aboutsummaryrefslogtreecommitdiff
path: root/vendor/golang.org/x/crypto/ssh/server.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/golang.org/x/crypto/ssh/server.go')
-rw-r--r--vendor/golang.org/x/crypto/ssh/server.go37
1 files changed, 20 insertions, 17 deletions
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
index 9037470..77c84d1 100644
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@@ -10,6 +10,7 @@ import (
"fmt"
"io"
"net"
+ "strings"
)
// The Permissions type holds fine-grained permissions that are
@@ -188,7 +189,7 @@ func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error)
tr := newTransport(s.sshConn.conn, config.Rand, false /* not client */)
s.transport = newServerTransport(tr, s.clientVersion, s.serverVersion, config)
- if err := s.transport.requestInitialKeyChange(); err != nil {
+ if err := s.transport.waitSession(); err != nil {
return nil, err
}
@@ -231,7 +232,7 @@ func isAcceptableAlgo(algo string) bool {
return false
}
-func checkSourceAddress(addr net.Addr, sourceAddr string) error {
+func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
if addr == nil {
return errors.New("ssh: no address known for client, but source-address match required")
}
@@ -241,18 +242,20 @@ func checkSourceAddress(addr net.Addr, sourceAddr string) error {
return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr)
}
- if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
- if allowedIP.Equal(tcpAddr.IP) {
- return nil
- }
- } else {
- _, ipNet, err := net.ParseCIDR(sourceAddr)
- if err != nil {
- return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err)
- }
+ for _, sourceAddr := range strings.Split(sourceAddrs, ",") {
+ if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
+ if allowedIP.Equal(tcpAddr.IP) {
+ return nil
+ }
+ } else {
+ _, ipNet, err := net.ParseCIDR(sourceAddr)
+ if err != nil {
+ return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err)
+ }
- if ipNet.Contains(tcpAddr.IP) {
- return nil
+ if ipNet.Contains(tcpAddr.IP) {
+ return nil
+ }
}
}
@@ -260,7 +263,7 @@ func checkSourceAddress(addr net.Addr, sourceAddr string) error {
}
func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
- var err error
+ sessionID := s.transport.getSessionID()
var cache pubKeyCache
var perms *Permissions
@@ -385,7 +388,7 @@ userAuthLoop:
if !isAcceptableAlgo(sig.Format) {
break
}
- signedData := buildDataSignedForAuth(s.transport.getSessionID(), userAuthReq, algoBytes, pubKeyData)
+ signedData := buildDataSignedForAuth(sessionID, userAuthReq, algoBytes, pubKeyData)
if err := pubKey.Verify(signedData, sig); err != nil {
return nil, err
@@ -421,12 +424,12 @@ userAuthLoop:
return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
}
- if err = s.transport.writePacket(Marshal(&failureMsg)); err != nil {
+ if err := s.transport.writePacket(Marshal(&failureMsg)); err != nil {
return nil, err
}
}
- if err = s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
+ if err := s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
return nil, err
}
return perms, nil
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-05 03:56:30 +0000