Implemented IP whitelisting
This commit is contained in:
Ryan Michela
parent
f9a3ddec43
commit
cac1ed8697
2
pom.xml
2
pom.xml
@ -6,7 +6,7 @@
|
||||
|
||||
<groupId>com.ryanmichela</groupId>
|
||||
<artifactId>SSHD</artifactId>
|
||||
<version>1.1</version>
|
||||
<version>1.2</version>
|
||||
<url>http://dev.bukkit.org/server-mods/sshd/</url>
|
||||
|
||||
<!-- Repositories -->
|
||||
|
||||
142
src/main/java/com/ryanmichela/sshd/CidrUtils.java
Normal file
142
src/main/java/com/ryanmichela/sshd/CidrUtils.java
Normal file
@ -0,0 +1,142 @@
|
||||
/*
|
||||
* The MIT License
|
||||
*
|
||||
* Copyright (c) 2013 Edin Dazdarevic (edin.dazdarevic@gmail.com)
|
||||
|
||||
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
* of this software and associated documentation files (the "Software"), to deal
|
||||
* in the Software without restriction, including without limitation the rights
|
||||
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
* copies of the Software, and to permit persons to whom the Software is
|
||||
* furnished to do so, subject to the following conditions:
|
||||
|
||||
* The above copyright notice and this permission notice shall be included in
|
||||
* all copies or substantial portions of the Software.
|
||||
|
||||
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
* THE SOFTWARE.
|
||||
*
|
||||
* */
|
||||
|
||||
package com.ryanmichela.sshd;
|
||||
|
||||
import java.math.BigInteger;
|
||||
import java.net.InetAddress;
|
||||
import java.net.UnknownHostException;
|
||||
import java.nio.ByteBuffer;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* A class that enables to get an IP range from CIDR specification. It supports
|
||||
* both IPv4 and IPv6.
|
||||
*/
|
||||
public class CIDRUtils {
|
||||
private final String cidr;
|
||||
|
||||
private InetAddress inetAddress;
|
||||
private InetAddress startAddress;
|
||||
private InetAddress endAddress;
|
||||
private final int prefixLength;
|
||||
|
||||
|
||||
public CIDRUtils(String cidr) throws UnknownHostException {
|
||||
|
||||
this.cidr = cidr;
|
||||
|
||||
/* split CIDR to address and prefix part */
|
||||
if (this.cidr.contains("/")) {
|
||||
int index = this.cidr.indexOf("/");
|
||||
String addressPart = this.cidr.substring(0, index);
|
||||
String networkPart = this.cidr.substring(index + 1);
|
||||
|
||||
inetAddress = InetAddress.getByName(addressPart);
|
||||
prefixLength = Integer.parseInt(networkPart);
|
||||
|
||||
calculate();
|
||||
} else {
|
||||
throw new IllegalArgumentException("not an valid CIDR format!");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
private void calculate() throws UnknownHostException {
|
||||
|
||||
ByteBuffer maskBuffer;
|
||||
int targetSize;
|
||||
if (inetAddress.getAddress().length == 4) {
|
||||
maskBuffer =
|
||||
ByteBuffer
|
||||
.allocate(4)
|
||||
.putInt(-1);
|
||||
targetSize = 4;
|
||||
} else {
|
||||
maskBuffer = ByteBuffer.allocate(16)
|
||||
.putLong(-1L)
|
||||
.putLong(-1L);
|
||||
targetSize = 16;
|
||||
}
|
||||
|
||||
BigInteger mask = (new BigInteger(1, maskBuffer.array())).not().shiftRight(prefixLength);
|
||||
|
||||
ByteBuffer buffer = ByteBuffer.wrap(inetAddress.getAddress());
|
||||
BigInteger ipVal = new BigInteger(1, buffer.array());
|
||||
|
||||
BigInteger startIp = ipVal.and(mask);
|
||||
BigInteger endIp = startIp.add(mask.not());
|
||||
|
||||
byte[] startIpArr = toBytes(startIp.toByteArray(), targetSize);
|
||||
byte[] endIpArr = toBytes(endIp.toByteArray(), targetSize);
|
||||
|
||||
this.startAddress = InetAddress.getByAddress(startIpArr);
|
||||
this.endAddress = InetAddress.getByAddress(endIpArr);
|
||||
|
||||
}
|
||||
|
||||
private byte[] toBytes(byte[] array, int targetSize) {
|
||||
int counter = 0;
|
||||
List<Byte> newArr = new ArrayList<Byte>();
|
||||
while (counter < targetSize && (array.length - 1 - counter >= 0)) {
|
||||
newArr.add(0, array[array.length - 1 - counter]);
|
||||
counter++;
|
||||
}
|
||||
|
||||
int size = newArr.size();
|
||||
for (int i = 0; i < (targetSize - size); i++) {
|
||||
|
||||
newArr.add(0, (byte) 0);
|
||||
}
|
||||
|
||||
byte[] ret = new byte[newArr.size()];
|
||||
for (int i = 0; i < newArr.size(); i++) {
|
||||
ret[i] = newArr.get(i);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
public String getNetworkAddress() {
|
||||
|
||||
return this.startAddress.getHostAddress();
|
||||
}
|
||||
|
||||
public String getBroadcastAddress() {
|
||||
return this.endAddress.getHostAddress();
|
||||
}
|
||||
|
||||
public boolean isInRange(String ipAddress) throws UnknownHostException {
|
||||
InetAddress address = InetAddress.getByName(ipAddress);
|
||||
BigInteger start = new BigInteger(1, this.startAddress.getAddress());
|
||||
