Erlang ssh server #1

Merged
Simponic merged 7 commits from erlang_ssh_server into main 2022-12-29 20:37:51 -05:00
16 changed files with 231 additions and 45 deletions
Showing only changes of commit 1a2bdccf12 - Show all commits

1
.env Normal file
View File

@ -0,0 +1 @@
NODE_ID=node-one

1
.env.example Normal file
View File

@ -0,0 +1 @@
NODE_ID=aUniqueString

View File

@ -3,10 +3,14 @@ import Config
config :chessh, config :chessh,
ecto_repos: [Chessh.Repo], ecto_repos: [Chessh.Repo],
key_dir: Path.join(Path.dirname(__DIR__), "priv/keys"), key_dir: Path.join(Path.dirname(__DIR__), "priv/keys"),
max_password_attempts: 3,
port: 42_069, port: 42_069,
max_sessions: 255 max_sessions: 255
config :chessh, RateLimits,
jail_timeout_ms: 5 * 60 * 1000,
jail_threshold: 15,
max_concurrent_user_sessions: 5
config :hammer, config :hammer,
backend: {Hammer.Backend.ETS, [expiry_ms: 60_000 * 60 * 4, cleanup_interval_ms: 60_000 * 10]} backend: {Hammer.Backend.ETS, [expiry_ms: 60_000 * 60 * 4, cleanup_interval_ms: 60_000 * 10]}

View File

@ -1,7 +1,8 @@
import Config import Config
config :hammer, config :chessh, RateLimits,
backend: {Hammer.Backend.ETS, [expiry_ms: 60_000 * 60 * 4, cleanup_interval_ms: 60_000 * 10]} jail_timeout_ms: 1000,
jail_threshold: 2
config :chessh, Chessh.Repo, config :chessh, Chessh.Repo,
database: "chessh-test", database: "chessh-test",

View File

@ -1,9 +1,23 @@
defmodule Chessh.Application do defmodule Chessh.Application do
alias Chessh.{PlayerSession, Node}
use Application use Application
def initialize_player_sessions_on_node() do
# If we have more than one node running the ssh daemon, we'd want to ensure
# this is restarting after every potential crash. Otherwise the player sessions
# on the node would hang.
node_id = System.fetch_env!("NODE_ID")
Node.boot(node_id)
PlayerSession.delete_all_on_node(node_id)
end
def start(_, _) do def start(_, _) do
children = [Chessh.Repo, Chessh.SSH.Daemon] children = [Chessh.Repo, Chessh.SSH.Daemon]
opts = [strategy: :one_for_one, name: Chessh.Supervisor] opts = [strategy: :one_for_one, name: Chessh.Supervisor]
Supervisor.start_link(children, opts)
with {:ok, pid} <- Supervisor.start_link(children, opts) do
initialize_player_sessions_on_node()
{:ok, pid}
end
end end
end end

View File

@ -2,8 +2,8 @@ defmodule Chessh.Auth.PasswordAuthenticator do
alias Chessh.{Player, Repo} alias Chessh.{Player, Repo}
def authenticate(username, password) do def authenticate(username, password) do
case Repo.get_by(Player, username: String.Chars.to_string(username)) do case Repo.get_by(Player, username: username) do
x -> Player.valid_password?(x, String.Chars.to_string(password)) x -> Player.valid_password?(x, password)
end end
end end
end end

24
lib/chessh/schema/node.ex Normal file
View File

@ -0,0 +1,24 @@
defmodule Chessh.Node do
alias Chessh.Repo
import Ecto.Changeset
use Ecto.Schema
@primary_key {:id, :string, []}
schema "nodes" do
field(:last_start, :utc_datetime)
end
def changeset(node, attrs) do
node
|> cast(attrs, [:last_start])
end
def boot(node_id) do
case Repo.get(Chessh.Node, node_id) do
nil -> %Chessh.Node{id: node_id}
node -> node
end
|> Chessh.Node.changeset(%{last_start: DateTime.utc_now()})
|> Repo.insert_or_update()
end
end

View File

@ -0,0 +1,34 @@
defmodule Chessh.PlayerSession do
alias Chessh.Repo
use Ecto.Schema
import Ecto.{Query, Changeset}
schema "player_sessions" do
field(:login, :utc_datetime)
belongs_to(:node, Chessh.Node, type: :string)
belongs_to(:player, Chessh.Player)
end
def changeset(player_session, attrs) do
player_session
|> cast(attrs, [:login])
end
def concurrent_sessions(player) do
Repo.aggregate(
from(p in Chessh.PlayerSession,
where: p.player_id == ^player.id
),
:count
)
end
def delete_all_on_node(node_id) do
Repo.delete_all(
from(p in Chessh.PlayerSession,
where: p.node_id == ^node_id
)
)
end
end

