[aur-dev] [PATCH v2 02/10] Add support for adding SSH public keys to profiles
Lukas Fleischer
archlinux at cryptocrack.de
Sat Dec 27 11:51:38 UTC 2014
Users can now add an SSH public key on the account edit page. This will
later be used to authenticate users via SSH.
Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
---
schema/aur-schema.sql | 1 +
upgrading/4.0.0.txt | 5 +++
web/html/account.php | 5 ++-
web/lib/acctfuncs.inc.php | 78 ++++++++++++++++++++++++++++++++++----
web/template/account_edit_form.php | 5 +++
5 files changed, 85 insertions(+), 9 deletions(-)
create mode 100644 upgrading/4.0.0.txt
diff --git a/schema/aur-schema.sql b/schema/aur-schema.sql
index 9c57683..dfd158f 100644
--- a/schema/aur-schema.sql
+++ b/schema/aur-schema.sql
@@ -33,6 +33,7 @@ CREATE TABLE Users (
LangPreference VARCHAR(5) NOT NULL DEFAULT 'en',
IRCNick VARCHAR(32) NOT NULL DEFAULT '',
PGPKey VARCHAR(40) NULL DEFAULT NULL,
+ SSHPubKey VARCHAR(4096) NULL DEFAULT NULL,
LastLogin BIGINT UNSIGNED NOT NULL DEFAULT 0,
LastLoginIPAddress INTEGER UNSIGNED NOT NULL DEFAULT 0,
InactivityTS BIGINT UNSIGNED NOT NULL DEFAULT 0,
diff --git a/upgrading/4.0.0.txt b/upgrading/4.0.0.txt
new file mode 100644
index 0000000..543fbac
--- /dev/null
+++ b/upgrading/4.0.0.txt
@@ -0,0 +1,5 @@
+1. Add a field for the SSH public key to the Users table:
+
+----
+ALTER TABLE Users ADD COLUMN SSHPubKey VARCHAR(4096) NULL DEFAULT NULL;
+----
diff --git a/web/html/account.php b/web/html/account.php
index c1a1cd7..3dc8ef0 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -59,7 +59,7 @@ if (isset($_COOKIE["AURSID"])) {
display_account_form("UpdateAccount", $row["Username"],
$row["AccountTypeID"], $row["Suspended"], $row["Email"],
"", "", $row["RealName"], $row["LangPreference"],
- $row["IRCNick"], $row["PGPKey"],
+ $row["IRCNick"], $row["PGPKey"], $row["SSHPubKey"],
$row["InactivityTS"] ? 1 : 0, $row["ID"]);
} else {
print __("You do not have permission to edit this account.");
@@ -98,7 +98,8 @@ if (isset($_COOKIE["AURSID"])) {
in_request("U"), in_request("T"), in_request("S"),
in_request("E"), in_request("P"), in_request("C"),
in_request("R"), in_request("L"), in_request("I"),
- in_request("K"), in_request("J"), in_request("ID"));
+ in_request("K"), in_request("PK"), in_request("J"),
+ in_request("ID"));
}
} else {
if (has_credential(CRED_ACCOUNT_SEARCH)) {
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 2d8dbaf..20ac081 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -53,13 +53,14 @@ function html_format_pgp_fingerprint($fingerprint) {
* @param string $L The language preference of the displayed user
* @param string $I The IRC nickname of the displayed user
* @param string $K The PGP key fingerprint of the displayed user
+ * @param string $PK The SSH public key of the displayed user
* @param string $J The inactivity status of the displayed user
* @param string $UID The user ID of the displayed user
*
* @return void
*/
-function display_account_form($A,$U="",$T="",$S="",
- $E="",$P="",$C="",$R="",$L="",$I="",$K="",$J="", $UID=0) {
+function display_account_form($A,$U="",$T="",$S="",$E="",$P="",$C="",$R="",
+ $L="",$I="",$K="",$PK="",$J="", $UID=0) {
global $SUPPORTED_LANGS;
include("account_edit_form.php");
@@ -82,13 +83,14 @@ function display_account_form($A,$U="",$T="",$S="",
* @param string $L The language preference of the user
* @param string $I The IRC nickname of the user
* @param string $K The PGP fingerprint of the user
+ * @param string $PK The SSH public key of the user
* @param string $J The inactivity status of the user
* @param string $UID The user ID of the modified account
*
* @return string|void Return void if successful, otherwise return error
*/
-function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",
- $P="",$C="",$R="",$L="",$I="",$K="",$J="",$UID=0) {
+function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$P="",$C="",
+ $R="",$L="",$I="",$K="",$PK="",$J="",$UID=0) {
global $SUPPORTED_LANGS;
$error = '';
@@ -146,6 +148,15 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",
$error = __("The PGP key fingerprint is invalid.");
}
+ if (!$error && !empty($PK)) {
+ if (valid_ssh_pubkey($PK)) {
+ $tokens = explode(" ", $PK);
+ $PK = $tokens[0] . " " . $tokens[1];
+ } else {
+ $error = __("The SSH public key is invalid.");
+ }
+ }
+
if (isset($_COOKIE['AURSID'])) {
$atype = account_from_sid($_COOKIE['AURSID']);
if (($atype == "User" && $T > 1) || ($atype == "Trusted User" && $T > 2)) {
@@ -192,11 +203,29 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",
"<strong>", htmlspecialchars($E,ENT_QUOTES), "</strong>");
}
}
+ if (!$error) {
+ /*
+ * Check whether the SSH public key is available.
