diff --git a/etc/cowrie.cfg.dist b/etc/cowrie.cfg.dist
index bea2bafa..2247a5ad 100644
--- a/etc/cowrie.cfg.dist
+++ b/etc/cowrie.cfg.dist
@@ -640,10 +640,16 @@ forward_tunnel = false
 # (default: false)
 #auth_none_enabled = false
+# Public key authentication
+# This is an all or nothing switch that will allow none or any public key certificate to login
+#
+# (default: false)
+auth_publickey_allow_any = false
 # Configure keyboard-interactive login
 auth_keyboard_interactive_enabled = false
+
 # ============================================================================
 # Telnet Specific Options
 # ============================================================================
diff --git a/src/cowrie/core/checkers.py b/src/cowrie/core/checkers.py
index 8696879f..5c23ed8a 100644
--- a/src/cowrie/core/checkers.py
+++ b/src/cowrie/core/checkers.py
@@ -43,7 +43,26 @@ class HoneypotPublicKeyChecker:
 type=_pubKey.sshType(),
 )
- return failure.Failure(error.ConchError("Incorrect signature"))
+ if CowrieConfig.getboolean("ssh", "auth_publickey_allow_any", fallback=False):
+ log.msg(
+ eventid="cowrie.login.success",
+ format="public key login attempt for [%(username)s] succeeded",
+ username=credentials.username,
+ fingerprint=_pubKey.fingerprint(),
+ key=_pubKey.toString("OPENSSH"),
+ type=_pubKey.sshType(),
+ )
+ return defer.succeed(credentials.username)
+ else:
+ log.msg(
+ eventid="cowrie.login.failed",
+ format="public key login attempt for [%(username)s] failed",
+ username=credentials.username,
+ fingerprint=_pubKey.fingerprint(),
+ key=_pubKey.toString("OPENSSH"),
+ type=_pubKey.sshType(),
+ )
+ return failure.Failure(error.ConchError("Incorrect signature"))
 @implementer(ICredentialsChecker)
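Review bot: The comment added above `auth_publickey_allow_any` speaks of a "public key certificate", while the checker change in this same commit logs an OpenSSH-format key and its fingerprint and shows no certificate handling, so the wording overstates what is being accepted. I would write `# When true, every offered public key is accepted for any username; when false, every public key login is rejected.` and keep the `# (default: false)` line under it. The hunk also adds a blank line before the Telnet banner that looks unintentional.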
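Review bot: The success branch in `HoneypotPublicKeyChecker` returns `defer.succeed(credentials.username)` with no visible check that the client signed anything with the offered key, so the `fingerprint` and `key` written to `cowrie.login.success` are client-claimed rather than proven. Anyone using these events for attribution needs to know that; I would put `# No signature is verified on this path: the logged key is only what the client offered.` above the `if`, and consider logging whether `credentials.signature` was set (assuming these are Conch `ISSHPrivateKey` credentials, which the hunk does not show). The two `log.msg` calls differ only in `eventid` and `format`, so building the shared keyword arguments once would keep them from drifting apart. The enclosing method starts above the hunk.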
@@ -55,6 +74,11 @@ class HoneypotNoneChecker:
 credentialInterfaces = (conchcredentials.IUsername,)
 def requestAvatarId(self, credentials):
+ log.msg(
+ eventid="cowrie.login.success",
+ format="login attempt [%(username)s] succeeded",
+ username=credentials.username,
+ )
 return defer.succeed(credentials.username)
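Review bot: The `cowrie.login.success` event added to `HoneypotNoneChecker.requestAvatarId` carries only `username`, so a log consumer cannot tell a none-authentication login from a public key one except by parsing the `format` text. I would name the method in the message, e.g. `format="login attempt [%(username)s] succeeded (auth none)"`, or add an explicit field for it if downstream parsers depend on the current wording. A docstring such as `"""Accept every username without checking any credential."""` would also state the unconditional success where it happens.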