bdy 1.9.18-dev → 1.9.20-dev
- package/distTs/package.json +1 -1
- package/distTs/src/server/ssh.js +57 -12
- package/package.json +1 -1
package/distTs/package.json
CHANGED
package/distTs/src/server/ssh.js
CHANGED
@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
6
6
const events_1 = __importDefault(require("events"));
7
7
const ssh2_1 = __importDefault(require("ssh2"));
8
8
const logger_js_1 = __importDefault(require("../logger.js"));
9
+
const crypto_1 = require("crypto");
9
10
const child_process_1 = require("child_process");
10
11
const sftp_1 = __importDefault(require("./sftp"));
11
12
const buddy_1 = __importDefault(require("../api/buddy"));
@@ -31,27 +32,71 @@ class ServerSsh extends events_1.default {
31
32
handleSshTunnel(stream) {
32
33
this.server.injectSocket(stream);
33
34
}
35
+
checkValueSafe(input, allowed) {
36
+
const autoReject = input.length !== allowed.length;
37
+
if (autoReject)
38
+
allowed = input;
39
+
const isMatch = (0, crypto_1.timingSafeEqual)(input, allowed);
40
+
return (!autoReject && isMatch);
41
+
}
42
+
async verifyKey(ctx) {
43
+
try {
44
+
logger_js_1.default.info('1');
45
+
const { keys } = await buddy_1.default.fetchAgentKeys(this.agent.id, this.agent.host, this.agent.token);
46
+
for (let i = 0; i < keys.length; i += 1) {
47
+
logger_js_1.default.info('2');
48
+
const publicKey = ssh2_1.default.utils.parseKey(keys[i]);
49
+
if (ctx.key.algo !== publicKey.type)
50
+
continue;
51
+
logger_js_1.default.info('3');
52
+
if (!this.checkValueSafe(ctx.key.data, publicKey.getPublicSSH()))
53
+
continue;
54
+
logger_js_1.default.info('4');
55
+
if (ctx.signature && !publicKey.verify(ctx.blob, ctx.signature))
56
+
continue;
57
+
logger_js_1.default.info('5');
58
+
return true;
59
+
}
60
+
}
61
+
catch (err) {
62
+
logger_js_1.default.info('6');
63
+
logger_js_1.default.info(err);
64
+
// do nothing
65
+
}
66
+
logger_js_1.default.info('7');
67
+
return false;
68
+
}
34
69
processClient(client) {
35
70
client.setNoDelay();
36
71
client.on('authentication', async (ctx) => {
37
-
38
-
39
-
40
-
const keys = await buddy_1.default.fetchAgentKeys(this.agent.id, this.agent.host, this.agent.token);
41
-
// todo handle keys
42
-
logger_js_1.default.info(keys);
43
-
ctx.reject(['password']);
72
+
const allowed = ['publickey', 'password'];
73
+
if (!allowed.includes(ctx.method)) {
74
+
ctx.reject(allowed);
44
75
return;
45
76
}
46
-
if (ctx.
47
-
ctx.
77
+
if (ctx.method === 'password') {
78
+
if (!this.checkValueSafe(Buffer.from(ctx.username), Buffer.from(this.login))) {
79
+
ctx.reject();
80
+
return;
81
+
}
82
+
if (!this.checkValueSafe(Buffer.from(ctx.password), Buffer.from(this.password))) {
83
+
ctx.reject();
84
+
return;
85
+
}
86
+
ctx.accept();
48
87
return;
49
88
}
50
-
if (ctx.
51
-
89
+
if (ctx.method === 'publickey') {
90
+
const verified = await this.verifyKey(ctx);
91
+
console.log('verified', verified);
92
+
if (!verified) {
93
+
ctx.reject();
94
+
return;
95
+
}
96
+
ctx.accept();
52
97
return;
53
98
}
54
-
ctx.
99
+
ctx.reject();
55
100
});
56
101
client.on('close', () => {
57
102
client.removeAllListeners();