Feat(ssh): credential prompting

yunginnanet · yunginnanet · commit 5038ca3b88eb · 2025-02-04T20:27:08.000-08:00
diff --git a/config.go b/config.go
@@ -4,12 +4,26 @@ import (
 	"flag"
 	"fmt"
 	"github.com/sandflysecurity/sandfly-entropyscan/pkg/ssh"
+	"golang.org/x/term"
 	"log"
 	"os"
 	"sync"
 	"time"
 )
 
+type sshConfig struct {
+	Host              string
+	User              string
+	Passwd            string
+	KeyFile           string
+	KeyFilePassphrase string
+	Version           string
+	Port              int
+	Agent             bool
+	Prompt            bool
+	Timeout           time.Duration
+}
+
 type outputConfig struct {
 	delimChar           string
 	csvOutput           bool
@@ -18,17 +32,6 @@ type outputConfig struct {
 	outputFile          string
 }
 
-type sshConfig struct {
-	Host    string
-	User    string
-	Passwd  string
-	KeyFile string
-	Version string
-	Port    int
-	Agent   bool
-	Timeout time.Duration
-}
-
 type inputConfig struct {
 	filePath string
 	dirPath  string
@@ -60,6 +63,31 @@ type config struct {
 
 var cfgOnce sync.Once
 
+func (scfg *sshConfig) prompt() {
+ploop:
+	for {
+		switch {
+		case scfg.Host == "":
+			_, _ = fmt.Printf("Host: ")
+			_, _ = fmt.Scanln(&scfg.Host)
+		case scfg.User == "":
+			_, _ = fmt.Printf("[%s] User: ", scfg.Host)
+			_, _ = fmt.Scanln(&scfg.User)
+		case scfg.KeyFile != "" && scfg.KeyFilePassphrase == "":
+			_, _ = fmt.Printf("[%s] Pass: ", scfg.KeyFile)
+			pb, _ := term.ReadPassword(int(os.Stdin.Fd()))
+			scfg.KeyFilePassphrase = string(pb)
+		case scfg.KeyFile == "" && scfg.Passwd == "":
+			_, _ = fmt.Printf("[%s] Pass: ", scfg.Host)
+			pb, _ := term.ReadPassword(int(os.Stdin.Fd()))
+			scfg.Passwd = string(pb)
+		default:
+			break ploop
+		}
+	}
+	print("\n")
+}
+
 func (cfg *config) parseFlags() {
 	sumMD5, sumSHA1, sumSHA256, sumSHA512 := true, true, true, true
 
@@ -70,37 +98,74 @@ func (cfg *config) parseFlags() {
 		&sumSHA512: HashTypeSHA512,
 	}
 
+	// # Strings
+
 	flag.StringVar(&cfg.inCfg.filePath, "file", "", "full path to a single file to analyze")
 	flag.StringVar(&cfg.inCfg.dirPath, "dir", "", "directory name to analyze")
 	flag.StringVar(&cfg.outCfg.delimChar, "delim", constDelimeterDefault, "delimeter for CSV output")
-	flag.StringVar(&cfg.outCfg.outputFile, "output", "", "output file to write results to (default stdout) (only json and csv formats supported)")
-
-	flag.Float64Var(&cfg.entropyMaxVal, "entropy", 0, "show any file with entropy greater than or equal to this value (0.0 - 8.0 max 8.0, default is 0)")
-
-	flag.BoolVar(&cfg.elfOnly, "elf", false, "only check ELF executables")
-	flag.BoolVar(&cfg.procOnly, "proc", false, "check running processes")
-	flag.BoolVar(&cfg.outCfg.csvOutput, "csv", false, "output results in CSV format (filename, path, entropy, elf_file [true|false], MD5, SHA1, SHA256, SHA512)")
-	flag.BoolVar(&cfg.outCfg.jsonOutput, "json", false, "output results in JSON format")
-	flag.BoolVar(&cfg.outCfg.printInterimResults, "print", false, "print interim results to stdout even if output file is specified")
-	flag.BoolVar(&cfg.version, "version", false, "show version and exit")
-
-	flag.BoolVar(&sumMD5, "md5", true, "calculate and show MD5 checksum of file(s)")
-	flag.BoolVar(&sumSHA1, "sha1", true, "calculate and show SHA1 checksum of file(s)")
-	flag.BoolVar(&sumSHA256, "sha256", true, "calculate and show SHA256 checksum of file(s)")
-	flag.BoolVar(&sumSHA512, "sha512", true, "calculate and show SHA512 checksum of file(s)")
+	flag.StringVar(
+		&cfg.outCfg.outputFile, "output", "",
+		"output file to write results to (default stdout) (only json and csv formats supported)",
+	)
+
+	// # Floats
+
+	flag.Float64Var(
+		&cfg.entropyMaxVal, "entropy", 5.0,
+		"show any file with entropy greater than or equal to this value (0.0 - 8.0, max 8.0) (def: 5.0)",
+	)
+
+	// # Bools
+
+	flag.BoolVar(&cfg.elfOnly, "elf", true, "only check ELF executables (def: true)")
+	flag.BoolVar(&cfg.procOnly, "proc", false, "check running processes (def: false)")
+	flag.BoolVar(
+		&cfg.outCfg.csvOutput, "csv", false,
+		"output results in CSV format (def: false)\n"+
+			"(filename, path, entropy, elf_file [true|false], MD5, SHA1, SHA256, SHA512)",
+	)
+	flag.BoolVar(&cfg.outCfg.jsonOutput, "json", false, "output results in JSON format (def: false)")
+	flag.BoolVar(
+		&cfg.outCfg.printInterimResults, "print", false,
+		"print interim results to stdout even if output file is specified (def: false)",
+	)
+	flag.BoolVar(&cfg.version, "version", false, "show version and exit (def: false)")
+	flag.BoolVar(&sumMD5, "md5", true, "calculate and show MD5 checksum of file(s) (def: true)")
+	flag.BoolVar(&sumSHA1, "sha1", true, "calculate and show SHA1 checksum of file(s) (def: true)")
+	flag.BoolVar(
+		&sumSHA256, "sha256", true,
+		"calculate and show SHA256 checksum of file(s) (def: true)",
+	)
+	flag.BoolVar(
+		&sumSHA512, "sha512", true,
+		"calculate and show SHA512 checksum of file(s) (def: true)",
+	)
+	flag.BoolVar(&cfg.ignoreSelf, "ignore-self", true, "ignore self process (def: true)")
+	flag.BoolVar(
+		&cfg.goFast, "fast", false,
+		"use worker pool for concurrent file processing (experimental)",
+	)
+
+	// # SSH
 
