Compare commits
12 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
ee280f1deb | ||
|
355c10c1e4 | ||
|
04933c153b | ||
|
f1344f1a82 | ||
|
d874af85db | ||
|
54b6033392 | ||
|
10a2ffc0a7 | ||
|
ede1cdc76f | ||
|
9e98287172 | ||
|
6653466ca8 | ||
|
f54a736353 | ||
|
d3360f0fd9 |
17
cmd/root.go
17
cmd/root.go
|
@ -9,11 +9,13 @@ import (
|
|||
"net/http"
|
||||
_ "net/http/pprof"
|
||||
"os"
|
||||
"os/signal"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"runtime"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/NYTimes/logrotate"
|
||||
|
@ -28,6 +30,7 @@ import (
|
|||
|
||||
"github.com/pterodactyl/wings/config"
|
||||
"github.com/pterodactyl/wings/environment"
|
||||
"github.com/pterodactyl/wings/internal/notify"
|
||||
"github.com/pterodactyl/wings/loggers/cli"
|
||||
"github.com/pterodactyl/wings/remote"
|
||||
"github.com/pterodactyl/wings/router"
|
||||
|
@ -324,6 +327,7 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
|
|||
}
|
||||
|
||||
// Check if the server should run with TLS but using autocert.
|
||||
go func(s *http.Server, api config.ApiConfiguration, sys config.SystemConfiguration, autotls bool, tlshostname string) {
|
||||
if autotls {
|
||||
m := autocert.Manager{
|
||||
Prompt: autocert.AcceptTOS,
|
||||
|
@ -362,6 +366,19 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
|
|||
if err := s.ListenAndServe(); err != nil {
|
||||
log.WithField("error", err).Fatal("failed to configure HTTP server")
|
||||
}
|
||||
}(s, api, sys, autotls, tlshostname)
|
||||
|
||||
if err := notify.Readiness(); err != nil {
|
||||
log.WithField("error", err).Error("failed to notify systemd of readiness state")
|
||||
}
|
||||
|
||||
c := make(chan os.Signal, 1)
|
||||
signal.Notify(c, syscall.SIGINT, syscall.SIGTERM)
|
||||
<-c
|
||||
|
||||
if err := notify.Stopping(); err != nil {
|
||||
log.WithField("error", err).Error("failed to notify systemd of stopping state")
|
||||
}
|
||||
}
|
||||
|
||||
// Reads the configuration from the disk and then sets up the global singleton
|
||||
|
|
19
internal/notify/notify.go
Normal file
19
internal/notify/notify.go
Normal file
|
@ -0,0 +1,19 @@
|
|||
// Package notify handles notifying the operating system of the program's state.
|
||||
//
|
||||
// For linux based operating systems, this is done through the systemd socket
|
||||
// set by "NOTIFY_SOCKET" environment variable.
|
||||
//
|
||||
// Currently, no other operating systems are supported.
