Add user auth

Author: N2D4

ssh/README.md

@@ -21,7 +21,7 @@ To generate TLS connection certificates:
 # Client
 cd ~/.ssh
 openssl req -newkey rsa:2048 -nodes -keyout quic-conn-key.pem -x509 -days 365 -out quic-conn-certificate.pem
-# Server
+-# Server
 cd /etc/ssh
 sudo openssl req -newkey rsa:2048 -nodes -keyout quic-conn-key.pem -x509 -days 365 -out quic-conn-certificate.pem
 ```
@@ -50,7 +50,7 @@ sudo -E ./server -oPort=2200 -oAuthorizedKeysFile=./authorized_keys
 Running the client:
 ```
 cd $GOPATH/src/github.com/netsec-ethz/scion-apps/ssh/client
-./client -p 2200 1-11,[127.0.0.1]
+./client -p 2200 1-11,[127.0.0.1] -oUser=username
 ```
 
 Using SCP (make sure you've done `chmod +x ./scp.sh` first):

ssh/client/clientconfig/clientconfig.go

@@ -20,6 +20,7 @@ type ClientConfig struct {
 // Create creates a new ClientConfig with the default values.
 func Create() *ClientConfig {
 	return &ClientConfig{
+		User:        "",
 		HostAddress: "",
 		Port:        "22",
 		PasswordAuthentication: "yes",

ssh/server/ssh/authcallbacks.go

@@ -26,7 +26,11 @@ func (s *Server) PasswordAuth(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions
 		return nil, fmt.Errorf("Authenticate: %s", err.Error())
 	}
 
-	return nil, nil
+	return &ssh.Permissions{
+		CriticalOptions: map[string]string{
+			"user": c.User(),
+		},
+	}, nil
 }
 
 func loadAuthorizedKeys(file string) (map[string]bool, error) {
@@ -59,8 +63,11 @@ func (s *Server) PublicKeyAuth(c ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.P
 
 	if authKeys[string(pubKey.Marshal())] {
 		return &ssh.Permissions{
-			// Record the public key used for authentication.
+			CriticalOptions: map[string]string{
+				"user": c.User(),
+			},
 			Extensions: map[string]string{
+				// Record the public key used for authentication
 				"pubkey-fp": ssh.FingerprintSHA256(pubKey),
 			},
 		}, nil

ssh/server/ssh/sessionchannel.go

@@ -5,6 +5,8 @@ import (
 	"io"
 	"os"
 	"os/exec"
+	"os/user"
+	"strconv"
 	"sync"
 	"syscall"
 	"unsafe"
@@ -39,6 +41,35 @@ func handleSession(perms *ssh.Permissions, newChannel ssh.NewChannel) {
 
 	execCmd := func(name string, arg ...string) error {
 		cmd := exec.Command(name, arg...)
+		username, ok := perms.CriticalOptions["user"]
+		var usr *user.User
+		if ok {
+			var err error
+			usr, err = user.Lookup(username)
+			if err != nil {
+				return err
+			}
+		} else {
+			usr, err = user.Current()
+			if err != nil {
+				return err
+			}
+		}
+		uid, err := strconv.ParseUint(usr.Uid, 10, 32)
+		if err != nil {
+			return err
+		}
+		gid, err := strconv.ParseUint(usr.Gid, 10, 32)
+		if err != nil {
+			return err
+		}
+		if cmd.SysProcAttr == nil {
+			cmd.SysProcAttr = &syscall.SysProcAttr{}
+		}
+		cmd.SysProcAttr.Credential = &syscall.Credential{
+			Uid: uint32(uid),
+			Gid: uint32(gid),
+		}
 		close := func() {
 			cmd.Process.Kill()
 			err := cmd.Wait()
@@ -47,20 +78,16 @@ func handleSession(perms *ssh.Permissions, newChannel ssh.NewChannel) {
 			}
 
 			tb := []byte{0, 0, 0, 0}
-			connection.SendRequest("exit-status", false, tb)
+			_, err = connection.SendRequest("exit-status", false, tb)
+			if err != nil {
+				log.Error("Error sending exit status", "error", err)
+			}
 
 			once.Do(closeConn)
 
 			log.Debug("Session closed")
 		}
 
-		var pipesWait sync.WaitGroup
-		pipesWait.Add(2)
-		go func() {
-			pipesWait.Wait()
-			close()
-		}()
-
 		if hasRequestedPty {
 			log.Debug("Creating pty...")
 			cmdf, err = pty.Start(cmd)
@@ -70,12 +97,14 @@ func handleSession(perms *ssh.Permissions, newChannel ssh.NewChannel) {
 
 			var once sync.Once
 			go func() {
-				io.Copy(connection, cmdf)
-				pipesWait.Done()
+				_, err := io.Copy(connection, cmdf)
+				log.Debug("Pty to connection copy ended", "error", err)
+				once.Do(close)
 			}()
 			go func() {
-				io.Copy(cmdf, connection)
-				pipesWait.Done()
+				_, err := io.Copy(cmdf, connection)
+				log.Debug("Connection to pty copy ended", "error", err)
+				once.Do(close)
 			}()
 
 			termLen := ptyPayload[3]
@@ -98,6 +127,13 @@ func handleSession(perms *ssh.Permissions, newChannel ssh.NewChannel) {
 			}
 
 			// we want to wait for stdout and stderr before closing connection, but don't really mind about stdin
+			var pipesWait sync.WaitGroup
+			pipesWait.Add(2)
+			go func() {
+				pipesWait.Wait()
+				close()
+			}()
+
 			go func() {
 				_, err := io.Copy(stdin, connection)
 				log.Debug("Stdin copy ended", "error", err)