61 lines
2.2 KiB
Go
61 lines
2.2 KiB
Go
// This file is part of the happyDomain (R) project.
|
|
// Copyright (c) 2020-2026 happyDomain
|
|
// Authors: Pierre-Olivier Mercier, et al.
|
|
//
|
|
// This program is offered under a commercial and under the AGPL license.
|
|
// For commercial licensing, contact us at <contact@happydomain.org>.
|
|
//
|
|
// For AGPL licensing:
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package checker
|
|
|
|
import (
|
|
"context"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
)
|
|
|
|
// authMethodsRule reports on the authentication methods advertised by
|
|
// the server (password exposure, missing public-key support). Only
|
|
// active when the auth probe ran.
|
|
type authMethodsRule struct{}
|
|
|
|
func (r *authMethodsRule) Name() string { return "ssh.auth_methods" }
|
|
func (r *authMethodsRule) Description() string {
|
|
return "Reviews the advertised authentication methods (password exposure, public-key availability)."
|
|
}
|
|
|
|
func (r *authMethodsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
|
|
data, errSt := loadSSHData(ctx, obs)
|
|
if errSt != nil {
|
|
return []sdk.CheckState{*errSt}
|
|
}
|
|
var probed bool
|
|
var issues []Issue
|
|
for _, ep := range data.Endpoints {
|
|
if !ep.AuthProbeAttempted {
|
|
continue
|
|
}
|
|
probed = true
|
|
issues = append(issues, analyseAuthMethods(ep.Address, &ep)...)
|
|
}
|
|
if !probed {
|
|
return []sdk.CheckState{notTestedState("ssh.auth_methods.skipped", "Authentication-method enumeration disabled or not performed.")}
|
|
}
|
|
if len(issues) == 0 {
|
|
return []sdk.CheckState{passState("ssh.auth_methods.ok", "Authentication method posture looks sound.")}
|
|
}
|
|
return statesFromIssues(issues)
|
|
}
|