Fabio/webssh2
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: pull in #234 staged for 0.4.0 #242

Browse source
This commit is contained in:
Bill Church 2021-05-17 20:37:17 +00:00
parent 304a3db1c8
commit fd59c1d0bd
1 changed files with 225 additions and 200 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

425
app/server/socket.js
View file

@ -9,6 +9,9 @@ const debug = require('debug');
const debugWebSSH2 = require('debug')('WebSSH2'); const debugWebSSH2 = require('debug')('WebSSH2');
const SSH = require('ssh2').Client; const SSH = require('ssh2').Client;
const CIDRMatcher = require('cidr-matcher'); const CIDRMatcher = require('cidr-matcher');
const validator = require('validator');
const dnsPromises = require('dns').promises;
// var fs = require('fs') // var fs = require('fs')
// var hostkeys = JSON.parse(fs.readFileSync('./hostkeyhashes.json', 'utf8')) // var hostkeys = JSON.parse(fs.readFileSync('./hostkeyhashes.json', 'utf8'))
let termCols; let termCols;
@ -16,120 +19,140 @@ let termRows;
// public // public
module.exports = function appSocket(socket) { module.exports = function appSocket(socket) {
// if websocket connection arrives without an express session, kill it async function setupConnection() {
if (!socket.request.session) { // if websocket connection arrives without an express session, kill it
socket.emit('401 UNAUTHORIZED'); if (!socket.request.session) {
debugWebSSH2('SOCKET: No Express Session / REJECTED'); socket.emit('401 UNAUTHORIZED');
socket.disconnect(true); debugWebSSH2('SOCKET: No Express Session / REJECTED');
return;
}
/**
* Error handling for various events. Outputs error to client, logs to
* server, destroys session and disconnects socket.
* @param {string} myFunc Function calling this function
* @param {object} err error object or error message
*/
// eslint-disable-next-line complexity
function SSHerror(myFunc, err) {
let theError;
if (socket.request.session) {
// we just want the first error of the session to pass to the client
const firstError = socket.request.session.error || (err ? err.message : undefined);
theError = firstError ? `: ${firstError}` : '';
// log unsuccessful login attempt
if (err && err.level === 'client-authentication') {
console.error(
`WebSSH2 ${'error: Authentication failure'.red.bold} user=${
socket.request.session.username.yellow.bold.underline
} from=${socket.handshake.address.yellow.bold.underline}`
);
socket.emit('allowreauth', socket.request.session.ssh.allowreauth);
socket.emit('reauth');
} else {
// eslint-disable-next-line no-console
console.log(
`WebSSH2 Logout: user=${socket.request.session.username} from=${socket.handshake.address} host=${socket.request.session.ssh.host} port=${socket.request.session.ssh.port} sessionID=${socket.request.sessionID}/${socket.id} allowreplay=${socket.request.session.ssh.allowreplay} term=${socket.request.session.ssh.term}`
);
if (err) {
theError = err ? `: ${err.message}` : '';
console.error(`WebSSH2 error${theError}`);
}
}
socket.emit('ssherror', `SSH ${myFunc}${theError}`);
socket.request.session.destroy();
socket.disconnect(true);
} else {
theError = err ? `: ${err.message}` : '';
socket.disconnect(true);
}
debugWebSSH2(`SSHerror ${myFunc}${theError}`);
}
// If configured, check that requsted host is in a permitted subnet
if (
(((socket.request.session || {}).ssh || {}).allowedSubnets || {}).length &&
socket.request.session.ssh.allowedSubnets.length > 0
) {
const matcher = new CIDRMatcher(socket.request.session.ssh.allowedSubnets);
if (!matcher.contains(socket.request.session.ssh.host)) {
console.error(
`WebSSH2 ${'error: Requested host outside configured subnets / REJECTED'.red.bold} user=${
socket.request.session.username.yellow.bold.underline
} from=${socket.handshake.address.yellow.bold.underline}`
);
socket.emit('ssherror', '401 UNAUTHORIZED');
socket.disconnect(true); socket.disconnect(true);
return; return;
} }
}
const conn = new SSH(); /**
socket.on('geometry', (cols, rows) => { * Error handling for various events. Outputs error to client, logs to
termCols = cols; * server, destroys session and disconnects socket.