|
||||
package notify
|
||||
|
||||
func Readiness() error {
|
||||
return readiness()
|
||||
}
|
||||
|
||||
func Reloading() error {
|
||||
return reloading()
|
||||
}
|
||||
|
||||
func Stopping() error {
|
||||
return stopping()
|
||||
}
|
48
internal/notify/notify_linux.go
Normal file
48
internal/notify/notify_linux.go
Normal file
|
@ -0,0 +1,48 @@
|
|||
package notify
|
||||
|
||||
import (
|
||||
"io"
|
||||
"net"
|
||||
"os"
|
||||
"strings"
|
||||
)
|
||||
|
||||
func notify(path string, r io.Reader) error {
|
||||
s := &net.UnixAddr{
|
||||
Name: path,
|
||||
Net: "unixgram",
|
||||
}
|
||||
c, err := net.DialUnix(s.Net, nil, s)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer c.Close()
|
||||
|
||||
if _, err := io.Copy(c, r); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func socketNotify(payload string) error {
|
||||
v, ok := os.LookupEnv("NOTIFY_SOCKET")
|
||||
if !ok || v == "" {
|
||||
return nil
|
||||
}
|
||||
if err := notify(v, strings.NewReader(payload)); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func readiness() error {
|
||||
return socketNotify("READY=1")
|
||||
}
|
||||
|
||||
func reloading() error {
|
||||
return socketNotify("RELOADING=1")
|
||||
}
|
||||
|
||||
func stopping() error {
|
||||
return socketNotify("STOPPING=1")
|
||||
}
|
16
internal/notify/notify_other.go
Normal file
16
internal/notify/notify_other.go
Normal file
|
@ -0,0 +1,16 @@
|
|||
//go:build !linux
|
||||
// +build !linux
|
||||
|
||||
package notify
|
||||
|
||||
func readiness() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func reloading() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func stopping() error {
|
||||
return nil
|
||||
}
|
|
@ -71,6 +71,7 @@ type SftpAuthRequest struct {
|
|||
IP string `json:"ip"`
|
||||
SessionID []byte `json:"session_id"`
|
||||
ClientVersion []byte `json:"client_version"`
|
||||
Type string `json:"type"`
|
||||
}
|
||||
|
||||
// SftpAuthResponse is returned by the Panel when a pair of SFTP credentials
|
||||
|
@ -78,8 +79,8 @@ type SftpAuthRequest struct {
|
|||
// matched as well as the permissions that are assigned to the authenticated
|
||||
// user for the SFTP subsystem.
|
||||
type SftpAuthResponse struct {
|
||||
SSHKeys []string `json:"ssh_keys"`
|
||||
Server string `json:"server"`
|
||||
Token string `json:"token"`
|
||||
Permissions []string `json:"permissions"`
|
||||
}
|
||||
|
||||
|
|
|
@ -164,6 +164,5 @@ func (h *Handler) listenForServerEvents(ctx context.Context) error {
|
|||
if err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -125,7 +125,7 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
|
|||
return f, nil
|
||||
}
|
||||
|
||||
// Filecmd hander for basic SFTP system calls related to files, but not anything to do with reading
|
||||
// Filecmd handler for basic SFTP system calls related to files, but not anything to do with reading
|
||||
// or writing to those files.
|
||||
func (h *Handler) Filecmd(request *sftp.Request) error {
|
||||
if h.ro {
|
||||
|
|
252
sftp/server.go
252
sftp/server.go
|
@ -1,11 +1,17 @@
|
|||
package sftp
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
"crypto/ed25519"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"os"
|
||||
"path"
|
||||
|
@ -16,7 +22,6 @@ import (
|
|||
"emperror.dev/errors"
|
||||
"github.com/apex/log"
|
||||
"github.com/pkg/sftp"
|
||||
"golang.org/x/crypto/ed25519"
|
||||
"golang.org/x/crypto/ssh"
|
||||
|
||||
"github.com/pterodactyl/wings/config"
|
||||
|
@ -51,18 +56,7 @@ func New(m *server.Manager) *SFTPServer {
|
|||
// SFTP connections. This will automatically generate an ED25519 key if one does
|
||||
// not already exist on the system for host key verification purposes.
