NASP/rpki
63
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

优化部署

Browse Source
This commit is contained in:
xiuting.xu 2026-05-12 15:23:09 +08:00
parent a4d674190a
commit 4c6b441753
18 changed files with 273 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Cargo.toml
View File

@ -3,6 +3,10 @@ name = "rpki"
version = "0.1.0"
edition = "2024"
[[bin]]
name = "rpki_rtr"
path = "src/main_rtr.rs"
[dependencies]
der-parser = "10.0.0"
hex = "0.4.3"

17
deploy/client/.env Normal file
View File

@ -0,0 +1,17 @@
# Target RTR server address for client compose files
# TCP example: 10.0.0.12:323
# TLS example: rpki.example.com:324
# SSH example: 10.0.0.12:22
RPKI_RTR_SERVER_ADDR=rpki-rtr-tcp:323
# TLS server name used by --server-name in TLS mode
# Must match server certificate SAN dNSName.
RPKI_RTR_TLS_SERVER_NAME=localhost
# SSH mode examples:
# RPKI_RTR_SERVER_ADDR=10.0.0.12:2222
# RPKI_RTR_CLIENT_KEYS_VOLUME=../../certs:/app/certs:ro
# RPKI_RTR_CLIENT_KEY_PATH=/app/certs/rtr-client.key
# RPKI_RTR_SSH_SERVER_PUBKEY_PATH=/app/certs/ssh_host_rsa_key.pub
# RPKI_RTR_SSH_USERNAME=rpki-rtr
# RPKI_RTR_SSH_PASSWORD=your-password

10
deploy/client/docker-compose.clients.yml
View File

@ -3,7 +3,7 @@ version: "3.9"
services:
rtr-client-1:
image: rpki-rtr-debug-client:latest
command: ["rpki-rtr-tcp:323", "2", "reset", "--keep-after-error", "--summary-only"]
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "2", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
restart: no
@ -12,7 +12,7 @@ services:
rtr-client-2:
image: rpki-rtr-debug-client:latest
command: ["rpki-rtr-tcp:323", "2", "reset", "--keep-after-error", "--summary-only"]
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "2", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
restart: no
@ -21,7 +21,7 @@ services:
rtr-client-3:
image: rpki-rtr-debug-client:latest
command: ["rpki-rtr-tcp:323", "2", "reset", "--keep-after-error", "--summary-only"]
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "2", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
restart: no
@ -30,7 +30,7 @@ services:
rtr-client-4:
image: rpki-rtr-debug-client:latest
command: ["rpki-rtr-tcp:323", "2", "reset", "--keep-after-error", "--summary-only"]
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "2", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
restart: no
@ -39,7 +39,7 @@ services:
rtr-client-5:
image: rpki-rtr-debug-client:latest
command: ["rpki-rtr-tcp:323", "2", "reset", "--keep-after-error", "--summary-only"]
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "2", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
restart: no

36
deploy/client/docker-compose.ssh.password.yml Normal file
View File

@ -0,0 +1,36 @@
version: "3.9"
services:
rtr-debug-client:
build:
context: ../..
dockerfile: deploy/client/Dockerfile
image: rpki-rtr-debug-client:latest
command:
[
"${RPKI_RTR_SERVER_ADDR:-rpki-rtr-ssh:22}",
"2",
"reset",
"--ssh",
"--ssh-user",
"${RPKI_RTR_SSH_USERNAME:-rpki-rtr}",
"--ssh-password",
"${RPKI_RTR_SSH_PASSWORD}",
"--ssh-server-key",
"${RPKI_RTR_SSH_SERVER_PUBKEY_PATH:-/app/certs/ssh_host_rsa_key.pub}",
"--keep-after-error",
"--summary-only"
]
volumes:
- ${RPKI_RTR_CLIENT_KEYS_VOLUME:-../../certs:/app/certs:ro}
- ../../logs/client:/app/logs
restart: no
stdin_open: true
tty: true
networks:
- rpki_net
networks:
rpki_net:
name: rpki_net
driver: bridge

