Pass public key via auth callback permissions

Author: belak

server.go

@@ -170,7 +170,12 @@ func (srv *Server) config(ctx Context) *gossh.ServerConfig {
 		config.KeyboardInteractiveCallback = func(conn gossh.ConnMetadata, challenger gossh.KeyboardInteractiveChallenge) (*gossh.Permissions, error) {
 			resetPermissions(ctx)
 			applyConnMetadata(ctx, conn)
-			if ok := srv.KeyboardInteractiveHandler(ctx, challenger); !ok {
+			ok := srv.KeyboardInteractiveHandler(ctx, challenger)
+			err := ensureNoPKInPermissions(ctx)
+			if err != nil {
+				return ctx.Permissions().Permissions, err
+			}
+			if !ok {
 				return ctx.Permissions().Permissions, fmt.Errorf("permission denied")
 			}
 			return ctx.Permissions().Permissions, nil
@@ -302,6 +307,30 @@ func (srv *Server) HandleConn(newConn net.Conn) {
 		return
 	}
 
+	if sshConn.Permissions != nil {
+		// Now that the connection was authed, if the permissionsPublicKeyExt was
+		// attached, we need to re-parse it as a public key.
+		if keyData, ok := sshConn.Permissions.Extensions[permissionsPublicKeyExt]; ok {
+			decodedData, err := base64.StdEncoding.DecodeString(keyData)
+			if err != nil {
+				if srv.ConnectionFailedCallback != nil {
+					srv.ConnectionFailedCallback(conn, err)
+				}
+				return
+			}
+
+			key, err := gossh.ParsePublicKey(decodedData)
+			if err != nil {
+				if srv.ConnectionFailedCallback != nil {
+					srv.ConnectionFailedCallback(conn, err)
+				}
+				return
+			}
+
+			ctx.SetValue(ContextKeyPublicKey, key)
+		}
+	}
+
 	// Additionally, now that the connection was authed, we can take the
 	// permissions off of the gossh.Conn and re-attach them to the Permissions
 	// object stored in the Context.