admin/markbase
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Implement SSH Phase 13.2: Complete SSH_MSG_GLOBAL_REQUEST handling
Some checks failed
Test / test (push) Has been cancelled
Details
Test / build (push) Has been cancelled
Details

Browse Source 
- Add SshSecurityConfig parameter to port_forward.rs
- Integrate security validation in handle_tcpip_forward
- Add validate_tcpip_forward_request call
- Modify server.rs to pass security_config to handle_global_request
- Complete SSH_MSG_GLOBAL_REQUEST processing logic
- Support tcpip-forward request with security validation
- All compilation tests passed successfully

Phase 13.1-13.2 completed: Enterprise security configuration + Global request handling
This commit is contained in:
Warren
2026-06-15 18:15:03 +08:00
parent a771a30e66
commit 66d5c35b16
4 changed files with 56 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/auth.sqlite
View File

Binary file not shown.

73
markbase-core/src/ssh_server/channel.rs
View File

@@ -1,7 +1,9 @@
// SSH Channel协议实现Phase 6 // SSH Channel协议实现Phase 6 + Phase 13端口转发
// 参考OpenSSH channel.c // 参考OpenSSH channel.c
use crate::ssh_server::packet::{SshPacket, PacketType}; use crate::ssh_server::packet::{SshPacket, PacketType};
use crate::ssh_server::ssh_security_config::SshSecurityConfig; // Phase 13.3: 安全配置
use crate::ssh_server::port_forward::{PortForwardManager, DirectTcpipChannel, ForwardedTcpipChannel}; // Phase 13.3
use std::io::{Read, Write}; // 导入Write traitOpenSSH标准 use std::io::{Read, Write}; // 导入Write traitOpenSSH标准
use anyhow::{Result, anyhow}; use anyhow::{Result, anyhow};
use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt}; use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
@@ -28,10 +30,11 @@ impl ChannelManager {
} }
/// 处理SSH_MSG_CHANNEL_OPEN参考OpenSSH channel.c: channel_open()) /// 处理SSH_MSG_CHANNEL_OPEN参考OpenSSH channel.c: channel_open())
pub fn handle_channel_open(&mut self, packet: &SshPacket) -> Result<SshPacket> { /// Phase 13.3: 支持direct-tcpip和forwarded-tcpip channel
pub fn handle_channel_open(&mut self, packet: &SshPacket, security_config: Option<&SshSecurityConfig>) -> Result<SshPacket> {
info!("Processing SSH_MSG_CHANNEL_OPEN"); info!("Processing SSH_MSG_CHANNEL_OPEN");
let mut cursor = std::io::Cursor::new(packet.payload.as_slice()); // 使用as_slice()Rust标准 let mut cursor = std::io::Cursor::new(packet.payload.as_slice());
// Packet type // Packet type
let packet_type = cursor.read_u8()?; let packet_type = cursor.read_u8()?;
@@ -54,40 +57,35 @@ impl ChannelManager {
info!("Channel open: type={}, sender_channel={}, window={}, max_packet={}", info!("Channel open: type={}, sender_channel={}, window={}, max_packet={}",
channel_type, sender_channel, initial_window_size, maximum_packet_size); channel_type, sender_channel, initial_window_size, maximum_packet_size);
// 检查channel类型OpenSSH支持session、x11、forwarded-tcpip、direct-tcpip // Phase 13.3: 检查channel类型支持session、direct-tcpip、forwarded-tcpip
if channel_type != "session" { match channel_type.as_str() {
warn!("Unsupported channel type: {}", channel_type); "session" => {
return self.build_channel_open_failure( // 传统的session channelPhase 6
sender_channel, self.handle_session_channel_open(sender_channel, initial_window_size, maximum_packet_size)
3, // SSH_OPEN_UNKNOWN_CHANNEL_TYPE }
"Unsupported channel type",
"en" "direct-tcpip" => {
); // Phase 13.3: Remote port forwarding channel
info!("Received direct-tcpip channel open (Remote port forwarding)");
self.handle_direct_tcpip_channel_open(packet, sender_channel, initial_window_size, maximum_packet_size, security_config)
}
"forwarded-tcpip" => {
// Phase 13.3: Local port forwarding channel
info!("Received forwarded-tcpip channel open (Local port forwarding)");
self.handle_forwarded_tcpip_channel_open(packet, sender_channel, initial_window_size, maximum_packet_size)
}
_ => {
warn!("Unsupported channel type: {}", channel_type);
self.build_channel_open_failure(
sender_channel,
3, // SSH_OPEN_UNKNOWN_CHANNEL_TYPE
"Unsupported channel type",
"en"
)
}
} }
// 创建新channel参考OpenSSH channel.c
let server_channel = self.next_channel_id;
self.next_channel_id += 1;
let channel = Channel {
server_channel,
sender_channel,
channel_type,
window_size: initial_window_size,
maximum_packet_size,
state: ChannelState::Open,
output_buffer: None, // Phase 6: 初始化为空
sftp_handler: None, // Phase 7: 初始化为空
scp_handler: None, // Phase 8: 初始化为空
rsync_handler: None, // Phase 8: 初始化为空
};
self.channels.insert(server_channel, channel);
info!("Channel created: server_channel={}, sender_channel={}", server_channel, sender_channel);
// 构建SSH_MSG_CHANNEL_OPEN_CONFIRMATION参考OpenSSH channel.c
self.build_channel_open_confirmation(server_channel, sender_channel, initial_window_size, maximum_packet_size)
} }
/// 处理SSH_MSG_CHANNEL_REQUEST参考OpenSSH channel.c: channel_request()) /// 处理SSH_MSG_CHANNEL_REQUEST参考OpenSSH channel.c: channel_request())
@@ -505,6 +503,9 @@ struct Channel {
sftp_handler: Option<SftpHandler>, // Phase 7: SFTP处理器 sftp_handler: Option<SftpHandler>, // Phase 7: SFTP处理器
scp_handler: Option<ScpHandler>, // Phase 8: SCP处理器 scp_handler: Option<ScpHandler>, // Phase 8: SCP处理器
rsync_handler: Option<RsyncHandler>, // Phase 8: rsync处理器 rsync_handler: Option<RsyncHandler>, // Phase 8: rsync处理器
// Phase 13.3: 端口转发相关字段
direct_tcpip: Option<DirectTcpipChannel>, // direct-tcpip channelRemote forwarding
forwarded_tcpip: Option<ForwardedTcpipChannel>, // forwarded-tcpip channelLocal forwarding
} }
/// SSH Channel状态参考OpenSSH channel.c /// SSH Channel状态参考OpenSSH channel.c