10
deploy/client/docker-compose.ssh.yml
View File

@ -8,21 +8,21 @@ services:
image: rpki-rtr-debug-client:latest
command:
[
"rpki-rtr-ssh:${RPKI_RTR_SSH_PORT:-22}",
"${RPKI_RTR_SERVER_ADDR:-rpki-rtr-ssh:22}",
"2",
"reset",
"--ssh",
"--ssh-user",
"rpki-rtr",
"${RPKI_RTR_SSH_USERNAME:-rpki-rtr}",
"--ssh-key",
"/app/certs/rtr-client.key",
"${RPKI_RTR_CLIENT_KEY_PATH:-/app/certs/rtr-client.key}",
"--ssh-server-key",
"/app/certs/ssh_host_rsa_key.pub",
"${RPKI_RTR_SSH_SERVER_PUBKEY_PATH:-/app/certs/ssh_host_rsa_key.pub}",
"--keep-after-error",
"--summary-only"
]
volumes:
- ../../certs:/app/certs:ro
- ${RPKI_RTR_CLIENT_KEYS_VOLUME:-../../certs:/app/certs:ro}
- ../../logs/client:/app/logs
restart: no
stdin_open: true

2
deploy/client/docker-compose.tcp.yml
View File

@ -4,7 +4,7 @@ services:
context: ../..
dockerfile: deploy/client/Dockerfile
image: rpki-rtr-debug-client:latest
command: ["rpki-rtr-tcp:323", "2", "reset", "--keep-after-error", "--summary-only"]
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "2", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
restart: no

4
deploy/client/docker-compose.tls.yml
View File

@ -8,14 +8,14 @@ services:
image: rpki-rtr-debug-client:latest
command:
[
"rpki-rtr-tls:324",
"${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tls:324}",
"2",
"reset",
"--tls",
"--ca-cert",
"/app/certs/client-ca.crt",
"--server-name",
"localhost",
"${RPKI_RTR_TLS_SERVER_NAME:-localhost}",
"--client-cert",
"/app/certs/client-good.crt",
"--client-key",

2
deploy/client/docker-compose.yml
View File

@ -4,7 +4,7 @@ services:
context: ../..
dockerfile: deploy/client/Dockerfile
image: rpki-rtr-debug-client:latest
command: ["rpki-rtr-tcp:323", "2", "reset", "--keep-after-error", "--summary-only"]
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "2", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
restart: no

4
deploy/server/Dockerfile
View File

@ -32,7 +32,7 @@ RUN apt-get update \
COPY Cargo.toml Cargo.lock ./
COPY src ./src
RUN cargo build --release --bin rpki
RUN cargo build --release --bin rpki_rtr
FROM debian:bookworm-slim AS runtime
@ -60,7 +60,7 @@ RUN apt-get update \
WORKDIR /app
COPY --from=builder /build/target/release/rpki /usr/local/bin/rpki
COPY --from=builder /build/target/release/rpki_rtr /usr/local/bin/rpki_rtr
COPY --chmod=755 deploy/server/entrypoint.sh /usr/local/bin/rpki-rtr-entrypoint.sh
RUN mkdir -p /app/data /app/rtr-db /app/certs /app/slurm /app/logs

15
deploy/server/docker-compose.ssh.yml
View File

@ -10,16 +10,18 @@ services:
restart: no
ports:
- "323:323"
- "${RPKI_RTR_SSH_HOST_PORT:-2222}:22"
- "${RPKI_RTR_SSH_HOST_PORT:-2222}:${RPKI_RTR_SSH_CONTAINER_PORT:-22}"
environment:
RPKI_RTR_ENABLE_TLS: "false"
RPKI_RTR_ENABLE_SSH: "true"
RPKI_RTR_TCP_ADDR: "0.0.0.0:323"
RPKI_RTR_SSH_ADDR: "0.0.0.0:22"
RPKI_RTR_SSH_HOST_KEY_PATH: "/app/certs/ssh_host_rsa_key"
RPKI_RTR_SSH_AUTHORIZED_KEYS_PATH: "/app/certs/rtr-authorized_keys"
RPKI_RTR_SSH_USERNAME: "rpki-rtr"
RPKI_RTR_SSH_SUBSYSTEM_NAME: "rpki-rtr"
RPKI_RTR_SSH_ADDR: "0.0.0.0:${RPKI_RTR_SSH_CONTAINER_PORT:-22}"
RPKI_RTR_SSH_HOST_KEY_PATH: "${RPKI_RTR_SSH_HOST_KEY_PATH:-/host-ssh/ssh_host_ed25519_key}"
RPKI_RTR_SSH_AUTHORIZED_KEYS_PATH: "${RPKI_RTR_SSH_AUTHORIZED_KEYS_PATH:-/app/certs/rtr-authorized_keys}"
RPKI_RTR_SSH_USERNAME: "${RPKI_RTR_SSH_USERNAME:-rpki-rtr}"
RPKI_RTR_SSH_SUBSYSTEM_NAME: "${RPKI_RTR_SSH_SUBSYSTEM_NAME:-rpki-rtr}"
# SSH auth mode: key | password | both
RPKI_RTR_SSH_AUTH_MODE: "${RPKI_RTR_SSH_AUTH_MODE:-key}"
# Optional: enable password authentication in addition to publickey
# RPKI_RTR_SSH_PASSWORD: "test-password"
RPKI_RTR_DB_PATH: "/app/rtr-db"
@ -33,6 +35,7 @@ services:
- ../../data:/app/data:ro
- ../../rtr-db:/app/rtr-db
- ../../data:/app/slurm:ro
- ${RPKI_RTR_SSH_KEYS_VOLUME:-/etc/ssh:/host-ssh:ro}
- ../../certs:/app/certs:ro
- ../../logs/server:/app/logs
networks:

