Added hover text and click to copy for /mkpasswd
- Added hover text and click to copy so you can now copy your hash to the clipboard. - Added default values for the configuration in case none were set for some reason. - Validate permissions from the config (something I forgot to do) - Tell the user permission denied if they don't have permission to run the command. - Added a default pseudo-user for global permissions and rules. - Updated some verbage in the config comments
This commit is contained in:
parent
40f63bdeeb
commit
e0080fb1a0
16
pom.xml
16
pom.xml
@ -34,15 +34,15 @@
|
||||
<!-- Dependencies -->
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.bukkit</groupId>
|
||||
<artifactId>bukkit</artifactId>
|
||||
<version>1.14.4-R0.1-SNAPSHOT</version>
|
||||
<groupId>org.spigotmc</groupId>
|
||||
<artifactId>spigot-api</artifactId>
|
||||
<version>1.15.2-R0.1-SNAPSHOT</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.apache.sshd</groupId>
|
||||
<artifactId>sshd-core</artifactId>
|
||||
<version>2.3.0</version>
|
||||
<version>2.4.0</version>
|
||||
<scope>compile</scope>
|
||||
<type>jar</type>
|
||||
</dependency>
|
||||
@ -50,19 +50,19 @@
|
||||
<dependency>
|
||||
<groupId>org.apache.sshd</groupId>
|
||||
<artifactId>sshd-mina</artifactId>
|
||||
<version>2.3.0</version>
|
||||
<version>2.4.0</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.apache.sshd</groupId>
|
||||
<artifactId>sshd-contrib</artifactId>
|
||||
<version>2.3.0</version>
|
||||
<version>2.4.0</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.apache.sshd</groupId>
|
||||
<artifactId>sshd-common</artifactId>
|
||||
<version>2.3.0</version>
|
||||
<version>2.4.0</version>
|
||||
<scope>compile</scope>
|
||||
<type>jar</type>
|
||||
</dependency>
|
||||
@ -70,7 +70,7 @@
|
||||
<dependency>
|
||||
<groupId>org.apache.sshd</groupId>
|
||||
<artifactId>sshd-sftp</artifactId>
|
||||
<version>2.3.0</version>
|
||||
<version>2.4.0</version>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
|
@ -70,7 +70,7 @@ public class ConfigPasswordAuthenticator implements PasswordAuthenticator
|
||||
}
|
||||
|
||||
SshdPlugin.instance.getLogger().info("Failed login for " + username + " using " + HashType + "-based password authentication.");
|
||||
Integer tries = SshdPlugin.instance.getConfig().getInt("LoginRetries");
|
||||
Integer tries = SshdPlugin.instance.getConfig().getInt("LoginRetries", 3);
|
||||
|
||||
try
|
||||
{
|
||||
|
@ -2,13 +2,13 @@ package com.ryanmichela.sshd;
|
||||
|
||||
import com.ryanmichela.sshd.ConsoleCommandCompleter;
|
||||
import com.ryanmichela.sshd.ConsoleLogFormatter;
|
||||
import com.ryanmichela.sshd.PermissionUtil;
|
||||
import com.ryanmichela.sshd.FlushyOutputStream;
|
||||
import com.ryanmichela.sshd.FlushyStreamHandler;
|
||||
import com.ryanmichela.sshd.SshTerminal;
|
||||
import com.ryanmichela.sshd.SshdPlugin;
|
||||
import com.ryanmichela.sshd.StreamHandlerAppender;
|
||||
import com.ryanmichela.sshd.implementations.SSHDCommandSender;
|
||||
import com.ryanmichela.sshd.ConsoleLogFormatter;
|
||||
import jline.console.ConsoleReader;
|
||||
import org.apache.logging.log4j.LogManager;
|
||||
import org.apache.logging.log4j.core.Logger;
|
||||
@ -29,6 +29,7 @@ import java.io.InputStream;
|
||||
import java.io.OutputStream;
|
||||
import java.net.InetAddress;
|
||||
import java.util.StringTokenizer;
|
||||
import java.util.Optional;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.StreamHandler;
|
||||
|
||||
@ -100,6 +101,17 @@ public class ConsoleShellFactory implements ShellFactory
|
||||
{
|
||||
try
|
||||
{
|
||||
String username = env.getEnv().get(Environment.ENV_USER);
|
||||
Optional<String> optcred = PermissionUtil.GetCredential(username, "console");
|
||||
// They don't have access.
