diff --git a/data/auth.sqlite b/data/auth.sqlite
index 2f6fccf..92c0591 100644
Binary files a/data/auth.sqlite and b/data/auth.sqlite differ
diff --git a/markbase-core/src/ssh_server/channel.rs b/markbase-core/src/ssh_server/channel.rs
index 5f57630..2fcb353 100644
--- a/markbase-core/src/ssh_server/channel.rs
+++ b/markbase-core/src/ssh_server/channel.rs
@@ -1,7 +1,9 @@
-// SSH Channel协议实现(Phase 6)
+// SSH Channel协议实现(Phase 6 + Phase 13端口转发)
 // 参考OpenSSH channel.c
 use crate::ssh_server::packet::{SshPacket, PacketType};
+use crate::ssh_server::ssh_security_config::SshSecurityConfig; // Phase 13.3: 安全配置
+use crate::ssh_server::port_forward::{PortForwardManager, DirectTcpipChannel, ForwardedTcpipChannel}; // Phase 13.3
 use std::io::{Read, Write}; // 导入Write trait(OpenSSH标准)
 use anyhow::{Result, anyhow};
 use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
@@ -28,10 +30,11 @@ impl ChannelManager {
 }
 /// 处理SSH_MSG_CHANNEL_OPEN(参考OpenSSH channel.c: channel_open())
- pub fn handle_channel_open(&mut self, packet: &SshPacket) -> Result {
+ /// Phase 13.3: 支持direct-tcpip和forwarded-tcpip channel
+ pub fn handle_channel_open(&mut self, packet: &SshPacket, security_config: Option<&SshSecurityConfig>) -> Result {
 info!("Processing SSH_MSG_CHANNEL_OPEN");
- let mut cursor = std::io::Cursor::new(packet.payload.as_slice()); // 使用as_slice()(Rust标准)
+ let mut cursor = std::io::Cursor::new(packet.payload.as_slice());
 // Packet type
 let packet_type = cursor.read_u8()?;
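Review bot: The new `security_config: Option<&SshSecurityConfig>` parameter on `handle_channel_open` makes the forwarding policy optional, whereas `handle_global_request` in port_forward.rs takes `&SshSecurityConfig` unconditionally; a `direct-tcpip` open asks the server to connect to a client-chosen host:port, so a missing policy should refuse the open rather than be left to the callee's interpretation of `None`. Unless a caller legitimately has no policy, I would match the other signature: `pub fn handle_channel_open(&mut self, packet: &SshPacket, security_config: &SshSecurityConfig) -> Result {`, or failing that state the `None` contract in the doc comment, e.g. `/// security_config: policy for direct-tcpip opens; None must refuse them (fail closed)`. The added doc line `/// Phase 13.3: 支持direct-tcpip和forwarded-tcpip channel` records a phase label rather than the parameter's contract. The body of handle_channel_open continues past the hunk, so how `None` is handled is not visible here.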
@@ -54,40 +57,35 @@ impl ChannelManager {
 info!("Channel open: type={}, sender_channel={}, window={}, max_packet={}", channel_type, sender_channel, initial_window_size, maximum_packet_size);
- // 检查channel类型(OpenSSH支持:session、x11、forwarded-tcpip、direct-tcpip)
- if channel_type != "session" {
- warn!("Unsupported channel type: {}", channel_type);
- return self.build_channel_open_failure(
- sender_channel,
- 3, // SSH_OPEN_UNKNOWN_CHANNEL_TYPE
- "Unsupported channel type",
- "en"
- );
+ // Phase 13.3: 检查channel类型(支持session、direct-tcpip、forwarded-tcpip)
+ match channel_type.as_str() {
+ "session" => {
+ // 传统的session channel(Phase 6)
+ self.handle_session_channel_open(sender_channel, initial_window_size, maximum_packet_size)
+ }
+
+ "direct-tcpip" => {
+ // Phase 13.3: Remote port forwarding channel
+ info!("Received direct-tcpip channel open (Remote port forwarding)");
+ self.handle_direct_tcpip_channel_open(packet, sender_channel, initial_window_size, maximum_packet_size, security_config)
+ }
+
+ "forwarded-tcpip" => {
+ // Phase 13.3: Local port forwarding channel
+ info!("Received forwarded-tcpip channel open (Local port forwarding)");
+ self.handle_forwarded_tcpip_channel_open(packet, sender_channel, initial_window_size, maximum_packet_size)
+ }
+
+ _ => {
+ warn!("Unsupported channel type: {}", channel_type);
+ self.build_channel_open_failure(
+ sender_channel,
+ 3, // SSH_OPEN_UNKNOWN_CHANNEL_TYPE
+ "Unsupported channel type",
+ "en"
+ )
+ }
 }
-
- // 创建新channel(参考OpenSSH channel.c)
- let server_channel = self.next_channel_id;
- self.next_channel_id += 1;
-
- let channel = Channel {
- server_channel,
- sender_channel,
- channel_type,
- window_size: initial_window_size,
- maximum_packet_size,
- state: ChannelState::Open,
- output_buffer: None, // Phase 6: 初始化为空
- sftp_handler: None, // Phase 7: 初始化为空
- scp_handler: None, // Phase 8: 初始化为空
- rsync_handler: None, // Phase 8: 初始化为空
- };
-
- self.channels.insert(server_channel, channel);
-
- info!("Channel created: server_channel={}, sender_channel={}", server_channel, sender_channel);
-
- // 构建SSH_MSG_CHANNEL_OPEN_CONFIRMATION(参考OpenSSH channel.c)
- self.build_channel_open_confirmation(server_channel, sender_channel, initial_window_size, maximum_packet_size)
 }
 /// 处理SSH_MSG_CHANNEL_REQUEST(参考OpenSSH channel.c: channel_request())
@@ -505,6 +503,9 @@ struct Channel {
 sftp_handler: Option, // Phase 7: SFTP处理器
 scp_handler: Option, // Phase 8: SCP处理器
 rsync_handler: Option, // Phase 8: rsync处理器
+ // Phase 13.3: 端口转发相关字段
+ direct_tcpip: Option, // direct-tcpip channel(Remote forwarding)
+ forwarded_tcpip: Option, // forwarded-tcpip channel(Local forwarding)
 }
 /// SSH Channel状态(参考OpenSSH channel.c)
diff --git a/markbase-core/src/ssh_server/port_forward.rs b/markbase-core/src/ssh_server/port_forward.rs
index 545323d..dfe80dc 100644
--- a/markbase-core/src/ssh_server/port_forward.rs
+++ b/markbase-core/src/ssh_server/port_forward.rs
@@ -8,6 +8,7 @@ use std::io::{Read, Write};
 use std::sync::{Arc, Mutex};
 use std::thread;
 use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
+use crate::ssh_server::ssh_security_config::SshSecurityConfig; // Phase 13.2: 安全配置
 /// 端口转发类型(参考RFC 4254)
 #[derive(Debug, Clone, PartialEq, Eq)]
@@ -44,7 +45,8 @@ impl PortForwardManager {
 /// 处理SSH_MSG_GLOBAL_REQUEST(端口转发请求)
 /// 参考RFC 4254 Section 4
- pub fn handle_global_request(&mut self, data: &[u8]) -> Result<(bool, Option>)> {
+ /// Phase 13.2: 添加安全配置验证
+ pub fn handle_global_request(&mut self, data: &[u8], security_config: &SshSecurityConfig) -> Result<(bool, Option>)> {
 info!("Processing SSH_MSG_GLOBAL_REQUEST for port forwarding");
 let mut cursor = std::io::Cursor::new(data);
@@ -61,7 +63,7 @@ impl PortForwardManager {
 match request_name.as_str() {
 "tcpip-forward" => {
 // Local port forwarding (-L)
- self.handle_tcpip_forward(&mut cursor, want_reply)
+ self.handle_tcpip_forward(&mut cursor, want_reply, security_config) // Phase 13.2
 }
 "cancel-tcpip-forward" => {
 // Cancel port forwarding
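Review bot: In the new `match`, the `direct-tcpip` arm passes `security_config` on to its handler but the `forwarded-tcpip` arm calls `handle_forwarded_tcpip_channel_open(packet, sender_channel, initial_window_size, maximum_packet_size)` without it, so whatever policy the config enforces is not applied to that channel type; if that handler opens or accepts a TCP connection it should take the same argument. The arm comments also invert the RFC 4254 §7.2 roles: `direct-tcpip` is the client-to-server open used for local forwarding (-L) and `forwarded-tcpip` is the server-to-client open used for remote forwarding (-R), so I would write `// Phase 13.3: direct-tcpip (client-requested outbound connection, local forwarding -L)` and `// Phase 13.3: forwarded-tcpip (normally server-initiated, remote forwarding -R)`. Because a client does not normally send `forwarded-tcpip` to a server, it is worth confirming this arm is intentional rather than a channel type the server should answer with SSH_OPEN_UNKNOWN_CHANNEL_TYPE like the `_` arm does. The two handlers themselves are outside the hunk.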
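Review bot: The doc line added to `handle_global_request` (`/// Phase 13.2: 添加安全配置验证`) records a phase label but not what the new `security_config` parameter does or what a caller should expect on rejection; the same applies to the identical line on `handle_tcpip_forward` in the next hunk. I would replace it with a contract line such as `/// security_config: forwarding policy consulted before a tcpip-forward is registered; a request that fails validation returns Ok((false, None)) so the caller can answer with SSH_MSG_REQUEST_FAILURE`. The `cancel-tcpip-forward` arm in the following hunk stays unvalidated, which is fine only if cancelling a forward this session never registered is harmless; that handler is not in the diff, so confirm it.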
@@ -81,7 +83,8 @@ impl PortForwardManager {
 /// 处理tcpip-forward请求(Local port forwarding)
 /// 参考RFC 4254 Section 7.1
- fn handle_tcpip_forward(&mut self, cursor: &mut std::io::Cursor<&[u8]>, want_reply: bool) -> Result<(bool, Option>)> {
+ /// Phase 13.2: 添加安全配置验证
+ fn handle_tcpip_forward(&mut self, cursor: &mut std::io::Cursor<&[u8]>, want_reply: bool, security_config: &SshSecurityConfig) -> Result<(bool, Option>)> {
 // 读取bind address(SSH string)
 let bind_address = read_ssh_string(cursor)?;
@@ -90,10 +93,20 @@ impl PortForwardManager {
 info!("tcpip-forward request: bind_address={}, bind_port={}", bind_address, bind_port);
+ // Phase 13.2: 安全配置验证
+ if let Err(e) = security_config.validate_tcpip_forward_request(&bind_address, bind_port) {
+ warn!("tcpip-forward security validation failed: {}", e);
+ return Ok((false, None)); // 拒绝请求
+ }
+
+ info!("tcpip-forward security validation passed");
+
 // 添加到active forwards
 let mut forwards = self.active_forwards.lock().unwrap();
 forwards.push((bind_port, PortForwardType::Local));
+ info!("tcpip-forward registered: bind_port={}", bind_port);
+
 // 返回成功响应(包含bind_port)
 if want_reply {
 let response = self.build_global_request_response(true, Some(bind_port))?;
diff --git a/markbase-core/src/ssh_server/server.rs b/markbase-core/src/ssh_server/server.rs
index 559f036..8228926 100644
--- a/markbase-core/src/ssh_server/server.rs
+++ b/markbase-core/src/ssh_server/server.rs
@@ -376,10 +376,10 @@ fn handle_ssh_service_loop(
 info!("Sent SSH_MSG_REQUEST_FAILURE (TCP forwarding disabled)");
 continue;
 }
- drop(security); // 释放锁
- // Phase 13: 调用PortForwardManager处理
- let (success, response) = port_forward_manager.handle_global_request(&packet.payload)?;
+ // Phase 13.2: 调用PortForwardManager处理(传递security_config)
+ let (success, response) = port_forward_manager.handle_global_request(&packet.payload, &security)?;
+ drop(security); // 释放锁
 if success {
 if let Some(response_data) = response {
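Review bot: The rejection path in `handle_tcpip_forward` returns `Ok((false, None))` without consulting `want_reply`, so the caller must send SSH_MSG_REQUEST_FAILURE itself; the visible caller in server.rs shows only the `if success` branch, so confirm its else branch replies when `want_reply` is set, otherwise a client whose request is refused waits for an answer that never comes (RFC 4254 §4). The new `warn!` is useful for detection, but it carries only the validator's error text; including the refused target makes each record self-contained, e.g. `warn!("tcpip-forward refused: bind_address={}, bind_port={}: {}", bind_address, bind_port, e);`. Running the policy check before `active_forwards` is locked is the right order. Note that a validated request is pushed even when the same `bind_port` is already in `active_forwards`; that duplicate path predates this change, but the new check is the natural place to refuse it.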
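Review bot: Moving `drop(security)` to after the call means the `security` guard is now held for the whole of `handle_global_request`, which parses the client payload and, per the port_forward.rs hunk above, takes `self.active_forwards.lock()`; if any other path acquires those two locks in the opposite order this becomes a deadlock, and in any case policy readers now wait behind request parsing. If `SshSecurityConfig` is `Clone` or otherwise cheap to snapshot, prefer `let policy = security.clone(); drop(security);` and pass `&policy`, which restores the short hold time the removed line had. That `security` is a mutex guard is inferred from the `// 释放锁` comment rather than visible in the hunk, and the enclosing `handle_ssh_service_loop` starts outside it.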