&:to_s)
+        end
+
+        def service_request
+          packet = @session.read_packet
+          request = Protocol::ServiceRequest.parse(packet)
+
+          Logger.debug(self, "Service request", service: request.service_name)
+
+          unless request.service_name == "ssh-userauth"
+            raise ProtocolError, "Unknown service: #{request.service_name}"
+          end
+
+          accept = Protocol::ServiceAccept.new(service_name: "ssh-userauth")
+          @session.write_packet(accept)
+
+          Logger.debug(self, "Service accepted", service: "ssh-userauth")
+        end
+
+        def send_banner
+          banner = server.banner
+
+          return if banner.nil?
+
+          packet = Protocol::UserauthBanner.new(message: banner)
+          @session.write_packet(packet)
+          Logger.debug(self, "Banner sent")
+        end
+
+        def authenticate
+          loop do
+            packet = @session.read_packet
+            message_type = packet.getbyte(0)
+
+            case message_type
+            when Protocol::USERAUTH_REQUEST
+              handle_auth_request(packet)&.then { return }
+            when Protocol::DISCONNECT
+              Logger.debug(self, "Client disconnected during auth")
+              @session.close
+              return
+            else
+              Logger.warn(self, "Unknown message type during authentication", message_type:)
+              unimplemented = Protocol::Unimplemented.new(sequence_number: @session.last_read_sequence)
+              @session.write_packet(unimplemented)
+            end
+          end
+        end
+
+        def handle_auth_request(packet)
+          request = Protocol::UserauthRequest.parse(packet)
+
+          Logger.debug(
+            self,
+            "Auth request",
+            user: request.username,
+            service: request.service_name,
+            method: request.method_name,
+          )
+
+          result = dispatch_auth(request)
+
+          case result
+          when :success
+            handle_successful_auth(request)
+            true
+          when :pk_ok, :partial
+            nil
+          when :failure
+            handle_failed_auth(request)
+            nil
+          end
+        end
+
+        def dispatch_auth(request)
+          method = request.method_name.to_sym
+
+          result = case method
+          when :none
+            server.handle_auth(:none, request.username)
+          when :password
+            server.handle_auth(:password, request.username, request.password)
+          when :publickey
+            handle_publickey(request)
+          when :keyboard_interactive
+            Auth.reject
+          else
+            Logger.warn(self, "Unknown auth method", method: request.method_name)
+            Auth.reject
+          end
+
+          case result
+          when lambda(&:success?)
+            :success
+          when lambda(&:partial?)
+            handle_partial_success(request, result)
+            :partial
+          else
+            :failure
+          end
+        end
+
+        def handle_publickey(request)
+          pk_data = request.public_key_data
+          public_key = Keys.parse_public_blob(pk_data.key_blob)
+
+          unless pk_data.has_signature?
+            acceptable = server.handle_auth(:publickey, request.username, public_key)
+
+            if acceptable
+              pk_ok = Protocol::UserauthPkOk.new(
+                algorithm: pk_data.algorithm,
+                key_blob: pk_data.key_blob,
+              )
+              @session.write_packet(pk_ok)
+
+              Logger.debug(self, "PK_OK sent", algorithm: pk_data.algorithm)
+
+              :pk_ok
+            else
+              :failure
+            end
+          end
+
+          signed = build_signed_data(request, pk_data)
+
+          if public_key.verify(signed, pk_data.signature)
+            :success
+          else
+            :failure
+          end
+        end
+
+        def handle_successful_auth(request)
+          @authenticated_user = request.username
+          @session.write_packet(Protocol::UserauthSuccess.new)
+          server.auth_succeeded(request.username) if server.respond_to?(:auth_succeeded)
+
+          @session.enable_compression
+
+          Logger.info(
+            self,
+            "Authentication successful",
+            user: request.username,
+            method: request.method_name,
+          )
+        end
+
+        def handle_partial_success(request, result)
+          methods = result.continue_with.map(&:to_s)
+          packet = Protocol::UserauthFailure.new(
+            authentications: methods,
+            partial_success: true,
+          )
+          @session.write_packet(packet)
+        end
+
+        def handle_failed_auth(request)
+          @attempts += 1
+
+          rejection_time = if initial?(request)
+            config.auth_rejection_time_initial
+          else
+            config.auth_rejection_time
+          end
+
+          @first_attempt = false
+
+          sleep(rejection_time) if rejection_time&.positive?