|
||||
func (c *SFTPServer) Run() error {
|
||||
if _, err := os.Stat(c.PrivateKeyPath()); os.IsNotExist(err) {
|
||||
if err := c.generateED25519PrivateKey(); err != nil {
|
||||
return err
|
||||
}
|
||||
} else if err != nil {
|
||||
return errors.Wrap(err, "sftp: could not stat private key file")
|
||||
}
|
||||
pb, err := os.ReadFile(c.PrivateKeyPath())
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "sftp: could not read private key file")
|
||||
}
|
||||
private, err := ssh.ParsePrivateKey(pb)
|
||||
keys, err := c.loadPrivateKeys()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -71,17 +65,19 @@ func (c *SFTPServer) Run() error {
|
|||
NoClientAuth: false,
|
||||
MaxAuthTries: 6,
|
||||
PasswordCallback: c.passwordCallback,
|
||||
PublicKeyCallback: c.publicKeyCallback,
|
||||
}
|
||||
|
||||
for _, k := range keys {
|
||||
conf.AddHostKey(k)
|
||||
}
|
||||
conf.AddHostKey(private)
|
||||
|
||||
listener, err := net.Listen("tcp", c.Listen)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
public := string(ssh.MarshalAuthorizedKey(private.PublicKey()))
|
||||
log.WithField("listen", c.Listen).WithField("public_key", strings.Trim(public, "\n")).Info("sftp server listening for connections")
|
||||
|
||||
log.WithField("listen", c.Listen).Info("sftp server listening for connections")
|
||||
for {
|
||||
if conn, _ := listener.Accept(); conn != nil {
|
||||
go func(conn net.Conn) {
|
||||
|
@ -107,7 +103,7 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
|
|||
// If its not a session channel we just move on because its not something we
|
||||
// know how to handle at this point.
|
||||
if ch.ChannelType() != "session" {
|
||||
ch.Reject(ssh.UnknownChannelType, "unknown channel type")
|
||||
_ = ch.Reject(ssh.UnknownChannelType, "unknown channel type")
|
||||
continue
|
||||
}
|
||||
|
||||
|
@ -121,7 +117,7 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
|
|||
// Channels have a type that is dependent on the protocol. For SFTP
|
||||
// this is "subsystem" with a payload that (should) be "sftp". Discard
|
||||
// anything else we receive ("pty", "shell", etc)
|
||||
req.Reply(req.Type == "subsystem" && string(req.Payload[4:]) == "sftp", nil)
|
||||
_ = req.Reply(req.Type == "subsystem" && string(req.Payload[4:]) == "sftp", nil)
|
||||
}
|
||||
}(requests)
|
||||
|
||||
|
@ -139,6 +135,7 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
|
|||
return s.ID() == uuid
|
||||
})
|
||||
if srv == nil {
|
||||
_ = conn.Close()
|
||||
continue
|
||||
}
|
||||
|
||||
|
@ -146,37 +143,160 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
|
|||
// them access to the underlying filesystem.
|
||||
handler := sftp.NewRequestServer(channel, NewHandler(sconn, srv).Handlers())
|
||||
if err := handler.Serve(); err == io.EOF {
|
||||
handler.Close()
|
||||
_ = handler.Close()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Generates a new ED25519 private key that is used for host authentication when
|
||||
// a user connects to the SFTP server.
|
||||
func (c *SFTPServer) generateED25519PrivateKey() error {
|
||||
_, priv, err := ed25519.GenerateKey(rand.Reader)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "sftp: failed to generate ED25519 private key")
|
||||
func (c *SFTPServer) loadPrivateKeys() ([]ssh.Signer, error) {
|
||||
if _, err := os.Stat(path.Join(c.BasePath, ".sftp/id_rsa")); err != nil {
|
||||
if !os.IsNotExist(err) {
|
||||
return nil, err
|
||||
}
|
||||
if err := os.MkdirAll(path.Dir(c.PrivateKeyPath()), 0o755); err != nil {
|
||||
return errors.Wrap(err, "sftp: could not create internal sftp data directory")
|
||||
|
||||
if err := c.generateRSAPrivateKey(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
o, err := os.OpenFile(c.PrivateKeyPath(), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
|
||||
}
|
||||
rsaBytes, err := ioutil.ReadFile(path.Join(c.BasePath, ".sftp/id_rsa"))
|
||||
if err != nil {
|
||||
return errors.WithStack(err)
|
||||
return nil, errors.Wrap(err, "sftp/server: could not read private key file")
|
||||
}
|
||||
rsaPrivateKey, err := ssh.ParsePrivateKey(rsaBytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if _, err := os.Stat(path.Join(c.BasePath, ".sftp/id_ecdsa")); err != nil {
|
||||
if !os.IsNotExist(err) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := c.generateECDSAPrivateKey(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
ecdsaBytes, err := ioutil.ReadFile(path.Join(c.BasePath, ".sftp/id_ecdsa"))
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "sftp/server: could not read private key file")
|
||||
}
|
||||
ecdsaPrivateKey, err := ssh.ParsePrivateKey(ecdsaBytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if _, err := os.Stat(path.Join(c.BasePath, ".sftp/id_ed25519")); err != nil {
|
||||
if !os.IsNotExist(err) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := c.generateEd25519PrivateKey(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
ed25519Bytes, err := ioutil.ReadFile(path.Join(c.BasePath, ".sftp/id_ed25519"))
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "sftp/server: could not read private key file")
|
||||
}
|
||||
ed25519PrivateKey, err := ssh.ParsePrivateKey(ed25519Bytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return []ssh.Signer{
|
||||
rsaPrivateKey,
|
||||
ecdsaPrivateKey,
|
||||
ed25519PrivateKey,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// generateRSAPrivateKey generates a RSA-4096 private key that will be used by the SFTP server.