termRows = rows; * @param {string} myFunc Function calling this function
}); * @param {object} err error object or error message
conn.on('banner', (data) => { */
// need to convert to cr/lf for proper formatting // eslint-disable-next-line complexity
socket.emit('data', data.replace(/\r?\n/g, '\r\n').toString('utf-8')); function SSHerror(myFunc, err) {
}); let theError;
if (socket.request.session) {
conn.on('ready', () => { // we just want the first error of the session to pass to the client
debugWebSSH2( const firstError = socket.request.session.error || (err ? err.message : undefined);
`WebSSH2 Login: user=${socket.request.session.username} from=${socket.handshake.address} host=${socket.request.session.ssh.host} port=${socket.request.session.ssh.port} sessionID=${socket.request.sessionID}/${socket.id} mrhsession=${socket.request.session.ssh.mrhsession} allowreplay=${socket.request.session.ssh.allowreplay} term=${socket.request.session.ssh.term}` theError = firstError ? `: ${firstError}` : '';
); // log unsuccessful login attempt
socket.emit('menu'); if (err && err.level === 'client-authentication') {
socket.emit('allowreauth', socket.request.session.ssh.allowreauth); console.error(
socket.emit('setTerminalOpts', socket.request.session.ssh.terminal); `WebSSH2 ${'error: Authentication failure'.red.bold} user=${
socket.emit('title', `ssh://${socket.request.session.ssh.host}`); socket.request.session.username.yellow.bold.underline
if (socket.request.session.ssh.header.background) } from=${socket.handshake.address.yellow.bold.underline}`
socket.emit('headerBackground', socket.request.session.ssh.header.background); );
if (socket.request.session.ssh.header.name) socket.emit('allowreauth', socket.request.session.ssh.allowreauth);
socket.emit('header', socket.request.session.ssh.header.name); socket.emit('reauth');
socket.emit( } else {
'footer', // eslint-disable-next-line no-console
`ssh://${socket.request.session.username}@${socket.request.session.ssh.host}:${socket.request.session.ssh.port}` console.log(
); `WebSSH2 Logout: user=${socket.request.session.username} from=${socket.handshake.address} host=${socket.request.session.ssh.host} port=${socket.request.session.ssh.port} sessionID=${socket.request.sessionID}/${socket.id} allowreplay=${socket.request.session.ssh.allowreplay} term=${socket.request.session.ssh.term}`
socket.emit('status', 'SSH CONNECTION ESTABLISHED'); );
socket.emit('statusBackground', 'green'); if (err) {
socket.emit('allowreplay', socket.request.session.ssh.allowreplay); theError = err ? `: ${err.message}` : '';
conn.shell( console.error(`WebSSH2 error${theError}`);
{ }
term: socket.request.session.ssh.term, }
cols: termCols, socket.emit('ssherror', `SSH ${myFunc}${theError}`);
rows: termRows, socket.request.session.destroy();
}, socket.disconnect(true);
(err, stream) => { } else {
if (err) { theError = err ? `: ${err.message}` : '';
SSHerror(`EXEC ERROR${err}`); socket.disconnect(true);
conn.end(); }
debugWebSSH2(`SSHerror ${myFunc}${theError}`);
}
// If configured, check that requsted host is in a permitted subnet
if (
(((socket.request.session || {}).ssh || {}).allowedSubnets || {}).length &&
socket.request.session.ssh.allowedSubnets.length > 0
) {
let ipaddress = socket.request.session.ssh.host;
if (!validator.isIP(`${ipaddress}`)) {
try {
const result = await dnsPromises.lookup(socket.request.session.ssh.host);
ipaddress = result.address;
} catch (err) {
console.error(
`WebSSH2 ${`error: ${err.code} ${err.hostname}`.red.bold} user=${
socket.request.session.username.yellow.bold.underline
} from=${socket.handshake.address.yellow.bold.underline}`
);
socket.emit('ssherror', '404 HOST IP NOT FOUND');
socket.disconnect(true);
return; return;
} }
// poc to log commands from client }
// if (socket.request.session.ssh.serverlog.client) var dataBuffer;
socket.on('data', (data) => { const matcher = new CIDRMatcher(socket.request.session.ssh.allowedSubnets);
stream.write(data); if (!matcher.contains(ipaddress)) {
console.error(
`WebSSH2 ${
`error: Requested host ${ipaddress} outside configured subnets / REJECTED`.red.bold
