diff options
Diffstat (limited to 'ssh-agent-filter.C')
-rw-r--r-- | ssh-agent-filter.C | 126 |
1 files changed, 62 insertions, 64 deletions
diff --git a/ssh-agent-filter.C b/ssh-agent-filter.C index faa31f9..4d9b2ba 100644 --- a/ssh-agent-filter.C +++ b/ssh-agent-filter.C @@ -1,7 +1,7 @@ /* * ssh-agent-filter.C -- filtering proxy for ssh-agent meant to be forwarded to untrusted servers * - * Copyright (C) 2013-2014 Timo Weingärtner <timo@tiwe.de> + * Copyright (C) 2013-2015 Timo Weingärtner <timo@tiwe.de> * * This file is part of ssh-agent-filter. * @@ -56,10 +56,8 @@ using std::system_category; #include <utility> using std::pair; -using std::move; #include <algorithm> -using std::count; #include <thread> #include <mutex> @@ -83,7 +81,7 @@ using std::lock_guard; #include <nettle/base64.h> #include <nettle/base16.h> -#include "rfc4251.h" +#include "rfc4251.H" #include "ssh-agent.h" #include "version.h" @@ -97,8 +95,8 @@ vector<string> allowed_comment; vector<string> confirmed_b64; vector<string> confirmed_md5; vector<string> confirmed_comment; -std::set<rfc4251string> allowed_pubkeys; -std::map<rfc4251string, string> confirmed_pubkeys; +std::set<rfc4251::string> allowed_pubkeys; +std::map<rfc4251::string, string> confirmed_pubkeys; bool debug{false}; bool all_confirmed{false}; string saf_name; @@ -237,17 +235,17 @@ void setup_filters () { io::stream<io::file_descriptor> agent{make_upstream_agent_conn(), io::close_handle}; arm(agent); - agent << rfc4251string{string{SSH2_AGENTC_REQUEST_IDENTITIES}}; - rfc4251string answer{agent}; + agent << rfc4251::string{string{SSH2_AGENTC_REQUEST_IDENTITIES}}; + rfc4251::string answer{agent}; io::stream<io::array_source> answer_iss{answer.data(), answer.size()}; arm(answer_iss); - rfc4251byte resp_code{answer_iss}; + rfc4251::byte resp_code{answer_iss}; if (resp_code != SSH2_AGENT_IDENTITIES_ANSWER) throw runtime_error{"unexpected answer from ssh-agent"}; - rfc4251uint32 keycount{answer_iss}; + rfc4251::uint32 keycount{answer_iss}; for (uint32_t i = keycount; i; --i) { - rfc4251string key{answer_iss}; - rfc4251string comment{answer_iss}; + rfc4251::string key{answer_iss}; + rfc4251::string comment{answer_iss}; auto b64 = base64_encode(key); if (debug) clog << b64 << endl; @@ -260,32 +258,32 @@ void setup_filters () { bool allow{false}; - if (count(allowed_b64.begin(), allowed_b64.end(), b64)) { + if (std::count(allowed_b64.begin(), allowed_b64.end(), b64)) { allow = true; if (debug) clog << "key allowed by equal base64 representation" << endl; } - if (count(allowed_md5.begin(), allowed_md5.end(), md5)) { + if (std::count(allowed_md5.begin(), allowed_md5.end(), md5)) { allow = true; if (debug) clog << "key allowed by matching md5 fingerprint" << endl; } - if (count(allowed_comment.begin(), allowed_comment.end(), comm)) { + if (std::count(allowed_comment.begin(), allowed_comment.end(), comm)) { allow = true; if (debug) clog << "key allowed by matching comment" << endl; } - if (allow) allowed_pubkeys.emplace(move(key)); + if (allow) allowed_pubkeys.emplace(std::move(key)); else { bool confirm{false}; - if (count(confirmed_b64.begin(), confirmed_b64.end(), b64)) { + if (std::count(confirmed_b64.begin(), confirmed_b64.end(), b64)) { confirm = true; if (debug) clog << "key allowed with confirmation by equal base64 representation" << endl; } - if (count(confirmed_md5.begin(), confirmed_md5.end(), md5)) { + if (std::count(confirmed_md5.begin(), confirmed_md5.end(), md5)) { confirm = true; if (debug) clog << "key