accept and log and fail publickey authentication

kippo.tac

@@ -31,9 +31,11 @@ from kippo import core
 factory = core.ssh.HoneyPotSSHFactory()
 factory.portal = portal.Portal(core.ssh.HoneyPotRealm())
 
+factory.portal.registerChecker(core.auth.HoneypotPublicKeyChecker())
+factory.portal.registerChecker(core.auth.HoneypotPasswordChecker())
+
 rsa_pubKeyString, rsa_privKeyString = core.ssh.getRSAKeys()
 dsa_pubKeyString, dsa_privKeyString = core.ssh.getDSAKeys()
-factory.portal.registerChecker(core.auth.HoneypotPasswordChecker())
 factory.publicKeys = {'ssh-rsa': keys.Key.fromString(data=rsa_pubKeyString),
                       'ssh-dss': keys.Key.fromString(data=dsa_pubKeyString)}
 factory.privateKeys = {'ssh-rsa': keys.Key.fromString(data=rsa_privKeyString),

kippo/core/auth.py

@@ -8,7 +8,9 @@ from zope.interface import implementer
 import twisted
 from twisted.cred import checkers, credentials, error
 from twisted.internet import defer
-from twisted.python import log
+from twisted.python import log, failure
+from twisted.conch import error
+from twisted.conch.ssh import keys
 
 from kippo.core.config import config
 
@@ -101,6 +103,19 @@ class UserDB(object):
         self.userdb.append((login, uid, passwd))
         self.save()
 
+@implementer(checkers.ICredentialsChecker)
+class HoneypotPublicKeyChecker:
+    """
+    Checker that logs public key authentication attempts
+    """
+
+    credentialInterfaces = (credentials.ISSHPrivateKey,)
+
+    def requestAvatarId(self, credentials):
+        _pubKey = keys.Key.fromString(credentials.blob)
+        log.msg( 'Public Key attempt for user %s with fingerprint %s' % ( credentials.username, _pubKey.fingerprint() ) )
+        return failure.Failure(error.ConchError("Incorrect signature"))
+
 @implementer(checkers.ICredentialsChecker)
 class HoneypotPasswordChecker: