mirror of
https://github.com/SagerNet/sing-box.git
synced 2024-11-25 10:01:30 +00:00
Add SSH outbound host key validation
This commit is contained in:
parent
687b4509df
commit
df3a982141
|
@ -12,6 +12,9 @@
|
||||||
"private_key": "",
|
"private_key": "",
|
||||||
"private_key_path": "$HOME/.ssh/id_rsa",
|
"private_key_path": "$HOME/.ssh/id_rsa",
|
||||||
"private_key_passphrase": "",
|
"private_key_passphrase": "",
|
||||||
|
"host_key": [
|
||||||
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH..."
|
||||||
|
],
|
||||||
"host_key_algorithms": [],
|
"host_key_algorithms": [],
|
||||||
"client_version": "SSH-2.0-OpenSSH_7.4p1",
|
"client_version": "SSH-2.0-OpenSSH_7.4p1",
|
||||||
|
|
||||||
|
@ -51,6 +54,10 @@ Private key path.
|
||||||
|
|
||||||
Private key passphrase.
|
Private key passphrase.
|
||||||
|
|
||||||
|
#### host_key
|
||||||
|
|
||||||
|
Host key. Accept any if empty.
|
||||||
|
|
||||||
#### host_key_algorithms
|
#### host_key_algorithms
|
||||||
|
|
||||||
Host key algorithms.
|
Host key algorithms.
|
||||||
|
|
|
@ -12,6 +12,9 @@
|
||||||
"private_key": "",
|
"private_key": "",
|
||||||
"private_key_path": "$HOME/.ssh/id_rsa",
|
"private_key_path": "$HOME/.ssh/id_rsa",
|
||||||
"private_key_passphrase": "",
|
"private_key_passphrase": "",
|
||||||
|
"host_key": [
|
||||||
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH..."
|
||||||
|
],
|
||||||
"host_key_algorithms": [],
|
"host_key_algorithms": [],
|
||||||
"client_version": "SSH-2.0-OpenSSH_7.4p1",
|
"client_version": "SSH-2.0-OpenSSH_7.4p1",
|
||||||
|
|
||||||
|
@ -51,6 +54,10 @@ SSH 用户, 默认使用 root。
|
||||||
|
|
||||||
密钥密码。
|
密钥密码。
|
||||||
|
|
||||||
|
#### host_key
|
||||||
|
|
||||||
|
主机密钥,留空接受所有。
|
||||||
|
|
||||||
#### host_key_algorithms
|
#### host_key_algorithms
|
||||||
|
|
||||||
主机密钥算法。
|
主机密钥算法。
|
||||||
|
|
|
@ -8,6 +8,7 @@ type SSHOutboundOptions struct {
|
||||||
PrivateKey string `json:"private_key,omitempty"`
|
PrivateKey string `json:"private_key,omitempty"`
|
||||||
PrivateKeyPath string `json:"private_key_path,omitempty"`
|
PrivateKeyPath string `json:"private_key_path,omitempty"`
|
||||||
PrivateKeyPassphrase string `json:"private_key_passphrase,omitempty"`
|
PrivateKeyPassphrase string `json:"private_key_passphrase,omitempty"`
|
||||||
|
HostKey Listable[string] `json:"host_key,omitempty"`
|
||||||
HostKeyAlgorithms Listable[string] `json:"host_key_algorithms,omitempty"`
|
HostKeyAlgorithms Listable[string] `json:"host_key_algorithms,omitempty"`
|
||||||
ClientVersion string `json:"client_version,omitempty"`
|
ClientVersion string `json:"client_version,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,9 @@
|
||||||
package outbound
|
package outbound
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"context"
|
"context"
|
||||||
|
"encoding/base64"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
|
@ -32,6 +34,7 @@ type SSH struct {
|
||||||
dialer N.Dialer
|
dialer N.Dialer
|
||||||
serverAddr M.Socksaddr
|
serverAddr M.Socksaddr
|
||||||
user string
|
user string
|
||||||
|
hostKey []ssh.PublicKey
|
||||||
hostKeyAlgorithms []string
|
hostKeyAlgorithms []string
|
||||||
clientVersion string
|
clientVersion string
|
||||||
authMethod []ssh.AuthMethod
|
authMethod []ssh.AuthMethod
|
||||||
|
@ -91,6 +94,15 @@ func NewSSH(ctx context.Context, router adapter.Router, logger log.ContextLogger
|
||||||
}
|
}
|
||||||
outbound.authMethod = append(outbound.authMethod, ssh.PublicKeys(signer))
|
outbound.authMethod = append(outbound.authMethod, ssh.PublicKeys(signer))
|
||||||
}
|
}
|
||||||
|
if len(options.HostKey) > 0 {
|
||||||
|
for _, hostKey := range options.HostKey {
|
||||||
|
key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(hostKey))
|
||||||
|
if err != nil {
|
||||||
|
return nil, E.New("parse host key ", key)
|
||||||
|
}
|
||||||
|
outbound.hostKey = append(outbound.hostKey, key)
|
||||||
|
}
|
||||||
|
}
|
||||||
return outbound, nil
|
return outbound, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -126,7 +138,16 @@ func (s *SSH) connect() (*ssh.Client, error) {
|
||||||
ClientVersion: s.clientVersion,
|
ClientVersion: s.clientVersion,
|
||||||
HostKeyAlgorithms: s.hostKeyAlgorithms,
|
HostKeyAlgorithms: s.hostKeyAlgorithms,
|
||||||
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
|
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
|
||||||
return nil
|
if len(s.hostKey) == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
serverKey := key.Marshal()
|
||||||
|
for _, hostKey := range s.hostKey {
|
||||||
|
if bytes.Equal(serverKey, hostKey.Marshal()) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return E.New("host key mismatch, server send ", key.Type(), " ", base64.StdEncoding.EncodeToString(serverKey))
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
clientConn, chans, reqs, err := ssh.NewClientConn(conn, s.serverAddr.Addr.String(), config)
|
clientConn, chans, reqs, err := ssh.NewClientConn(conn, s.serverAddr.Addr.String(), config)
|
||||||
|
|
Loading…
Reference in a new issue