add option to login with any public key (#2391)

additional logging
2024-11-20 09:52:11 +08:00 · 2024-11-20 09:52:11 +08:00 · d4f3a7ef2a
parent 347b61fb08
commit d4f3a7ef2a
2 changed files with 31 additions and 1 deletions
--- a/etc/cowrie.cfg.dist
+++ b/etc/cowrie.cfg.dist
@ -640,10 +640,16 @@ forward_tunnel = false
 # (default: false)
 #auth_none_enabled = false

+# Public key authentication
+# This is an all or nothing switch that will allow none or any public key certificate to login
+#
+# (default: false)
+auth_publickey_allow_any = false

 # Configure keyboard-interactive login
 auth_keyboard_interactive_enabled = false

+
 # ============================================================================
 # Telnet Specific Options
 # ============================================================================
--- a/src/cowrie/core/checkers.py
+++ b/src/cowrie/core/checkers.py
@ -43,7 +43,26 @@ class HoneypotPublicKeyChecker:
            type=_pubKey.sshType(),
        )

-        return failure.Failure(error.ConchError("Incorrect signature"))
+        if CowrieConfig.getboolean("ssh", "auth_publickey_allow_any", fallback=False):
+            log.msg(
+                eventid="cowrie.login.success",
+                format="public key login attempt for [%(username)s] succeeded",
+                username=credentials.username,
+                fingerprint=_pubKey.fingerprint(),
+                key=_pubKey.toString("OPENSSH"),
+                type=_pubKey.sshType(),
+            )
+            return defer.succeed(credentials.username)
+        else:
+            log.msg(
+                eventid="cowrie.login.failed",
+                format="public key login attempt for [%(username)s] failed",
+                username=credentials.username,
+                fingerprint=_pubKey.fingerprint(),
+                key=_pubKey.toString("OPENSSH"),
+                type=_pubKey.sshType(),
+            )
+            return failure.Failure(error.ConchError("Incorrect signature"))


@implementer(ICredentialsChecker)
@ -55,6 +74,11 @@ class HoneypotNoneChecker:
    credentialInterfaces = (conchcredentials.IUsername,)

    def requestAvatarId(self, credentials):
+        log.msg(
+            eventid="cowrie.login.success",
+            format="login attempt [%(username)s] succeeded",
+            username=credentials.username,
+        )
        return defer.succeed(credentials.username)