#300 Enforce remote-user header when a user logs in

4 years ago · 75785c463c
4 changed files with 26 additions and 28 deletions
--- a/src/server.ts
+++ b/src/server.ts
@ -47,7 +47,7 @@ export async function start(
     * @name connection
     */
    logger.info('Connection accepted.');
-    const { args, user: sshUser } = getCommand(socket, ssh, command, forcessh);
+    const [args, sshUser] = getCommand(socket, ssh, command, forcessh);
    logger.debug('Command Generated', {
      user: sshUser,
      cmd: args.join(' '),
--- a/src/server/command.ts
+++ b/src/server/command.ts
@ -15,11 +15,9 @@ const urlArgs = (
 ): { [s: string]: string } =>
  Object.assign(def, url.parse(referer, true).query);

-export const getCommand = (
+export function getCommand(
  {
-    request: {
-      headers: { referer },
-    },
+    request: { headers },
    client: {
      conn: { remoteAddress },
    },
@ -27,13 +25,15 @@ export const getCommand = (
  { user, host, port, auth, pass, key, knownHosts, config }: SSH,
  command: string,
  forcessh: boolean,
-): { args: string[]; user: boolean } => ({
-  args:
-    !forcessh && localhost(host)
-      ? loginOptions(command, remoteAddress)
-      : sshOptions(
+): [string[], boolean] {
+  const sshAddress = address(headers, user, host);
+  const localLogin = !forcessh && localhost(host);
+  return localLogin
+    ? [loginOptions(command, remoteAddress), localLogin]
+    : [
+        sshOptions(
          {
-            ...urlArgs(referer, {
+            ...urlArgs(headers.referer, {
              port: `${port}`,
              pass: pass || '',
              command,
@ -41,13 +41,10 @@ export const getCommand = (
              knownHosts,
              config: config || '',
            }),
-            host: address(referer, user, host),
+            host: sshAddress,
          },
          key,
        ),
-  user:
-    (!forcessh && localhost(host)) ||
-    user !== '' ||
-    user.includes('@') ||
-    address(referer, user, host).includes('@'),
-});
+        user !== '' || user.includes('@') || sshAddress.includes('@'),
+      ];
+}
--- a/src/server/command/address.ts
+++ b/src/server/command/address.ts
@ -1,5 +1,14 @@
-export function address(referer: string, user: string, host: string): string {
-  const match = referer.match('.+/ssh/([^/]+)$');
+export function address(
+  headers: Record<string, string>,
+  user: string,
+  host: string,
+): string {
+  // Check request-header for username
+  const remoteUser = headers['remote-user'];
+  if (remoteUser) {
+    return `${remoteUser}@${host}`;
+  }
+  const match = headers.referer.match('.+/ssh/([^/]+)$');
  const fallback = user ? `${user}@${host}` : host;
  return match ? `${match[1].split('?')[0]}@${host}` : fallback;
 }
--- a/src/server/login.ts
+++ b/src/server/login.ts
@ -11,14 +11,6 @@ const executable = resolvePath(
 );

 export function login(socket: SocketIO.Socket): Promise<string> {
-  // Check request-header for username
-  const remoteUser = socket.request.headers['remote-user'];
-  if (remoteUser) {
-    return new Promise(resolve => {
-      resolve(remoteUser);
-    });
-  }
-
  // Request carries no username information
  // Create terminal and ask user for username
  const term = pty.spawn('/usr/bin/env', ['node', executable], xterm);