2
deploy/server/entrypoint.sh
View File

@ -7,4 +7,4 @@ log_name="${HOSTNAME:-rpki-rtr}"
stdout_log="/app/logs/${log_name}.stdout.log"
stderr_log="/app/logs/${log_name}.stderr.log"
exec /usr/local/bin/rpki "$@" >>"$stdout_log" 2>>"$stderr_log"
exec /usr/local/bin/rpki_rtr "$@" >>"$stdout_log" 2>>"$stderr_log"

21
src/bin/rtr_debug_client/README.md
View File

@ -148,3 +148,24 @@ SSH 参数:
- `keep-after-error`
- `output` / `output verbose` / `output summary`
- `quit`
## SSH Password Auth (Added)
`rtr_debug_client` now supports password auth in SSH mode.
- Use exactly one auth option in SSH mode:
- `--ssh-key <path>`
- `--ssh-password <value>`
- Host key verification is still required:
- `--ssh-known-hosts <path>` or `--ssh-server-key <path>`
Example:
```sh
cargo run --bin rtr_debug_client -- \
127.0.0.1:22 1 reset \
--ssh \
--ssh-user rpki-rtr \
--ssh-password 'your-password' \
--ssh-server-key certs/ssh_host_rsa_key.pub
```

91
src/bin/rtr_debug_client/main.rs
View File

@ -1001,6 +1001,15 @@ impl Config {
})?;
ensure_ssh_config(&mut transport)?.private_key = Some(PathBuf::from(path));
}
"--ssh-password" => {
let password = args.next().ok_or_else(|| {
io::Error::new(
io::ErrorKind::InvalidInput,
"--ssh-password requires a value",
)
})?;
ensure_ssh_config(&mut transport)?.password = Some(password);
}
"--ssh-subsystem" => {
let subsystem = args.next().ok_or_else(|| {
io::Error::new(
@ -1181,8 +1190,15 @@ impl TransportConfig {
.unwrap_or_else(|| "<none>".to_string())
),
Self::Ssh(cfg) => format!(
"ssh (user={}, subsystem={}, host_key_check={})",
"ssh (user={}, auth={}, subsystem={}, host_key_check={})",
cfg.user.as_deref().unwrap_or("<unset>"),
if cfg.private_key.is_some() {
"publickey"
} else if cfg.password.is_some() {
"password"
} else {
"<unset>"
},
cfg.subsystem
.as_deref()
.unwrap_or(DEFAULT_SSH_SUBSYSTEM_NAME),
@ -1222,6 +1238,7 @@ impl HostKeyVerification {
struct SshConfig {
user: Option<String>,
private_key: Option<PathBuf>,
password: Option<String>,
subsystem: Option<String>,
known_hosts: Option<PathBuf>,
server_key: Option<PathBuf>,
@ -1315,12 +1332,28 @@ fn finalize_transport(transport: TransportConfig, addr: &str) -> io::Result<Tran
));
}
let private_key = cfg.private_key.take().ok_or_else(|| {
io::Error::new(
let private_key = cfg.private_key.take();
let password = cfg.password.take().and_then(|value| {
let trimmed = value.trim();
if trimmed.is_empty() {
None
} else {
Some(trimmed.to_string())
}
});
if private_key.is_some() && password.is_some() {
return Err(io::Error::new(
io::ErrorKind::InvalidInput,
"SSH mode requires --ssh-key <path>",
)
})?;
"SSH mode authentication must choose one: --ssh-key <path> or --ssh-password <value>",
));
}
if private_key.is_none() && password.is_none() {
return Err(io::Error::new(
io::ErrorKind::InvalidInput,
"SSH mode requires authentication: --ssh-key <path> or --ssh-password <value>",
));
}
if cfg.known_hosts.is_some() && cfg.server_key.is_some() {
return Err(io::Error::new(
@ -1356,7 +1389,8 @@ fn finalize_transport(transport: TransportConfig, addr: &str) -> io::Result<Tran
Ok(TransportConfig::Ssh(SshConfig {
user: Some(user),
private_key: Some(private_key),
private_key,
password,
subsystem: Some(subsystem),
known_hosts: None,
server_key: None,
@ -1439,10 +1473,24 @@ async fn connect_ssh_stream(addr: &str, ssh: &SshConfig) -> io::Result<DynStream
.user
.as_deref()
.ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "missing SSH user"))?;
let private_key_path = ssh
.private_key
.as_ref()
.ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "missing SSH private key"))?;
let private_key_path = ssh.private_key.as_ref();
let password = ssh
.password
.as_deref()
.map(str::trim)
.filter(|value| !value.is_empty());
if private_key_path.is_some() && password.is_some() {
return Err(io::Error::new(
