From 35cc40994347eddf4c7d1e6b73c82797d80f15a5 Mon Sep 17 00:00:00 2001 From: Bernd Schoolmann Date: Fri, 9 Feb 2024 19:32:01 +0100 Subject: [PATCH] Lock down session auth mode --- agent/actions/actions.go | 2 +- agent/ssh/ssh.go | 4 ++-- agent/systemauth/systemauth.go | 13 +++++++------ agent/unixsocketagent.go | 15 ++++++++------- 4 files changed, 18 insertions(+), 16 deletions(-) diff --git a/agent/actions/actions.go b/agent/actions/actions.go index 0bb56a6..8790293 100644 --- a/agent/actions/actions.go +++ b/agent/actions/actions.go @@ -103,7 +103,7 @@ func ensureIsNotLocked(action Action) Action { } } - systemauth.CreatePinSession(*ctx) + systemauth.CreatePinSession(*ctx, systemauth.SSHTTL) } return action(request, cfg, vault, ctx) diff --git a/agent/ssh/ssh.go b/agent/ssh/ssh.go index d195581..415780d 100644 --- a/agent/ssh/ssh.go +++ b/agent/ssh/ssh.go @@ -40,7 +40,7 @@ func (vaultAgent vaultAgent) List() ([]*agent.Key, error) { return nil, errors.New("vault is locked") } - systemauth.CreatePinSession(vaultAgent.context) + systemauth.CreatePinSession(vaultAgent.context, systemauth.SSHTTL) } vaultSSHKeys := (*vaultAgent.vault).GetSSHKeys() @@ -87,7 +87,7 @@ func (vaultAgent vaultAgent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signatur return nil, errors.New("vault is locked") } - systemauth.CreatePinSession(vaultAgent.context) + systemauth.CreatePinSession(vaultAgent.context, systemauth.SSHTTL) } var signer ssh.Signer diff --git a/agent/systemauth/systemauth.go b/agent/systemauth/systemauth.go index c3655ac..b889d70 100644 --- a/agent/systemauth/systemauth.go +++ b/agent/systemauth/systemauth.go @@ -14,7 +14,8 @@ import ( var log = logging.GetLogger("Goldwarden", "Systemauth") -const tokenExpiry = 10 * time.Minute +const tokenExpiry = 60 * time.Minute +const SSHTTL = 60 * time.Minute type SessionType string @@ -40,12 +41,12 @@ type SessionStore struct { Store []Session } -func (s *SessionStore) CreateSession(pid int, parentpid int, grandparentpid int, sessionType SessionType) Session { +func (s *SessionStore) CreateSession(pid int, parentpid int, grandparentpid int, sessionType SessionType, ttl time.Duration) Session { var session = Session{ Pid: pid, ParentPid: parentpid, GrandParentPid: grandparentpid, - Expires: time.Now().Add(tokenExpiry), + Expires: time.Now().Add(ttl), sessionType: sessionType, } s.Store = append(s.Store, session) @@ -107,7 +108,7 @@ func GetPermission(sessionType SessionType, ctx sockets.CallingContext, config * // } log.Info("Permission granted, creating session") - sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, sessionType) + sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, sessionType, tokenExpiry) } return true, nil } @@ -128,8 +129,8 @@ func CheckBiometrics(callingContext *sockets.CallingContext, approvalType biomet return approval } -func CreatePinSession(ctx sockets.CallingContext) { - sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, Pin) +func CreatePinSession(ctx sockets.CallingContext, ttl time.Duration) Session { + return sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, Pin, ttl) } func VerifyPinSession(ctx sockets.CallingContext) bool { diff --git a/agent/unixsocketagent.go b/agent/unixsocketagent.go index e80924c..9c8dbb0 100644 --- a/agent/unixsocketagent.go +++ b/agent/unixsocketagent.go @@ -2,6 +2,7 @@ package agent import ( "context" + "crypto/subtle" "encoding/json" "fmt" "net" @@ -65,17 +66,17 @@ func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) { // todo refactor to other file if msg.Type == messages.MessageTypeForEmptyPayload(messages.SessionAuthRequest{}) { - log.Info("Received session auth request") req := messages.ParsePayload(msg).(messages.SessionAuthRequest) - fmt.Println("Daemontoken", cfg.ConfigFile.RuntimeConfig.DaemonAuthToken) - fmt.Println("Token", req.Token) - fmt.Println(len(cfg.ConfigFile.RuntimeConfig.DaemonAuthToken), len(req.Token)) + verified := subtle.ConstantTimeCompare([]byte(cfg.ConfigFile.RuntimeConfig.DaemonAuthToken), []byte(req.Token)) == 1 + payload := messages.SessionAuthResponse{ - Verified: cfg.ConfigFile.RuntimeConfig.DaemonAuthToken == req.Token, + Verified: verified, } - log.Info("Verified: %t", payload.Verified) + log.Info("Verified: %t", verified) callingContext := sockets.GetCallingContext(c) - systemauth.CreatePinSession(callingContext) + if verified { + systemauth.CreatePinSession(callingContext, 365*24*time.Hour) // permanent session + } responsePayload, err := messages.IPCMessageFromPayload(payload) if err != nil {