23 | 23 | | type Options struct { |
24 | 24 | | AllowList []*net.IPNet |
25 | 25 | | DenyList []*net.IPNet |
| 26 | + | Comment string |
26 | 27 | | } |
27 | 28 | | |
28 | 29 | | func readPubKeys(path string) (m map[string]Options, err error) { |
40 | 41 | | continue |
41 | 42 | | } |
42 | 43 | | |
43 | | - | pubKey, _, options, _, err := ssh.ParseAuthorizedKey(key) |
| 44 | + | pubKey, comment, options, _, err := ssh.ParseAuthorizedKey(key) |
44 | 45 | | if err != nil { |
45 | 46 | | return m, fmt.Errorf("unable to parse public key. %s line %d. Reason: %s", path, i+1, err) |
46 | 47 | | } |
47 | 48 | | |
48 | 49 | | var opts Options |
| 50 | + | opts.Comment = comment |
| 51 | + | |
49 | 52 | | for _, o := range options { |
50 | 53 | | parts := strings.Split(o, "=") |
51 | 54 | | if len(parts) == 2 && parts[0] == "from" { |
185 | 188 | | log.Println("Reloading authorized_controllee_keys failed: ", err) |
186 | 189 | | } |
187 | 190 | | |
188 | | - | var clientType string |
189 | | - | |
190 | 191 | | remoteIp := getIP(conn.RemoteAddr().String()) |
191 | 192 | | |
192 | 193 | | if remoteIp == nil { |
195 | 196 | | |
196 | 197 | | //If insecure mode, then any unknown client will be connected as a controllable client. |
197 | 198 | | //The server effectively ignores channel requests from controllable clients. |
| 199 | + | |
198 | 200 | | if opt, ok := authorizedKeysMap[string(ssh.MarshalAuthorizedKey(key))]; ok { |
199 | | - | clientType = "user" |
200 | 201 | | |
201 | 202 | | for _, deny := range opt.DenyList { |
202 | 203 | | if deny.Contains(remoteIp) { |
216 | 217 | | return nil, fmt.Errorf("not authorized %q (not on allow list)", conn.User()) |
217 | 218 | | } |
218 | 219 | | |
219 | | - | } else if _, ok := authorizedControllees[string(ssh.MarshalAuthorizedKey(key))]; insecure || ok { |
220 | | - | clientType = "client" |
221 | | - | } else { |
222 | | - | return nil, fmt.Errorf("not authorized %q, potentially you might want to enabled -insecure mode", conn.User()) |
| 220 | + | return &ssh.Permissions{ |
| 221 | + | // Record the public key used for authentication. |
| 222 | + | Extensions: map[string]string{ |
| 223 | + | "comment": opt.Comment, |
| 224 | + | "pubkey-fp": internal.FingerprintSHA1Hex(key), |
| 225 | + | "type": "user", |
| 226 | + | }, |
| 227 | + | }, nil |
| 228 | + | |
223 | 229 | | } |
224 | 230 | | |
225 | | - | return &ssh.Permissions{ |
226 | | - | // Record the public key used for authentication. |
227 | | - | Extensions: map[string]string{ |
228 | | - | "pubkey-fp": internal.FingerprintSHA1Hex(key), |
229 | | - | "type": clientType, |
230 | | - | }, |
231 | | - | }, nil |
| 231 | + | if opt, ok := authorizedControllees[string(ssh.MarshalAuthorizedKey(key))]; insecure || ok { |
232 | 232 | | |
| 233 | + | return &ssh.Permissions{ |
| 234 | + | // Record the public key used for authentication. |
| 235 | + | Extensions: map[string]string{ |
| 236 | + | "comment": opt.Comment, |
| 237 | + | "pubkey-fp": internal.FingerprintSHA1Hex(key), |
| 238 | + | "type": "client", |
| 239 | + | }, |
| 240 | + | }, nil |
| 241 | + | } |
| 242 | + | |
| 243 | + | return nil, fmt.Errorf("not authorized %q, potentially you might want to enabled -insecure mode", conn.User()) |
233 | 244 | | }, |
234 | 245 | | } |
235 | 246 | | |
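Review bot: The controllee branch at `if opt, ok := authorizedControllees[...]; insecure || ok` never consults `opt.DenyList` or `opt.AllowList`, so any `from=` restriction parsed into Options for a controllee key is silently ignored while the user branch above enforces both lists — this assumes authorized_controllee_keys is loaded through the same readPubKeys, which the reload message and the `opt.Comment` access suggest but this hunk does not show. Since the commit already restructures both branches, lift the deny/allow loop into a helper such as `checkSourceIP(opt Options, ip net.IP, user string) error` and call it from the controllee branch when `ok` is true; under `-insecure` with an unknown key `opt` is the zero value, so there is nothing to enforce and `Comment` will be empty, which any later display keyed on it should tolerate. Separately, `pubkey-fp` remains a SHA-1 hex fingerprint; if it is surfaced to operators, `ssh.FingerprintSHA256(key)` is the form they will be comparing against. The enclosing PublicKeyCallback starts before this hunk and the allow-list loop body is hidden by the collapsed lines, so the helper's body is that existing loop moved verbatim.
```go
if opt, ok := authorizedControllees[string(ssh.MarshalAuthorizedKey(key))]; insecure || ok {
	// Enforce from= restrictions for known controllee keys; an unknown key
	// admitted by -insecure has a zero-value opt and nothing to check.
	if ok {
		if err := checkSourceIP(opt, remoteIp, conn.User()); err != nil {
			return nil, err
		}
	}
	// … unchanged: build the "client" Permissions …
}
```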