Diffstat (limited to 'vendor/github.com/shazow/ssh-chat')
-rw-r--r--vendor/github.com/shazow/ssh-chat/internal/sanitize/sanitize.go28
-rw-r--r--vendor/github.com/shazow/ssh-chat/sshd/auth.go11
2 files changed, 34 insertions, 5 deletions
diff --git a/vendor/github.com/shazow/ssh-chat/internal/sanitize/sanitize.go b/vendor/github.com/shazow/ssh-chat/internal/sanitize/sanitize.go
new file mode 100644
index 00000000..ed532c97
--- /dev/null
+++ b/vendor/github.com/shazow/ssh-chat/internal/sanitize/sanitize.go
@@ -0,0 +1,28 @@
+package sanitize
+
+import "regexp"
+
+var reStripName = regexp.MustCompile("[^\\w.-]")
+
+const maxLength = 16
+
+// Name returns a name with only allowed characters and a reasonable length
+func Name(s string) string {
+ s = reStripName.ReplaceAllString(s, "")
+ nameLength := maxLength
+ if len(s) <= maxLength {
+ nameLength = len(s)
+ }
+ s = s[:nameLength]
+ return s
+}
+
+var reStripData = regexp.MustCompile("[^[:ascii:]]|[[:cntrl:]]")
+
+// Data returns a string with only allowed characters for client-provided metadata inputs.
+func Data(s string, maxlen int) string {
+ if len(s) > maxlen {
+ s = s[:maxlen]
+ }
+ return reStripData.ReplaceAllString(s, "")
+}
diff --git a/vendor/github.com/shazow/ssh-chat/sshd/auth.go b/vendor/github.com/shazow/ssh-chat/sshd/auth.go
index 2fc86fa8..afa7271a 100644
--- a/vendor/github.com/shazow/ssh-chat/sshd/auth.go
+++ b/vendor/github.com/shazow/ssh-chat/sshd/auth.go
@@ -6,6 +6,7 @@ import (
"errors"
"net"
+ "github.com/shazow/ssh-chat/internal/sanitize"
"golang.org/x/crypto/ssh"
)
@@ -13,8 +14,8 @@ import (
type Auth interface {
// Whether to allow connections without a public key.
AllowAnonymous() bool
- // Given address and public key, return if the connection should be permitted.
- Check(net.Addr, ssh.PublicKey) (bool, error)
+ // Given address and public key and client agent string, returns nil if the connection should be allowed.
+ Check(net.Addr, ssh.PublicKey, string) error
}
// MakeAuth makes an ssh.ServerConfig which performs authentication against an Auth implementation.
@@ -23,8 +24,8 @@ func MakeAuth(auth Auth) *ssh.ServerConfig {
NoClientAuth: false,
// Auth-related things should be constant-time to avoid timing attacks.
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
- ok, err := auth.Check(conn.RemoteAddr(), key)
- if !ok {
+ err := auth.Check(conn.RemoteAddr(), key, sanitize.Data(string(conn.ClientVersion()), 64))
+ if err != nil {
return nil, err
}
perm := &ssh.Permissions{Extensions: map[string]string{
@@ -36,7 +37,7 @@ func MakeAuth(auth Auth) *ssh.ServerConfig {
if !auth.AllowAnonymous() {
return nil, errors.New("public key authentication required")
}
- _, err := auth.Check(conn.RemoteAddr(), nil)
+ err := auth.Check(conn.RemoteAddr(), nil, sanitize.Data(string(conn.ClientVersion()), 64))
return nil, err
},
}