From c7dfad08bc97da8d61e732ae72a94f7a225a7a48 Mon Sep 17 00:00:00 2001
From: Bill Church
Date: Fri, 29 Nov 2024 22:46:03 +0000
Subject: [PATCH] feat: add `ssh.disableInteractiveAuth` feature in support of #379

---
 README.md | 7 +++++++
 app/config.js | 1 +
 app/configSchema.js | 1 +
 app/socket.js | 7 +++++++
 config.json.sample | 1 +
 5 files changed, 17 insertions(+)

diff --git a/README.md b/README.md
index 10a5786..e02c263 100644
--- a/README.md
+++ b/README.md
@@ -91,11 +91,18 @@ Edit `config.json` to customize the following options:
 - `user.name` - _string_ - Default SSH username (default: `null`)
 - `user.password` - _string_ - Default SSH password (default: `null`)
 - `ssh.host` - _string_ - Default SSH host (default: `null`)
+- `user.privatekey` - _string_ - Default SSH private key (default: `null`)
 - `ssh.port` - _integer_ - Default SSH port (default: `22`)
 - `ssh.term` - _string_ - Terminal emulation (default: `"xterm-color"`)
 - `ssh.readyTimeout` - _integer_ - SSH handshake timeout in ms (default: `20000`)
 - `ssh.keepaliveInterval` - _integer_ - SSH keepalive interval in ms (default: `120000`)
 - `ssh.keepaliveCountMax` - _integer_ - Max SSH keepalive packets (default: `10`)
+- `ssh.disableInteractiveAuth` - _boolean_ - When set to `true`, prevents interactive authentication through the web interface. Users must use Basic Authentication via the `/ssh/host/` route. (default: `false`)
+- `ssh.algorithms.cipher` - _array_ - Supported cipher algorithms (default: `["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm", "aes128-gcm@openssh.com", "aes256-gcm", "aes256-gcm@openssh.com", "aes256-cbc"]`)
+- `ssh.algorithms.compress` - _array_ - Supported compression methods (default: `["none", "zlib@openssh.com", "zlib"]`)
+- `ssh.algorithms.hmac` - _array_ - Supported HMAC algorithms (default: `["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]`)
+- `ssh.algorithms.kex` - _array_ - Supported key exchange methods (default: `["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"]`)
+- `ssh.algorithms.serverHostKey` - _array_ - Supported host key types (default: `["ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-rsa"]`)
 - `header.text` - _string_ - Header text (default: `null`)
 - `header.background` - _string_ - Header background color (default: `"green"`)
 - `session.name` - _string_ - Session cookie name (default: 
`"webssh2.sid"`) diff --git a/app/config.js b/app/config.js index 1f1a251..8dcf583 100644 --- a/app/config.js +++ b/app/config.js @@ -32,6 +32,7 @@ const defaultConfig = { keepaliveInterval: 120000, keepaliveCountMax: 10, alwaysSendKeyboardInteractivePrompts: false, + disableInteractiveAuth: false, algorithms: { cipher: [ "aes128-ctr", diff --git a/app/configSchema.js b/app/configSchema.js index 156ac4b..4bd37a3 100644 --- a/app/configSchema.js +++ b/app/configSchema.js @@ -39,6 +39,7 @@ const configSchema = { readyTimeout: { type: "integer" }, keepaliveInterval: { type: "integer" }, keepaliveCountMax: { type: "integer" }, + disableInteractiveAuth: { type: "boolean" }, algorithms: { type: "object", properties: { diff --git a/app/socket.js b/app/socket.js index c0798e0..e9beba9 100644 --- a/app/socket.js +++ b/app/socket.js @@ -49,6 +49,13 @@ class WebSSH2Socket extends EventEmitter { ) this.handleAuthenticate(creds) } else if (!this.sessionState.authenticated) { + // Check if interactive auth is disabled + if (this.config.ssh.disableInteractiveAuth) { + debug(`handleConnection: ${this.socket.id}, interactive auth disabled`) + this.handleError("Interactive Auth Disabled") + return + } + debug(`handleConnection: ${this.socket.id}, emitting request_auth`) this.socket.emit("authentication", { action: "request_auth" }) } diff --git a/config.json.sample b/config.json.sample index 2539795..b28e9bd 100644 --- a/config.json.sample +++ b/config.json.sample @@ -26,6 +26,7 @@ "keepaliveCountMax": 10, "allowedSubnets": [], "alwaysSendKeyboardInteractivePrompts": false, + "disableInteractiveAuth": true, "algorithms": { "cipher": [ "aes128-ctr",