Commit 7715f935 by Iwasaki Yudai

Merge pull request #69 from uovobw:add-tls-client-certificate-authentication

2 parents 57923e98 7321b43f
Showing with 97 additions and 73 deletions
...@@ -30,6 +30,12 @@ ...@@ -30,6 +30,12 @@
// [string] Default TLS key file path // [string] Default TLS key file path
// tls_key_file = "~/.gotty.key" // tls_key_file = "~/.gotty.key"
// [bool] Enable client certificate authentication
// enable_tls_client_auth = false
// [string] Certificate file of CA for client certificates
// tls_ca_crt_file = "~/.gotty.ca.crt"
// [string] Custom index.html file // [string] Custom index.html file
// index_file = "" // index_file = ""
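Review bot: the new `enable_tls_client_auth` comment does not say that the option only takes effect together with `enable_tls = true`; with this PR's `CheckConfig`, setting it without TLS makes GoTTY refuse to start. Suggest spelling that out in the sample config, e.g. `// [bool] Enable client certificate authentication (requires enable_tls = true)`.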
......
...@@ -58,6 +58,7 @@ By default, GoTTY starts a web server at port 8080. Open the URL on your web bro ...@@ -58,6 +58,7 @@ By default, GoTTY starts a web server at port 8080. Open the URL on your web bro
--tls, -t Enable TLS/SSL [$GOTTY_TLS] --tls, -t Enable TLS/SSL [$GOTTY_TLS]
--tls-crt "~/.gotty.key" TLS/SSL crt file path [$GOTTY_TLS_CRT] --tls-crt "~/.gotty.key" TLS/SSL crt file path [$GOTTY_TLS_CRT]
--tls-key "~/.gotty.crt" TLS/SSL key file path [$GOTTY_TLS_KEY] --tls-key "~/.gotty.crt" TLS/SSL key file path [$GOTTY_TLS_KEY]
--tls-ca-crt "~/.gotty.ca.crt" TLS/SSL CA certificate file for client certifications [$GOTTY_TLS_CA_CRT]
--index Custom index file [$GOTTY_INDEX] --index Custom index file [$GOTTY_INDEX]
--title-format "GoTTY - {{ .Command }} ({{ .Hostname }})" Title format of browser window [$GOTTY_TITLE_FORMAT] --title-format "GoTTY - {{ .Command }} ({{ .Hostname }})" Title format of browser window [$GOTTY_TITLE_FORMAT]
--reconnect Enable reconnection [$GOTTY_RECONNECT] --reconnect Enable reconnection [$GOTTY_RECONNECT]
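Review bot: "client certifications" in the new `--tls-ca-crt` help text should be "client certificates". While this block is being edited, the two lines above it have their defaults swapped (`--tls-crt` shows `~/.gotty.key` and `--tls-key` shows `~/.gotty.crt`), which contradicts the README's own description of `~/.gotty.crt` and `~/.gotty.key` further down; worth fixing in the same change.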
...@@ -93,7 +94,9 @@ See the [`.gotty`](https://github.com/yudai/gotty/blob/master/.gotty) file in th ...@@ -93,7 +94,9 @@ See the [`.gotty`](https://github.com/yudai/gotty/blob/master/.gotty) file in th
By default, GoTTY doesn't allow clients to send any keystrokes or commands except terminal window resizing. When you want to permit clients to write input to the TTY, add the `-w` option. However, accepting input from remote clients is dangerous for most commands. When you need interaction with the TTY for some reasons, consider starting GoTTY with tmux or GNU Screen and run your command on it (see "Sharing with Multiple Clients" section for detail). By default, GoTTY doesn't allow clients to send any keystrokes or commands except terminal window resizing. When you want to permit clients to write input to the TTY, add the `-w` option. However, accepting input from remote clients is dangerous for most commands. When you need interaction with the TTY for some reasons, consider starting GoTTY with tmux or GNU Screen and run your command on it (see "Sharing with Multiple Clients" section for detail).
To restrict client access, you can use the `-c` option to enable the basic authentication. With this option, clients need to input the specified username and password to connect to the GoTTY server. The `-r` option is a little bit casualer way to restrict access. With this option, GoTTY generates a random URL so that only people who know the URL can get access to the server. Note that the credentical will be transmitted between the server and clients in plain text. To restrict client access, you can use the `-c` option to enable the basic authentication. With this option, clients need to input the specified username and password to connect to the GoTTY server. Note that the credentical will be transmitted between the server and clients in plain text. For more strict authentication, consider the SSL/TLS client certificate authentication described below.
The `-r` option is a little bit casualer way to restrict access. With this option, GoTTY generates a random URL so that only people who know the URL can get access to the server.
All traffic between the server and clients are NOT encrypted by default. When you send secret information through GoTTY, we strongly recommend you use the `-t` option which enables TLS/SSL on the session. By default, GoTTY loads the crt and key files placed at `~/.gotty.crt` and `~/.gotty.key`. You can overwrite these file paths with the `--tls-crt` and `--tls-key` options. When you need to generate a self-signed certification file, you can use the `openssl` command. All traffic between the server and clients are NOT encrypted by default. When you send secret information through GoTTY, we strongly recommend you use the `-t` option which enables TLS/SSL on the session. By default, GoTTY loads the crt and key files placed at `~/.gotty.crt` and `~/.gotty.key`. You can overwrite these file paths with the `--tls-crt` and `--tls-key` options. When you need to generate a self-signed certification file, you can use the `openssl` command.
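Review bot: "credentical" in the rewritten basic-auth paragraph should be "credential", and "a little bit casualer way" reads better as "a more casual way". The paragraph also implies basic-auth credentials are always sent in the clear; since the next paragraph explains that `-t` enables TLS on the session, consider qualifying it as "transmitted in plain text unless TLS is enabled with `-t`".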
...@@ -103,6 +106,8 @@ openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout ~/.gotty.key -out ~ ...@@ -103,6 +106,8 @@ openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout ~/.gotty.key -out ~
(NOTE: For Safari uses, see [how to enable self-signed certificates for WebSockets](http://blog.marcon.me/post/24874118286/secure-websockets-safari) when use self-signed certificates) (NOTE: For Safari uses, see [how to enable self-signed certificates for WebSockets](http://blog.marcon.me/post/24874118286/secure-websockets-safari) when use self-signed certificates)
For additional security, you can use the SSL/TLS client certificate authentication by providing a CA certificate file to the `--tls-ca-crt` option (this option requires the `-t` or `--tls` to be set). This option requires all clients to send valid client certificates that are signed by the specified certification authority.
## Sharing with Multiple Clients ## Sharing with Multiple Clients
GoTTY starts a new process with the given command when a new client connects to the server. This means users cannot share a single terminal with others by default. However, you can use terminal multiplexers for sharing a single process with multiple clients. GoTTY starts a new process with the given command when a new client connects to the server. This means users cannot share a single terminal with others by default. However, you can use terminal multiplexers for sharing a single process with multiple clients.
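Review bot: "certification authority" should be "certificate authority" in the new paragraph. It would also help to state what happens when `--tls-ca-crt` is given without `-t`: according to `CheckConfig` in this PR GoTTY exits with an error rather than silently ignoring the option, and users will otherwise assume the latter.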
......
...@@ -37,47 +37,47 @@ type App struct { ...@@ -37,47 +37,47 @@ type App struct {
} }
type Options struct { type Options struct {
Address string `hcl:"address"` Address string `hcl:"address"`
Port string `hcl:"port"` Port string `hcl:"port"`
PermitWrite bool `hcl:"permit_write"` PermitWrite bool `hcl:"permit_write"`
EnableBasicAuth bool `hcl:"enable_basic_auth"` EnableBasicAuth bool `hcl:"enable_basic_auth"`
Credential string `hcl:"credential"` Credential string `hcl:"credential"`
EnableRandomUrl bool `hcl:"enable_random_url"` EnableRandomUrl bool `hcl:"enable_random_url"`
RandomUrlLength int `hcl:"random_url_length"` RandomUrlLength int `hcl:"random_url_length"`
IndexFile string `hcl:"index_file"` IndexFile string `hcl:"index_file"`
EnableTLS bool `hcl:"enable_tls"` EnableTLS bool `hcl:"enable_tls"`
TLSCrtFile string `hcl:"tls_crt_file"` TLSCrtFile string `hcl:"tls_crt_file"`
TLSKeyFile string `hcl:"tls_key_file"` TLSKeyFile string `hcl:"tls_key_file"`
VerifyClientCert bool `hcl:"verify_client_cert"` EnableTLSClientAuth bool `hcl:"enable_tls_client_auth"`
ClientCAs []string `hcl:"client_cas"` TLSCACrtFile string `hcl:"tls_ca_crt_file"`
TitleFormat string `hcl:"title_format"` TitleFormat string `hcl:"title_format"`
EnableReconnect bool `hcl:"enable_reconnect"` EnableReconnect bool `hcl:"enable_reconnect"`
ReconnectTime int `hcl:"reconnect_time"` ReconnectTime int `hcl:"reconnect_time"`
Once bool `hcl:"once"` Once bool `hcl:"once"`
Preferences map[string]interface{} `hcl:"preferences"` Preferences map[string]interface{} `hcl:"preferences"`
} }
var Version = "0.0.10" var Version = "0.0.10"
var DefaultOptions = Options{ var DefaultOptions = Options{
Address: "", Address: "",
Port: "8080", Port: "8080",
PermitWrite: false, PermitWrite: false,
EnableBasicAuth: false, EnableBasicAuth: false,
Credential: "", Credential: "",
EnableRandomUrl: false, EnableRandomUrl: false,
RandomUrlLength: 8, RandomUrlLength: 8,
IndexFile: "", IndexFile: "",
EnableTLS: false, EnableTLS: false,
TLSCrtFile: "~/.gotty.crt", TLSCrtFile: "~/.gotty.crt",
TLSKeyFile: "~/.gotty.key", TLSKeyFile: "~/.gotty.key",
VerifyClientCert: false, EnableTLSClientAuth: false,
ClientCAs: []string{}, TLSCACrtFile: "~/.gotty.ca.crt",
TitleFormat: "GoTTY - {{ .Command }} ({{ .Hostname }})", TitleFormat: "GoTTY - {{ .Command }} ({{ .Hostname }})",
EnableReconnect: false, EnableReconnect: false,
ReconnectTime: 10, ReconnectTime: 10,
Once: false, Once: false,
Preferences: make(map[string]interface{}), Preferences: make(map[string]interface{}),
} }
func New(command []string, options *Options) (*App, error) { func New(command []string, options *Options) (*App, error) {
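Review bot: renaming the hcl keys `verify_client_cert`/`client_cas` to `enable_tls_client_auth`/`tls_ca_crt_file` silently breaks any existing `.gotty` file that uses the old names, and replacing `ClientCAs []string` with a single `TLSCACrtFile string` drops the ability to trust more than one CA. If the old keys were ever released, keep them as deprecated aliases or at least document the change; if they were not, say so in the commit message. `Version` is left at "0.0.10" despite the config-format change.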
...@@ -120,6 +120,13 @@ func ApplyConfigFile(options *Options, filePath string) error { ...@@ -120,6 +120,13 @@ func ApplyConfigFile(options *Options, filePath string) error {
return nil return nil
} }
func CheckConfig(options *Options) error {
if options.EnableTLSClientAuth && !options.EnableTLS {
return errors.New("TLS client authentication is enabled, but TLS is not enabled")
}
return nil
}
func (app *App) Run() error { func (app *App) Run() error {
if app.options.PermitWrite { if app.options.PermitWrite {
log.Printf("Permitting clients to write input to the PTY.") log.Printf("Permitting clients to write input to the PTY.")
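Review bot: `CheckConfig` is only called from `main.go`, so anyone constructing an `App` through `New` with `EnableTLSClientAuth` set and `EnableTLS` unset bypasses the check and ends up with a `TLSConfig` attached to a plain-HTTP server that is never used. Suggest calling `CheckConfig` from `New` (or `Run`) so the library path is protected as well. Go convention also prefers lower-case, unpunctuated error strings: `errors.New("tls client authentication is enabled, but tls is not enabled")`.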
...@@ -197,50 +204,20 @@ func (app *App) Run() error { ...@@ -197,50 +204,20 @@ func (app *App) Run() error {
} }
} }
serverMaker := func() *http.Server { server, err := app.makeServer(endpoint, &siteHandler)
return &http.Server{ if err != nil {
Addr: endpoint, return errors.New("Failed to build server: " + err.Error())
Handler: siteHandler}
}
if app.options.VerifyClientCert && app.options.EnableTLS {
serverMaker = func() *http.Server {
clientCaPool := x509.NewCertPool()
for _, path := range app.options.ClientCAs {
pem, err := ioutil.ReadFile(path)
if err != nil {
log.Printf("Could not read pem file at: " + path)
return nil
}
if clientCaPool.AppendCertsFromPEM(pem) {
log.Printf("Could not parse pem file at: " + path)
return nil
}
}
return &http.Server{
Addr: endpoint,
Handler: siteHandler,
TLSConfig: &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCaPool,
PreferServerCipherSuites: true}}
}
}
server := serverMaker()
if server == nil {
log.Printf("Failed to build server.")
return errors.New("Failed to build server.")
} }
var err error
app.server = manners.NewWithServer( app.server = manners.NewWithServer(
server, server,
) )
if app.options.EnableTLS { if app.options.EnableTLS {
crtFile := ExpandHomeDir(app.options.TLSCrtFile) crtFile := ExpandHomeDir(app.options.TLSCrtFile)
keyFile := ExpandHomeDir(app.options.TLSKeyFile) keyFile := ExpandHomeDir(app.options.TLSKeyFile)
log.Printf("TLS crt file: " + crtFile) log.Printf("TLS crt file: " + crtFile)
log.Printf("TLS key file: " + keyFile) log.Printf("TLS key file: " + keyFile)
err = app.server.ListenAndServeTLS(crtFile, keyFile) err = app.server.ListenAndServeTLS(crtFile, keyFile)
} else { } else {
err = app.server.ListenAndServe() err = app.server.ListenAndServe()
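Review bot: the replacement drops `PreferServerCipherSuites: true` from the TLS config the old `serverMaker` built; if that is intentional, note it in the commit message, otherwise carry it over into `makeServer`. The removed code also guarded client-cert setup with `&& app.options.EnableTLS`, whereas the new path relies on `CheckConfig` having run, which only happens on the `main.go` path. On the positive side, this change fixes the inverted `if clientCaPool.AppendCertsFromPEM(pem)` check in the removed block, which treated a successful parse as a failure; that fix deserves a mention in the commit message.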
...@@ -254,6 +231,33 @@ func (app *App) Run() error { ...@@ -254,6 +231,33 @@ func (app *App) Run() error {
return nil return nil
} }
func (app *App) makeServer(addr string, handler *http.Handler) (*http.Server, error) {
server := &http.Server{
Addr: addr,
Handler: *handler,
}
if app.options.EnableTLSClientAuth {
caFile := ExpandHomeDir(app.options.TLSCACrtFile)
log.Printf("CA file: " + caFile)
caCert, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, errors.New("Could not open CA crt file " + caFile)
}
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(caCert) {
return nil, errors.New("Could not parse CA crt file data in " + caFile)
}
tlsConfig := &tls.Config{
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
server.TLSConfig = tlsConfig
}
return server, nil
}
func (app *App) handleWS(w http.ResponseWriter, r *http.Request) { func (app *App) handleWS(w http.ResponseWriter, r *http.Request) {
log.Printf("New client connected: %s", r.RemoteAddr) log.Printf("New client connected: %s", r.RemoteAddr)
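Review bot: `handler *http.Handler` is a pointer to an interface value; pass `http.Handler` by value and drop the `*handler` dereference. Both error returns in `makeServer` discard the underlying error, so a permissions problem and a missing file produce the same message; include it, e.g. `errors.New("Could not open CA crt file " + caFile + ": " + err.Error())`. Since this introduces the server's only `tls.Config`, consider also setting `MinVersion: tls.VersionTLS12` there so client-cert deployments do not negotiate older protocol versions.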
......
...@@ -26,8 +26,9 @@ func main() { ...@@ -26,8 +26,9 @@ func main() {
flag{"random-url", "r", "Add a random string to the URL"}, flag{"random-url", "r", "Add a random string to the URL"},
flag{"random-url-length", "", "Random URL length"}, flag{"random-url-length", "", "Random URL length"},
flag{"tls", "t", "Enable TLS/SSL"}, flag{"tls", "t", "Enable TLS/SSL"},
flag{"tls-crt", "", "TLS/SSL crt file path"}, flag{"tls-crt", "", "TLS/SSL certificate file path"},
flag{"tls-key", "", "TLS/SSL key file path"}, flag{"tls-key", "", "TLS/SSL key file path"},
flag{"tls-ca-crt", "", "TLS/SSL CA certificate file for client certifications"},
flag{"index", "", "Custom index.html file"}, flag{"index", "", "Custom index.html file"},
flag{"title-format", "", "Title format of browser window"}, flag{"title-format", "", "Title format of browser window"},
flag{"reconnect", "", "Enable reconnection"}, flag{"reconnect", "", "Enable reconnection"},
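Review bot: "client certifications" in the `tls-ca-crt` help string should be "client certificates". The `tls-crt` description is changed here to "TLS/SSL certificate file path" while the README usage block in this same PR still says "TLS/SSL crt file path"; keep the two in sync.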
...@@ -40,6 +41,7 @@ func main() { ...@@ -40,6 +41,7 @@ func main() {
"tls": "EnableTLS", "tls": "EnableTLS",
"tls-crt": "TLSCrtFile", "tls-crt": "TLSCrtFile",
"tls-key": "TLSKeyFile", "tls-key": "TLSKeyFile",
"tls-ca-crt": "TLSCACrtFile",
"random-url": "EnableRandomUrl", "random-url": "EnableRandomUrl",
"reconnect": "EnableReconnect", "reconnect": "EnableReconnect",
} }
...@@ -81,6 +83,13 @@ func main() { ...@@ -81,6 +83,13 @@ func main() {
if c.IsSet("credential") { if c.IsSet("credential") {
options.EnableBasicAuth = true options.EnableBasicAuth = true
} }
if c.IsSet("tls-ca-crt") {
options.EnableTLSClientAuth = true
}
if err := app.CheckConfig(&options); err != nil {
exit(err, 6)
}
app, err := app.New(c.Args(), &options) app, err := app.New(c.Args(), &options)
if err != nil { if err != nil {
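Review bot: `c.IsSet("tls-ca-crt")` is the only thing that turns on `EnableTLSClientAuth` from the command line; please confirm that `IsSet` also reports true when the value comes from the `$GOTTY_TLS_CA_CRT` environment variable advertised in the README, since some versions of the cli library only report flags given explicitly on the command line. If it does not, a user who exports only the env var gets a server that reads the CA path into `options.TLSCACrtFile` but never enforces client certificates, with no warning.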
......