diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index aeb9e45..9b70a21 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -116,3 +116,4 @@ jobs: env: GOOS: ${{matrix.goos}} GOARCH: ${{matrix.goarch}} + GO_TAGS: disable_password_auth diff --git a/Makefile b/Makefile index 1bea03b..8202dd3 100644 --- a/Makefile +++ b/Makefile @@ -2,6 +2,7 @@ GOOS?=linux BUILDFLAGS ?=-ldflags "-X main.version=$(shell git describe --tags --always --dirty) -X main.buildDate=$(shell date +%Y-%m-%d)" GO_OPTS?=CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) +GO_TAGS?= TEST_OPTS?=-v GOOS=$(GOOS) GOARCH=$(GOARCH) lint: @@ -33,7 +34,7 @@ install: build: client server client: - $(GO_OPTS) go build $(BUILD_FLAGS) -o bin/client ./cmd/ssh3/ + $(GO_OPTS) go build -tags "$(GO_TAGS)" $(BUILD_FLAGS) -o bin/client ./cmd/ssh3/ server: - $(GO_OPTS) go build $(BUILD_FLAGS) -o bin/server ./cmd/ssh3-server/ + $(GO_OPTS) go build -tags "$(GO_TAGS)" $(BUILD_FLAGS) -o bin/server ./cmd/ssh3-server/ diff --git a/cmd/ssh3-server/main.go b/cmd/ssh3-server/main.go index 101ac71..9b55871 100644 --- a/cmd/ssh3-server/main.go +++ b/cmd/ssh3-server/main.go @@ -671,16 +671,19 @@ func fileExists(path string) bool { func main() { bindAddr := flag.String("bind", "[::]:443", "the address:port pair to listen to, e.g. 0.0.0.0:443") verbose := flag.Bool("v", false, "verbose mode, if set") - enablePasswordLogin := flag.Bool("enable-password-login", false, "if set, enable password authentication (disabled by default)") urlPath := flag.String("url-path", "/ssh3-term", "the secret URL path on which the ssh3 server listens") generateSelfSignedCert := flag.Bool("generate-selfsigned-cert", false, "if set, generates a self-self-signed cerificate and key "+ "that will be stored at the paths indicated by the -cert and -key args (they must not already exist)") certPath := flag.String("cert", "./cert.pem", "the filename of the server certificate (or fullchain)") keyPath := flag.String("key", "./priv.key", "the filename of the certificate private key") + enablePasswordLogin := false + if unix_util.PasswordAuthAvailable() { + flag.BoolVar(&enablePasswordLogin, "enable-password-login", false, "if set, enable password authentication (disabled by default)") + } flag.Parse() - if !*enablePasswordLogin { - fmt.Fprintln(os.Stderr, "password login is currently disabled") + if !enablePasswordLogin { + fmt.Fprintln(os.Stderr, "password login is disabled") } certPathExists := fileExists(*certPath) @@ -847,7 +850,7 @@ func main() { } }) ssh3Handler := ssh3Server.GetHTTPHandlerFunc(context.Background()) - handler, err := unix_server.HandleAuths(context.Background(), *enablePasswordLogin, 30000, ssh3Handler) + handler, err := unix_server.HandleAuths(context.Background(), enablePasswordLogin, 30000, ssh3Handler) if err != nil { log.Error().Msgf("Could not get authentication handlers: %s", err) return diff --git a/util/unix_util/linux_user.go b/util/unix_util/linux_user.go index e649d0e..abf4508 100644 --- a/util/unix_util/linux_user.go +++ b/util/unix_util/linux_user.go @@ -167,3 +167,7 @@ func getpwnam(name string) (*User, error) { return &s, nil } + +func passwordAuthAvailable() bool { + return true +} \ No newline at end of file diff --git a/util/unix_util/non_password_auth_user.go b/util/unix_util/non_password_auth_user.go index d5a1079..1f709a7 100644 --- a/util/unix_util/non_password_auth_user.go +++ b/util/unix_util/non_password_auth_user.go @@ -45,3 +45,7 @@ func getUser(username string) (*User, error) { func userPasswordAuthentication(username, password string) (bool, error) { return false, fmt.Errorf("password-based authentication is not implemented on %s/%s systems", runtime.GOOS, runtime.GOARCH) } + +func passwordAuthAvailable() bool { + return false +} \ No newline at end of file diff --git a/util/unix_util/user.go b/util/unix_util/user.go index 9b9c74a..4210417 100644 --- a/util/unix_util/user.go +++ b/util/unix_util/user.go @@ -86,3 +86,7 @@ func (u *User) CreateCommandPipeOutput(addEnv string, loginShell bool, command s func UserPasswordAuthentication(username, password string) (bool, error) { return userPasswordAuthentication(username, password) } + +func PasswordAuthAvailable() bool { + return passwordAuthAvailable() +}