Lock down session auth mode

This commit is contained in:
Bernd Schoolmann 2024-02-09 19:32:01 +01:00
parent f1395d4b6d
commit 35cc409943
No known key found for this signature in database
4 changed files with 18 additions and 16 deletions

View file

@ -103,7 +103,7 @@ func ensureIsNotLocked(action Action) Action {
}
}
systemauth.CreatePinSession(*ctx)
systemauth.CreatePinSession(*ctx, systemauth.SSHTTL)
}
return action(request, cfg, vault, ctx)

View file

@ -40,7 +40,7 @@ func (vaultAgent vaultAgent) List() ([]*agent.Key, error) {
return nil, errors.New("vault is locked")
}
systemauth.CreatePinSession(vaultAgent.context)
systemauth.CreatePinSession(vaultAgent.context, systemauth.SSHTTL)
}
vaultSSHKeys := (*vaultAgent.vault).GetSSHKeys()
@ -87,7 +87,7 @@ func (vaultAgent vaultAgent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signatur
return nil, errors.New("vault is locked")
}
systemauth.CreatePinSession(vaultAgent.context)
systemauth.CreatePinSession(vaultAgent.context, systemauth.SSHTTL)
}
var signer ssh.Signer

View file

@ -14,7 +14,8 @@ import (
var log = logging.GetLogger("Goldwarden", "Systemauth")
const tokenExpiry = 10 * time.Minute
const tokenExpiry = 60 * time.Minute
const SSHTTL = 60 * time.Minute
type SessionType string
@ -40,12 +41,12 @@ type SessionStore struct {
Store []Session
}
func (s *SessionStore) CreateSession(pid int, parentpid int, grandparentpid int, sessionType SessionType) Session {
func (s *SessionStore) CreateSession(pid int, parentpid int, grandparentpid int, sessionType SessionType, ttl time.Duration) Session {
var session = Session{
Pid: pid,
ParentPid: parentpid,
GrandParentPid: grandparentpid,
Expires: time.Now().Add(tokenExpiry),
Expires: time.Now().Add(ttl),
sessionType: sessionType,
}
s.Store = append(s.Store, session)
@ -107,7 +108,7 @@ func GetPermission(sessionType SessionType, ctx sockets.CallingContext, config *
// }
log.Info("Permission granted, creating session")
sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, sessionType)
sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, sessionType, tokenExpiry)
}
return true, nil
}
@ -128,8 +129,8 @@ func CheckBiometrics(callingContext *sockets.CallingContext, approvalType biomet
return approval
}
func CreatePinSession(ctx sockets.CallingContext) {
sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, Pin)
func CreatePinSession(ctx sockets.CallingContext, ttl time.Duration) Session {
return sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, Pin, ttl)
}
func VerifyPinSession(ctx sockets.CallingContext) bool {

View file

@ -2,6 +2,7 @@ package agent
import (
"context"
"crypto/subtle"
"encoding/json"
"fmt"
"net"
@ -65,17 +66,17 @@ func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) {
// todo refactor to other file
if msg.Type == messages.MessageTypeForEmptyPayload(messages.SessionAuthRequest{}) {
log.Info("Received session auth request")
req := messages.ParsePayload(msg).(messages.SessionAuthRequest)
fmt.Println("Daemontoken", cfg.ConfigFile.RuntimeConfig.DaemonAuthToken)
fmt.Println("Token", req.Token)
fmt.Println(len(cfg.ConfigFile.RuntimeConfig.DaemonAuthToken), len(req.Token))
verified := subtle.ConstantTimeCompare([]byte(cfg.ConfigFile.RuntimeConfig.DaemonAuthToken), []byte(req.Token)) == 1
payload := messages.SessionAuthResponse{
Verified: cfg.ConfigFile.RuntimeConfig.DaemonAuthToken == req.Token,
Verified: verified,
}
log.Info("Verified: %t", payload.Verified)
log.Info("Verified: %t", verified)
callingContext := sockets.GetCallingContext(c)
systemauth.CreatePinSession(callingContext)
if verified {
systemauth.CreatePinSession(callingContext, 365*24*time.Hour) // permanent session
}
responsePayload, err := messages.IPCMessageFromPayload(payload)
if err != nil {