bdy 1.9.17-dev → 1.9.19-dev
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/distTs/package.json +1 -1
- package/distTs/src/agent.js +2 -2
- package/distTs/src/api/buddy.js +1 -1
- package/distTs/src/server/ssh.js +56 -12
- package/distTs/src/tunnel.js +0 -3
- package/package.json +1 -1
package/distTs/package.json
CHANGED
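--- a/package/distTs/src/agent.js
+++ b/package/distTs/src/agent.js
@@ -217,13 +217,13 @@ class Agent extends events_1.default {
 const tunnel = tt.find((tunnel) => data.id === tunnel.id);
 if (!tunnel) {
 this.addTunnel(new tunnel_js_1.default({
+...data,
+sshHostKey,
 agent: {
 id: this.id,
 host: this.host,
 token: this.token
 },
-...data,
-sshHostKey,
 }));
 }
 else if (tunnel.hasChanged(data)) {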
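Review bot: The new order of `...data,` and `sshHostKey,` ahead of `agent: {…}` in the tunnel_js_1.default argument is load-bearing — with the spread first, an `agent` (or `sshHostKey`) field arriving in `data` presumably can no longer override the locally built credentials — yet nothing in the hunk says so, and the same reordering is made in package/distTs/src/api/buddy.js where `agent: { id: agentId, host, token }` moves after `...config`. A one-line comment above the spread in both places would keep a future tidy-up from reverting it, e.g. `// keep agent (and sshHostKey) after the spread so remote data cannot override them`. The enclosing method of Agent starts and ends outside this hunk.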
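--- a/package/distTs/src/api/buddy.js
+++ b/package/distTs/src/api/buddy.js
@@ -118,9 +118,9 @@ class ApiBuddyClass {
 });
 logger_js_1.default.info((0, texts_js_1.LOG_TUNNEL_REGISTERED)(config.id));
 return new tunnel_js_1.default({
-agent: { id: agentId, host, token },
 ...config,
 sshHostKey,
+agent: { id: agentId, host, token },
 });
 }
 async removeTunnel(agentId, tunnelId, host, token) {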
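--- a/package/distTs/src/server/ssh.js
+++ b/package/distTs/src/server/ssh.js
@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const events_1 = __importDefault(require("events"));
 const ssh2_1 = __importDefault(require("ssh2"));
 const logger_js_1 = __importDefault(require("../logger.js"));
+const crypto_1 = require("crypto");
 const child_process_1 = require("child_process");
 const sftp_1 = __importDefault(require("./sftp"));
 const buddy_1 = __importDefault(require("../api/buddy"));
@@ -31,27 +32,70 @@ class ServerSsh extends events_1.default {
 handleSshTunnel(stream) {
 this.server.injectSocket(stream);
 }
+checkValueSafe(input, allowed) {
+const autoReject = input.length !== allowed.length;
+if (autoReject)
+allowed = input;
+const isMatch = (0, crypto_1.timingSafeEqual)(input, allowed);
+return (!autoReject && isMatch);
+}
+async verifyKey(ctx) {
+try {
+logger_js_1.default.info('1');
+const { keys } = await buddy_1.default.fetchAgentKeys(this.agent.id, this.agent.host, this.agent.token);
+for (let i = 0; i < keys.length; i += 1) {
+logger_js_1.default.info('2');
+const publicKey = ssh2_1.default.utils.parseKey(keys[i]);
+if (ctx.key.algo !== publicKey.type)
+continue;
+logger_js_1.default.info('3');
+if (!this.checkValueSafe(ctx.key.data, publicKey.getPublicSSH()))
+continue;
+logger_js_1.default.info('4');
+if (ctx.signature && !publicKey.verify(ctx.blob, ctx.signature))
+continue;
+logger_js_1.default.info('5');
+return true;
+}
+}
+catch (err) {
+logger_js_1.default.info('6');
+logger_js_1.default.info(err);
+// do nothing
+}
+logger_js_1.default.info('7');
+return false;
+}
 processClient(client) {
 client.setNoDelay();
 client.on('authentication', async (ctx) => {
-
-
-
-const keys = await buddy_1.default.fetchAgentKeys(this.agent.id, this.agent.host, this.agent.token);
-// todo handle keys
-logger_js_1.default.info(keys);
-ctx.reject(['password']);
+const allowed = ['publickey', 'password'];
+if (!allowed.includes(ctx.method)) {
+ctx.reject(allowed);
 return;
 }
-if (ctx.
-ctx.
+if (ctx.method === 'password') {
+if (!this.checkValueSafe(Buffer.from(ctx.username), Buffer.from(this.login))) {
+ctx.reject();
+return;
+}
+if (!this.checkValueSafe(Buffer.from(ctx.password), Buffer.from(this.password))) {
+ctx.reject();
+return;
+}
+ctx.accept();
 return;
 }
-if (ctx.
-
+if (ctx.method === 'publickey') {
+const verified = await this.verifyKey(ctx);
+if (!verified) {
+ctx.reject();
+return;
+}
+ctx.accept();
 return;
 }
-ctx.
+ctx.reject();
 });
 client.on('close', () => {
 client.removeAllListeners();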
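Review bot: The key loop in verifyKey reads `publicKey.type` straight off the result of `ssh2_1.default.utils.parseKey(keys[i])`, but ssh2's parseKey reports failure by returning an Error object (and for some inputs returns an array) rather than throwing, so a malformed entry fetched from the agent is silently skipped with no log line that says why; guard it with `if (publicKey instanceof Error) continue;` before the algo comparison, and log the entry that was rejected. The numbered trace calls `logger_js_1.default.info('1')` through `('7')` look like leftover debugging shipped in the release and should be removed or turned into debug-level messages that name the step, and the `catch` that logs `err` at info and falls through to `return false` makes a fetchAgentKeys outage indistinguishable from a bad key — a warn/error with a message would help the operator. If the installed ssh2 is a 1.x release, `publicKey.verify(ctx.blob, ctx.signature)` should also receive `ctx.hashAlgo` so rsa-sha2-* signatures verify; confirm against the pinned version. Unlike the password branch, the publickey branch in processClient never compares `ctx.username` with `this.login`; if that is intended, a one-line comment there would save the next reader the question. The ServerSsh class starts and ends outside this hunk.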
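--- a/package/distTs/src/tunnel.js
+++ b/package/distTs/src/tunnel.js
@@ -26,9 +26,6 @@ class Tunnel extends events_1.default {
 if (!sshHostKey)
 sshHostKey = (0, utils_js_1.createSshHostKey)();
 this.agent = agent;
-// todo remove
-logger_js_1.default.info(this.agent);
-logger_js_1.default.trace();
 this.id = id;
 this.sshHostKey = sshHostKey;
 this.create({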