BigInteger end = new BigInteger(1, this.endAddress.getAddress());
|
||||
BigInteger target = new BigInteger(1, address.getAddress());
|
||||
|
||||
int st = start.compareTo(target);
|
||||
int te = target.compareTo(end);
|
||||
|
||||
return (st == -1 || st == 0) && (te == -1 || te == 0);
|
||||
}
|
||||
}
|
||||
@ -9,11 +9,13 @@ import java.util.Map;
|
||||
/**
|
||||
* Copyright 2013 Ryan Michela
|
||||
*/
|
||||
public class ConfigPasswordAuthenticator implements PasswordAuthenticator {
|
||||
public class ConfigPasswordAuthenticator extends IpFilteredAuthenticator implements PasswordAuthenticator {
|
||||
private Map<String, Integer> failCounts = new HashMap<String, Integer>();
|
||||
|
||||
@Override
|
||||
public boolean authenticate(String username, String password, ServerSession serverSession) {
|
||||
if (!ipAddressIsApproved(serverSession)) return false;
|
||||
|
||||
if (SshdPlugin.instance.getConfig().getString("credentials." + username).equals(password)) {
|
||||
failCounts.put(username, 0);
|
||||
return true;
|
||||
|
||||
@ -0,0 +1,28 @@
|
||||
package com.ryanmichela.sshd;
|
||||
|
||||
import org.apache.sshd.server.session.ServerSession;
|
||||
|
||||
import java.net.InetSocketAddress;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Copyright 2014 Ryan Michela
|
||||
*/
|
||||
public class IpFilteredAuthenticator {
|
||||
private NetworkAddressValidator addressValidator;
|
||||
|
||||
public IpFilteredAuthenticator() {
|
||||
List<String> whitelist = SshdPlugin.instance.getConfig().getStringList("whitelist");
|
||||
if (whitelist.size() > 0) {
|
||||
addressValidator = new NetworkAddressValidator(whitelist);
|
||||
}
|
||||
}
|
||||
|
||||
public boolean ipAddressIsApproved(ServerSession serverSession) {
|
||||
if (addressValidator != null) {
|
||||
String ip = ((InetSocketAddress)serverSession.getIoSession().getRemoteAddress()).getAddress().getHostAddress();
|
||||
return addressValidator.isApproved(ip);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,42 @@
|
||||
package com.ryanmichela.sshd;
|
||||
|
||||
/**
|
||||
* Copyright 2014 Ryan Michela
|
||||
*/
|
||||
|
||||
import java.net.UnknownHostException;
|
||||
import java.util.List;
|
||||
|
||||
public class NetworkAddressValidator {
|
||||
|
||||
private CIDRUtils[] approvedAddressList = null;
|
||||
|
||||
public NetworkAddressValidator(List<String> approvedAddressList) {
|
||||
this.approvedAddressList = new CIDRUtils[approvedAddressList.size()];
|
||||
for (int i = 0; i < approvedAddressList.size(); i++) {
|
||||
String whitelistEntry = approvedAddressList.get(i);
|
||||
try {
|
||||
if (approvedAddressList.get(i).indexOf("/") > 0) {
|
||||
this.approvedAddressList[i] = new CIDRUtils(whitelistEntry);
|
||||
} else {
|
||||
this.approvedAddressList[i] = new CIDRUtils(whitelistEntry + "/32");
|
||||
}
|
||||
} catch (UnknownHostException e) {
|
||||
SshdPlugin.instance.getLogger().severe(whitelistEntry + " is not a valid IPv4 or IPv6 address or CIDR formatted address.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public boolean isApproved(String ipAddress) {
|
||||
try {
|
||||
for (CIDRUtils approvedAddress : approvedAddressList) {
|
||||
if (approvedAddress.isInRange(ipAddress)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
} catch (UnknownHostException e) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -11,7 +11,7 @@ import java.security.PublicKey;
|
||||
/**
|
||||
* Copyright 2013 Ryan Michela
|
||||
*/
|
||||
public class PublicKeyAuthenticator implements PublickeyAuthenticator {
|
||||
public class PublicKeyAuthenticator extends IpFilteredAuthenticator implements PublickeyAuthenticator {
|
||||
private File authorizedKeysDir;
|
||||
|
||||
public PublicKeyAuthenticator(File authorizedKeysDir) {
|
||||
@ -20,6 +20,8 @@ public class PublicKeyAuthenticator implements PublickeyAuthenticator {
|
||||
|
||||
@Override
|
||||
public boolean authenticate(String username, PublicKey key, ServerSession session) {
|
||||
if (!ipAddressIsApproved(session)) return false;
|
||||
|
||||
byte[] keyBytes = key.getEncoded();
|
||||
File keyFile = new File(authorizedKeysDir, username);
|
||||
|
||||
|
||||
@ -10,3 +10,10 @@ port: 22
|
||||
credentials:
|
||||
# user1: password1
|
||||
# user2: password2
|
||||
|
||||
# To enable the IP whitelist, add more lines below. Whitelist entries can be expressed
|
||||
# in CIDR notation (ip address/mask) for whitelisting a range of IP addresses.
|
||||
whitelist:
|
||||
# - ::1/128
|
||||
# - 127.0.0.0/8
|
||||
# - 192.168.0.0/16
|
||||
@ -1,4 +1,4 @@
|
||||
name: SSHD
|
||||
version: "1.1"
|
||||
version: "1.2"
|
||||
author: Ryan Michela
|
||||
main: com.ryanmichela.sshd.SshdPlugin
|
||||
Loading…
Reference in New Issue
Block a user