 	flag.StringVar(&cfg.inCfg.sshConfig.Host, "ssh-host", "", "SSH host to connect to")
 	flag.StringVar(&cfg.inCfg.sshConfig.User, "ssh-user", "", "SSH user name")
 	flag.StringVar(&cfg.inCfg.sshConfig.Passwd, "ssh-pass", "", "SSH password")
 	flag.StringVar(&cfg.inCfg.sshConfig.KeyFile, "ssh-key", "", "SSH private key file")
+	flag.StringVar(
+		&cfg.inCfg.sshConfig.KeyFilePassphrase,
+		"ssh-key-pass", "", "SSH private key passphrase",
+	)
 	flag.DurationVar(&cfg.inCfg.sshConfig.Timeout, "ssh-timeout", 30*time.Second, "SSH connection timeout")
-	flag.StringVar(&cfg.inCfg.sshConfig.Version, "ssh-version", "SSH-2.0-EntropyScanner", "SSH version string")
+	flag.StringVar(
+		&cfg.inCfg.sshConfig.Version, "ssh-version", "SSH-2.0-SFScan", "SSH version string",
+	)
 	flag.IntVar(&cfg.inCfg.sshConfig.Port, "ssh-port", 22, "SSH port")
 	flag.BoolVar(&cfg.inCfg.sshConfig.Agent, "ssh-agent", false, "use SSH agent")
-
-	flag.BoolVar(&cfg.goFast, "fast", false, "use worker pool for concurrent file processing (experimental)")
-
-	flag.BoolVar(&cfg.ignoreSelf, "ignore-self", true, "ignore self process")
+	flag.BoolVar(
+		&cfg.inCfg.sshConfig.Prompt, "ssh-prompt", false,
+		"prompt for credentials (def: false)",
+	)
 
 	flag.Parse()
 
@@ -134,6 +199,10 @@ func newConfigFromFlags() *config {
 		log.Fatal("only one of -file, -dir, or -ssh-host can be specified")
 	}
 
+	if cfg.inCfg.sshConfig.Prompt {
+		cfg.inCfg.sshConfig.prompt()
+	}
+
 	if cfg.inCfg.sshConfig.Host != "" && cfg.inCfg.sshConfig.User == "" {
 		log.Fatal("ssh-host requires ssh-user")
 	}
@@ -146,6 +215,7 @@ func newConfigFromFlags() *config {
 		!cfg.inCfg.sshConfig.Agent &&
 		cfg.inCfg.sshConfig.KeyFile == "" &&
 		cfg.inCfg.sshConfig.Passwd == "" {
+
 		log.Fatal("ssh mode requires ssh-key, ssh-pass, or ssh-agent")
 	}
 
diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.19
 require (
 	github.com/panjf2000/ants/v2 v2.9.1
 	golang.org/x/crypto v0.18.0
+	golang.org/x/term v0.16.0
 )
 
 require (
diff --git a/go.sum b/go.sum
@@ -21,6 +21,7 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/pkg/ssh/auth.go b/pkg/ssh/auth.go
@@ -20,24 +20,38 @@ func (s *SSH) WithPassword(password string) *SSH {
 }
 
