From ab3d13cf287af2309fe632aec5e69842db974cae Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Thu, 29 Aug 2019 20:44:47 +0200
Subject: [PATCH] check SSH key

---
 lam/lib/remote.inc                | 40 +++++++++++++++++---------
 lam/templates/config/confmain.php | 48 ++++++++++++++++++++++++-------
 2 files changed, 64 insertions(+), 24 deletions(-)

diff --git a/lam/lib/remote.inc b/lam/lib/remote.inc
index f5aca48e..9190d7fd 100644
--- a/lam/lib/remote.inc
+++ b/lam/lib/remote.inc
@@ -117,21 +117,9 @@ class Remote {
 		}
 		$password = $_SESSION['ldap']->getPassword();
 		$keyPath = $_SESSION['config']->getScriptSSHKey();
+		$keyPassword = $_SESSION['config']->getScriptSSHKeyPassword();
 		if (!empty($keyPath)) {
-			// use key authentication
-			if (!file_exists($keyPath) || !is_readable($keyPath)) {
-				throw new LAMException(sprintf(_("Unable to read %s."), htmlspecialchars($keyPath)));
-			}
-			$key = file_get_contents($keyPath);
-			$rsa = new RSA();
-			$keyPassword = $_SESSION['config']->getScriptSSHKeyPassword();
-			if (!empty($keyPassword)) {
-				$rsa->setPassword($keyPassword);
-			}
-			if (!$rsa->loadKey($key)) {
-				throw new LAMException(sprintf(_("Unable to load key %s."), htmlspecialchars($keyPath)));
-			}
-			$password = $rsa;
+			$password = $this->loadKey($keyPath, $keyPassword);
 		}
 		$login = @$handle->login($username, $password);
 		if (!$login) {
@@ -160,6 +148,30 @@ class Remote {
 		require_once($prefix . 'Net/SSH2.php');
 	}
 
+	/**
+	 * Loads the key
+	 *
+	 * @param string $keyPath file name
+	 * @param string $keyPassword password
+	 * @throws LAMException error loading key
+	 * @return \phpseclib\Crypt\RSA key object
+	 */
+	public function loadKey($keyPath, $keyPassword) {
+		// use key authentication
+		if (!file_exists($keyPath) || !is_readable($keyPath)) {
+			throw new LAMException(sprintf(_("Unable to read %s."), htmlspecialchars($keyPath)));
+		}
+		$key = file_get_contents($keyPath);
+		$rsa = new RSA();
+		if (!empty($keyPassword)) {
+			$rsa->setPassword($keyPassword);
+		}
+		if (!$rsa->loadKey($key)) {
+			throw new LAMException(sprintf(_("Unable to load key %s."), htmlspecialchars($keyPath)));
+		}
+		return $rsa;
+	}
+
 }
 
 ?>
diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php
index 24c74135..7f8abe91 100644
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
@@ -22,7 +22,7 @@ use \htmlGroup;
 /*
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2018  Roland Gruber
+  Copyright (C) 2003 - 2019  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -659,15 +659,33 @@ function checkInput() {
 	$chmodOwner = 0;
 	$chmodGroup = 0;
 	$chmodOther = 0;
-	if (isset($_POST['chmod_owr']) && ($_POST['chmod_owr'] == 'on')) $chmodOwner += 4;
-	if (isset($_POST['chmod_oww']) && ($_POST['chmod_oww'] == 'on')) $chmodOwner += 2;
-	if (isset($_POST['chmod_owe']) && ($_POST['chmod_owe'] == 'on')) $chmodOwner += 1;
-	if (isset($_POST['chmod_grr']) && ($_POST['chmod_grr'] == 'on')) $chmodGroup += 4;
-	if (isset($_POST['chmod_grw']) && ($_POST['chmod_grw'] == 'on')) $chmodGroup += 2;
-	if (isset($_POST['chmod_gre']) && ($_POST['chmod_gre'] == 'on')) $chmodGroup += 1;
-	if (isset($_POST['chmod_otr']) && ($_POST['chmod_otr'] == 'on')) $chmodOther += 4;
-	if (isset($_POST['chmod_otw']) && ($_POST['chmod_otw'] == 'on')) $chmodOther += 2;
-	if (isset($_POST['chmod_ote']) && ($_POST['chmod_ote'] == 'on')) $chmodOther += 1;
+	if (isset($_POST['chmod_owr']) && ($_POST['chmod_owr'] == 'on')) {
+		$chmodOwner += 4;
+	}
+	if (isset($_POST['chmod_oww']) && ($_POST['chmod_oww'] == 'on')) {
+		$chmodOwner += 2;
+	}
+	if (isset($_POST['chmod_owe']) && ($_POST['chmod_owe'] == 'on')) {
+		$chmodOwner += 1;
+	}
+	if (isset($_POST['chmod_grr']) && ($_POST['chmod_grr'] == 'on')) {
+		$chmodGroup += 4;
+	}
+	if (isset($_POST['chmod_grw']) && ($_POST['chmod_grw'] == 'on')) {
+		$chmodGroup += 2;
+	}
+	if (isset($_POST['chmod_gre']) && ($_POST['chmod_gre'] == 'on')) {
+		$chmodGroup += 1;
+	}
+	if (isset($_POST['chmod_otr']) && ($_POST['chmod_otr'] == 'on')) {
+		$chmodOther += 4;
+	}
+	if (isset($_POST['chmod_otw']) && ($_POST['chmod_otw'] == 'on')) {
+		$chmodOther += 2;
+	}
+	if (isset($_POST['chmod_ote']) && ($_POST['chmod_ote'] == 'on')) {
+		$chmodOther += 1;
+	}
 	$chmod = $chmodOwner . $chmodGroup . $chmodOther;
 	if (!$conf->set_scriptrights($chmod)) {
 		$errors[] = array("ERROR", _("Script rights are invalid!"));
@@ -675,6 +693,16 @@ function checkInput() {
 	$conf->setScriptUserName($_POST['scriptuser']);
 	$conf->setScriptSSHKey($_POST['scriptkey']);
 	$conf->setScriptSSHKeyPassword($_POST['scriptkeypassword']);
+	if (!empty($_POST['scriptkey'])) {
+		include_once '../../lib/remote.inc';
+		$remote = new \LAM\REMOTE\Remote();
+		try {
+			$remote->loadKey($conf->getScriptSSHKey(), $conf->getScriptSSHKeyPassword());
+		}
+		catch (\LAMException $e) {
+			$errors[] = array('ERROR', _('SSH key file'), $e->getTitle());
+		}
+	}
 	// tool settings
 	$tools = getTools();
 	$toolSettings = array();