Loading onboard/onboard.go +9 −7 Original line number Diff line number Diff line Loading @@ -23,23 +23,25 @@ import ( // logAuthFailure logs a shibboleth failure to the auth syslog facility // so that tools like CrowdSec can rate-limit abusive IPs. func logAuthFailure(clientIP, fingerprint string) { func logAuthFailure(clientIP, clientPort, fingerprint string) { sl, err := syslog.New(syslog.LOG_AUTHPRIV|syslog.LOG_WARNING, "bulletin") if err != nil { return } defer sl.Close() _ = sl.Warning(fmt.Sprintf("Failed shibboleth from %s (key %s)", clientIP, fingerprint)) _ = sl.Warning(fmt.Sprintf("Failed shibboleth from %s port %s (key %s)", clientIP, clientPort, fingerprint)) } // Run executes the onboarding flow. fingerprint is the SHA256 // fingerprint of the connecting key. pubkeyStr is "type:base64". func Run(fingerprint, pubkeyStr string) int { // Parse client IP from SSH_CONNECTION for auth logging. clientIP := "unknown" // Parse client IP and port from SSH_CONNECTION for auth logging. // Including the port prevents syslog from collapsing repeated failures // from the same IP with "message repeated N times". clientIP, clientPort := "unknown", "unknown" if conn := os.Getenv("SSH_CONNECTION"); conn != "" { if parts := strings.Fields(conn); len(parts) >= 1 { clientIP = parts[0] if parts := strings.Fields(conn); len(parts) >= 2 { clientIP, clientPort = parts[0], parts[1] } } // Open DB. Loading Loading @@ -80,7 +82,7 @@ func Run(fingerprint, pubkeyStr string) int { // Rate limit: increasing delay on wrong answers. delay := time.Duration(i+1) * 2 * time.Second time.Sleep(delay) logAuthFailure(clientIP, fingerprint) logAuthFailure(clientIP, clientPort, fingerprint) fmt.Println("Incorrect answer. Access denied.") return 1 } Loading Loading
onboard/onboard.go +9 −7 Original line number Diff line number Diff line Loading @@ -23,23 +23,25 @@ import ( // logAuthFailure logs a shibboleth failure to the auth syslog facility // so that tools like CrowdSec can rate-limit abusive IPs. func logAuthFailure(clientIP, fingerprint string) { func logAuthFailure(clientIP, clientPort, fingerprint string) { sl, err := syslog.New(syslog.LOG_AUTHPRIV|syslog.LOG_WARNING, "bulletin") if err != nil { return } defer sl.Close() _ = sl.Warning(fmt.Sprintf("Failed shibboleth from %s (key %s)", clientIP, fingerprint)) _ = sl.Warning(fmt.Sprintf("Failed shibboleth from %s port %s (key %s)", clientIP, clientPort, fingerprint)) } // Run executes the onboarding flow. fingerprint is the SHA256 // fingerprint of the connecting key. pubkeyStr is "type:base64". func Run(fingerprint, pubkeyStr string) int { // Parse client IP from SSH_CONNECTION for auth logging. clientIP := "unknown" // Parse client IP and port from SSH_CONNECTION for auth logging. // Including the port prevents syslog from collapsing repeated failures // from the same IP with "message repeated N times". clientIP, clientPort := "unknown", "unknown" if conn := os.Getenv("SSH_CONNECTION"); conn != "" { if parts := strings.Fields(conn); len(parts) >= 1 { clientIP = parts[0] if parts := strings.Fields(conn); len(parts) >= 2 { clientIP, clientPort = parts[0], parts[1] } } // Open DB. Loading Loading @@ -80,7 +82,7 @@ func Run(fingerprint, pubkeyStr string) int { // Rate limit: increasing delay on wrong answers. delay := time.Duration(i+1) * 2 * time.Second time.Sleep(delay) logAuthFailure(clientIP, fingerprint) logAuthFailure(clientIP, clientPort, fingerprint) fmt.Println("Incorrect answer. Access denied.") return 1 } Loading
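Review bot: Raising the guard to `len(parts) >= 2` means a one-field SSH_CONNECTION now records `unknown` for an IP that the old `>= 1` check still captured; keep the two checks separate, `if parts := strings.Fields(conn); len(parts) >= 1 {` / `clientIP = parts[0]` / `if len(parts) >= 2 { clientPort = parts[1] }`, so the port is optional without dropping the address (sshd normally exports four fields, so this is a robustness point rather than the common path). The syslog text also changed from `from %s (key %s)` to `from %s port %s (key %s)`, so any CrowdSec or fail2ban pattern keyed on the old wording stops matching until it is updated; a comment above the Sprintf naming the consumer's expected format would make that coupling visible. In the second hunk the failure is logged only after `time.Sleep(delay)`; calling `logAuthFailure` before the sleep delivers the event to the rate limiter sooner without changing the delay the client sees. `Run` starts and ends outside the hunk, and the page renders the same section twice.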