-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sanitize SSH pubkeys (and Support multiple) when sync from LDAP #13984
Comments
The above behaviour was tested with version 1.12.3 |
Gitea asks LDAP to provide it with the SSHPublicKey attributes and collects them as a []string gitea/modules/auth/ldap/ldap.go Line 336 in 729f0f5
gitea/modules/auth/ldap/ldap.go Lines 387 to 389 in 729f0f5
It then passes that array to and individually adds them as separate public keys: Lines 1588 to 1609 in 729f0f5
The issue here must be that instead of having separate attributes for each public key you must just have a single attribute containing all of the public keys. Is that really the correct way to store these? |
On Mon, Dec 14, 2020 at 06:55:29AM -0800, zeripath wrote:
The issue here must be that instead of having separate attributes for each public key you must just have a single attribute containing all of the public keys. Is that really the correct way to store these?
I don't know if it's correct or not, possibly not, but still I think
Gitea should be made more tolerant to these kind of errors, checking
that the each element of the retrived array is a valid single-line ssh
key, to avoid assumptions which may open security holes.
|
so it's strange because at first glance Gitea is attempting to assert that thing is a valid public key Line 1591 in 729f0f5
but the problem is that line is an abuse of that function. That function is there parse out the valid ssh-key lines one by one. I think this should just be fixed to just parse the string reading in all of the keys one by one |
Fix go-gitea#13984 Signed-off-by: Andrew Thornton <art27@cantab.net>
We could go further than the attached PR - we use this function in a similar way in another place Lines 110 to 207 in c3fc190
This has a different set of acceptable SSH keys. Likely these two functions should be made more similar. |
* Accept multiple SSH keys in single LDAP SSHPublicKey attribute Fix #13984 Signed-off-by: Andrew Thornton <art27@cantab.net>
I'm reopening this as I just had a chance to test 1.14.0+dev-423-gb4f8da533e and it still doesn't seem to support multiple keys in a single attribute. Nothing is printed in logs about the reason why a single key is extracted when there are two in the ldap database. Both keys are in the same element of the attribute array (array of a single attribute) |
@strk you're gonna have to give us an example of a value that doesn't work. |
This is what I'm getting out of LDAP:
|
The above string is what is printed upon login with this patch:
I don't know what the |
Interesting enough, google finds the |
Basically: GetAttributes returns a single attribute being a concatenation of 2 public keys. I guess Gitea is discarding anything after the first space (before the comment). I agree this is most probably a WRONG way to store public ssh keys in LDAP but would be nice if Gitea could report a problem of some kind (spurious comment? Unexpected newline ?) |
For the record: the probably WRONG format for ssh keys in our LDAP is discussed in https://trac.osgeo.org/osgeo/ticket/2542 |
I finally fixed the way we store SSH keys in LDAP, and I confirm the support for multiple keys is working in master branch. And I confirm multiple keys support did NOT work in version 1.12.3 - Great work ! |
For the record: I was wrong, 1.12.3 supports multiple keys just fine too, once they are correctly stored in LDAP |
I guess I just have no idea where that |
For the record, I re-checked and once SSH keys are correctly stored in LDAP even the 1.12.3 version works fine |
Probably, yes. or escaped |
Hmm... now you say base64 - well that would explain the 03d which would probably represent an That would imply that the items are being split by |
Sounds very likely, yes. Now that I fixed the LDAP storage I indeed had to split by |
…tea#13989) Backport go-gitea#13989 Fix go-gitea#13984 Fix go-gitea#14566 Signed-off-by: Andrew Thornton <art27@cantab.net>
In our setup we allow multiple SSH keys to be entered in the LDAP database, for each user.
When Gitea synchonizes those keys it does so by creating a wrong configuration, including newlines (which separate the SSH keys) in the authorized_key, basically allowing direct ssh access.
The text was updated successfully, but these errors were encountered: