| commit | author | age | ||
| af816d | 1 | /* |
| DO | 2 | * Copyright 2014 gitblit.com. |
| 3 | * | |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package com.gitblit.transport.ssh; | |
| 17 | ||
| 18 | import java.io.File; | |
| c910be | 19 | import java.io.FileOutputStream; |
| af816d | 20 | import java.io.IOException; |
| c910be | 21 | import java.io.OutputStreamWriter; |
| af816d | 22 | import java.net.InetSocketAddress; |
| c910be | 23 | import java.security.KeyPair; |
| JM | 24 | import java.security.KeyPairGenerator; |
| af816d | 25 | import java.text.MessageFormat; |
| DO | 26 | import java.util.concurrent.atomic.AtomicBoolean; |
| 27 | ||
| bf4fc5 | 28 | import org.apache.sshd.common.io.IoServiceFactoryFactory; |
| DO | 29 | import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory; |
| 30 | import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory; | |
| c910be | 31 | import org.apache.sshd.common.util.SecurityUtils; |
| d41034 | 32 | import org.apache.sshd.server.SshServer; |
| b3aabb | 33 | import org.apache.sshd.server.auth.CachingPublicKeyAuthenticator; |
| c910be | 34 | import org.bouncycastle.openssl.PEMWriter; |
| af816d | 35 | import org.eclipse.jgit.internal.JGitText; |
| DO | 36 | import org.slf4j.Logger; |
| 37 | import org.slf4j.LoggerFactory; | |
| 38 | ||
| e725e1 | 39 | import com.gitblit.Constants; |
| af816d | 40 | import com.gitblit.IStoredSettings; |
| DO | 41 | import com.gitblit.Keys; |
| 42 | import com.gitblit.manager.IGitblit; | |
| 261ddf | 43 | import com.gitblit.transport.ssh.commands.SshCommandFactory; |
| c910be | 44 | import com.gitblit.utils.JnaUtils; |
| af816d | 45 | import com.gitblit.utils.StringUtils; |
| 5bb55f | 46 | import com.gitblit.utils.WorkQueue; |
| c910be | 47 | import com.google.common.io.Files; |
| af816d | 48 | |
| DO | 49 | /** |
| 50 | * Manager for the ssh transport. Roughly analogous to the | |
| 31f477 | 51 | * {@link com.gitblit.transport.git.GitDaemon} class. |
| 924c9b | 52 | * |
| af816d | 53 | */ |
| 924c9b | 54 | public class SshDaemon { |
| af816d | 55 | |
| DO | 56 | private final Logger log = LoggerFactory.getLogger(SshDaemon.class); |
| 57 | ||
| bf4fc5 | 58 | public static enum SshSessionBackend { |
| DO | 59 | MINA, NIO2 |
| 60 | } | |
| 8982e6 | 61 | |
| af816d | 62 | /** |
| DO | 63 | * 22: IANA assigned port number for ssh. Note that this is a distinct |
| 64 | * concept from gitblit's default conf for ssh port -- this "default" is | |
| 65 | * what the git protocol itself defaults to if it sees and ssh url without a | |
| 66 | * port. | |
| 67 | */ | |
| 68 | public static final int DEFAULT_PORT = 22; | |
| 69 | ||
| 924c9b | 70 | private final AtomicBoolean run; |
| af816d | 71 | |
| 924c9b | 72 | private final IGitblit gitblit; |
| JM | 73 | private final SshServer sshd; |
| af816d | 74 | |
| DO | 75 | /** |
| 76 | * Construct the Gitblit SSH daemon. | |
| 924c9b | 77 | * |
| af816d | 78 | * @param gitblit |
| 5bb55f | 79 | * @param workQueue |
| af816d | 80 | */ |
| 5bb55f | 81 | public SshDaemon(IGitblit gitblit, WorkQueue workQueue) { |
| af816d | 82 | this.gitblit = gitblit; |
| 8982e6 | 83 | |
| af816d | 84 | IStoredSettings settings = gitblit.getSettings(); |
| bf4fc5 | 85 | |
| c910be | 86 | // Ensure that Bouncy Castle is our JCE provider |
| JM | 87 | SecurityUtils.setRegisterBouncyCastle(true); |
| 5604f3 | 88 | if (SecurityUtils.isBouncyCastleRegistered()) { |
| JM | 89 | log.debug("BouncyCastle is registered as a JCE provider"); |
| 90 | } | |
| c910be | 91 | |
| JM | 92 | // Generate host RSA and DSA keypairs and create the host keypair provider |
| 93 | File rsaKeyStore = new File(gitblit.getBaseFolder(), "ssh-rsa-hostkey.pem"); | |
| 94 | File dsaKeyStore = new File(gitblit.getBaseFolder(), "ssh-dsa-hostkey.pem"); | |
| 95 | generateKeyPair(rsaKeyStore, "RSA", 2048); | |
| 96 | generateKeyPair(dsaKeyStore, "DSA", 0); | |
| 97 | FileKeyPairProvider hostKeyPairProvider = new FileKeyPairProvider(); | |
| 98 | hostKeyPairProvider.setFiles(new String [] { rsaKeyStore.getPath(), dsaKeyStore.getPath(), dsaKeyStore.getPath() }); | |
| 99 | ||
| 100 | // Client public key authenticator | |
| 7a273c | 101 | SshKeyAuthenticator keyAuthenticator = |
| JM | 102 | new SshKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit); |
| c910be | 103 | |
| JM | 104 | // Configure the preferred SSHD backend |
| bf4fc5 | 105 | String sshBackendStr = settings.getString(Keys.git.sshBackend, |
| DO | 106 | SshSessionBackend.NIO2.name()); |
| 107 | SshSessionBackend backend = SshSessionBackend.valueOf(sshBackendStr); | |
| 108 | System.setProperty(IoServiceFactoryFactory.class.getName(), | |
| 109 | backend == SshSessionBackend.MINA | |
| 110 | ? MinaServiceFactoryFactory.class.getName() | |
| 111 | : Nio2ServiceFactoryFactory.class.getName()); | |
| 8982e6 | 112 | |
| c910be | 113 | // Create the socket address for binding the SSH server |
| JM | 114 | int port = settings.getInteger(Keys.git.sshPort, 0); |
| 115 | String bindInterface = settings.getString(Keys.git.sshBindInterface, ""); | |
| 924c9b | 116 | InetSocketAddress addr; |
| af816d | 117 | if (StringUtils.isEmpty(bindInterface)) { |
| 924c9b | 118 | addr = new InetSocketAddress(port); |
| af816d | 119 | } else { |
| 924c9b | 120 | addr = new InetSocketAddress(bindInterface, port); |
| af816d | 121 | } |
| b3aabb | 122 | |
| c910be | 123 | // Create the SSH server |
| 924c9b | 124 | sshd = SshServer.setUpDefaultServer(); |
| JM | 125 | sshd.setPort(addr.getPort()); |
| 126 | sshd.setHost(addr.getHostName()); | |
| c910be | 127 | sshd.setKeyPairProvider(hostKeyPairProvider); |
| 7a273c | 128 | sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator)); |
| 448145 | 129 | sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit)); |
| 92ae83 | 130 | if (settings.getBoolean(Keys.git.sshWithKrb5, false)) { |
| JM | 131 | sshd.setGSSAuthenticator(new SshKrbAuthenticator(settings, gitblit)); |
| 5485da | 132 | } |
| 61b32f | 133 | sshd.setSessionFactory(new SshServerSessionFactory()); |
| 924c9b | 134 | sshd.setFileSystemFactory(new DisabledFilesystemFactory()); |
| 9ba6bc | 135 | sshd.setTcpipForwardingFilter(new NonForwardingFilter()); |
| 5bb55f | 136 | sshd.setCommandFactory(new SshCommandFactory(gitblit, workQueue)); |
| e725e1 | 137 | sshd.setShellFactory(new WelcomeShell(settings)); |
| JM | 138 | |
| c910be | 139 | // Set the server id. This can be queried with: |
| JM | 140 | // ssh-keyscan -t rsa,dsa -p 29418 localhost |
| 141 | String version = String.format("%s (%s-%s)", Constants.getGitBlitVersion().replace(' ', '_'), | |
| 142 | sshd.getVersion(), sshBackendStr); | |
| e725e1 | 143 | sshd.getProperties().put(SshServer.SERVER_IDENTIFICATION, version); |
| af816d | 144 | |
| DO | 145 | run = new AtomicBoolean(false); |
| 146 | } | |
| 147 | ||
| 148 | public String formatUrl(String gituser, String servername, String repository) { | |
| 182312 | 149 | IStoredSettings settings = gitblit.getSettings(); |
| MB | 150 | |
| 151 | int port = sshd.getPort(); | |
| b3aabb | 152 | int displayPort = settings.getInteger(Keys.git.sshAdvertisedPort, port); |
| JM | 153 | String displayServername = settings.getString(Keys.git.sshAdvertisedHost, ""); |