io::ErrorKind::InvalidInput,
"SSH auth config invalid: both private key and password provided",
));
}
if private_key_path.is_none() && password.is_none() {
return Err(io::Error::new(
io::ErrorKind::InvalidInput,
"SSH auth config invalid: neither private key nor password provided",
));
}
let subsystem = ssh
.subsystem
.as_deref()
@ -1471,6 +1519,7 @@ async fn connect_ssh_stream(addr: &str, ssh: &SshConfig) -> io::Result<DynStream
)
})?;
let auth_result = if let Some(private_key_path) = private_key_path {
let private_key = load_secret_key(private_key_path, None).map_err(|err| {
io::Error::new(
io::ErrorKind::InvalidInput,
@ -1487,7 +1536,7 @@ async fn connect_ssh_stream(addr: &str, ssh: &SshConfig) -> io::Result<DynStream
format!("failed to negotiate SSH RSA hash: {}", err),
)
})?;
let auth_result = session
session
.authenticate_publickey(
user.to_string(),
PrivateKeyWithHashAlg::new(Arc::new(private_key), rsa_hash.flatten()),
@ -1498,11 +1547,25 @@ async fn connect_ssh_stream(addr: &str, ssh: &SshConfig) -> io::Result<DynStream
io::ErrorKind::PermissionDenied,
format!("SSH publickey authentication failed: {}", err),
)
})?;
})?
} else {
session
.authenticate_password(
user.to_string(),
password.expect("password checked above").to_string(),
)
.await
.map_err(|err| {
io::Error::new(
io::ErrorKind::PermissionDenied,
format!("SSH password authentication failed: {}", err),
)
})?
};
if !auth_result.success() {
return Err(io::Error::new(
io::ErrorKind::PermissionDenied,
"SSH publickey authentication rejected by server",
"SSH authentication rejected by server",
));
}

14
src/main.rs → src/main_rtr.rs
View File

@ -11,6 +11,7 @@ use tracing::{info, warn};
use rpki::rtr::cache::{RtrCache, SharedRtrCache};
use rpki::rtr::payload::Timing;
use rpki::rtr::server::ssh::SshAuthMode;
use rpki::rtr::server::{RtrNotifier, RtrService, RtrServiceConfig, RunningRtrService};
use rpki::rtr::store::RtrStore;
use rpki::source::pipeline::{PayloadLoadConfig, load_payloads_from_latest_sources};
@ -33,6 +34,7 @@ struct AppConfig {
ssh_authorized_keys_path: String,
ssh_username: String,
ssh_subsystem_name: String,
ssh_auth_mode: SshAuthMode,
ssh_password: Option<String>,
max_delta: u8,
@ -63,6 +65,7 @@ impl Default for AppConfig {
ssh_authorized_keys_path: "./certs/rtr-authorized_keys".to_string(),
ssh_username: "rpki-rtr".to_string(),
ssh_subsystem_name: "rpki-rtr".to_string(),
ssh_auth_mode: SshAuthMode::Key,
ssh_password: None,
max_delta: 100,
@ -153,6 +156,14 @@ impl AppConfig {
if let Some(value) = env_var("RPKI_RTR_SSH_SUBSYSTEM_NAME")? {
config.ssh_subsystem_name = value;
}
if let Some(value) = env_var("RPKI_RTR_SSH_AUTH_MODE")? {
config.ssh_auth_mode = SshAuthMode::parse(&value).ok_or_else(|| {
anyhow!(
"invalid RPKI_RTR_SSH_AUTH_MODE '{}': expected key|password|both",
value
)
})?;
}
if let Some(value) = env_var("RPKI_RTR_SSH_PASSWORD")? {
let value = value.trim().to_string();
config.ssh_password = if value.is_empty() { None } else { Some(value) };
@ -368,6 +379,7 @@ fn start_servers(config: &AppConfig, service: &RtrService) -> RunningRtrService
&config.ssh_authorized_keys_path,
&config.ssh_username,
&config.ssh_subsystem_name,
config.ssh_auth_mode,
config.ssh_password.as_deref(),
)
} else if config.enable_tls {
@ -388,6 +400,7 @@ fn start_servers(config: &AppConfig, service: &RtrService) -> RunningRtrService
&config.ssh_authorized_keys_path,
&config.ssh_username,
&config.ssh_subsystem_name,
config.ssh_auth_mode,
config.ssh_password.as_deref(),
)
} else {
@ -505,6 +518,7 @@ fn log_startup_config(config: &AppConfig) {
);
info!("ssh_username={}", config.ssh_username);
info!("ssh_subsystem_name={}", config.ssh_subsystem_name);
info!("ssh_auth_mode={}", config.ssh_auth_mode.as_str());
info!("ssh_password_enabled={}", config.ssh_password.is_some());
}