 // WithKey parses data from an SSH key to extract signers for authentication.
-func (s *SSH) WithKey(key []byte) *SSH {
-	signer, err := ssh.ParsePrivateKey(key)
+func (s *SSH) WithKey(key []byte, pass ...string) *SSH {
+	var err error
+	var signer ssh.Signer
+
+	if pass == nil || len(pass) == 0 || pass[0] == "" {
+		signer, err = ssh.ParsePrivateKey(key)
+	} else {
+		signer, err = ssh.ParsePrivateKeyWithPassphrase(key, []byte(pass[0]))
+	}
+
 	if err != nil {
-		_, _ = os.Stdout.WriteString(err.Error() + "\n")
+		_, _ = os.Stderr.WriteString(err.Error() + "\n")
 		return s
 	}
+
 	s.auth = append(s.auth, ssh.PublicKeys(signer))
 	return s
 }
 
 // WithKeyFile parses data from an SSH to be processed by [s.WithKey].
-func (s *SSH) WithKeyFile(path string) *SSH {
+func (s *SSH) WithKeyFile(path string, pass ...string) *SSH {
 	dat, err := os.ReadFile(path)
 	if err != nil {
-		_, _ = os.Stdout.WriteString(err.Error() + "\n")
+		_, _ = os.Stderr.WriteString(err.Error() + "\n")
 		return s
 	}
-	return s.WithKey(dat)
+	return s.WithKey(dat, pass...)
+}
+
+// WithEncryptedKeyFile parses data from an SSH key to extract signers for authentication.
+func (s *SSH) WithEncryptedKeyFile(path, pass string) *SSH {
+	return s.WithKeyFile(path, pass)
 }
 
 // WithAgent adds all available signers from an SSH agent to the [SSH] struct for authentication. (*nix)
@@ -51,7 +65,7 @@ func (s *SSH) WithAgent() *SSH {
 	sshAgent := agent.NewClient(conn)
 	signers, serr := sshAgent.Signers()
 	if serr != nil {
-		_, _ = os.Stdout.WriteString(serr.Error() + "\n")
+		_, _ = os.Stderr.WriteString(serr.Error() + "\n")
 		_ = conn.Close()
 		return s
 	}
diff --git a/pkg/ssh/ssh.go b/pkg/ssh/ssh.go
@@ -9,7 +9,7 @@ import (
 
 const (
 	defaultSSHPort    = 22
-	defaultSSHVersion = "SSH-2.0-EntropyScan"
+	defaultSSHVersion = "SSH-2.0-SFScan"
 )
 
 // SSH is a struct that enables using SSH for remote agent-less entropy scanning.
@@ -75,12 +75,15 @@ func (s *SSH) Connect() error {
 	}
 
 	config := &ssh.ClientConfig{
-		User:          s.user,
-		Auth:          s.auth,
-		ClientVersion: s.ver,
-		Timeout:       s.tout,
+		User:            s.user,
+		Auth:            s.auth,
+		ClientVersion:   s.ver,
+		Timeout:         s.tout,
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 	}
 
+	config.SetDefaults()
+
 	var err error
 	if s.client, err = ssh.Dial("tcp", s.host+":"+fmt.Sprintf("%d", s.port), config); err != nil {
 		return err
diff --git a/scan.go b/scan.go
@@ -250,6 +250,19 @@ func (cfg *config) scanSSH(parallel bool) error {
 		errs = append(errs, perr)
 	}
 
+	syncWork := func(pid int, pidPath string, pidData []byte) {
+		perr := cfg.sshProcess(pid, pidPath, pidData)
+		if errors.Is(perr, ErrNotElf) || errors.Is(perr, ErrLowEntropy) {
+			log.Println(perr.Error())
+			wg.Done()
+			return
+		}
+		errMu.Lock()
+		errs = append(errs, perr)
+		errMu.Unlock()
+		wg.Done()
+	}
+
 	concurrent := func(pid int) {
 		pidPath, pidData, err := cfg.sshPID(pid)
 		if err != nil {
@@ -260,20 +273,14 @@ func (cfg *config) scanSSH(parallel bool) error {
 		}
 
 		wg.Add(1)
-		_ = workers.Submit(func() {
-			perr := cfg.sshProcess(pid, pidPath, pidData)
-			errMu.Lock()
-			errs = append(errs, perr)
-			errMu.Unlock()
-			wg.Done()
-		})
+
+		_ = workers.Submit(func() { syncWork(pid, pidPath, pidData) })
 	}
 
 	for pid := constMinPID; pid < constMaxPID; pid++ {
 		switch parallel {
 		case false:
 			synchronous(pid)
-			continue
 		case true:
 			concurrent(pid)
 		}

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ go 1.19`
`5`	`5`	`require (`
`6`	`6`	`github.com/panjf2000/ants/v2 v2.9.1`
`7`	`7`	`golang.org/x/crypto v0.18.0`
	`8`	`+ golang.org/x/term v0.16.0`
`8`	`9`	`)`
`9`	`10`
`10`	`11`	`require (`