Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-07 06:40:54 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add support for allowed/denied IP/Mask

Browse Source 
Login can be restricted to specific ranges of IP address or to a specific IP
address.

Please apply the appropriate SQL upgrade script to add the filter field to your
database.

The filter database field will allow to add other filters without requiring a
new database migration
This commit is contained in:
Nicola Murino
2019-12-30 18:37:50 +01:00
parent ad5436e3f6
commit 1b1c740b29
22 changed files with 623 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
sftpd/server.go
View File

@@ -352,12 +352,24 @@ func (c Configuration) createHandler(connection Connection) sftp.Handlers {
}
}
func loginUser(user dataprovider.User, loginType string) (*ssh.Permissions, error) {
func loginUser(user dataprovider.User, loginType string, remoteAddr string) (*ssh.Permissions, error) {
if !filepath.IsAbs(user.HomeDir) {
logger.Warn(logSender, "", "user %#v has an invalid home dir: %#v. Home dir must be an absolute path, login not allowed",
user.Username, user.HomeDir)
return nil, fmt.Errorf("cannot login user with invalid home dir: %#v", user.HomeDir)
}
if user.MaxSessions > 0 {
activeSessions := getActiveSessions(user.Username)
if activeSessions >= user.MaxSessions {
logger.Debug(logSender, "", "authentication refused for user: %#v, too many open sessions: %v/%v", user.Username,
activeSessions, user.MaxSessions)
return nil, fmt.Errorf("too many open sessions: %v", activeSessions)
}
}
if !user.IsLoginAllowed(remoteAddr) {
logger.Debug(logSender, "", "cannot login user %#v, remote address is not allowed: %v", user.Username, remoteAddr)
return nil, fmt.Errorf("Login is not allowed from this address: %v", remoteAddr)
}
if _, err := os.Stat(user.HomeDir); os.IsNotExist(err) {
err := os.MkdirAll(user.HomeDir, 0777)
logger.Debug(logSender, "", "home directory %#v for user %#v does not exist, try to create, mkdir error: %v",
@@ -367,15 +379,6 @@ func loginUser(user dataprovider.User, loginType string) (*ssh.Permissions, erro
}
}
if user.MaxSessions > 0 {
activeSessions := getActiveSessions(user.Username)
if activeSessions >= user.MaxSessions {
logger.Debug(logSender, "", "authentication refused for user: %#v, too many open sessions: %v/%v", user.Username,
activeSessions, user.MaxSessions)
return nil, fmt.Errorf("too many open sessions: %v", activeSessions)
}
}
json, err := json.Marshal(user)
if err != nil {
logger.Warn(logSender, "", "error serializing user info: %v, authentication rejected", err)
@@ -432,7 +435,7 @@ func (c Configuration) validatePublicKeyCredentials(conn ssh.ConnMetadata, pubKe
metrics.AddLoginAttempt(true)
if user, keyID, err = dataprovider.CheckUserAndPubKey(dataProvider, conn.User(), pubKey); err == nil {
sshPerm, err = loginUser(user, "public_key:"+keyID)
sshPerm, err = loginUser(user, "public_key:"+keyID, conn.RemoteAddr().String())
} else {
logger.ConnectionFailedLog(conn.User(), utils.GetIPFromRemoteAddress(conn.RemoteAddr().String()), "public_key", err.Error())
}
@@ -447,7 +450,7 @@ func (c Configuration) validatePasswordCredentials(conn ssh.ConnMetadata, pass [
metrics.AddLoginAttempt(false)
if user, err = dataprovider.CheckUserAndPass(dataProvider, conn.User(), string(pass)); err == nil {
sshPerm, err = loginUser(user, "password")
sshPerm, err = loginUser(user, "password", conn.RemoteAddr().String())
} else {
logger.ConnectionFailedLog(conn.User(), utils.GetIPFromRemoteAddress(conn.RemoteAddr().String()), "password", err.Error())
}