View File

@ -1,4 +1,5 @@
defmodule Chessh.SSH.Daemon do defmodule Chessh.SSH.Daemon do
alias Chessh.Auth.PasswordAuthenticator
use GenServer use GenServer
def start_link(_) do def start_link(_) do
@ -12,24 +13,39 @@ defmodule Chessh.SSH.Daemon do
{:ok, state} {:ok, state}
end end
def pwd_authenticate(username, password, _address, attempts) do def pwd_authenticate(username, password) do
if Chessh.Auth.PasswordAuthenticator.authenticate(username, password) do # TODO - check concurrent sessions
true PasswordAuthenticator.authenticate(
else String.Chars.to_string(username),
newAttempts = String.Chars.to_string(password)
case attempts do )
:undefined -> 0 end
_ -> attempts
end
if Application.fetch_env!(:chessh, :max_password_attempts) <= newAttempts do def pwd_authenticate(username, password, inet) do
[jail_timeout_ms, jail_threshold] =
Application.get_env(:chessh, RateLimits)
|> Keyword.take([:jail_timeout_ms, :jail_threshold])
|> Keyword.values()
{ip, _port} = inet
rateId = "failed_password_attempts:#{Enum.join(Tuple.to_list(ip), ".")}"
case Hammer.check_rate(rateId, jail_timeout_ms, jail_threshold) do
{:allow, _count} ->
pwd_authenticate(username, password) ||
(fn ->
Hammer.check_rate_inc(rateId, jail_timeout_ms, jail_threshold, 1)
false
end).()
{:deny, _limit} ->
:disconnect :disconnect
else
{false, newAttempts + 1}
end
end end
end end
def pwd_authenticate(username, password, inet, _address),
do: pwd_authenticate(username, password, inet)
def handle_cast(:start, state) do def handle_cast(:start, state) do
port = Application.fetch_env!(:chessh, :port) port = Application.fetch_env!(:chessh, :port)
key_dir = String.to_charlist(Application.fetch_env!(:chessh, :key_dir)) key_dir = String.to_charlist(Application.fetch_env!(:chessh, :key_dir))
@ -40,6 +56,7 @@ defmodule Chessh.SSH.Daemon do
system_dir: key_dir, system_dir: key_dir,
pwdfun: &pwd_authenticate/4, pwdfun: &pwd_authenticate/4,
key_cb: Chessh.SSH.ServerKey, key_cb: Chessh.SSH.ServerKey,
# disconnectfun:
id_string: :random, id_string: :random,
subsystems: [], subsystems: [],
parallel_login: true, parallel_login: true,

View File

@ -1,8 +1,9 @@
defmodule Chessh.SSH.ServerKey do defmodule Chessh.SSH.ServerKey do
alias Chessh.Auth.KeyAuthenticator
@behaviour :ssh_server_key_api @behaviour :ssh_server_key_api
def is_auth_key(key, username, _daemon_options) do def is_auth_key(key, username, _daemon_options) do
Chessh.Auth.KeyAuthenticator.authenticate(username, key) KeyAuthenticator.authenticate(username, key)
end end
def host_key(algorithm, daemon_options) do def host_key(algorithm, daemon_options) do

View File

@ -32,7 +32,7 @@ defmodule Chessh.MixProject do
{:ecto_sql, "~> 3.9"}, {:ecto_sql, "~> 3.9"},
{:postgrex, "~> 0.16.5"}, {:postgrex, "~> 0.16.5"},
{:bcrypt_elixir, "~> 3.0"}, {:bcrypt_elixir, "~> 3.0"},
{:hammer, "~> 6.0"} {:hammer, "~> 6.1"}
] ]
end end

View File

@ -0,0 +1,10 @@
defmodule Chessh.Repo.Migrations.AddNode do
use Ecto.Migration
def change do
create table(:nodes, primary_key: false) do
add(:id, :string, primary_key: true)
add(:last_start, :utc_datetime)
end
end
end

View File

@ -0,0 +1,11 @@
defmodule Chessh.Repo.Migrations.AddUserSession do
use Ecto.Migration
def change do
create table(:player_sessions) do
add(:login, :utc_datetime)
add(:player_id, references(:players))
add(:node_id, references(:nodes, type: :string))
end
end
end

