#2179 use Go sub-repo ssh to verify public key content

pull/197/head
Unknwon 9 years ago
parent c631a4a9b9
commit 7ef9a05588
  1. 2
      README.md
  2. 12
      conf/app.ini
  3. 2
      gogs.go
  4. 47
      models/ssh_key.go
  5. 9
      modules/setting/setting.go
  6. 2
      templates/.VERSION

@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
##### Current version: 0.8.21
##### Current version: 0.8.22
| Web | UI | Preview |
|:-------------:|:-------:|:-------:|

@ -120,21 +120,9 @@ ENABLE_NOTIFY_MAIL = false
; More detail: https://github.com/gogits/gogs/issues/165
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
; Do not check minimum key size with corresponding type
DISABLE_MINIMUM_KEY_SIZE_CHECK = false
; Enable captcha validation for registration
ENABLE_CAPTCHA = true
; used to filter keys which are too short
[service.minimum_key_sizes]
ED25519 = 256
ECDSA = 256
NTRU = 1087
MCE = 1702
McE = 1702
RSA = 1024
DSA = 1024
[webhook]
; Hook task queue length
QUEUE_LENGTH = 1000

@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting"
)
const APP_VER = "0.8.21.0114"
const APP_VER = "0.8.22.0115"
func init() {
runtime.GOMAXPROCS(runtime.NumCPU())

@ -21,6 +21,7 @@ import (
"github.com/Unknwon/com"
"github.com/go-xorm/xorm"
"golang.org/x/crypto/ssh"
"github.com/gogits/gogs/modules/log"
"github.com/gogits/gogs/modules/process"
@ -164,48 +165,20 @@ func CheckPublicKeyString(content string) (_ string, err error) {
return "", errors.New("only a single line with a single key please")
}
// write the key to a file…
tmpFile, err := ioutil.TempFile(os.TempDir(), "keytest")
if err != nil {
return "", err
fields := strings.Fields(content)
if len(fields) < 2 {
return "", errors.New("too less fields")
}
tmpPath := tmpFile.Name()
defer os.Remove(tmpPath)
tmpFile.WriteString(content)
tmpFile.Close()
// Check if ssh-keygen recognizes its contents.
stdout, stderr, err := process.Exec("CheckPublicKeyString", "ssh-keygen", "-lf", tmpPath)
key, err := base64.StdEncoding.DecodeString(fields[1])
if err != nil {
return "", errors.New("ssh-keygen -lf: " + stderr)
} else if len(stdout) < 2 {
return "", errors.New("ssh-keygen returned not enough output to evaluate the key: " + stdout)
return "", fmt.Errorf("StdEncoding.DecodeString: %v", err)
}
// The ssh-keygen in Windows does not print key type, so no need go further.
if setting.IsWindows {
return content, nil
}
sshKeygenOutput := strings.Split(stdout, " ")
if len(sshKeygenOutput) < 4 {
return content, ErrKeyUnableVerify{stdout}
}
// Check if key type and key size match.
if !setting.Service.DisableMinimumKeySizeCheck {
keySize := com.StrTo(sshKeygenOutput[0]).MustInt()
if keySize == 0 {
return "", errors.New("cannot get key size of the given key")
}
keyType := strings.Trim(sshKeygenOutput[len(sshKeygenOutput)-1], " ()\n")
if minimumKeySize := setting.Service.MinimumKeySizes[keyType]; minimumKeySize == 0 {
return "", fmt.Errorf("unrecognized public key type: %s", keyType)
} else if keySize < minimumKeySize {
return "", fmt.Errorf("the minimum accepted size of a public key %s is %d", keyType, minimumKeySize)
}
pkey, err := ssh.ParsePublicKey([]byte(key))
if err != nil {
return "", fmt.Errorf("ParsePublicKey: %v", err)
}
log.Trace("Key type: %s", pkey.Type())
return content, nil
}

@ -453,8 +453,6 @@ var Service struct {
EnableNotifyMail bool
EnableReverseProxyAuth bool
EnableReverseProxyAutoRegister bool
DisableMinimumKeySizeCheck bool
MinimumKeySizes map[string]int
EnableCaptcha bool
}
@ -468,14 +466,7 @@ func newService() {
Service.EnableCacheAvatar = sec.Key("ENABLE_CACHE_AVATAR").MustBool()
Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
Service.DisableMinimumKeySizeCheck = sec.Key("DISABLE_MINIMUM_KEY_SIZE_CHECK").MustBool()
Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool()
minimumKeySizes := Cfg.Section("service.minimum_key_sizes").Keys()
Service.MinimumKeySizes = make(map[string]int)
for _, key := range minimumKeySizes {
Service.MinimumKeySizes[key.Name()] = key.MustInt()
}
}
var logLevels = map[string]string{

@ -1 +1 @@
0.8.21.0114
0.8.22.0115
Loading…
Cancel
Save