diff options
| author | Scott Moser <smoser@ubuntu.com> | 2012-08-20 15:58:19 -0400 |
|---|---|---|
| committer | Scott Moser <smoser@ubuntu.com> | 2012-08-20 15:58:19 -0400 |
| commit | c54ba02b176a2f8e43820a6df0ddd2c68b79c9e7 (patch) | |
| tree | c7a4d53266a7023e7e0b7d55aeaee08d31310765 | |
| parent | 4540821caa31dc9ed0bedf521cd36975ddafebfa (diff) | |
| parent | 4a86775c9cff53a5598db8f4a395abe7c228a147 (diff) | |
| download | vyos-cloud-init-c54ba02b176a2f8e43820a6df0ddd2c68b79c9e7.tar.gz vyos-cloud-init-c54ba02b176a2f8e43820a6df0ddd2c68b79c9e7.zip | |
add ssh-authkey-fingerprint config module, to print fingerprints to console
Example output:
ci-info: +---------+-------------------------+---------+-----------------+
ci-info: | Keytype | Fingerprint (md5) | Options | Comment |
ci-info: +---------+-------------------------+---------+-----------------+
ci-info: | ssh-rsa | e3:..:84:81:72:38:..:6a | - | smoser@brickies |
ci-info: | ssh-rsa | 21:..:32:8a:da:98:..:42 | - | smoser@bart |
ci-info: | ssh-rsa | 7b:..:ac:a7:17:51:..:b2 | - | smoser@kaypeah |
ci-info: +---------+-------------------------+---------+-----------------+
| -rw-r--r-- | ChangeLog | 1 | ||||
| -rw-r--r-- | cloudinit/config/cc_ssh_authkey_fingerprints.py | 87 | ||||
| -rw-r--r-- | cloudinit/ssh_util.py | 94 | ||||
| -rw-r--r-- | config/cloud.cfg | 1 |
4 files changed, 143 insertions, 40 deletions
@@ -1,4 +1,5 @@ 0.7.0: + - write ssh authorized keys to console, ssh_authkey_fingerprints - Added RHEVm and vSphere support as source AltCloud [Joseph VLcek] - add write-files module (LP: #1012854) - Add setuptools + cheetah to debian package build dependencies (LP: #1022101) diff --git a/cloudinit/config/cc_ssh_authkey_fingerprints.py b/cloudinit/config/cc_ssh_authkey_fingerprints.py new file mode 100644 index 00000000..35a68709 --- /dev/null +++ b/cloudinit/config/cc_ssh_authkey_fingerprints.py @@ -0,0 +1,87 @@ +# vi: ts=4 expandtab +# +# Copyright (C) 2012 Yahoo! Inc. +# +# Author: Joshua Harlow <harlowja@yahoo-inc.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 3, as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import base64 +import hashlib + +from prettytable import PrettyTable + +from cloudinit import ssh_util +from cloudinit import util + +FP_HASH_TYPE = 'md5' +FP_SEGMENT_LEN = 2 +FP_SEGMENT_SEP = ":" + + +def _split_hash(bin_hash): + split_up = [] + for i in xrange(0, len(bin_hash), FP_SEGMENT_LEN): + split_up.append(bin_hash[i:i + FP_SEGMENT_LEN]) + return split_up + + +def _gen_fingerprint(b64_text): + if not b64_text: + return '' + # Maybe we should feed this into 'ssh -lf'? + try: + bin_text = base64.b64decode(b64_text) + hasher = hashlib.new(FP_HASH_TYPE) + hasher.update(bin_text) + pp_hash = FP_SEGMENT_SEP.join(_split_hash(hasher.hexdigest())) + return pp_hash + except TypeError: + return '' + + +def _pprint_key_entries(user, key_fn, key_entries, prefix='ci-info: '): + if not key_entries: + message = ("%sno authorized ssh keys fingerprints found for user %s." + % (prefix, user)) + util.multi_log(message) + return + tbl_fields = ['Keytype', 'Fingerprint', 'Options', 'Comment'] + tbl = PrettyTable(tbl_fields) + for entry in key_entries: + row = [] + row.append(entry.keytype or '-') + row.append(_gen_fingerprint(entry.base64) or '-') + row.append(entry.comment or '-') + row.append(entry.options or '-') + tbl.add_row(row) + authtbl_s = tbl.get_string() + max_len = len(max(authtbl_s.splitlines(), key=len)) + lines = [ + util.center("Authorized keys fingerprints from %s for user %s" % + (key_fn, user), "+", max_len), + ] + lines.extend(authtbl_s.splitlines()) + for line in lines: + util.multi_log(text="%s%s\n" % (prefix, line)) + + +def handle(name, cfg, cloud, log, _args): + if 'no_ssh_fingerprints' in cfg: + log.debug(("Skipping module named %s, " + "logging of ssh fingerprints disabled"), name) + + user = util.get_cfg_option_str(cfg, "user", "ubuntu") + extract = ssh_util.extract_authorized_keys + (auth_key_fn, auth_key_entries) = extract(user, cloud.paths) + _pprint_key_entries(user, auth_key_fn, auth_key_entries) diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py index e0a2f0ca..88a11a1a 100644 --- a/cloudinit/ssh_util.py +++ b/cloudinit/ssh_util.py @@ -181,12 +181,11 @@ def parse_authorized_keys(fname): return contents -def update_authorized_keys(fname, keys): - entries = parse_authorized_keys(fname) +def update_authorized_keys(old_entries, keys): to_add = list(keys) - for i in range(0, len(entries)): - ent = entries[i] + for i in range(0, len(old_entries)): + ent = old_entries[i] if ent.empty() or not ent.base64: continue # Replace those with the same base64 @@ -199,66 +198,81 @@ def update_authorized_keys(fname, keys): # Don't add it later if k in to_add: to_add.remove(k) - entries[i] = ent + old_entries[i] = ent # Now append any entries we did not match above for key in to_add: - entries.append(key) + old_entries.append(key) # Now format them back to strings... - lines = [str(b) for b in entries] + lines = [str(b) for b in old_entries] # Ensure it ends with a newline lines.append('') return '\n'.join(lines) -def setup_user_keys(keys, user, key_prefix, paths): - # Make sure the users .ssh dir is setup accordingly - pwent = pwd.getpwnam(user) - ssh_dir = os.path.join(pwent.pw_dir, '.ssh') - ssh_dir = paths.join(False, ssh_dir) - if not os.path.exists(ssh_dir): - util.ensure_dir(ssh_dir, mode=0700) - util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid) +def users_ssh_info(username, paths): + pw_ent = pwd.getpwnam(username) + if not pw_ent: + raise RuntimeError("Unable to get ssh info for user %r" % (username)) + ssh_dir = paths.join(False, os.path.join(pw_ent.pw_dir, '.ssh')) + return (ssh_dir, pw_ent) - # Turn the keys given into actual entries - parser = AuthKeyLineParser() - key_entries = [] - for k in keys: - key_entries.append(parser.parse(str(k), def_opt=key_prefix)) +def extract_authorized_keys(username, paths): + (ssh_dir, pw_ent) = users_ssh_info(username, paths) sshd_conf_fn = paths.join(True, DEF_SSHD_CFG) + auth_key_fn = None with util.SeLinuxGuard(ssh_dir, recursive=True): try: - # AuthorizedKeysFile may contain tokens + # The 'AuthorizedKeysFile' may contain tokens # of the form %T which are substituted during connection set-up. # The following tokens are defined: %% is replaced by a literal # '%', %h is replaced by the home directory of the user being # authenticated and %u is replaced by the username of that user. ssh_cfg = parse_ssh_config_map(sshd_conf_fn) - akeys = ssh_cfg.get("authorizedkeysfile", '') - akeys = akeys.strip() - if not akeys: - akeys = "%h/.ssh/authorized_keys" - akeys = akeys.replace("%h", pwent.pw_dir) - akeys = akeys.replace("%u", user) - akeys = akeys.replace("%%", '%') - if not akeys.startswith('/'): - akeys = os.path.join(pwent.pw_dir, akeys) - authorized_keys = paths.join(False, akeys) + auth_key_fn = ssh_cfg.get("authorizedkeysfile", '').strip() + if not auth_key_fn: + auth_key_fn = "%h/.ssh/authorized_keys" + auth_key_fn = auth_key_fn.replace("%h", pw_ent.pw_dir) + auth_key_fn = auth_key_fn.replace("%u", username) + auth_key_fn = auth_key_fn.replace("%%", '%') + if not auth_key_fn.startswith('/'): + auth_key_fn = os.path.join(pw_ent.pw_dir, auth_key_fn) + auth_key_fn = paths.join(False, auth_key_fn) except (IOError, OSError): - authorized_keys = os.path.join(ssh_dir, 'authorized_keys') + # Give up and use a default key filename + auth_key_fn = os.path.join(ssh_dir, 'authorized_keys') util.logexc(LOG, ("Failed extracting 'AuthorizedKeysFile'" " in ssh config" - " from %s, using 'AuthorizedKeysFile' file" - " %s instead"), - sshd_conf_fn, authorized_keys) - - content = update_authorized_keys(authorized_keys, key_entries) - util.ensure_dir(os.path.dirname(authorized_keys), mode=0700) - util.write_file(authorized_keys, content, mode=0600) - util.chownbyid(authorized_keys, pwent.pw_uid, pwent.pw_gid) + " from %r, using 'AuthorizedKeysFile' file" + " %r instead"), + sshd_conf_fn, auth_key_fn) + auth_key_entries = parse_authorized_keys(auth_key_fn) + return (auth_key_fn, auth_key_entries) + + +def setup_user_keys(keys, username, key_prefix, paths): + # Make sure the users .ssh dir is setup accordingly + (ssh_dir, pwent) = users_ssh_info(username, paths) + if not os.path.isdir(ssh_dir): + util.ensure_dir(ssh_dir, mode=0700) + util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid) + + # Turn the 'update' keys given into actual entries + parser = AuthKeyLineParser() + key_entries = [] + for k in keys: + key_entries.append(parser.parse(str(k), def_opt=key_prefix)) + + # Extract the old and make the new + (auth_key_fn, auth_key_entries) = extract_authorized_keys(username, paths) + with util.SeLinuxGuard(ssh_dir, recursive=True): + content = update_authorized_keys(auth_key_entries, key_entries) + util.ensure_dir(os.path.dirname(auth_key_fn), mode=0700) + util.write_file(auth_key_fn, content, mode=0600) + util.chownbyid(auth_key_fn, pwent.pw_uid, pwent.pw_gid) class SshdConfigLine(object): diff --git a/config/cloud.cfg b/config/cloud.cfg index 2b4d9e63..f8d62e27 100644 --- a/config/cloud.cfg +++ b/config/cloud.cfg @@ -59,6 +59,7 @@ cloud_final_modules: - scripts-per-boot - scripts-per-instance - scripts-user + - ssh-auth-key-fingerprints - keys-to-console - phone-home - final-message |