+
+          packet = Protocol::UserauthFailure.new(authentications: supported_methods)
+          @session.write_packet(packet)
+
+          return if @attempts < config.max_auth_attempts
+
+          @session.disconnect(:no_more_auth_methods_available, "Too many authentication failures")
+        end
+
+        def build_signed_data(request, pk_data)
+          writer = Crussh::Transport::Writer.new
+          writer.string(session_id)
+          writer.byte(Protocol::USERAUTH_REQUEST)
+          writer.string(request.username)
+          writer.string(request.service_name)
+          writer.string("publickey")
+          writer.boolean(true)
+          writer.string(pk_data.algorithm)
+          writer.string(pk_data.key_blob)
+          writer.to_s
+        end
+
+        def initial?(request)
+          @first_attempt && request.none?
+        end
+      end
+    end
+  end
+end

data/lib/crussh/server/request_rule.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Crussh
+  class Server
+    class RequestRule
+      class << self
+        def accept(only: nil, except: nil, if: nil, unless: nil, &block)
+          new(
+            allow: true,
+            only: only,
+            except: except,
+            if: binding.local_variable_get(:if),
+            unless: binding.local_variable_get(:unless),
+            &block
+          )
+        end
+
+        def reject
+          new(allow: false, only: nil, except: nil, if: nil, unless: nil, &block)
+        end
+      end
+
+      def initialize(allow: true, only: nil, except: nil, if: nil, unless: nil, &block)
+        @allow = allow
+        @only = only
+        @except = except
+        @if = binding.local_variable_get(:if)
+        @unless = binding.local_variable_get(:unless)
+        @block = block
+      end
+
+      attr_reader :allow, :only, :except, :if, :unless, :block
+
+      def allowed?(channel, **params)
+        return false unless allow
+
+        if only
+          value = params[:name] || params[:term]
+          return false unless matches_patterns?(only, value)
+        end
+
+        if except
+          value = params[:name] || params[:term]
+          return false if matches_patterns?(except, value)
+        end
+
+        return false if self.if && !self.if.call(channel, **params)
+        return false if self.unless&.call(channel, **params)
+        return block.call(channel, **params) if block
+
+        true
+      end
+
+      private
+
+      def matches_patterns?(patterns, value)
+        return true if value.nil?
+
+        Array(patterns).any? do |pattern|
+          case pattern
+          when Regexp
+            pattern.match?(value)
+          when String
+            if pattern.include?("*")
+              File.fnmatch?(pattern, value)
+            else
+              pattern == value
+            end
+          else
+            pattern == value
+          end
+        end
+      end
+    end
+  end
+end

data/lib/crussh/server/session.rb

@@ -0,0 +1,192 @@
+# frozen_string_literal: true
+
+module Crussh
+  class Server
+    class Session
+      def initialize(socket, server:)
+        @socket = socket
+        @server = server
+
+        @packet_stream = Transport::PacketStream.new(socket, max_packet_size: config.max_packet_size)
+
+        @bytes_read = 0
+        @bytes_written = 0
+        @last_kex_time = Time.now
+        @algorithms = nil
+
+        @heartbeat = nil
+
+        @strict_kex = false
+      end
+
+      attr_reader :client_version, :socket, :server, :user, :id
+      attr_accessor :algorithms
+      attr_writer :strict_kex
+
+      def config = @server.config
+      def strict_kex? = @strict_kex
+
+      def start
+        transport = run_layer(Layers::Transport)
+        @id = transport.session_id
+
+        userauth = run_layer(Layers::Userauth)
+        @user = userauth.authenticated_user
+
+        @server.gatekeeper.authenticate!
