Commit 0afb8c5c5885ef504a28d02b07d040fd2c92c79a

Disable weak keys if admin says so.

Also, mark them with red background in the keys list.

Author: Catalin(ux) M. BOIE
Author date (UTC): 2016-11-15 20:50
Committer: Catalin(ux) M. BOIE
Commit date (UTC): 2016-11-15 20:50
Tree: a8583a75716e503be1267cbd4d1699ca243efb9f
Parents: f25bd7cf263f651870d880d0bb745a4cc07450cb
File Lines added Lines deleted
inc/keys.inc.php 70 50
root/themes/default/hints/ssh/key.html 6 1
root/themes/default/user/keys/list/line.html 1 1
tools/rg_authorize 14 1

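--- a/inc/keys.inc.php
+++ b/inc/keys.inc.php
@@ -132,6 +132,56 @@ function rg_keys_event_notify_user($db, $event)
 }
 
 /*
+* Returns TRUE if the key is too weak by the admin standards
+* @ki - output of rg_keys_info()
+*/
+function rg_keys_weak($db, $ki)
+{
+$ret = array('ok' => 0, 'weak' => 1);
+
+if (strcmp($ki['type'], 'ssh-rsa') == 0) {
+$min = rg_state_get($db, 'ssh_key_min_bits_rsa');
+if ($min === FALSE) {
+rg_keys_set_error('cannot lookup state');
+return $ret;
+}
+if ($ki['bits'] < $min) {
+rg_keys_set_error('RSA key has less than '
+. $min . ' bits (' . $ki['bits'] . ')');
+$ret['ok'] = 1;
+return $ret;
+}
+} else if (strcmp($ki['type'], 'ssh-dss') == 0) {
+$r = rg_state_get($db, 'ssh_key_allow_dsa');
+if ($r === FALSE) {
+rg_keys_set_error('cannot lookup state');
+return $ret;
+}
+if ($r != 1) {
+rg_keys_set_error('DSA keys are not allowed');
+$ret['ok'] = 1;
+return $ret;
+}
+} else if (strncmp($ki['type'], 'ecdsa-', 6) == 0) {
+$min = rg_state_get($db, 'ssh_key_min_bits_ecdsa');
+if ($min === FALSE) {
+rg_keys_set_error('cannot lookup state');
+return $ret;
+}
+if ($ki['bits'] < $min) {
+rg_keys_set_error('ECDSA key has less than '
+. $min . ' bits (' . $ki['bits'] . ')');
+$ret['ok'] = 1;
+return $ret;
+}
+}
+
+$ret['ok'] = 1;
+$ret['weak'] = 0;
+return $ret;
+}
+
+/*
 * Extracts info about a ssh key
 */
 function rg_keys_info($key)
@@ -423,6 +473,8 @@ function rg_keys_add($db, $ui, $key)
 break;
 
 $r = rg_keys_weak($db, $ki);
+if ($r['ok'] != 1)
+break;
 if ($r['weak'] != 0)
 break;
 
@@ -697,8 +749,21 @@ function rg_keys_regen($db)
 
 $errors = 0;
 foreach ($list as $row) {
+// Ignore invalid keys
+$ki = rg_keys_info($row['key']);
+if ($ki['ok'] != 1)
+continue;
+
+// Ignore weak keys
+$r = rg_keys_weak($db, $ki);
+if ($r['ok'] != 1)
+continue;
+if ($r['weak'] != 0)
+continue;
+
 //rg_log("Writing key [" . $row['key'] . "] for uid " . $row['uid']);
 $buf = rg_keys_output_line($row);
+
 if (@fwrite($f, $buf) === FALSE) {
 rg_keys_set_error("cannot write; disk space problems? ($php_errormsg)");
 $errors = 1;
@@ -755,6 +820,11 @@ function rg_keys_list($db, $ui)
 continue;
 }
 
+$r = rg_keys_weak($db, $ki);
+if ($r['ok'] != 1)
+continue;
+$ki['weak'] = $r['weak'];
+
 $t = $ki;
 $t['key_id'] = $row['key_id'];
 if ($row['itime'] == 0)
@@ -845,54 +915,4 @@ function rg_keys_search_by_fingerprint($db, $fp)
 return $ret;
 }
 
-/*
-* Returns TRUE if the key is too weak by the admin standards
-* @ki - output of rg_keys_info()
-*/
-function rg_keys_weak($db, $ki)
-{
-$ret = array('ok' => 0, 'weak' => 1);
-
-if (strcmp($ki['type'], 'ssh-rsa') == 0) {
-$min = rg_state_get($db, 'ssh_key_min_bits_rsa');
-if ($min === FALSE) {
-rg_keys_set_error('cannot lookup state');
-return $ret;
-}
-if ($ki['bits'] < $min) {
-rg_keys_set_error('RSA key has less than '
-. $min . ' bits (' . $ki['bits'] . ')');
-$ret['ok'] = 1;
-return $ret;
-}
-} else if (strcmp($ki['type'], 'ssh-dss') == 0) {
-$r = rg_state_get($db, 'ssh_key_allow_dsa');
-if ($r === FALSE) {
-rg_keys_set_error('cannot lookup state');
-return $ret;
-}
-if ($r != 1) {
-rg_keys_set_error('DSA keys are not allowed');
-$ret['ok'] = 1;
-return $ret;
-}
-} else if (strncmp($ki['type'], 'ecdsa-', 6) == 0) {
-$min = rg_state_get($db, 'ssh_key_min_bits_ecdsa');
-if ($min === FALSE) {
-rg_keys_set_error('cannot lookup state');
-return $ret;
-}
-if ($ki['bits'] < $min) {
-rg_keys_set_error('ECDSA key has less than '
-. $min . ' bits (' . $ki['bits'] . ')');
-$ret['ok'] = 1;
-return $ret;
-}
-}
-
-$ret['ok'] = 1;
-$ret['weak'] = 0;
-return $ret;
-}
-
 ?>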
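Review bot: In rg_keys_regen (new lines 757-762) a failed state lookup inside rg_keys_weak — `$r['ok'] != 1`, which the function only sets when rg_state_get returns FALSE — is handled with `continue`, so a transient database problem silently drops every key from the regenerated authorized_keys file while `$errors` stays 0 and the incomplete file is presumably written as if regeneration succeeded, locking all users out of SSH. A lookup failure is an error, not a property of the key; suggest `if ($r['ok'] != 1) { $errors = 1; break; }` there, and the same treatment in rg_keys_list, where the `continue` at new line 825 hides the key from the owner's list without any message. Separately, the header comment moved to the top of the file still says "Returns TRUE if the key is too weak" although the function returns `array('ok' => ..., 'weak' => ...)`; suggest `* Returns array: 'ok' is 0 if the admin state could not be read (error set), 'weak' is 1 if the key is below the admin thresholds`. Also worth noting that any key type not matched (anything other than ssh-rsa, ssh-dss or ecdsa-*) is accepted as not weak, and that rg_state_get is queried for every key on every call, which in rg_keys_regen means one state lookup per stored key. The bodies of rg_keys_add, rg_keys_regen and rg_keys_list continue outside the hunks.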

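--- a/root/themes/default/hints/ssh/key.html
+++ b/root/themes/default/hints/ssh/key.html
@@ -1,4 +1,9 @@
 <br />
+Keys marked with <span style="background-color: #f00; padding: 2pt">red</span>
+are disabled by the admin because are too weak.
+They cannot by used anymore and should be deleted.<br />
+<br />
+
 How to create a SSH key for RocketGit:<br />
 <div class="xcode">
 cd; mkdir -p .ssh; chmod go= .ssh<br />
@@ -11,7 +16,7 @@ Now, copy in clipboard starting with "ssh-...", including the comment
 and paste it in the form above. Do not worry about spaces or wrapping.<br />
 <br />
 
-To force the use of this key when you connect to the server,<br />
+To force the use of this key when you connect to the server,
 add the following lines to your ~/.ssh/config (use tab key to indent):<br />
 <div class="xcode">
 Host @@rg_ssh_host@@<br />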
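Review bot: The new user-facing text at lines 2-4 has two grammar slips that every user will see on the keys page: `are disabled by the admin because are too weak.` should read `are disabled by the admin because they are too weak.` and `They cannot by used anymore and should be deleted.` should read `They cannot be used anymore and should be deleted.`. Since this legend is the only explanation of the red marker, it may also be worth stating that such keys are already rejected at login, so a user whose pushes suddenly fail knows where to look.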

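--- a/root/themes/default/user/keys/list/line.html
+++ b/root/themes/default/user/keys/list/line.html
@@ -1,7 +1,7 @@
 <tr>
 <td><input type="checkbox" name="key_delete_ids[@@key_id@@]" /></td>
 <td>@@itime@@</td>
-<td>@@type@@ @@bits@@</td>
+<td@@if(@@weak@@ == 1){{ bgcolor="#f00"}}>@@type@@ @@bits@@</td>
 <td><small>SHA256:@@fingerprint_sha256@@<br />MD5:@@fingerprint_md5@@</small></td>
 <td>@@comment@@</td>
 <td>@@first_use@@</td>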
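Review bot: The weak-key marker on line 4 conveys the disabled state by colour alone and uses the obsolete HTML `bgcolor` attribute, while the hint added to hints/ssh/key.html by the same commit uses an inline `style`; a screen reader or a colour-blind user gets no indication that the key no longer works. Suggest `<td@@if(@@weak@@ == 1){{ style="background-color: #f00" title="Disabled: key is too weak"}}>@@type@@ @@bits@@</td>`, assuming the template engine passes the `{{ ... }}` text through unchanged as the current line suggests.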

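--- a/tools/rg_authorize
+++ b/tools/rg_authorize
@@ -54,8 +54,21 @@ if ($r['ok'] !== 1) {
 }
 rg_log('DEBUG: Found ' . count($r['list']) . ' key(s)');
 
-foreach ($r['list'] as $i)
+foreach ($r['list'] as $i) {
+// Ignore invalid keys
+$ki = rg_keys_info($i['key']);
+if ($ki['ok'] != 1)
+continue;
+
+// Ignore weak keys
+$r = rg_keys_weak($db, $ki);
+if ($r['ok'] != 1)
+continue;
+if ($r['weak'] != 0)
+continue;
+
 echo rg_keys_output_line($i);
+}
 
 rg_prof_end('MAIN');
 rg_prof_log();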
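Review bot: The loop body at new line 64 reuses `$r` for the rg_keys_weak result, clobbering the key-list result the script obtained earlier (`$r['list']`, line 55); PHP's foreach iterates over a copy so the loop itself still completes, but anything after it that expects `$r['list']` now sees the weak-check array. Rename the local, e.g. `$w = rg_keys_weak($db, $ki);` / `if ($w['ok'] != 1) continue;` / `if ($w['weak'] != 0) continue;`. Skipping a key when the state lookup fails is the right fail-closed default for an authorization path, but it is silent; an `rg_log` of the error before the `continue` would make a sudden fleet-wide login failure diagnosable. This is a top-level script whose earlier statements lie outside the hunk.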