|
||||
if (optcred.isPresent() && !optcred.get().contains("R"))
|
||||
{
|
||||
cs.close(true);
|
||||
return;
|
||||
}
|
||||
else
|
||||
SshdPlugin.instance.getLogger().warning("There is no $default pseudo-user under credential, allowing unrestricted access...");
|
||||
|
||||
this.ConsoleReader = new ConsoleReader(in, new FlushyOutputStream(out), new SshTerminal());
|
||||
this.ConsoleReader.setExpandEvents(true);
|
||||
this.ConsoleReader.addCompleter(new ConsoleCommandCompleter());
|
||||
@ -110,14 +122,15 @@ public class ConsoleShellFactory implements ShellFactory
|
||||
((Logger)LogManager.getRootLogger()).addAppender(this.streamHandlerAppender);
|
||||
|
||||
this.environment = env;
|
||||
this.Username = env.getEnv().get(Environment.ENV_USER);
|
||||
this.Username = username;
|
||||
this.SshdCommandSender = new SSHDCommandSender();
|
||||
this.SshdCommandSender.console = this;
|
||||
thread = new Thread(this, "SSHD ConsoleShell " + this.Username);
|
||||
thread = new Thread(this, "SSHD ConsoleShell " + username);
|
||||
thread.start();
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
throw new IOException("Error starting shell", e);
|
||||
}
|
||||
}
|
||||
@ -129,7 +142,7 @@ public class ConsoleShellFactory implements ShellFactory
|
||||
{
|
||||
try
|
||||
{
|
||||
if (!SshdPlugin.instance.getConfig().getString("Mode").equals("RPC"))
|
||||
if (!SshdPlugin.instance.getConfig().getString("Mode", "DEFAULT").equals("RPC"))
|
||||
printPreamble(this.ConsoleReader);
|
||||
while (true)
|
||||
{
|
||||
@ -153,11 +166,15 @@ public class ConsoleShellFactory implements ShellFactory
|
||||
}
|
||||
// Hide the mkpasswd command input from other users.
|
||||
Boolean mkpasswd = command.split(" ")[0].equals("mkpasswd");
|
||||
Optional<String> optcred = PermissionUtil.GetCredential(this.Username, "console");
|
||||
|
||||
if (optcred.isPresent() && !optcred.get().contains("W"))
|
||||
continue;
|
||||
|
||||
Bukkit.getScheduler().runTask(
|
||||
SshdPlugin.instance, () ->
|
||||
{
|
||||
if (SshdPlugin.instance.getConfig().getString("Mode").equals("RPC") && command.startsWith("rpc"))
|
||||
if (SshdPlugin.instance.getConfig().getString("Mode", "DEFAULT").equals("RPC") && command.startsWith("rpc"))
|
||||
{
|
||||
// NO ECHO NO PREAMBLE AND SHIT
|
||||
String cmd = command.substring("rpc".length() + 1, command.length());
|
||||
|
@ -7,6 +7,11 @@ import org.bukkit.entity.Player;
|
||||
|
||||
import java.util.Arrays;
|
||||
|
||||
import net.md_5.bungee.api.chat.ClickEvent;
|
||||
import net.md_5.bungee.api.chat.ComponentBuilder;
|
||||
import net.md_5.bungee.api.chat.HoverEvent;
|
||||
import net.md_5.bungee.api.chat.TextComponent;
|
||||
|
||||
import com.ryanmichela.sshd.Cryptography;
|
||||
import com.ryanmichela.sshd.SshdPlugin;
|
||||
|
||||
@ -30,10 +35,6 @@ class MkpasswdCommand implements CommandExecutor
|
||||
@Override
|
||||
public boolean onCommand(CommandSender sender, Command command, String label, String[] args)
|
||||
{
|
||||
// If we're not mkpasswd, just fuck off.