|
||||
func (c *SFTPServer) generateRSAPrivateKey() error {
|
||||
key, err := rsa.GenerateKey(rand.Reader, 4096)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := os.MkdirAll(path.Dir(c.PrivateKeyPath("rsa")), 0o755); err != nil {
|
||||
return errors.Wrap(err, "sftp/server: could not create .sftp directory")
|
||||
}
|
||||
o, err := os.OpenFile(c.PrivateKeyPath("rsa"), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer o.Close()
|
||||
|
||||
b, err := x509.MarshalPKCS8PrivateKey(priv)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "sftp: failed to marshal private key into bytes")
|
||||
}
|
||||
if err := pem.Encode(o, &pem.Block{Type: "PRIVATE KEY", Bytes: b}); err != nil {
|
||||
return errors.Wrap(err, "sftp: failed to write ED25519 private key to disk")
|
||||
if err := pem.Encode(o, &pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(key),
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// generateECDSAPrivateKey generates a ECDSA-P256 private key that will be used by the SFTP server.
|
||||
func (c *SFTPServer) generateECDSAPrivateKey() error {
|
||||
key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := os.MkdirAll(path.Dir(c.PrivateKeyPath("ecdsa")), 0o755); err != nil {
|
||||
return errors.Wrap(err, "sftp/server: could not create .sftp directory")
|
||||
}
|
||||
o, err := os.OpenFile(c.PrivateKeyPath("ecdsa"), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer o.Close()
|
||||
|
||||
privBytes, err := x509.MarshalPKCS8PrivateKey(key)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := pem.Encode(o, &pem.Block{
|
||||
Type: "PRIVATE KEY",
|
||||
Bytes: privBytes,
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// generateEd25519PrivateKey generates an ed25519 private key that will be used by the SFTP server.
|
||||
func (c *SFTPServer) generateEd25519PrivateKey() error {
|
||||
_, key, err := ed25519.GenerateKey(rand.Reader)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := os.MkdirAll(path.Dir(c.PrivateKeyPath("ed25519")), 0o755); err != nil {
|
||||
return errors.Wrap(err, "sftp/server: could not create .sftp directory")
|
||||
}
|
||||
o, err := os.OpenFile(c.PrivateKeyPath("ed25519"), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer o.Close()
|
||||
|
||||
privBytes, err := x509.MarshalPKCS8PrivateKey(key)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := pem.Encode(o, &pem.Block{
|
||||
Type: "PRIVATE KEY",
|
||||
Bytes: privBytes,
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// PrivateKeyPath returns the path the host private key for this server instance.
|
||||
func (c *SFTPServer) PrivateKeyPath(name string) string {
|
||||
return path.Join(c.BasePath, ".sftp", "id_"+name)
|
||||
}
|
||||
|
||||
// A function capable of validating user credentials with the Panel API.