allowed with confirmation by matching md5 fingerprint" << endl; } - if (count(confirmed_comment.begin(), confirmed_comment.end(), comm)) { + if (std::count(confirmed_comment.begin(), confirmed_comment.end(), comm)) { confirm = true; if (debug) clog << "key allowed with confirmation by matching comment" << endl; } @@ -294,7 +292,7 @@ void setup_filters () { if (debug) clog << "key allowed with confirmation by catch-all (-A)" << endl; } - if (confirm) confirmed_pubkeys.emplace(move(key), move(comm)); + if (confirm) confirmed_pubkeys.emplace(std::move(key), std::move(comm)); } if (debug) clog << endl; @@ -325,19 +323,19 @@ bool confirm (string const & question) { } } -bool dissect_auth_data_ssh (rfc4251string const & data, string & request_description) try { +bool dissect_auth_data_ssh (rfc4251::string const & data, string & request_description) try { io::stream<io::array_source> datastream{data.data(), data.size()}; arm(datastream); // Format specified in RFC 4252 Section 7 - rfc4251string session_identifier{datastream}; - rfc4251byte requesttype{datastream}; - rfc4251string username{datastream}; - rfc4251string servicename{datastream}; - rfc4251string publickeystring{datastream}; - rfc4251bool shouldbetrue{datastream}; - rfc4251string publickeyalgorithm{datastream}; - rfc4251string publickey{datastream}; + rfc4251::string session_identifier{datastream}; + rfc4251::byte requesttype{datastream}; + rfc4251::string username{datastream}; + rfc4251::string servicename{datastream}; + rfc4251::string publickeystring{datastream}; + rfc4251::boolean shouldbetrue{datastream}; + rfc4251::string publickeyalgorithm{datastream}; + rfc4251::string publickey{datastream}; request_description = "The request is for an ssh connection as user '" + string{username} + "' with service name '" + string{servicename} + "'."; @@ -346,17 +344,17 @@ bool dissect_auth_data_ssh (rfc4251string const & data, string & request_descrip io::stream<io::array_source> idstream{session_identifier.data(), session_identifier.size()}; arm(idstream); - rfc4251uint32 type{idstream}; + rfc4251::uint32 type{idstream}; if (type == 101) { // PAM_SSH_AGENT_AUTH_REQUESTv1 - rfc4251string cookie{idstream}; - rfc4251string user{idstream}; - rfc4251string ruser{idstream}; - rfc4251string pam_service{idstream}; - rfc4251string pwd{idstream}; - rfc4251string action{idstream}; - rfc4251string hostname{idstream}; - rfc4251uint64 timestamp{idstream}; + rfc4251::string cookie{idstream}; + rfc4251::string user{idstream}; + rfc4251::string ruser{idstream}; + rfc4251::string pam_service{idstream}; + rfc4251::string pwd{idstream}; + rfc4251::string action{idstream}; + rfc4251::string hostname{idstream}; + rfc4251::uint64 timestamp{idstream}; string singleuser{user}; if (user != ruser) @@ -369,12 +367,12 @@ bool dissect_auth_data_ssh (rfc4251string const & data, string & request_descrip io::stream<io::array_source> actionstream{action.data(), action.size()}; arm(actionstream); - rfc4251uint32 argc{actionstream}; + rfc4251::uint32 argc{actionstream}; if (argc) { additional += " to run"; for (uint32_t i = argc; i; --i) { - rfc4251string argv{actionstream}; + rfc4251::string argv{actionstream}; additional += ' ' + string{argv}; } } @@ -395,45 +393,45 @@ bool dissect_auth_data_ssh (rfc4251string const & data, string & request_descrip return false; } -rfc4251string handle_request (rfc4251string const & r) { +rfc4251::string handle_request (rfc4251::string const & r) { io::stream<io::array_source> request{r.data(), r.size()}; - rfc4251string