From 3707680021de040472cd792131a8df42902d08ba Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Wed, 18 Sep 2013 16:40:21 +0200 Subject: also print out SSH_AUTH_SOCK in debug mode --- ssh-agent-filter.C | 3 +++ 1 file changed, 3 insertions(+) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index a5ff38e..f5f9f08 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -362,6 +362,9 @@ int main (int const argc, char const * const * const argv) { dup2(devnull, 1); dup2(devnull, 2); close(devnull); + } else { + std::cout << "copy this to another terminal:" << std::endl; + std::cout << "SSH_AUTH_SOCK='" << path.native() << "'; export SSH_AUTH_SOCK;" << std::endl; } signal(SIGINT, sighandler); -- cgit v1.2.3 From 59f0ba5eb0a1a4c9bcada66bfe3cf1780e268aff Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Wed, 18 Sep 2013 16:43:22 +0200 Subject: add one missing exception activation --- ssh-agent-filter.C | 1 + 1 file changed, 1 insertion(+) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index f5f9f08..733e12d 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -242,6 +242,7 @@ rfc4251string handle_request (rfc4251string const & r) { // temp to test key filtering when signing //return agent_answer; std::istringstream agent_answer_iss{agent_answer}; + agent_answer_iss.exceptions(std::ios::badbit | std::ios::failbit); rfc4251byte answer_code; rfc4251uint32 keycount; agent_answer_iss >> answer_code >> keycount; -- cgit v1.2.3 From 4b2644c5cf45bb0775e777667aa5a54b9cd6bef8 Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Sun, 22 Sep 2013 23:23:11 +0200 Subject: add CLOEXEC flag to sockets SOCK_CLOEXEC is currently only available on linux >= 2.6.27 so fcntl is used as a fallback. --- ssh-agent-filter.C | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index 733e12d..8d87d0b 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -49,6 +49,9 @@ namespace fs = boost::filesystem; #include "ssh-agent.h" #include "version.h" +#ifndef SOCK_CLOEXEC +#define SOCK_CLOEXEC 0 +#endif std::vector allowed_b64; std::vector allowed_md5; @@ -88,10 +91,14 @@ int make_upstream_agent_conn () { exit(EX_UNAVAILABLE); } - if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { + if ((sock = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) == -1) { perror("socket"); exit(EX_UNAVAILABLE); } + if (fcntl(sock, F_SETFD, fcntl(sock, F_GETFD) | FD_CLOEXEC)) { + perror("fcntl"); + exit(EX_UNAVAILABLE); + } addr.sun_family = AF_UNIX; @@ -114,10 +121,14 @@ int make_listen_sock () { int sock; struct sockaddr_un addr; - if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { + if ((sock = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) == -1) { perror("socket"); exit(EX_UNAVAILABLE); } + if (fcntl(sock, F_SETFD, fcntl(sock, F_GETFD) | FD_CLOEXEC)) { + perror("fcntl"); + exit(EX_UNAVAILABLE); + } addr.sun_family = AF_UNIX; -- cgit v1.2.3 From 48ae39cf004d22c0cf96703e382dec41304c3280 Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Sun, 22 Sep 2013 23:26:20 +0200 Subject: add confirmation via ssh-askpass --- ssh-agent-filter.C | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index 8d87d0b..75759d7 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -37,9 +37,11 @@ namespace fs = boost::filesystem; #include #include #include +#include #include #include #include +#include #include #include #include @@ -234,6 +236,27 @@ void setup_filters () { } } +bool confirm (std::string const & question) { + char const * sap; + if (!(sap = getenv("SSH_ASKPASS"))) + sap = "ssh-askpass"; + pid_t pid = fork(); + if (pid < 0) + throw std::runtime_error("fork()"); + if (pid == 0) { + // child + char const * args[3] = { sap, question.c_str(), nullptr }; + // see execvp(3p) for cast rationale + execvp(sap, const_cast(args)); + perror("exec"); + exit(EX_UNAVAILABLE); + } else { + // parent + int status; + return waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0; + } +} + rfc4251string handle_request (rfc4251string const & r) { std::istringstream request{r}; std::ostringstream answer; -- cgit v1.2.3 From cf11590789a66485623ed11508ae137e2b78a96d Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Wed, 9 Oct 2013 18:15:57 +0200 Subject: add cmdline options for confirmation --- ssh-agent-filter.C | 55 +++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 46 insertions(+), 