|
||||
if (!label.equalsIgnoreCase("mkpasswd"))
|
||||
return false;
|
||||
|
||||
String algoritm, password;
|
||||
try
|
||||
{
|
||||
@ -77,7 +78,11 @@ class MkpasswdCommand implements CommandExecutor
|
||||
return true;
|
||||
}
|
||||
|
||||
sender.sendMessage("\u00A79Your Hash: " + hash + "\u00A7r");
|
||||
TextComponent msg = new TextComponent("\u00A79Your Hash: " + hash + "\u00A7r");
|
||||
msg.setClickEvent(new ClickEvent(ClickEvent.Action.COPY_TO_CLIPBOARD, hash));
|
||||
msg.setHoverEvent(new HoverEvent(HoverEvent.Action.SHOW_TEXT, new ComponentBuilder("Click to copy the hash!").create()));
|
||||
|
||||
sender.spigot().sendMessage(msg);
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
@ -86,6 +91,8 @@ class MkpasswdCommand implements CommandExecutor
|
||||
sender.sendMessage("\u00A7cAn error occured. Please check console for details.\u00A7r");
|
||||
}
|
||||
}
|
||||
else
|
||||
sender.sendMessage("\u00A7cPermission Denied.\u00A7r");
|
||||
|
||||
return true;
|
||||
}
|
||||
|
23
src/main/java/com/ryanmichela/sshd/PermissionUtil.java
Normal file
23
src/main/java/com/ryanmichela/sshd/PermissionUtil.java
Normal file
@ -0,0 +1,23 @@
|
||||
package com.ryanmichela.sshd;
|
||||
|
||||
import java.util.Optional;
|
||||
|
||||
import com.ryanmichela.sshd.SshdPlugin;
|
||||
|
||||
public class PermissionUtil
|
||||
{
|
||||
public static Optional<String> GetCredential(String username, String credential)
|
||||
{
|
||||
String Default = SshdPlugin.instance.getConfig().getString("Credentials.$default." + credential);
|
||||
String cred = SshdPlugin.instance.getConfig().getString("Credentials." + username + "." + credential, Default);
|
||||
|
||||
if (cred == null)
|
||||
return Optional.empty();
|
||||
|
||||
else if (cred.isEmpty())
|
||||
return Optional.empty();
|
||||
|
||||
else
|
||||
return Optional.of(cred);
|
||||
}
|
||||
};
|
@ -27,7 +27,7 @@ public class PublicKeyAuthenticator implements PublickeyAuthenticator
|
||||
{
|
||||
byte[] keyBytes = key.getEncoded();
|
||||
File keyFile = new File(authorizedKeysDir, username);
|
||||
Integer tries = SshdPlugin.instance.getConfig().getInt("LoginRetries");
|
||||
Integer tries = SshdPlugin.instance.getConfig().getInt("LoginRetries", 3);
|
||||
|
||||
if (keyFile.exists())
|
||||
{
|
||||
@ -68,7 +68,8 @@ public class PublicKeyAuthenticator implements PublickeyAuthenticator
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
SshdPlugin.instance.getLogger().severe("Failed to process public key " + keyFile.getAbsolutePath() + " " + e.getMessage());
|
||||
e.printStackTrace();
|
||||
SshdPlugin.instance.getLogger().severe("Failed to process public key " + keyFile.getAbsolutePath());
|
||||
}
|
||||
}
|
||||
else
|
||||
|
@ -92,11 +92,12 @@ public class SshdPlugin extends JavaPlugin
|
||||
sshd.setPasswordAuthenticator(new ConfigPasswordAuthenticator());
|
||||
sshd.setPublickeyAuthenticator(new PublicKeyAuthenticator(authorizedKeys));
|
||||
|
||||
if (getConfig().getBoolean("EnableSFTP"))
|
||||
if (getConfig().getBoolean("EnableSFTP", false))
|
||||
{
|
||||
// Handle access control for SFTP.