ret; + rfc4251::string ret; io::stream<io::back_insert_device<vector<char>>> answer{ret.value}; arm(request); arm(answer); - rfc4251byte request_code{request}; + rfc4251::byte request_code{request}; switch (request_code) { case SSH2_AGENTC_REQUEST_IDENTITIES: { io::stream<io::file_descriptor> agent{make_upstream_agent_conn(), io::close_handle}; arm(agent); - agent << rfc4251string{string{SSH2_AGENTC_REQUEST_IDENTITIES}}; + agent << rfc4251::string{string{SSH2_AGENTC_REQUEST_IDENTITIES}}; // temp to test key filtering when signing - //return rfc4251string{agent}; - rfc4251string agent_answer{agent}; + //return rfc4251::string{agent}; + rfc4251::string agent_answer{agent}; io::stream<io::array_source> agent_answer_iss{agent_answer.data(), agent_answer.size()}; arm(agent_answer_iss); - rfc4251byte answer_code{agent_answer_iss}; - rfc4251uint32 keycount{agent_answer_iss}; + rfc4251::byte answer_code{agent_answer_iss}; + rfc4251::uint32 keycount{agent_answer_iss}; if (answer_code != SSH2_AGENT_IDENTITIES_ANSWER) throw runtime_error{"unexpected answer from ssh-agent"}; - vector<pair<rfc4251string, rfc4251string>> keys; + vector<pair<rfc4251::string, rfc4251::string>> keys; for (uint32_t i = keycount; i; --i) { - rfc4251string key{agent_answer_iss}; - rfc4251string comment{agent_answer_iss}; + rfc4251::string key{agent_answer_iss}; + rfc4251::string comment{agent_answer_iss}; if (allowed_pubkeys.count(key) or confirmed_pubkeys.count(key)) - keys.emplace_back(move(key), move(comment)); + keys.emplace_back(std::move(key), std::move(comment)); } - answer << answer_code << rfc4251uint32{static_cast<uint32_t>(keys.size())}; + answer << answer_code << rfc4251::uint32{static_cast<uint32_t>(keys.size())}; for (auto const & k : keys) answer << k.first << k.second; } break; case SSH2_AGENTC_SIGN_REQUEST: { - rfc4251string key{request}; - rfc4251string data{request}; - rfc4251uint32 flags{request}; + rfc4251::string key{request}; + rfc4251::string data{request}; + rfc4251::uint32 flags{request}; bool allow{false}; if (allowed_pubkeys.count(key)) @@ -460,21 +458,21 @@ rfc4251string handle_request (rfc4251string const & r) { if (allow) { io::stream<io::file_descriptor> agent{make_upstream_agent_conn(), io::close_handle}; arm(agent); - rfc4251string agent_answer; + rfc4251::string agent_answer; agent << r; - return rfc4251string{agent}; + return rfc4251::string{agent}; } else - answer << rfc4251byte{SSH_AGENT_FAILURE}; + answer << rfc4251::byte{SSH_AGENT_FAILURE}; } break; case SSH_AGENTC_REQUEST_RSA_IDENTITIES: - answer << rfc4251byte{SSH_AGENT_RSA_IDENTITIES_ANSWER}; + answer << rfc4251::byte{SSH_AGENT_RSA_IDENTITIES_ANSWER}; // we got no SSHv1 keys - answer << rfc4251uint32{0}; + answer << rfc4251::uint32{0}; break; case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES: - answer << rfc4251byte{SSH_AGENT_SUCCESS}; + answer << rfc4251::byte{SSH_AGENT_SUCCESS}; break; case SSH_AGENTC_RSA_CHALLENGE: case SSH_AGENTC_ADD_RSA_IDENTITY: @@ -490,7 +488,7 @@ rfc4251string handle_request (rfc4251string const & r) { case SSH_AGENTC_UNLOCK: case SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED: default: - answer << rfc4251byte{SSH_AGENT_FAILURE}; + answer << rfc4251::byte{SSH_AGENT_FAILURE}; break; } @@ -503,7 +501,7 @@ void handle_client (int const sock) try { arm(client); for (;;) - client << handle_request(rfc4251string{client}) << flush; + client << handle_request(rfc4251::string{client}) << flush; } catch (...) { } |