10
src/rtr/cache/core.rs vendored
View File

@ -65,7 +65,7 @@ pub struct VersionState {
impl VersionState {
fn new(session_id: u16, serial: u32, snapshot: Snapshot, max_delta: u8) -> Self {
let rtr_payloads = Arc::new(snapshot.payloads_for_rtr());
let rtr_payloads = snapshot.rtr_payloads_for_rtr_arc();
Self {
session_id,
serial,
@ -199,7 +199,7 @@ impl RtrCacheBuilder {
VersionState {
session_id: session_ids.as_array()[idx],
serial: serials[idx],
rtr_payloads: Arc::new(snapshot.payloads_for_rtr()),
rtr_payloads: snapshot.rtr_payloads_for_rtr_arc(),
snapshot: Arc::new(snapshot),
deltas: deltas[idx].clone(),
}
@ -230,7 +230,7 @@ impl RtrCache {
self.availability = CacheAvailability::NoDataAvailable;
for version_state in &mut self.versions {
version_state.snapshot = Arc::new(Snapshot::empty());
version_state.rtr_payloads = Arc::new(Vec::new());
version_state.rtr_payloads = version_state.snapshot.rtr_payloads_for_rtr_arc();
version_state.deltas.clear();
}
}
@ -247,7 +247,7 @@ impl RtrCache {
state.session_id = new_session_ids.get(v);
state.serial = 1;
state.snapshot = Arc::new(project_snapshot_for_version(source_snapshot, v));
state.rtr_payloads = Arc::new(state.snapshot.as_ref().payloads_for_rtr());
state.rtr_payloads = state.snapshot.rtr_payloads_for_rtr_arc();
state.deltas.clear();
}
self.last_update_end = DualTime::now();
@ -362,7 +362,7 @@ impl RtrCache {
}
state.snapshot = Arc::new(projected);
state.rtr_payloads = Arc::new(state.snapshot.as_ref().payloads_for_rtr());
state.rtr_payloads = state.snapshot.rtr_payloads_for_rtr_arc();
Self::push_delta(
state,
self.max_delta,

8
src/rtr/server/service.rs
View File

@ -13,7 +13,7 @@ use crate::rtr::cache::SharedRtrCache;
use crate::rtr::server::config::RtrServiceConfig;
use crate::rtr::server::listener::RtrServer;
use crate::rtr::server::notifier::RtrNotifier;
use crate::rtr::server::ssh::load_rtr_ssh_runtime_config;
use crate::rtr::server::ssh::{SshAuthMode, load_rtr_ssh_runtime_config};
pub struct RtrService {
cache: SharedRtrCache,
@ -167,6 +167,7 @@ impl RtrService {
authorized_keys_path: impl AsRef<Path>,
username: &str,
subsystem_name: &str,
auth_mode: SshAuthMode,
password: Option<&str>,
) -> JoinHandle<()> {
let host_key_path = host_key_path.as_ref().to_path_buf();
@ -184,6 +185,7 @@ impl RtrService {
&authorized_keys_path,
&username,
&subsystem_name,
auth_mode,
password.as_deref(),
inactivity_timeout,
keepalive_interval,
@ -213,6 +215,7 @@ impl RtrService {
authorized_keys_path: impl AsRef<Path>,
username: &str,
subsystem_name: &str,
auth_mode: SshAuthMode,
password: Option<&str>,
) -> RunningRtrService {
let tcp_handle = self.spawn_tcp(tcp_bind_addr);
@ -222,6 +225,7 @@ impl RtrService {
authorized_keys_path,
username,
subsystem_name,
auth_mode,
password,
);
@ -244,6 +248,7 @@ impl RtrService {
authorized_keys_path: impl AsRef<Path>,
username: &str,
subsystem_name: &str,
auth_mode: SshAuthMode,
password: Option<&str>,
) -> RunningRtrService {
let tcp_handle = self.spawn_tcp(tcp_bind_addr);
@ -255,6 +260,7 @@ impl RtrService {
authorized_keys_path,
username,
subsystem_name,
auth_mode,
password,
);

