Skip to content

Commit a49d0e1

Browse files
belakbelak
committed
Avoid Permissions leaking between auth callbacks
1 parent a8ecd3e commit a49d0e1

File tree

2 files changed

+12
-0
lines changed

2 files changed

+12
-0
lines changed

context.go

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -108,6 +108,10 @@ func newContext(srv *Server) (*sshContext, context.CancelFunc) {
108108
return ctx, cancel
109109
}
110110

111+
func resetPermissions(ctx Context) {
112+
ctx.Permissions().Permissions = &gossh.Permissions{}
113+
}
114+
111115
// this is separate from newContext because we will get ConnMetadata
112116
// at different points so it needs to be applied separately
113117
func applyConnMetadata(ctx Context, conn gossh.ConnMetadata) {

server.go

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -147,6 +147,7 @@ func (srv *Server) config(ctx Context) *gossh.ServerConfig {
147147
}
148148
if srv.PasswordHandler != nil {
149149
config.PasswordCallback = func(conn gossh.ConnMetadata, password []byte) (*gossh.Permissions, error) {
150+
resetPermissions(ctx)
150151
applyConnMetadata(ctx, conn)
151152
if ok := srv.PasswordHandler(ctx, string(password)); !ok {
152153
return ctx.Permissions().Permissions, fmt.Errorf("permission denied")
@@ -156,6 +157,7 @@ func (srv *Server) config(ctx Context) *gossh.ServerConfig {
156157
}
157158
if srv.PublicKeyHandler != nil {
158159
config.PublicKeyCallback = func(conn gossh.ConnMetadata, key gossh.PublicKey) (*gossh.Permissions, error) {
160+
resetPermissions(ctx)
159161
applyConnMetadata(ctx, conn)
160162
if ok := srv.PublicKeyHandler(ctx, key); !ok {
161163
return ctx.Permissions().Permissions, fmt.Errorf("permission denied")
@@ -166,6 +168,7 @@ func (srv *Server) config(ctx Context) *gossh.ServerConfig {
166168
}
167169
if srv.KeyboardInteractiveHandler != nil {
168170
config.KeyboardInteractiveCallback = func(conn gossh.ConnMetadata, challenger gossh.KeyboardInteractiveChallenge) (*gossh.Permissions, error) {
171+
resetPermissions(ctx)
169172
applyConnMetadata(ctx, conn)
170173
if ok := srv.KeyboardInteractiveHandler(ctx, challenger); !ok {
171174
return ctx.Permissions().Permissions, fmt.Errorf("permission denied")
@@ -299,6 +302,11 @@ func (srv *Server) HandleConn(newConn net.Conn) {
299302
return
300303
}
301304

305+
// Additionally, now that the connection was authed, we can take the
306+
// permissions off of the gossh.Conn and re-attach them to the Permissions
307+
// object stored in the Context.
308+
ctx.Permissions().Permissions = sshConn.Permissions
309+
302310
srv.trackConn(sshConn, true)
303311
defer srv.trackConn(sshConn, false)
304312

0 commit comments

Comments
 (0)