From 79bae80a7c47e1c58f5b67eff72110f95580be29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Michel?= <francois.michel@uclouvain.be>
Date: Thu, 21 Dec 2023 17:02:29 +0000
Subject: [PATCH] use build tags to make password auth available or not

---
 .github/workflows/build.yml              |  1 +
 Makefile                                 |  5 +++--
 cmd/ssh3-server/main.go                  | 11 +++++++----
 util/unix_util/linux_user.go             |  4 ++++
 util/unix_util/non_password_auth_user.go |  4 ++++
 util/unix_util/user.go                   |  4 ++++
 6 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index aeb9e45..9b70a21 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -116,3 +116,4 @@ jobs:
         env:
           GOOS: ${{matrix.goos}}
           GOARCH: ${{matrix.goarch}}
+          GO_TAGS: disable_password_auth
diff --git a/Makefile b/Makefile
index 1bea03b..8202dd3 100644
--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,7 @@ GOOS?=linux
 BUILDFLAGS ?=-ldflags "-X main.version=$(shell git describe --tags --always --dirty) -X main.buildDate=$(shell date +%Y-%m-%d)"
 
 GO_OPTS?=CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS)
+GO_TAGS?=
 TEST_OPTS?=-v GOOS=$(GOOS) GOARCH=$(GOARCH)
 
 lint:
@@ -33,7 +34,7 @@ install:
 build: client server
 
 client:
-	$(GO_OPTS) go build $(BUILD_FLAGS) -o bin/client ./cmd/ssh3/
+	$(GO_OPTS) go build -tags "$(GO_TAGS)" $(BUILD_FLAGS) -o bin/client ./cmd/ssh3/
 
 server:
-	$(GO_OPTS) go build $(BUILD_FLAGS) -o bin/server ./cmd/ssh3-server/
+	$(GO_OPTS) go build -tags "$(GO_TAGS)" $(BUILD_FLAGS) -o bin/server ./cmd/ssh3-server/
diff --git a/cmd/ssh3-server/main.go b/cmd/ssh3-server/main.go
index 101ac71..9b55871 100644
--- a/cmd/ssh3-server/main.go
+++ b/cmd/ssh3-server/main.go
@@ -671,16 +671,19 @@ func fileExists(path string) bool {
 func main() {
 	bindAddr := flag.String("bind", "[::]:443", "the address:port pair to listen to, e.g. 0.0.0.0:443")
 	verbose := flag.Bool("v", false, "verbose mode, if set")
-	enablePasswordLogin := flag.Bool("enable-password-login", false, "if set, enable password authentication (disabled by default)")
 	urlPath := flag.String("url-path", "/ssh3-term", "the secret URL path on which the ssh3 server listens")
 	generateSelfSignedCert := flag.Bool("generate-selfsigned-cert", false, "if set, generates a self-self-signed cerificate and key "+
 		"that will be stored at the paths indicated by the -cert and -key args (they must not already exist)")
 	certPath := flag.String("cert", "./cert.pem", "the filename of the server certificate (or fullchain)")
 	keyPath := flag.String("key", "./priv.key", "the filename of the certificate private key")
+	enablePasswordLogin := false
+	if unix_util.PasswordAuthAvailable() {
+		flag.BoolVar(&enablePasswordLogin, "enable-password-login", false, "if set, enable password authentication (disabled by default)")
+	}
 	flag.Parse()
 
-	if !*enablePasswordLogin {
-		fmt.Fprintln(os.Stderr, "password login is currently disabled")
+	if !enablePasswordLogin {
+		fmt.Fprintln(os.Stderr, "password login is disabled")
 	}
 
 	certPathExists := fileExists(*certPath)
@@ -847,7 +850,7 @@ func main() {
 			}
 		})
 		ssh3Handler := ssh3Server.GetHTTPHandlerFunc(context.Background())
-		handler, err := unix_server.HandleAuths(context.Background(), *enablePasswordLogin, 30000, ssh3Handler)
+		handler, err := unix_server.HandleAuths(context.Background(), enablePasswordLogin, 30000, ssh3Handler)
 		if err != nil {
 			log.Error().Msgf("Could not get authentication handlers: %s", err)
 			return
diff --git a/util/unix_util/linux_user.go b/util/unix_util/linux_user.go
index e649d0e..abf4508 100644
--- a/util/unix_util/linux_user.go
+++ b/util/unix_util/linux_user.go
@@ -167,3 +167,7 @@ func getpwnam(name string) (*User, error) {
 
 	return &s, nil
 }
+
+func passwordAuthAvailable() bool {
+	return true
+}
\ No newline at end of file
diff --git a/util/unix_util/non_password_auth_user.go b/util/unix_util/non_password_auth_user.go
index d5a1079..1f709a7 100644
--- a/util/unix_util/non_password_auth_user.go
+++ b/util/unix_util/non_password_auth_user.go
@@ -45,3 +45,7 @@ func getUser(username string) (*User, error) {
 func userPasswordAuthentication(username, password string) (bool, error) {
 	return false, fmt.Errorf("password-based authentication is not implemented on %s/%s systems", runtime.GOOS, runtime.GOARCH)
 }
+
+func passwordAuthAvailable() bool {
+	return false
+}
\ No newline at end of file
diff --git a/util/unix_util/user.go b/util/unix_util/user.go
index 9b9c74a..4210417 100644
--- a/util/unix_util/user.go
+++ b/util/unix_util/user.go
@@ -86,3 +86,7 @@ func (u *User) CreateCommandPipeOutput(addEnv string, loginShell bool, command s
 func UserPasswordAuthentication(username, password string) (bool, error) {
 	return userPasswordAuthentication(username, password)
 }
+
+func PasswordAuthAvailable() bool {
+	return passwordAuthAvailable()
+}