9 deletions(-) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index 75759d7..b094b2c 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -58,8 +58,14 @@ namespace fs = boost::filesystem; std::vector allowed_b64; std::vector allowed_md5; std::vector allowed_comment; +std::vector confirmed_b64; +std::vector confirmed_md5; +std::vector confirmed_comment; std::set allowed_pubkeys; +std::map confirmed_pubkeys; bool debug{false}; +bool all_confirmed{false}; +std::string saf_name; fs::path path; @@ -157,12 +163,17 @@ int make_listen_sock () { void parse_cmdline (int const argc, char const * const * const argv) { po::options_description opts{"OPTIONS"}; opts.add_options() - ("comment,c", po::value(&allowed_comment), "key specified by comment") - ("debug,d", po::bool_switch(&debug), "show some debug info, don't fork") - ("fingerprint,fp,f", po::value(&allowed_md5), "key specified by pubkey's hex-encoded md5 fingerprint") - ("help,h", "print this help message") - ("key,k", po::value(&allowed_b64), "key specified by base64-encoded pubkey") - ("version,V", "print version information") + ("all-confirmed,A", po::bool_switch(&all_confirmed),"allow all other keys with confirmation") + ("comment,c", po::value(&allowed_comment), "key specified by comment") + ("comment-confirmed,C", po::value(&confirmed_comment), "key specified by comment, with confirmation") + ("debug,d", po::bool_switch(&debug), "show some debug info, don't fork") + ("fingerprint,fp,f", po::value(&allowed_md5), "key specified by pubkey's hex-encoded md5 fingerprint") + ("fingerprint-confirmed,F", po::value(&confirmed_md5), "key specified by pubkey's hex-encoded md5 fingerprint, with confirmation") + ("help,h", "print this help message") + ("key,k", po::value(&allowed_b64), "key specified by base64-encoded pubkey") + ("key-confirmed,K", po::value(&confirmed_b64), "key specified by base64-encoded pubkey, with confirmation") + ("name,n", po::value(&saf_name), "name for this instance of ssh-agent-filter, for confirmation puposes") + ("version,V", "print version information") ; po::variables_map config; store(parse_command_line(argc, argv, opts), config); @@ -219,19 +230,45 @@ void setup_filters () { std::string comm(comment); if (debug) std::clog << comm << std::endl; + bool allow{false}; + if (std::count(allowed_b64.begin(), allowed_b64.end(), b64)) { - allowed_pubkeys.insert(key); + allow = true; if (debug) std::clog << "key allowed by equal base64 representation" << std::endl; } if (std::count(allowed_md5.begin(), allowed_md5.end(), md5)) { - allowed_pubkeys.insert(key); + allow = true; if (debug) std::clog << "key allowed by matching md5 fingerprint" << std::endl; } if (std::count(allowed_comment.begin(), allowed_comment.end(), comm)) { - allowed_pubkeys.insert(key); + allow = true; if (debug) std::clog << "key allowed by matching comment" << std::endl; } + if (allow) allowed_pubkeys.insert(std::move(key)); + else { + bool confirm{false}; + + if (std::count(confirmed_b64.begin(), confirmed_b64.end(), b64)) { + confirm = true; + if (debug) std::clog << "key allowed with confirmation by equal base64 representation" << std::endl; + } + if (std::count(confirmed_md5.begin(), confirmed_md5.end(), md5)) { + confirm = true; + if (debug) std::clog << "key allowed with confirmation by matching md5 fingerprint" << std::endl; + } + if (std::count(confirmed_comment.begin(), confirmed_comment.end(), comm)) { + confirm = true; + if (debug) std::clog << "key allowed with confirmation by matching comment" << std::endl; + } + if (all_confirmed) { + confirm = true; + if (debug) std::clog << "key allowed with confirmation by catch-all (-A)" << std::endl; + } + + if (confirm) confirmed_pubkeys.emplace(std::move(key), comment); + } + if (debug) std::clog << std::endl; } } -- cgit v1.2.3 From be10d6a2c1b646ce3cc67bab2896dd3720a80e64 Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Wed, 9 Oct 2013 20:18:07 +0200 Subject: improve inserting into (allow|confirm)ed_pubkeys --- ssh-agent-filter.C | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index b094b2c..16d6f03 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -245,7 +245,7 @@ void setup_filters () { if (debug) std::clog << "key allowed by matching comment" << std::endl; } - if (allow) allowed_pubkeys.insert(std::move(key)); + if (allow) allowed_pubkeys.emplace(std::move(key)); else { bool confirm{false}; @@ -266,7 +266,7 @@ void setup_filters () { if (debug) std::clog << "key allowed with confirmation by catch-all (-A)" << std::endl; } - if (confirm) confirmed_pubkeys.emplace(std::move(key), comment); + if (confirm) confirmed_pubkeys.emplace(std::move(key), std::move(comm)); } if (debug) std::clog << std::endl; -- cgit v1.2.3 From 4bea277b6a2efd93321e5d6a0d96c87eb4d4e7c5 Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Fri, 11 Oct 2013 11:51:42 +0200 Subject: add confirmed key operations normal ssh authentications get dissected to allow the user a more informed decision. --- ssh-agent-filter.C | 52 +++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 49 insertions(+), 3 deletions(-) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index 16d6f03..426c300 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -294,6 +294,27 @@ bool confirm (std::string const & question) { } } +bool dissect_auth_data_ssh (rfc4251string const & data, std::string & request_description) try { + std::istringstream datastream{data}; + datastream.exceptions(std::ios::badbit | std::ios::failbit); + + // Format specified in RFC 4252 Section 7 + rfc4251string session_identifier; datastream >> session_identifier; + rfc4251byte requesttype; datastream >> requesttype; + rfc4251string username; datastream >> username; + rfc4251string servicename; datastream >> servicename; + rfc4251string publickeystring; datastream >> publickeystring; + rfc4251bool shouldbetrue; datastream >> shouldbetrue; + rfc4251string publickeyalgorithm; datastream >> publickeyalgorithm; + rfc4251string publickey; datastream >> publickey; + + request_description = "The request is for an ssh connection as user '" + std::string{username} + "' with service name '" + std::string{servicename} + "'."; + + return true; +} catch (...) { + return false; +} + rfc4251string handle_request (rfc4251string const & r) { std::istringstream request{r}; std::ostringstream answer; @@ -324,7 +345,7 @@ rfc4251string handle_request (rfc4251string const & r) { rfc4251string key; rfc4251string comment; agent_answer_iss >> key >> comment; - if (allowed_pubkeys.count(key)) + if (allowed_pubkeys.count(key) or confirmed_pubkeys.count(key)) keys.emplace_back(std::move(key), std::move(comment)); } answer << answer_code << rfc4251uint32{static_cast(keys.size())}; @@ -335,8 +356,33 @@ rfc4251string handle_request (rfc4251string const & r) { case SSH2_AGENTC_SIGN_REQUEST: { rfc4251string key; - request >> key; - if (allowed_pubkeys.count(key)) { + rfc4251string data; + rfc4251uint32 flags; + request >> key >> data >> flags; + bool allow{false}; + + if (allowed_pubkeys.count(key)) + allow = true; + else { + auto it = confirmed_pubkeys.find(key); + if (it != confirmed_pubkeys.end()) { + std::string request_description; + bool dissect_ok{false}; + if (!dissect_ok) + dissect_ok = dissect_auth_data_ssh(data, request_description); + if (!dissect_ok) + request_description = "The request format is unknown."; + + std::string question = "Something behind the ssh-agent-filter"; + if (saf_name.length()) + question += " named " + saf_name; + question += " requested use of the key named '" + it->second + "'.\n"; + question += request_description; + allow = confirm(question); + } + } + + if (allow) { __gnu_cxx::stdio_filebuf agent_filebuf{make_upstream_agent_conn(), std::ios::in | std::ios::out}; std::iostream agent{&agent_filebuf}; agent.exceptions(std::ios::badbit | std::ios::failbit); -- cgit v1.2.3 From fad26b644eef6883810203a1bd143180484ff8fb Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Wed, 23 Oct 2013 21:24:15 +0200 Subject: add quotes around ssh-agent-filter's name --- ssh-agent-filter.C | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ssh-agent-filter.C') diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index 426c300..dd1b508 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -375,7 +375,7 @@ rfc4251string handle_request (rfc4251string const & r) { std::string question = "Something behind the ssh-agent-filter"; if (saf_name.length()) - question += " named " + saf_name; + question += " named '" + saf_name + "'"; question += " requested use of the key named '" + it->second + "'.\n"; question += request_description; allow = confirm(question); -- cgit v1.2.3