+ * TODO: Fix race condition.
+ */
+ $q = "SELECT COUNT(*) FROM Users ";
+ $q.= "WHERE SSHPubKey = " . $dbh->quote($PK);
+ if ($TYPE == "edit") {
+ $q.= " AND ID != " . intval($UID);
+ }
+ $result = $dbh->query($q);
+ $row = $result->fetch(PDO::FETCH_NUM);
+
+ if ($row[0]) {
+ $error = __("The SSH public key, %s%s%s, is already in use.",
+ "<strong>", htmlspecialchars($PK, ENT_QUOTES), "</strong>");
+ }
+ }
if ($error) {
print "<ul class='errorlist'><li>".$error."</li></ul>\n";
display_account_form($A, $U, $T, $S, $E, "", "",
- $R, $L, $I, $K, $J, $UID);
+ $R, $L, $I, $K, $PK, $J, $UID);
return;
}
@@ -218,11 +247,13 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",
$L = $dbh->quote($L);
$I = $dbh->quote($I);
$K = $dbh->quote(str_replace(" ", "", $K));
+ $PK = $dbh->quote($PK);
$q = "INSERT INTO Users (AccountTypeID, Suspended, ";
$q.= "InactivityTS, Username, Email, Passwd, Salt, ";
- $q.= "RealName, LangPreference, IRCNick, PGPKey) ";
+ $q.= "RealName, LangPreference, IRCNick, PGPKey, ";
+ $q.= "SSHPubKey) ";
$q.= "VALUES (1, 0, 0, $U, $E, $P, $salt, $R, $L, ";
- $q.= "$I, $K)";
+ $q.= "$I, $K, $PK)";
$result = $dbh->exec($q);
if (!$result) {
print __("Error trying to create account, %s%s%s.",
@@ -290,6 +321,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",
$q.= ", LangPreference = " . $dbh->quote($L);
$q.= ", IRCNick = " . $dbh->quote($I);
$q.= ", PGPKey = " . $dbh->quote(str_replace(" ", "", $K));
+ $q.= ", SSHPubKey = " . $dbh->quote($PK);
$q.= ", InactivityTS = " . $inactivity_ts;
$q.= " WHERE ID = ".intval($UID);
$result = $dbh->exec($q);
@@ -800,6 +832,38 @@ function valid_pgp_fingerprint($fingerprint) {
}
/**
+ * Determine if the SSH public key is valid
+ *
+ * @param string $pubkey SSH public key to check
+ *
+ * @return bool True if the SSH public key is valid, otherwise false
+ */
+function valid_ssh_pubkey($pubkey) {
+ $valid_prefixes = array(
+ "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
+ "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519"
+ );
+
+ $has_valid_prefix = false;
+ foreach ($valid_prefixes as $prefix) {
+ if (strpos($pubkey, $prefix . " ") === 0) {
+ $has_valid_prefix = true;
+ break;
+ }
+ }
+ if (!$has_valid_prefix) {
+ return false;
+ }
+
+ $tokens = explode(" ", $pubkey);
+ if (empty($tokens[1])) {
+ return false;
+ }
+
+ return (base64_encode(base64_decode($tokens[1], true)) == $tokens[1]);
+}
+
+/**
* Determine if the user account has been suspended
*
* @param string $id The ID of user to check if suspended
diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php
index 17dd937..996c207 100644
--- a/web/template/account_edit_form.php
+++ b/web/template/account_edit_form.php
@@ -98,6 +98,11 @@
</p>
<p>
+ <label for="id_ssh"><?= __("SSH Public Key") ?>:</label>
+ <textarea name="PK" id="id_ssh" rows="5" cols="30"><?= htmlspecialchars($PK) ?></textarea>
+ </p>
+
+ <p>
<label for="id_language"><?= __("Language") ?>:</label>
<select name="L" id="id_language">
<?php
--
2.2.1
More information about the aur-dev
mailing list