mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-27 10:20:39 +00:00
#2179 use Go sub-repo ssh to verify public key content
This commit is contained in:
parent
c631a4a9b9
commit
7ef9a05588
6 changed files with 14 additions and 62 deletions
|
@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
|
||||||
|
|
||||||
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
|
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
|
||||||
|
|
||||||
##### Current version: 0.8.21
|
##### Current version: 0.8.22
|
||||||
|
|
||||||
| Web | UI | Preview |
|
| Web | UI | Preview |
|
||||||
|:-------------:|:-------:|:-------:|
|
|:-------------:|:-------:|:-------:|
|
||||||
|
|
12
conf/app.ini
12
conf/app.ini
|
@ -120,21 +120,9 @@ ENABLE_NOTIFY_MAIL = false
|
||||||
; More detail: https://github.com/gogits/gogs/issues/165
|
; More detail: https://github.com/gogits/gogs/issues/165
|
||||||
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
|
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
|
||||||
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
|
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
|
||||||
; Do not check minimum key size with corresponding type
|
|
||||||
DISABLE_MINIMUM_KEY_SIZE_CHECK = false
|
|
||||||
; Enable captcha validation for registration
|
; Enable captcha validation for registration
|
||||||
ENABLE_CAPTCHA = true
|
ENABLE_CAPTCHA = true
|
||||||
|
|
||||||
; used to filter keys which are too short
|
|
||||||
[service.minimum_key_sizes]
|
|
||||||
ED25519 = 256
|
|
||||||
ECDSA = 256
|
|
||||||
NTRU = 1087
|
|
||||||
MCE = 1702
|
|
||||||
McE = 1702
|
|
||||||
RSA = 1024
|
|
||||||
DSA = 1024
|
|
||||||
|
|
||||||
[webhook]
|
[webhook]
|
||||||
; Hook task queue length
|
; Hook task queue length
|
||||||
QUEUE_LENGTH = 1000
|
QUEUE_LENGTH = 1000
|
||||||
|
|
2
gogs.go
2
gogs.go
|
@ -17,7 +17,7 @@ import (
|
||||||
"github.com/gogits/gogs/modules/setting"
|
"github.com/gogits/gogs/modules/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
const APP_VER = "0.8.21.0114"
|
const APP_VER = "0.8.22.0115"
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
runtime.GOMAXPROCS(runtime.NumCPU())
|
runtime.GOMAXPROCS(runtime.NumCPU())
|
||||||
|
|
|
@ -21,6 +21,7 @@ import (
|
||||||
|
|
||||||
"github.com/Unknwon/com"
|
"github.com/Unknwon/com"
|
||||||
"github.com/go-xorm/xorm"
|
"github.com/go-xorm/xorm"
|
||||||
|
"golang.org/x/crypto/ssh"
|
||||||
|
|
||||||
"github.com/gogits/gogs/modules/log"
|
"github.com/gogits/gogs/modules/log"
|
||||||
"github.com/gogits/gogs/modules/process"
|
"github.com/gogits/gogs/modules/process"
|
||||||
|
@ -164,48 +165,20 @@ func CheckPublicKeyString(content string) (_ string, err error) {
|
||||||
return "", errors.New("only a single line with a single key please")
|
return "", errors.New("only a single line with a single key please")
|
||||||
}
|
}
|
||||||
|
|
||||||
// write the key to a file…
|
fields := strings.Fields(content)
|
||||||
tmpFile, err := ioutil.TempFile(os.TempDir(), "keytest")
|
if len(fields) < 2 {
|
||||||
|
return "", errors.New("too less fields")
|
||||||
|
}
|
||||||
|
|
||||||
|
key, err := base64.StdEncoding.DecodeString(fields[1])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", fmt.Errorf("StdEncoding.DecodeString: %v", err)
|
||||||
}
|
}
|
||||||
tmpPath := tmpFile.Name()
|
pkey, err := ssh.ParsePublicKey([]byte(key))
|
||||||
defer os.Remove(tmpPath)
|
|
||||||
tmpFile.WriteString(content)
|
|
||||||
tmpFile.Close()
|
|
||||||
|
|
||||||
// Check if ssh-keygen recognizes its contents.
|
|
||||||
stdout, stderr, err := process.Exec("CheckPublicKeyString", "ssh-keygen", "-lf", tmpPath)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", errors.New("ssh-keygen -lf: " + stderr)
|
return "", fmt.Errorf("ParsePublicKey: %v", err)
|
||||||
} else if len(stdout) < 2 {
|
|
||||||
return "", errors.New("ssh-keygen returned not enough output to evaluate the key: " + stdout)
|
|
||||||
}
|
|
||||||
|
|
||||||
// The ssh-keygen in Windows does not print key type, so no need go further.
|
|
||||||
if setting.IsWindows {
|
|
||||||
return content, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
sshKeygenOutput := strings.Split(stdout, " ")
|
|
||||||
if len(sshKeygenOutput) < 4 {
|
|
||||||
return content, ErrKeyUnableVerify{stdout}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check if key type and key size match.
|
|
||||||
if !setting.Service.DisableMinimumKeySizeCheck {
|
|
||||||
keySize := com.StrTo(sshKeygenOutput[0]).MustInt()
|
|
||||||
if keySize == 0 {
|
|
||||||
return "", errors.New("cannot get key size of the given key")
|
|
||||||
}
|
|
||||||
|
|
||||||
keyType := strings.Trim(sshKeygenOutput[len(sshKeygenOutput)-1], " ()\n")
|
|
||||||
if minimumKeySize := setting.Service.MinimumKeySizes[keyType]; minimumKeySize == 0 {
|
|
||||||
return "", fmt.Errorf("unrecognized public key type: %s", keyType)
|
|
||||||
} else if keySize < minimumKeySize {
|
|
||||||
return "", fmt.Errorf("the minimum accepted size of a public key %s is %d", keyType, minimumKeySize)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
log.Trace("Key type: %s", pkey.Type())
|
||||||
|
|
||||||
return content, nil
|
return content, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -453,8 +453,6 @@ var Service struct {
|
||||||
EnableNotifyMail bool
|
EnableNotifyMail bool
|
||||||
EnableReverseProxyAuth bool
|
EnableReverseProxyAuth bool
|
||||||
EnableReverseProxyAutoRegister bool
|
EnableReverseProxyAutoRegister bool
|
||||||
DisableMinimumKeySizeCheck bool
|
|
||||||
MinimumKeySizes map[string]int
|
|
||||||
EnableCaptcha bool
|
EnableCaptcha bool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -468,14 +466,7 @@ func newService() {
|
||||||
Service.EnableCacheAvatar = sec.Key("ENABLE_CACHE_AVATAR").MustBool()
|
Service.EnableCacheAvatar = sec.Key("ENABLE_CACHE_AVATAR").MustBool()
|
||||||
Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
|
Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
|
||||||
Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
|
Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
|
||||||
Service.DisableMinimumKeySizeCheck = sec.Key("DISABLE_MINIMUM_KEY_SIZE_CHECK").MustBool()
|
|
||||||
Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool()
|
Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool()
|
||||||
|
|
||||||
minimumKeySizes := Cfg.Section("service.minimum_key_sizes").Keys()
|
|
||||||
Service.MinimumKeySizes = make(map[string]int)
|
|
||||||
for _, key := range minimumKeySizes {
|
|
||||||
Service.MinimumKeySizes[key.Name()] = key.MustInt()
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var logLevels = map[string]string{
|
var logLevels = map[string]string{
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
0.8.21.0114
|
0.8.22.0115
|
Loading…
Reference in a new issue