Reduce number of ssh approval prompts

This commit is contained in:
Bernd Schoolmann 2024-02-12 17:41:23 +01:00
parent 9c840f3edc
commit a94d8f052b
No known key found for this signature in database
3 changed files with 32 additions and 9 deletions


@ -130,14 +130,23 @@ func (vaultAgent vaultAgent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signatur
message = fmt.Sprintf(requestTemplate, vaultAgent.context.UserName, sshKey.Name) message = fmt.Sprintf(requestTemplate, vaultAgent.context.UserName, sshKey.Name)
} }
if approved, err := pinentry.GetApproval("SSH Key Signing Request", message); err != nil || !approved { // todo refactor
log.Info("Sign Request for key: %s denied", sshKey.Name) if !systemauth.GetSSHSession(vaultAgent.context) {
return nil, errors.New("Approval not given") if approved, err := pinentry.GetApproval("SSH Key Signing Request", message); err != nil || !approved {
} log.Info("Sign Request for key: %s denied", sshKey.Name)
return nil, errors.New("Approval not given")
}
if permission, err := systemauth.GetPermission(systemauth.SSHKey, vaultAgent.context, vaultAgent.config); err != nil || !permission { if !systemauth.VerifyPinSession(vaultAgent.context) {
log.Info("Sign Request for key: %s denied", key.Marshal()) if permission, err := systemauth.GetPermission(systemauth.SSHKey, vaultAgent.context, vaultAgent.config); err != nil || !permission {
return nil, errors.New("Biometrics not checked") log.Info("Sign Request for key: %s denied", key.Marshal())
return nil, errors.New("Biometrics not checked")
}
}
systemauth.CreateSSHSession(vaultAgent.context)
} else {
log.Info("Using cached session approval")
} }
var rand = rand.Reader var rand = rand.Reader
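Review bot: The cached-approval branch at the end of the hunk (`log.Info("Using cached session approval")`) signs without recording which key was used, so a signature issued under a cached session leaves no per-key trace in the log while the prompted path logs `sshKey.Name`; suggest `log.Info("Using cached session approval for key: %s", sshKey.Name)`. The session that `GetSSHSession` checks is created with the `SSHKey` type only (see `CreateSSHSession` in the second file), so it is scoped to the calling process lineage rather than to a key — one approval covers every key the agent holds until the TTL expires or the store is wiped. That is presumably the intent, but it deserves a comment above the `if !systemauth.GetSSHSession(vaultAgent.context) {` line, e.g. `// A cached SSH session approves signing with any key for this caller until SSHTTL elapses or the vault is locked.` Sign's body starts and ends outside the hunk.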


@ -22,7 +22,7 @@ type SessionType string
const ( const (
AccessVault SessionType = "com.quexten.goldwarden.accessvault" AccessVault SessionType = "com.quexten.goldwarden.accessvault"
SSHKey SessionType = "com.quexten.goldwarden.usesshkey" SSHKey SessionType = "com.quexten.goldwarden.usesshkey"
Pin SessionType = "com.quexten.goldwarden.pin" // this counts as all other permissions Pin SessionType = "com.quexten.goldwarden.pin"
) )
var sessionStore = SessionStore{ var sessionStore = SessionStore{
@ -55,7 +55,7 @@ func (s *SessionStore) CreateSession(pid int, parentpid int, grandparentpid int,
func (s *SessionStore) verifySession(ctx sockets.CallingContext, sessionType SessionType) bool { func (s *SessionStore) verifySession(ctx sockets.CallingContext, sessionType SessionType) bool {
for _, session := range s.Store { for _, session := range s.Store {
if session.ParentPid == ctx.ParentProcessPid && session.GrandParentPid == ctx.GrandParentProcessPid && (session.sessionType == sessionType || session.sessionType == Pin) { if session.ParentPid == ctx.ParentProcessPid && session.GrandParentPid == ctx.GrandParentProcessPid && session.sessionType == sessionType {
if session.Expires.After(time.Now()) { if session.Expires.After(time.Now()) {
return true return true
} }
@ -136,3 +136,15 @@ func CreatePinSession(ctx sockets.CallingContext, ttl time.Duration) Session {
func VerifyPinSession(ctx sockets.CallingContext) bool { func VerifyPinSession(ctx sockets.CallingContext) bool {
return sessionStore.verifySession(ctx, Pin) return sessionStore.verifySession(ctx, Pin)
} }
func CreateSSHSession(ctx sockets.CallingContext) Session {
return sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, SSHKey, SSHTTL)
}
func GetSSHSession(ctx sockets.CallingContext) bool {
return sessionStore.verifySession(ctx, SSHKey)
}
func WipeSessions() {
sessionStore.Store = []Session{}
}
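Review bot: `WipeSessions` replaces `sessionStore.Store` with no synchronisation visible in the hunk, while `verifySession` ranges over the same slice; the third file calls `WipeSessions` from the screensaver and idle monitor callbacks, which presumably run on a different goroutine than the socket handlers, so unless `SessionStore` carries a lock outside this hunk the write and the reads race. If the type has a mutex, take it in `WipeSessions` (and in `verifySession` if it does not already); if not, one should be added rather than relying on an unsynchronised slice assignment. `GetSSHSession` returns a bool exactly like `VerifyPinSession` directly above it, so `VerifySSHSession` would match the existing naming and avoid the Get prefix; the three new exported functions also lack doc comments, e.g. `// WipeSessions drops every cached session approval; call it whenever the vault is locked.` `SSHTTL` used in `CreateSSHSession` is not defined in any visible hunk — confirm it is introduced elsewhere in this commit.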


@ -375,6 +375,7 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
cfg.Lock() cfg.Lock()
vault.Clear() vault.Clear()
vault.Keyring.Lock() vault.Keyring.Lock()
systemauth.WipeSessions()
}) })
if err != nil { if err != nil {
log.Warn("Could not monitor screensaver: %s", err.Error()) log.Warn("Could not monitor screensaver: %s", err.Error())
@ -385,6 +386,7 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
cfg.Lock() cfg.Lock()
vault.Clear() vault.Clear()
vault.Keyring.Lock() vault.Keyring.Lock()
systemauth.WipeSessions()
}) })
if err != nil { if err != nil {
log.Warn("Could not monitor idle: %s", err.Error()) log.Warn("Could not monitor idle: %s", err.Error())
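Review bot: `systemauth.WipeSessions()` is added only to the screensaver and idle callbacks, so any other path that runs the same `cfg.Lock()` / `vault.Clear()` / `vault.Keyring.Lock()` sequence (an explicit lock command, for instance) would leave cached SSH and pin session approvals alive across a lock; those call sites are outside the hunk, so this is worth checking. The four-line lock sequence is now duplicated verbatim in both callbacks, which is exactly how such an omission creeps in; a small helper such as `lockVault := func() { cfg.Lock(); vault.Clear(); vault.Keyring.Lock(); systemauth.WipeSessions() }` declared once in StartUnixAgent and passed to both monitors keeps the wipe coupled to the lock. StartUnixAgent starts and ends outside the hunk.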