|
||||
func (c *SFTPServer) passwordCallback(conn ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
|
||||
request := remote.SftpAuthRequest{
|
||||
|
@ -185,6 +305,7 @@ func (c *SFTPServer) passwordCallback(conn ssh.ConnMetadata, pass []byte) (*ssh.
|
|||
IP: conn.RemoteAddr().String(),
|
||||
SessionID: conn.SessionID(),
|
||||
ClientVersion: conn.ClientVersion(),
|
||||
Type: "password",
|
||||
}
|
||||
|
||||
logger := log.WithFields(log.Fields{"subsystem": "sftp", "username": conn.User(), "ip": conn.RemoteAddr().String()})
|
||||
|
@ -195,6 +316,11 @@ func (c *SFTPServer) passwordCallback(conn ssh.ConnMetadata, pass []byte) (*ssh.
|
|||
return nil, &remote.SftpInvalidCredentialsError{}
|
||||
}
|
||||
|
||||
if len(pass) < 1 {
|
||||
logger.Warn("failed to validate user credentials (invalid format)")
|
||||
return nil, &remote.SftpInvalidCredentialsError{}
|
||||
}
|
||||
|
||||
resp, err := c.manager.Client().ValidateSftpCredentials(context.Background(), request)
|
||||
if err != nil {
|
||||
if _, ok := err.(*remote.SftpInvalidCredentialsError); ok {
|
||||
|
@ -217,7 +343,55 @@ func (c *SFTPServer) passwordCallback(conn ssh.ConnMetadata, pass []byte) (*ssh.
|
|||
return sshPerm, nil
|
||||
}
|
||||
|
||||
// PrivateKeyPath returns the path the host private key for this server instance.
|
||||
func (c *SFTPServer) PrivateKeyPath() string {
|
||||
return path.Join(c.BasePath, ".sftp/id_ed25519")
|
||||
func (c *SFTPServer) publicKeyCallback(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
|
||||
request := remote.SftpAuthRequest{
|
||||
User: conn.User(),
|
||||
Pass: "KEKW",
|
||||
IP: conn.RemoteAddr().String(),
|
||||
SessionID: conn.SessionID(),
|
||||
ClientVersion: conn.ClientVersion(),
|
||||
Type: "publicKey",
|
||||
}
|
||||
|
||||
logger := log.WithFields(log.Fields{"subsystem": "sftp", "username": conn.User(), "ip": conn.RemoteAddr().String()})
|
||||
logger.Debug("validating public key for SFTP connection")
|
||||
|
||||
if !validUsernameRegexp.MatchString(request.User) {
|
||||
logger.Warn("failed to validate user credentials (invalid format)")
|
||||
return nil, &remote.SftpInvalidCredentialsError{}
|
||||
}
|
||||
|
||||
resp, err := c.manager.Client().ValidateSftpCredentials(context.Background(), request)
|
||||
if err != nil {
|
||||
if _, ok := err.(*remote.SftpInvalidCredentialsError); ok {
|
||||
logger.Warn("failed to validate user credentials (invalid username or password)")
|
||||
} else {
|
||||
logger.WithField("error", err).Error("encountered an error while trying to validate user credentials")
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if len(resp.SSHKeys) < 1 {
|
||||
return nil, &remote.SftpInvalidCredentialsError{}
|
||||
}
|
||||
|
||||
for _, k := range resp.SSHKeys {
|
||||
storedPublicKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(k))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if !bytes.Equal(key.Marshal(), storedPublicKey.Marshal()) {
|
||||
continue
|
||||
}
|
||||
|
||||
return &ssh.Permissions{
|
||||
Extensions: map[string]string{
|
||||
"uuid": resp.Server,
|
||||
"user": conn.User(),
|
||||
"permissions": strings.Join(resp.Permissions, ","),
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
return nil, &remote.SftpInvalidCredentialsError{}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue
Block a user