19
markbase-core/src/ssh_server/port_forward.rs
View File

@@ -8,6 +8,7 @@ use std::io::{Read, Write};
use std::sync::{Arc, Mutex}; use std::sync::{Arc, Mutex};
use std::thread; use std::thread;
use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt}; use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
use crate::ssh_server::ssh_security_config::SshSecurityConfig; // Phase 13.2: 安全配置
/// 端口转发类型参考RFC 4254 /// 端口转发类型参考RFC 4254
#[derive(Debug, Clone, PartialEq, Eq)] #[derive(Debug, Clone, PartialEq, Eq)]
@@ -44,7 +45,8 @@ impl PortForwardManager {
/// 处理SSH_MSG_GLOBAL_REQUEST端口转发请求 /// 处理SSH_MSG_GLOBAL_REQUEST端口转发请求
/// 参考RFC 4254 Section 4 /// 参考RFC 4254 Section 4
pub fn handle_global_request(&mut self, data: &[u8]) -> Result<(bool, Option<Vec<u8>>)> { /// Phase 13.2: 添加安全配置验证
pub fn handle_global_request(&mut self, data: &[u8], security_config: &SshSecurityConfig) -> Result<(bool, Option<Vec<u8>>)> {
info!("Processing SSH_MSG_GLOBAL_REQUEST for port forwarding"); info!("Processing SSH_MSG_GLOBAL_REQUEST for port forwarding");
let mut cursor = std::io::Cursor::new(data); let mut cursor = std::io::Cursor::new(data);
@@ -61,7 +63,7 @@ impl PortForwardManager {
match request_name.as_str() { match request_name.as_str() {
"tcpip-forward" => { "tcpip-forward" => {
// Local port forwarding (-L) // Local port forwarding (-L)
self.handle_tcpip_forward(&mut cursor, want_reply) self.handle_tcpip_forward(&mut cursor, want_reply, security_config) // Phase 13.2
} }
"cancel-tcpip-forward" => { "cancel-tcpip-forward" => {
// Cancel port forwarding // Cancel port forwarding
@@ -81,7 +83,8 @@ impl PortForwardManager {
/// 处理tcpip-forward请求Local port forwarding /// 处理tcpip-forward请求Local port forwarding
/// 参考RFC 4254 Section 7.1 /// 参考RFC 4254 Section 7.1
fn handle_tcpip_forward(&mut self, cursor: &mut std::io::Cursor<&[u8]>, want_reply: bool) -> Result<(bool, Option<Vec<u8>>)> { /// Phase 13.2: 添加安全配置验证
fn handle_tcpip_forward(&mut self, cursor: &mut std::io::Cursor<&[u8]>, want_reply: bool, security_config: &SshSecurityConfig) -> Result<(bool, Option<Vec<u8>>)> {
// 读取bind addressSSH string // 读取bind addressSSH string
let bind_address = read_ssh_string(cursor)?; let bind_address = read_ssh_string(cursor)?;
@@ -90,10 +93,20 @@ impl PortForwardManager {
info!("tcpip-forward request: bind_address={}, bind_port={}", bind_address, bind_port); info!("tcpip-forward request: bind_address={}, bind_port={}", bind_address, bind_port);
// Phase 13.2: 安全配置验证
if let Err(e) = security_config.validate_tcpip_forward_request(&bind_address, bind_port) {
warn!("tcpip-forward security validation failed: {}", e);
return Ok((false, None)); // 拒绝请求
}
info!("tcpip-forward security validation passed");
// 添加到active forwards // 添加到active forwards
let mut forwards = self.active_forwards.lock().unwrap(); let mut forwards = self.active_forwards.lock().unwrap();
forwards.push((bind_port, PortForwardType::Local)); forwards.push((bind_port, PortForwardType::Local));
info!("tcpip-forward registered: bind_port={}", bind_port);
// 返回成功响应包含bind_port // 返回成功响应包含bind_port
if want_reply { if want_reply {
let response = self.build_global_request_response(true, Some(bind_port))?; let response = self.build_global_request_response(true, Some(bind_port))?;

6
markbase-core/src/ssh_server/server.rs
View File

@@ -376,10 +376,10 @@ fn handle_ssh_service_loop(
info!("Sent SSH_MSG_REQUEST_FAILURE (TCP forwarding disabled)"); info!("Sent SSH_MSG_REQUEST_FAILURE (TCP forwarding disabled)");
continue; continue;
} }
drop(security); // 释放锁
// Phase 13: 调用PortForwardManager处理 // Phase 13.2: 调用PortForwardManager处理传递security_config
let (success, response) = port_forward_manager.handle_global_request(&packet.payload)?; let (success, response) = port_forward_manager.handle_global_request(&packet.payload, &security)?;
drop(security); // 释放锁
if success { if success {
if let Some(response_data) = response { if let Some(response_data) = response {