|
||||
SftpSubsystemFactory.Builder builder = new SftpSubsystemFactory.Builder();
|
||||
builder.addSftpEventListener(new SimpleAccessControlSftpEventListener() {
|
||||
builder.addSftpEventListener(new SimpleAccessControlSftpEventListener()
|
||||
{
|
||||
protected boolean isAccessAllowed(ServerSession session, String remote, Path localpath)
|
||||
{
|
||||
try
|
||||
@ -140,10 +141,11 @@ public class SshdPlugin extends JavaPlugin
|
||||
{
|
||||
try
|
||||
{
|
||||
boolean defaultbool = getConfig().getBoolean("Credentials.$default.sftp.enabled", false);
|
||||
ConfigurationSection UsernameNamespace = getConfig().getConfigurationSection("Credentials." + session.getUsername() + ".sftp");
|
||||
|
||||
// They don't have SFTP enabled so deny them.
|
||||
if (UsernameNamespace == null || !UsernameNamespace.getBoolean("enabled"))
|
||||
if (UsernameNamespace == null || !UsernameNamespace.getBoolean("enabled", defaultbool))
|
||||
return false;
|
||||
|
||||
// Check a list of files against a path trying to be accessed.
|
||||
@ -165,7 +167,7 @@ public class SshdPlugin extends JavaPlugin
|
||||
}
|
||||
}
|
||||
|
||||
return UsernameNamespace.getString("default").equalsIgnoreCase("allow");
|
||||
return UsernameNamespace.getString("default", "deny").equalsIgnoreCase("allow");
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
|
@ -171,4 +171,8 @@ public class SSHDCommandSender implements ConsoleCommandSender, CommandSender
|
||||
return Bukkit.getServer();
|
||||
}
|
||||
|
||||
public CommandSender.Spigot spigot()
|
||||
{
|
||||
return ((CommandSender)this).spigot();
|
||||
}
|
||||
}
|
||||
|
@ -1,9 +1,8 @@
|
||||
# The IP addresses(s) the SSH server will listen on. Use a comma separated list for multiple addresses.
|
||||
# Leave as "all" for all addresses.
|
||||
ListenAddress: all
|
||||
# The port the SSH server will listen on. Note that anything above 1024 will require you to run
|
||||
# the whole minecraft server with elevated privileges, this is not recommended and you should
|
||||
# use iptables to route packets from a lower port.
|
||||
# The port the SSH server will listen on. Note that anything *below* 1024 will require you to run
|
||||
# the whole minecraft server with elevated privileges (NOT RECOMMENDED).
|
||||
Port: 1025
|
||||
|
||||
# Operational mode. Don't touch if you don't know what you're doing. Can be either DEFAULT or RPC
|
||||
@ -37,8 +36,26 @@ PasswordType: bcrypt
|
||||
|
||||
# Associate each username with a password hash (or the password if the PasswordType is set to PLAIN)
|
||||
Credentials:
|
||||
# Username (should match SSH key if using key-based authentication)
|
||||
justasic:
|
||||
# The defaults for any user who does not have a specific section.
|
||||
# Specific user permissions override the $default pseudo-user.
|
||||
$default:
|
||||
# Whether they can read or write to the console
|
||||
console: RW
|
||||
# SFTP access for anyone.
|
||||
sftp:
|
||||
# Whether sftp is allowed at all.
|
||||
enabled: true
|
||||
# Whether to allow or deny by default
|
||||
default: allow
|
||||
# specific rules for directories
|
||||
rules:
|
||||
# Deny the SSHD config folder by default as an example.
|
||||
"*SSHD/*":
|
||||
readable: false
|
||||
writeable: false
|
||||
|
||||
# Username (should match SSH key if using key-based authentication)
|
||||
justasic:
|
||||
# Password hash from /mkpasswd command
|
||||
password: $2a$10$Oqk83FrypRrMF35EDeoQDuidJOQEWBE0joEQ7MJFi/Oeg26wQ3fm2
|
||||
# Whether they can read, write, or have read/write permissions to console.
|
||||
@ -47,7 +64,7 @@ Credentials:
|
||||
sftp:
|
||||
# Whether SFTP is enabled for this user.
|
||||
enabled: true
|
||||
# Whether to deny by default or allow by default
|
||||
# Whether to deny access by default or allow access by default
|
||||
default: allow
|
||||
# Rules regarding their SFTP access.
|
||||
# These rules are relative to the server root.
|
||||
|
Loading…
Reference in New Issue
Block a user