external/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-03-09 15:40:18 +00:00
Code Issues Releases Wiki Activity

Improved MeshCMD server authentication.

Browse source
This commit is contained in:
Ylian Saint-Hilaire 2021-04-06 09:22:26 -07:00
parent eb9b9d7e53
commit b9b2aa55ba
7 changed files with 28 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

7
agents/meshcmd.js
View file

@ -70,7 +70,7 @@ function onVerifyServer(clientName, certs) {
if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
// If we have the serverid, used delayed server authentication
if (settings.serverid != null) { settings.meshServerTlsHash = certs[certs.length - 1].fingerprint.split(':').join(''); return; }
if (settings.serverid != null) { settings.meshServerTlsHash = certs[certs.length - 1].fingerprint.replace(/:/g, ''); return; }
// Otherwise, use server HTTPS certificate hash
try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
@ -2064,6 +2064,11 @@ function OnServerWebSocket(msg, s, head) {
var signDataHash = hasher.syncHash(Buffer.concat([Buffer.from(settings.serverAuthClientNonce, 'base64'), Buffer.from(settings.meshServerTlsHash, 'hex'), Buffer.from(command.nonce, 'base64')]));
if (require('RSA').verify(require('RSA').TYPES.SHA384, cert, signDataHash, Buffer.from(command.signature, 'base64')) == false) { console.log("Unable to authenticate the server, invalid signature."); process.exit(1); return; }
// Switch to using HTTPS TLS certificate for authentication
delete settings.serverid;
settings.serverhttpshash = settings.meshServerTlsHash;
delete settings.meshServerTlsHash;
// Figure out the 2FA token to use if any
var xtoken = null;
if (settings.emailtoken) { xtoken = '**email**'; }