40
src/rtr/server/ssh.rs
View File

@ -9,6 +9,32 @@ use russh::keys::ssh_key::{self, AuthorizedKeys};
use russh::server::Config as RusshServerConfig;
use russh::{MethodKind, MethodSet};
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SshAuthMode {
Key,
Password,
Both,
}
impl SshAuthMode {
pub fn parse(value: &str) -> Option<Self> {
match value.trim().to_ascii_lowercase().as_str() {
"key" | "publickey" => Some(Self::Key),
"password" => Some(Self::Password),
"both" => Some(Self::Both),
_ => None,
}
}
pub fn as_str(self) -> &'static str {
match self {
Self::Key => "key",
Self::Password => "password",
Self::Both => "both",
}
}
}
#[derive(Debug, Clone)]
pub struct RtrSshRuntimeConfig {
pub server_config: Arc<RusshServerConfig>,
@ -23,6 +49,7 @@ pub fn load_rtr_ssh_runtime_config(
authorized_keys_path: impl AsRef<Path>,
username: &str,
subsystem_name: &str,
auth_mode: SshAuthMode,
password: Option<&str>,
inactivity_timeout: Option<Duration>,
keepalive_interval: Option<Duration>,
@ -35,12 +62,21 @@ pub fn load_rtr_ssh_runtime_config(
}
let host_key = load_host_key(host_key_path.as_ref())?;
let authorized_keys = load_authorized_keys(authorized_keys_path.as_ref())?;
let authorized_keys = if matches!(auth_mode, SshAuthMode::Key | SshAuthMode::Both) {
load_authorized_keys(authorized_keys_path.as_ref())?
} else {
Vec::new()
};
let password = password.map(str::trim).filter(|value| !value.is_empty());
if matches!(auth_mode, SshAuthMode::Password | SshAuthMode::Both) && password.is_none() {
bail!("SSH auth mode '{}' requires non-empty password", auth_mode.as_str());
}
let mut methods = MethodSet::empty();
if matches!(auth_mode, SshAuthMode::Key | SshAuthMode::Both) {
methods.push(MethodKind::PublicKey);
if password.is_some() {
}
if matches!(auth_mode, SshAuthMode::Password | SshAuthMode::Both) {
methods.push(MethodKind::Password);
}

4
tests/test_server_transports.rs
View File

@ -16,6 +16,7 @@ use tokio_rustls::TlsConnector;
use rpki::rtr::cache::{RtrCacheBuilder, SessionIds, SharedRtrCache};
use rpki::rtr::payload::Timing;
use rpki::rtr::pdu::{CacheResponse, EndOfDataV1, ResetQuery};
use rpki::rtr::server::ssh::SshAuthMode;
use rpki::rtr::server::RtrService;
use russh::client;
use russh::keys;
@ -201,6 +202,7 @@ async fn unified_server_ssh_opens_listener_and_emits_banner() {
&authorized_keys_path,
"rpki-rtr",
"rpki-rtr",
SshAuthMode::Key,
None,
);
wait_for_port(ssh_addr).await;
@ -249,6 +251,7 @@ async fn unified_server_ssh_accepts_password_when_configured() {
&authorized_keys_path,
"rpki-rtr",
"rpki-rtr",
SshAuthMode::Both,
Some("test-password"),
);
wait_for_port(ssh_addr).await;
@ -323,6 +326,7 @@ async fn unified_server_ssh_rejects_password_when_not_configured() {
&authorized_keys_path,
"rpki-rtr",
"rpki-rtr",
SshAuthMode::Key,
None,
);
wait_for_port(ssh_addr).await;