use build tags to make password auth available or not

francoismichel · Dec 21, 2023 · 79bae80 · 79bae80
1 parent 1bf6a65
commit 79bae80
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 6 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -116,3 +116,4 @@ jobs:
         env:
           GOOS: ${{matrix.goos}}
           GOARCH: ${{matrix.goarch}}
+          GO_TAGS: disable_password_auth
diff --git a/Makefile b/Makefile
@@ -2,6 +2,7 @@ GOOS?=linux
 BUILDFLAGS ?=-ldflags "-X main.version=$(shell git describe --tags --always --dirty) -X main.buildDate=$(shell date +%Y-%m-%d)"
 
 GO_OPTS?=CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS)
+GO_TAGS?=
 TEST_OPTS?=-v GOOS=$(GOOS) GOARCH=$(GOARCH)
 
 lint:
@@ -33,7 +34,7 @@ install:
 build: client server
 
 client:
-	$(GO_OPTS) go build $(BUILD_FLAGS) -o bin/client ./cmd/ssh3/
+	$(GO_OPTS) go build -tags "$(GO_TAGS)" $(BUILD_FLAGS) -o bin/client ./cmd/ssh3/
 
 server:
-	$(GO_OPTS) go build $(BUILD_FLAGS) -o bin/server ./cmd/ssh3-server/
+	$(GO_OPTS) go build -tags "$(GO_TAGS)" $(BUILD_FLAGS) -o bin/server ./cmd/ssh3-server/
diff --git a/cmd/ssh3-server/main.go b/cmd/ssh3-server/main.go
@@ -671,16 +671,19 @@ func fileExists(path string) bool {
 func main() {
 	bindAddr := flag.String("bind", "[::]:443", "the address:port pair to listen to, e.g. 0.0.0.0:443")
 	verbose := flag.Bool("v", false, "verbose mode, if set")
-	enablePasswordLogin := flag.Bool("enable-password-login", false, "if set, enable password authentication (disabled by default)")
 	urlPath := flag.String("url-path", "/ssh3-term", "the secret URL path on which the ssh3 server listens")
 	generateSelfSignedCert := flag.Bool("generate-selfsigned-cert", false, "if set, generates a self-self-signed cerificate and key "+
 		"that will be stored at the paths indicated by the -cert and -key args (they must not already exist)")
 	certPath := flag.String("cert", "./cert.pem", "the filename of the server certificate (or fullchain)")
 	keyPath := flag.String("key", "./priv.key", "the filename of the certificate private key")
+	enablePasswordLogin := false
+	if unix_util.PasswordAuthAvailable() {
+		flag.BoolVar(&enablePasswordLogin, "enable-password-login", false, "if set, enable password authentication (disabled by default)")
+	}
 	flag.Parse()
 
-	if !*enablePasswordLogin {
-		fmt.Fprintln(os.Stderr, "password login is currently disabled")
+	if !enablePasswordLogin {
+		fmt.Fprintln(os.Stderr, "password login is disabled")
 	}
 
 	certPathExists := fileExists(*certPath)
@@ -847,7 +850,7 @@ func main() {
 			}
 		})
 		ssh3Handler := ssh3Server.GetHTTPHandlerFunc(context.Background())
-		handler, err := unix_server.HandleAuths(context.Background(), *enablePasswordLogin, 30000, ssh3Handler)
+		handler, err := unix_server.HandleAuths(context.Background(), enablePasswordLogin, 30000, ssh3Handler)
 		if err != nil {
 			log.Error().Msgf("Could not get authentication handlers: %s", err)
 			return

diff --git a/util/unix_util/linux_user.go b/util/unix_util/linux_user.go
@@ -167,3 +167,7 @@ func getpwnam(name string) (*User, error) {
 
 	return &s, nil
 }
+
+func passwordAuthAvailable() bool {
+	return true
+}
diff --git a/util/unix_util/non_password_auth_user.go b/util/unix_util/non_password_auth_user.go
@@ -45,3 +45,7 @@ func getUser(username string) (*User, error) {
 func userPasswordAuthentication(username, password string) (bool, error) {
 	return false, fmt.Errorf("password-based authentication is not implemented on %s/%s systems", runtime.GOOS, runtime.GOARCH)
 }
+
+func passwordAuthAvailable() bool {
+	return false
+}
diff --git a/util/unix_util/user.go b/util/unix_util/user.go
@@ -86,3 +86,7 @@ func (u *User) CreateCommandPipeOutput(addEnv string, loginShell bool, command s
 func UserPasswordAuthentication(username, password string) (bool, error) {
 	return userPasswordAuthentication(username, password)
 }
+
+func PasswordAuthAvailable() bool {
+	return passwordAuthAvailable()
+}