Optionaler Parameter für filter_ssh_key, der fingerprint/hash zurückgibt
Hanno Böck commited on 2025-04-29 13:43:46
Zeige 1 geänderte Dateien mit 9 Einfügungen und 1 Löschungen.
- inc/security.php 70243da..adeff11
| ... | ... |
@@ -258,7 +258,7 @@ function verify_shell($input) |
| 258 | 258 |
} |
| 259 | 259 |
|
| 260 | 260 |
|
| 261 |
-function filter_ssh_key($key) |
|
| 261 |
+function filter_ssh_key($key, &$fphash = "") |
|
| 262 | 262 |
{
|
| 263 | 263 |
$filtered = trim(str_replace(["\r", "\n"], ' ', $key)); |
| 264 | 264 |
$keyparts = explode(" ", $filtered);
|
| ... | ... |
@@ -296,10 +296,18 @@ function filter_ssh_key($key) |
| 296 | 296 |
]; |
| 297 | 297 |
$sshcmd = proc_open("ssh-keygen -l -f -", $descr, $pipes, null, null);
|
| 298 | 298 |
fwrite($pipes[0], $fkey); |
| 299 |
+ fclose($pipes[0]); |
|
| 300 |
+ $fphash = fread($pipes[1], 1024); |
|
| 299 | 301 |
if (proc_close($sshcmd) !== 0) {
|
| 300 | 302 |
system_failure("Ungültiger SSH-Key laut ssh-keygen!");
|
| 301 | 303 |
} |
| 302 | 304 |
|
| 305 |
+ $fphash = explode(" ", $fphash)[1];
|
|
| 306 |
+ if ((strlen($fphash) != 50) || (substr($fphash, 0, 7) != "SHA256:")) {
|
|
| 307 |
+ system_failure("Interner Fehler: Fingerprint im falschen Format");
|
|
| 308 |
+ } |
|
| 309 |
+ $fphash = substr($fphash, 7); |
|
| 310 |
+ |
|
| 303 | 311 |
return $fkey; |
| 304 | 312 |
} |
| 305 | 313 |
|
| 306 | 314 |