View File

@ -14,13 +14,13 @@ defmodule Chessh.Auth.PasswordAuthenticatorTest do
test "Password can authenticate a hashed password" do test "Password can authenticate a hashed password" do
assert Chessh.Auth.PasswordAuthenticator.authenticate( assert Chessh.Auth.PasswordAuthenticator.authenticate(
String.to_charlist(@valid_user.username), @valid_user.username,
String.to_charlist(@valid_user.password) @valid_user.password
) )
refute Chessh.Auth.PasswordAuthenticator.authenticate( refute Chessh.Auth.PasswordAuthenticator.authenticate(
String.to_charlist(@valid_user.username), @valid_user.username,
String.to_charlist("a_bad_password") "a_bad_password"
) )
end end
end end

View File

@ -0,0 +1,81 @@
defmodule Chessh.SSH.AuthTest do
use ExUnit.Case
alias Chessh.{Player, Repo, Key}
@localhost '127.0.0.1'
@key_name "The Gamer Machine"
@valid_user %{username: "logan", password: "password"}
@client_test_keys_dir Path.join(Application.compile_env!(:chessh, :key_dir), "client_keys")
@client_pub_key 'id_ed25519.pub'
setup_all do
case Ecto.Adapters.SQL.Sandbox.checkout(Repo) do
:ok -> nil
{:already, :owner} -> nil
end
Ecto.Adapters.SQL.Sandbox.mode(Repo, {:shared, self()})
{:ok, player} = Repo.insert(Player.registration_changeset(%Player{}, @valid_user))
{:ok, key_text} = File.read(Path.join(@client_test_keys_dir, @client_pub_key))
{:ok, _key} =
Repo.insert(
Key.changeset(%Key{}, %{key: key_text, name: @key_name})
|> Ecto.Changeset.put_assoc(:player, player)
)
:ok
end
test "Password attempts are rate limited" do
assert :disconnect ==
Enum.reduce(
1..Application.fetch_env!(:chessh, RateLimits, :jail_threshold),
fn _, _ ->
Chessh.SSH.Daemon.pwd_authenticate(
@valid_user.username,
'wrong_password',
@localhost
) do
end
)
end
test "INTEGRATION - Can ssh into daemon with password or public key" do
{:ok, sup} = Task.Supervisor.start_link()
test_pid = self()
Task.Supervisor.start_child(sup, fn ->
{:ok, _pid} =
:ssh.connect(@localhost, Application.fetch_env!(:chessh, :port),
user: String.to_charlist(@valid_user.username),
password: String.to_charlist(@valid_user.password),
auth_methods: 'password',
silently_accept_hosts: true
)
send(test_pid, :connected_via_password)
end)
Task.Supervisor.start_child(sup, fn ->
{:ok, _pid} =
:ssh.connect(@localhost, Application.fetch_env!(:chessh, :port),
user: String.to_charlist(@valid_user.username),
auth_methods: 'publickey',
silently_accept_hosts: true,
user_dir: String.to_charlist(@client_test_keys_dir)
)
send(test_pid, :connected_via_public_key)
end)
assert_receive(:connected_via_password, 500)
assert_receive(:connected_via_public_key, 500)
end
test "INTEGRATION - User cannot have more than specified concurrent sessions" do
:ok
end
end

View File

@ -29,26 +29,21 @@ defmodule Chessh.SSH.AuthTest do
:ok :ok
end end
test "Fails to authenticate after configured max password attempt" do test "Password attempts are rate limited" do
assert :disconnect == assert :disconnect ==
Enum.reduce( Enum.reduce(
1..Application.fetch_env!(:chessh, :max_password_attempts), 1..Application.fetch_env!(:chessh, RateLimits, :jail_threshold),
%{attempts: 0}, fn _, _ ->
fn acc, _ -> Chessh.SSH.Daemon.pwd_authenticate(
case Chessh.SSH.Daemon.pwd_authenticate(
@valid_user.username, @valid_user.username,
'wrong_password', 'wrong_password',
@localhost, @localhost
acc
) do ) do
{false, state} -> state
x -> x
end
end end
) )
end end
test "INTEGRATION TEST - Can ssh into daemon with password or public key" do test "INTEGRATION - Can ssh into daemon with password or public key" do
{:ok, sup} = Task.Supervisor.start_link() {:ok, sup} = Task.Supervisor.start_link()
test_pid = self() test_pid = self()
@ -80,15 +75,7 @@ defmodule Chessh.SSH.AuthTest do
assert_receive(:connected_via_public_key, 500) assert_receive(:connected_via_public_key, 500)
end end
test "Hosts are rate limited via password attempts" do test "INTEGRATION - User cannot have more than specified concurrent sessions" do
:ok
end
test "Hosts are also rate limited with public keys" do
:ok
end
test "User cannot have more than one current session" do
:ok :ok
end end
end end