} user=${socket.request.session.username.yellow.bold.underline} from=${
socket.handshake.address.yellow.bold.underline
}`
);
socket.emit('ssherror', '401 UNAUTHORIZED');
socket.disconnect(true);
return;
}
}
const conn = new SSH();
socket.on('geometry', (cols, rows) => {
termCols = cols;
termRows = rows;
});
conn.on('banner', (data) => {
// need to convert to cr/lf for proper formatting
socket.emit('data', data.replace(/\r?\n/g, '\r\n').toString('utf-8'));
});
conn.on('ready', () => {
debugWebSSH2(
`WebSSH2 Login: user=${socket.request.session.username} from=${socket.handshake.address} host=${socket.request.session.ssh.host} port=${socket.request.session.ssh.port} sessionID=${socket.request.sessionID}/${socket.id} mrhsession=${socket.request.session.ssh.mrhsession} allowreplay=${socket.request.session.ssh.allowreplay} term=${socket.request.session.ssh.term}`
);
socket.emit('menu');
socket.emit('allowreauth', socket.request.session.ssh.allowreauth);
socket.emit('setTerminalOpts', socket.request.session.ssh.terminal);
socket.emit('title', `ssh://${socket.request.session.ssh.host}`);
if (socket.request.session.ssh.header.background)
socket.emit('headerBackground', socket.request.session.ssh.header.background);
if (socket.request.session.ssh.header.name)
socket.emit('header', socket.request.session.ssh.header.name);
socket.emit(
'footer',
`ssh://${socket.request.session.username}@${socket.request.session.ssh.host}:${socket.request.session.ssh.port}`
);
socket.emit('status', 'SSH CONNECTION ESTABLISHED');
socket.emit('statusBackground', 'green');
socket.emit('allowreplay', socket.request.session.ssh.allowreplay);
conn.shell(
{
term: socket.request.session.ssh.term,
cols: termCols,
rows: termRows,
},
(err, stream) => {
if (err) {
SSHerror(`EXEC ERROR${err}`);
conn.end();
return;
}
// poc to log commands from client // poc to log commands from client
/* if (socket.request.session.ssh.serverlog.client) { // if (socket.request.session.ssh.serverlog.client) var dataBuffer;
socket.on('data', (data) => {
stream.write(data);
// poc to log commands from client
/* if (socket.request.session.ssh.serverlog.client) {
if (data === '\r') { if (data === '\r') {
console.log(`serverlog.client: ${socket.request.session.id}/${socket.id} console.log(`serverlog.client: ${socket.request.session.id}/${socket.id}
host: ${socket.request.session.ssh.host} command: ${dataBuffer}`); host: ${socket.request.session.ssh.host} command: ${dataBuffer}`);
@ -138,100 +161,102 @@ module.exports = function appSocket(socket) {
dataBuffer = (dataBuffer) ? dataBuffer + data : data; dataBuffer = (dataBuffer) ? dataBuffer + data : data;
} }
} */ } */
}); });
socket.on('control', (controlData) => { socket.on('control', (controlData) => {
switch (controlData) { switch (controlData) {
case 'replayCredentials': case 'replayCredentials':
if (socket.request.session.ssh.allowreplay) { if (socket.request.session.ssh.allowreplay) {
stream.write(`${socket.request.session.userpassword}\n`); stream.write(`${socket.request.session.userpassword}\n`);
} }
/* falls through */ /* falls through */
default: default:
debugWebSSH2(`controlData: ${controlData}`); debugWebSSH2(`controlData: ${controlData}`);
} }
}); });
socket.on('resize', (data) => { socket.on('resize', (data) => {
stream.setWindow(data.rows, data.cols); stream.setWindow(data.rows, data.cols);
}); });
socket.on('disconnecting', (reason) => { socket.on('disconnecting', (reason) => {
debugWebSSH2(`SOCKET DISCONNECTING: ${reason}`); debugWebSSH2(`SOCKET DISCONNECTING: ${reason}`);
}); });
socket.on('disconnect', (reason) => { socket.on('disconnect', (reason) => {
debugWebSSH2(`SOCKET DISCONNECT: ${reason}`); debugWebSSH2(`SOCKET DISCONNECT: ${reason}`);
const errMsg = { message: reason }; const errMsg = { message: reason };
SSHerror('CLIENT SOCKET DISCONNECT', errMsg); SSHerror('CLIENT SOCKET DISCONNECT', errMsg);
conn.end(); conn.end();
// socket.request.session.destroy() // socket.request.session.destroy()
}); });
socket.on('error', (errMsg) => { socket.on('error', (errMsg) => {
SSHerror('SOCKET ERROR', errMsg); SSHerror('SOCKET ERROR', errMsg);
