From ba8f7823f15fdc463fe247e73c41c834e7c216c5 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Wed, 18 Dec 2024 19:01:15 +0100
Subject: [PATCH] don't allow DSA keys

Signed-off-by: Nicola Murino
---
 internal/dataprovider/dataprovider.go | 9 ++++++++-
 internal/util/i18n.go | 1 +
 static/locales/en/translation.json | 3 ++-
 static/locales/it/translation.json | 3 ++-
 4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/internal/dataprovider/dataprovider.go b/internal/dataprovider/dataprovider.go
index 26cfc977..4b18babe 100644
--- a/internal/dataprovider/dataprovider.go
+++ b/internal/dataprovider/dataprovider.go
@@ -2869,11 +2869,18 @@ func validatePublicKeys(user *User) error {
 util.I18nErrorPubKeyInvalid,
 )
 }
+ if out.Type() == ssh.InsecureKeyAlgoDSA {
+ providerLog(logger.LevelError, "dsa public key not accepted, position: %d", idx)
+ return util.NewI18nError(
+ util.NewValidationError(fmt.Sprintf("DSA key format is insecure and it is not allowed for key at position %d", idx)),
+ util.I18nErrorKeyInsecure,
+ )
+ }
 if k, ok := out.(ssh.CryptoPublicKey); ok {
 cryptoKey := k.CryptoPublicKey()
 if rsaKey, ok := cryptoKey.(*rsa.PublicKey); ok {
 if size := rsaKey.N.BitLen(); size < 2048 {
- providerLog(logger.LevelError, "rsa key with size %d not accepted, minimum 2048", size)
+ providerLog(logger.LevelError, "rsa key with size %d at position %d not accepted, minimum 2048", size, idx)
 return util.NewI18nError(
 util.NewValidationError(fmt.Sprintf("invalid size %d for rsa key at position %d, minimum 2048", size, idx)),
diff --git a/internal/util/i18n.go b/internal/util/i18n.go
index 56db5b60..e326db34 100644
--- a/internal/util/i18n.go
+++ b/internal/util/i18n.go
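Review bot: The new DSA rejection compares only `out.Type()`, so if a certificate entry is ever accepted by this validator, a certificate whose signed key is DSA reports the certificate algorithm instead of `ssh-dss` and passes the guard; whether certificates can reach this point is not visible in the hunk, but `*ssh.Certificate` exposes the signed key as `cert.Key`, so resolving the underlying key type first keeps the check uniform for plain keys and certificates. The same reasoning seems to apply to the RSA size check just below, which goes through `ssh.CryptoPublicKey` and would skip a certificate that does not implement it. Note also that this guard runs in validatePublicKeys (which starts and ends outside the hunk) at save time, so DSA keys already stored are only rejected when the user is next validated; whether such keys remain usable at login depends on the server's accepted public-key algorithms, which this patch does not touch.
```go
		keyType := out.Type()
		if cert, ok := out.(*ssh.Certificate); ok {
			keyType = cert.Key.Type()
		}
		if keyType == ssh.InsecureKeyAlgoDSA {
			// … unchanged: log and return util.I18nErrorKeyInsecure …
		}
```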
@@ -121,6 +121,7 @@ const (
 I18nErrorPubKeyInvalid = "user.pub_key_invalid"
 I18nErrorPrivKeyInvalid = "user.priv_key_invalid"
 I18nErrorKeySizeInvalid = "user.key_invalid_size"
+ I18nErrorKeyInsecure = "user.key_insecure"
 I18nErrorPrimaryGroup = "user.err_primary_group"
 I18nErrorDuplicateGroup = "user.err_duplicate_group"
 I18nErrorNoPermission = "user.no_permissions"
diff --git a/static/locales/en/translation.json b/static/locales/en/translation.json
index 6a3c417f..cae6ade6 100644
--- a/static/locales/en/translation.json
+++ b/static/locales/en/translation.json
@@ -501,7 +501,8 @@
 "home_invalid": "The home directory must be an absolute path",
 "pub_key_invalid": "Invalid public key",
 "priv_key_invalid": "Invalid private key",
- "key_invalid_size": "Invalid RSA key: the minimum supported size is 2048",
+ "key_invalid_size": "Invalid RSA public key: the minimum supported size is 2048",
+ "key_insecure": "Insecure public key format not allowed",
 "err_primary_group": "Only one primary group is allowed",
 "err_duplicate_group": "Duplicate groups detected",
 "no_permissions": "Directories permissions are mandatory",
diff --git a/static/locales/it/translation.json b/static/locales/it/translation.json
index 99c2e0f0..246ed893 100644
--- a/static/locales/it/translation.json
+++ b/static/locales/it/translation.json
@@ -501,7 +501,8 @@
 "home_invalid": "La directory principale deve essere un path assoluto",
 "pub_key_invalid": "Chiave pubblica non valida",
 "priv_key_invalid": "Chiave privata non valida",
- "key_invalid_size": "Chiave RSA non valida: la dimensione minima supportata è 2048",
+ "key_invalid_size": "Chiave pubblica RSA non valida: la dimensione minima supportata è 2048",
+ "key_insecure": "Formato chiave pubblica non sicuro non consentito",
 "err_primary_group": "È consentito un solo gruppo primario",
 "err_duplicate_group": "Rilevati gruppi duplicati",
 "no_permissions": "I permessi per le directory sono obbligatori",