Add support for authorized_keys files.

Each user can have a set of authorized keys for public key authentication. This is better to support as it lets us use different algorithms and not just RSA. In the age of security, it's good to have variety. I also added additional libraries to support ed25519-based public keys. I updated the SSH libraries so any upstream bug fixes are applied, fixed some warnings and a few other things.
2019-10-02 19:14:56 -07:00
parent dc76da9ac1
commit 0458179597
10 changed files with 378 additions and 250 deletions
--- a/src/main/java/com/ryanmichela/sshd/PublicKeyAuthenticator.java
+++ b/src/main/java/com/ryanmichela/sshd/PublicKeyAuthenticator.java
@@ -1,54 +1,85 @@
 package com.ryanmichela.sshd;

 import org.apache.commons.lang.ArrayUtils;
+import org.apache.sshd.common.config.keys.AuthorizedKeyEntry;
+import org.apache.sshd.common.config.keys.PublicKeyEntryResolver;
 import org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator;
 import org.apache.sshd.server.session.ServerSession;

 import java.io.File;
+import java.util.List;
 import java.io.FileReader;
 import java.security.PublicKey;

 /**
 * Copyright 2013 Ryan Michela
 */
-public class PublicKeyAuthenticator implements PublickeyAuthenticator {
+public class PublicKeyAuthenticator implements PublickeyAuthenticator
+{

-    private File authorizedKeysDir;
+  private File authorizedKeysDir;

-    public PublicKeyAuthenticator(File authorizedKeysDir) {
-        this.authorizedKeysDir = authorizedKeysDir;
-    }
+  public PublicKeyAuthenticator(File authorizedKeysDir) { this.authorizedKeysDir = authorizedKeysDir; }

-    @Override
-    public boolean authenticate(String username, PublicKey key, ServerSession session) {
-        byte[] keyBytes = key.getEncoded();
-        File keyFile = new File(authorizedKeysDir, username);
+	@Override public boolean authenticate(String username, PublicKey key, ServerSession session)
+	{
+		byte[] keyBytes = key.getEncoded();
+		File keyFile	= new File(authorizedKeysDir, username);

-        if (keyFile.exists()) {
-            try {
+		if (keyFile.exists())
+		{
+			try
+            {
+                List<AuthorizedKeyEntry> pklist = AuthorizedKeyEntry.readAuthorizedKeys(keyFile.toPath());
+                
+                PublickeyAuthenticator auth = PublickeyAuthenticator.fromAuthorizedEntries(username, session, pklist,
+                        PublicKeyEntryResolver.IGNORING);

-                FileReader fr = new FileReader(keyFile);
-                PemDecoder pd = new PemDecoder(fr);
-                PublicKey k = pd.getPemBytes();
-                pd.close();
+				boolean accepted = auth.authenticate(username, key, session);

-                if (k != null) {
-                    if (ArrayUtils.isEquals(key.getEncoded(), k.getEncoded())) {
-                        return true;
-                    }
-                } else {
-                    SshdPlugin.instance.getLogger().severe("Failed to parse PEM file. " + keyFile.getAbsolutePath());
+                if (accepted)
+                {
+					SshdPlugin.instance.getLogger().info(
+						username + " successfully authenticated via SSH session using key file " + keyFile.getAbsolutePath());
+				}
+                else
+                {
+					SshdPlugin.instance.getLogger().info(
+						username + " failed authentication via SSH session using key file " + keyFile.getAbsolutePath());
+				}
+                return accepted;
+				/*
+
+				FileReader  fr = new FileReader(keyFile);
+				PemDecoder  pd = new PemDecoder(fr);
+				PublicKey k  = pd.getPemBytes();
+				pd.close();
+
+				if (k != null)
+				{
+					if (ArrayUtils.isEquals(key.getEncoded(), k.getEncoded()))
+					{
+						return true;
+					}
+				}
+				else
+				{
+					SshdPlugin.instance.getLogger().severe("Failed to parse PEM file. " + keyFile.getAbsolutePath());
                }
-            } catch (Exception e) {
-                SshdPlugin.instance.getLogger()
-                        .severe("Failed to process public key " + keyFile.getAbsolutePath() + ". " + e.getMessage());
-            }
-        } else {
-            SshdPlugin.instance.getLogger().warning("Could not locate public key for " + username +
-                                                    ". Make sure the user's key is named the same as their user name " +
-                                                    "without a file extension.");
-        }
+                */
+			}
+			catch (Exception e)
+			{
+				SshdPlugin.instance.getLogger().severe("Failed to process public key " + keyFile.getAbsolutePath() + " " + e.getMessage());
+			}
+		}
+		else
+		{
+			SshdPlugin.instance.getLogger().warning("Could not locate public key for " + username
+													+ ". Make sure the user's key is named the same as their user name "
+													+ "without a file extension.");
+		}

-        return false;
-    }
+		return false;
+	}
 }