conn.end(); conn.end();
}); });
stream.on('data', (data) => { stream.on('data', (data) => {
socket.emit('data', data.toString('utf-8')); socket.emit('data', data.toString('utf-8'));
}); });
stream.on('close', (code, signal) => { stream.on('close', (code, signal) => {
const errMsg = { const errMsg = {
message: message:
code || signal code || signal
? (code ? `CODE: ${code}` : '') + ? (code ? `CODE: ${code}` : '') +
(code && signal ? ' ' : '') + (code && signal ? ' ' : '') +
(signal ? `SIGNAL: ${signal}` : '') (signal ? `SIGNAL: ${signal}` : '')
: undefined, : undefined,
}; };
SSHerror('STREAM CLOSE', errMsg); SSHerror('STREAM CLOSE', errMsg);
conn.end(); conn.end();
}); });
stream.stderr.on('data', (data) => { stream.stderr.on('data', (data) => {
console.error(`STDERR: ${data}`); console.error(`STDERR: ${data}`);
}); });
} }
); );
});
conn.on('end', (err) => {
SSHerror('CONN END BY HOST', err);
});
conn.on('close', (err) => {
SSHerror('CONN CLOSE', err);
});
conn.on('error', (err) => {
SSHerror('CONN ERROR', err);
});
conn.on('keyboard-interactive', (name, instructions, instructionsLang, prompts, finish) => {
debugWebSSH2("conn.on('keyboard-interactive')");
finish([socket.request.session.userpassword]);
});
if (
socket.request.session.username &&
(socket.request.session.userpassword || socket.request.session.privatekey) &&
socket.request.session.ssh
) {
// console.log('hostkeys: ' + hostkeys[0].[0])
conn.connect({
host: socket.request.session.ssh.host,
port: socket.request.session.ssh.port,
localAddress: socket.request.session.ssh.localAddress,
localPort: socket.request.session.ssh.localPort,
username: socket.request.session.username,
password: socket.request.session.userpassword,
privateKey: socket.request.session.privatekey,
tryKeyboard: true,
algorithms: socket.request.session.ssh.algorithms,
readyTimeout: socket.request.session.ssh.readyTimeout,
keepaliveInterval: socket.request.session.ssh.keepaliveInterval,
keepaliveCountMax: socket.request.session.ssh.keepaliveCountMax,
debug: debug('ssh2'),
}); });
} else {
debugWebSSH2( conn.on('end', (err) => {
`Attempt to connect without session.username/password or session varialbles defined, potentially previously abandoned client session. disconnecting websocket client.\r\nHandshake information: \r\n ${JSON.stringify( SSHerror('CONN END BY HOST', err);
socket.handshake });
)}` conn.on('close', (err) => {
); SSHerror('CONN CLOSE', err);
socket.emit('ssherror', 'WEBSOCKET ERROR - Refresh the browser and try again'); });
socket.request.session.destroy(); conn.on('error', (err) => {
socket.disconnect(true); SSHerror('CONN ERROR', err);
});
conn.on('keyboard-interactive', (name, instructions, instructionsLang, prompts, finish) => {
debugWebSSH2("conn.on('keyboard-interactive')");
finish([socket.request.session.userpassword]);
});
if (
socket.request.session.username &&
(socket.request.session.userpassword || socket.request.session.privatekey) &&
socket.request.session.ssh
) {
// console.log('hostkeys: ' + hostkeys[0].[0])
conn.connect({
host: socket.request.session.ssh.host,
port: socket.request.session.ssh.port,
localAddress: socket.request.session.ssh.localAddress,
localPort: socket.request.session.ssh.localPort,
username: socket.request.session.username,
password: socket.request.session.userpassword,
privateKey: socket.request.session.privatekey,
tryKeyboard: true,
algorithms: socket.request.session.ssh.algorithms,
readyTimeout: socket.request.session.ssh.readyTimeout,
keepaliveInterval: socket.request.session.ssh.keepaliveInterval,
keepaliveCountMax: socket.request.session.ssh.keepaliveCountMax,
debug: debug('ssh2'),
});
} else {
debugWebSSH2(
`Attempt to connect without session.username/password or session varialbles defined, potentially previously abandoned client session. disconnecting websocket client.\r\nHandshake information: \r\n ${JSON.stringify(
socket.handshake
)}`
);
socket.emit('ssherror', 'WEBSOCKET ERROR - Refresh the browser and try again');
socket.request.session.destroy();
socket.disconnect(true);
}
} }
setupConnection();
}; };