| 182312 | 154 | if(displayServername.isEmpty()) { |
| MB | 155 | displayServername = servername; |
| 156 | } | |
| 157 | if (displayPort == DEFAULT_PORT) { | |
| af816d | 158 | // standard port |
| 182312 | 159 | return MessageFormat.format("ssh://{0}@{1}/{2}", gituser, displayServername, |
| af816d | 160 | repository); |
| DO | 161 | } else { |
| 162 | // non-standard port | |
| 163 | return MessageFormat.format("ssh://{0}@{1}:{2,number,0}/{3}", | |
| 182312 | 164 | gituser, displayServername, displayPort, repository); |
| af816d | 165 | } |
| DO | 166 | } |
| 167 | ||
| 168 | /** | |
| 169 | * Start this daemon on a background thread. | |
| 924c9b | 170 | * |
| af816d | 171 | * @throws IOException |
| DO | 172 | * the server socket could not be opened. |
| 173 | * @throws IllegalStateException | |
| 174 | * the daemon is already running. | |
| 175 | */ | |
| 176 | public synchronized void start() throws IOException { | |
| 177 | if (run.get()) { | |
| 178 | throw new IllegalStateException(JGitText.get().daemonAlreadyRunning); | |
| 179 | } | |
| 180 | ||
| 924c9b | 181 | sshd.start(); |
| af816d | 182 | run.set(true); |
| DO | 183 | |
| 2b5484 | 184 | String sshBackendStr = gitblit.getSettings().getString(Keys.git.sshBackend, |
| JM | 185 | SshSessionBackend.NIO2.name()); |
| 186 | ||
| af816d | 187 | log.info(MessageFormat.format( |
| 2b5484 | 188 | "SSH Daemon ({0}) is listening on {1}:{2,number,0}", |
| JM | 189 | sshBackendStr, sshd.getHost(), sshd.getPort())); |
| af816d | 190 | } |
| DO | 191 | |
| 192 | /** @return true if this daemon is receiving connections. */ | |
| 193 | public boolean isRunning() { | |
| 194 | return run.get(); | |
| 195 | } | |
| 196 | ||
| 197 | /** Stop this daemon. */ | |
| 198 | public synchronized void stop() { | |
| 199 | if (run.get()) { | |
| 200 | log.info("SSH Daemon stopping..."); | |
| 201 | run.set(false); | |
| 202 | ||
| 203 | try { | |
| 23c416 | 204 | ((SshCommandFactory) sshd.getCommandFactory()).stop(); |
| 924c9b | 205 | sshd.stop(); |
| d41034 | 206 | } catch (IOException e) { |
| af816d | 207 | log.error("SSH Daemon stop interrupted", e); |
| DO | 208 | } |
| b53611 | 209 | } |
| JM | 210 | } |
| c910be | 211 | |
| JM | 212 | private void generateKeyPair(File file, String algorithm, int keySize) { |
| 213 | if (file.exists()) { | |
| 214 | return; | |
| 215 | } | |
| 216 | try { | |
| 217 | KeyPairGenerator generator = SecurityUtils.getKeyPairGenerator(algorithm); | |
| 218 | if (keySize != 0) { | |
| 219 | generator.initialize(keySize); | |
| 220 | log.info("Generating {}-{} SSH host keypair...", algorithm, keySize); | |
| 221 | } else { | |
| 222 | log.info("Generating {} SSH host keypair...", algorithm); | |
| 223 | } | |
| 224 | KeyPair kp = generator.generateKeyPair(); | |
| 225 | ||
| 226 | // create an empty file and set the permissions | |
| 227 | Files.touch(file); | |
| 228 | try { | |
| 229 | JnaUtils.setFilemode(file, JnaUtils.S_IRUSR | JnaUtils.S_IWUSR); | |
| 01ff0f | 230 | } catch (UnsatisfiedLinkError | UnsupportedOperationException e) { |
| JM | 231 | // Unexpected/Unsupported OS or Architecture |
| c910be | 232 | } |
| JM | 233 | |
| 234 | FileOutputStream os = new FileOutputStream(file); | |
| 235 | PEMWriter w = new PEMWriter(new OutputStreamWriter(os)); | |
| 236 | w.writeObject(kp); | |
| 237 | w.flush(); | |
| 238 | w.close(); | |
| 239 | } catch (Exception e) { | |
| 240 | log.warn(MessageFormat.format("Unable to generate {0} keypair", algorithm), e); | |
| 241 | return; | |
| 242 | } | |
| 243 | } | |
| af816d | 244 | } |