+
+        start_heartbeat
+
+        run_layer(Layers::Connection)
+
+        Logger.info(self, "Session established", user: @user)
+      rescue NegotiationError => e
+        Logger.error(self, "Negotation Error", e)
+        disconnect(:key_exchange_failed, e.message)
+      rescue ProtocolError => e
+        Logger.error(self, "Protocol Error", e)
+        disconnect(:protocol_error, e.message)
+      rescue IOError, Errno::EPIPE, Errno::ECONNRESET, ConnectionClosed => e
+        Logger.debug(self, "Connection closed", reason: e.class.name)
+      rescue StandardError => e
+        Logger.error(self, "Internal Server Error", e)
+        disconnect(:by_application, "Internal error")
+      ensure
+        stop_heartbeat
+        close
+      end
+
+      def disconnect(reason, description = "")
+        message = Protocol::Disconnect.build(reason, description)
+        write_raw_packet(message)
+        stop_heartbeat
+        close
+      end
+
+      def close
+        return if socket.closed?
+
+        @socket.close
+      rescue StandardError => e
+        Logger.error(self, "Error", e)
+      end
+
+      def read_packet
+        start_rekey if rekey?
+
+        @heartbeat&.record_activity!
+
+        loop do
+          packet = read_raw_packet
+          message_type = packet.getbyte(0)
+
+          case message_type
+          when Protocol::IGNORE, Protocol::EXT_INFO
+            next
+          when Protocol::DEBUG
+            message = Protocol::Debug.parse(packet)
+            Logger.debug(self, "Client debug", message: message.message) if message.always_display?
+            next
+          when Protocol::PING
+            pong(packet)
+            next
+          when Protocol::KEXINIT
+            rekey(packet)
+            next
+          else
+            @bytes_read += packet.bytesize
+            return packet
+          end
+        end
+      end
+
+      def write_packet(message)
+        start_rekey if rekey?
+
+        data = message.serialize
+        @bytes_written += data.bytesize
+        @packet_stream.write(data)
+      end
+
+      def read_raw_packet = @packet_stream.read
+      def write_raw_packet(message) = @packet_stream.write(message.serialize)
+
+      def enable_encryption(...) = @packet_stream.enable_encryption(...)
+
+      def enable_compression
+        return if @algorithms.nil?
+
+        c2s = @algorithms.compression_client_to_server
+        s2c = @algorithms.compression_server_to_client
+
+        return if c2s == Compression::NONE && s2c == Compression::NONE
+
+        read_compressor = Compression.from_name(c2s)
+        write_compressor = Compression.from_name(s2c)
+
+        @packet_stream.enable_compression(read_compressor, write_compressor)
+        Logger.info(self, "Compression enabled", send: s2c, recv: c2s)
+      end
+
+      def last_read_sequence = @packet_stream.last_read_sequence
+      def reset_sequence = @packet_stream.reset_sequence
+      def sequence_wrapped? = @packet_stream.sequence_wrapped?
+
+      private
+
+      def rekey?
+        limits = config.limits
+
+        limits.over?(read: @bytes_read, written: @bytes_written, time: @last_kex_time)
+      end
+
+      def start_rekey
+        Logger.info(self, "Initiating rekey to client")
+
+        kex = Kex::Exchange.new(self)
+        kex.start_rekey
+        reset_rekey_tracking
+      end
+
+      def pong(packet)
+        ping = Protocol::Ping.parse(packet)
+        pong = Protocol::Pong.new(data: ping.data)
+
+        write_packet(pong)
+      end
+
+      def rekey(client_kexinit_payload)
+        Logger.info(self, "Client initiated rekey")
+
+        kex = Kex::Exchange.new(self)
+        kex.rekey(client_kexinit_payload: client_kexinit_payload)
+
+        Logger.info(self, "Rekey complete")
+      end
+
+      def reset_rekey_tracking
+        @bytes_read = 0
+        @bytes_written = 0
+        @last_kex_time = Time.now
+      end
+
+      def start_heartbeat
+        return if config.keepalive_interval.nil?
+
+        @heartbeat = Heartbeat.new(self, interval: config.keepalive_interval, max: config.keepalive_max)
+
+        @heartbeat.start
+      end
+
+      def stop_heartbeat
+        @heartbeat&.stop
+      end
+
+      def run_layer(layer)
+        instance = layer.new(self)
+        instance.run
+        instance
+      end
+    end
+  end
+end