summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoshua Harlow <harlowja@yahoo-inc.com>2012-08-18 21:15:52 -0700
committerJoshua Harlow <harlowja@yahoo-inc.com>2012-08-18 21:15:52 -0700
commit4a86775c9cff53a5598db8f4a395abe7c228a147 (patch)
treef61347d2dc549d54029274208176a96d48334bfd
parent4540821caa31dc9ed0bedf521cd36975ddafebfa (diff)
downloadvyos-cloud-init-4a86775c9cff53a5598db8f4a395abe7c228a147.tar.gz
vyos-cloud-init-4a86775c9cff53a5598db8f4a395abe7c228a147.zip
Add support for printing out the authkey's for the default user.
1. Adjust the sshutil so that it has functions for doing this (used by the previous functions) 2. Create a new module that pretty prints out the given authorized keys fetched (if any) using the standard md5 scheme (for now), this module can be disabled by setting 'no_ssh_fingerprints' or just removing it from the running list.
-rw-r--r--cloudinit/config/cc_ssh_authkey_fingerprints.py86
-rw-r--r--cloudinit/ssh_util.py94
2 files changed, 140 insertions, 40 deletions
diff --git a/cloudinit/config/cc_ssh_authkey_fingerprints.py b/cloudinit/config/cc_ssh_authkey_fingerprints.py
new file mode 100644
index 00000000..d4f136c2
--- /dev/null
+++ b/cloudinit/config/cc_ssh_authkey_fingerprints.py
@@ -0,0 +1,86 @@
+# vi: ts=4 expandtab
+#
+# Copyright (C) 2012 Yahoo! Inc.
+#
+# Author: Joshua Harlow <harlowja@yahoo-inc.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3, as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import base64
+import glob
+import hashlib
+import os
+
+from prettytable import PrettyTable
+
+from cloudinit import util
+from cloudinit import ssh_util
+
+FP_HASH_TYPE = 'md5'
+FP_SEGMENT_LEN = 2
+FP_SEGMENT_SEP = ":"
+
+
+def _split_hash(bin_hash):
+ split_up = []
+ for i in xrange(0, len(bin_hash), FP_SEGMENT_LEN):
+ split_up.append(bin_hash[i:i+FP_SEGMENT_LEN])
+ return split_up
+
+
+def _gen_fingerprint(b64_text):
+ if not b64_text:
+ return ''
+ # Maybe we should feed this into 'ssh -lf'?
+ try:
+ bin_text = base64.b64decode(b64_text)
+ hasher = hashlib.new(FP_HASH_TYPE)
+ hasher.update(bin_text)
+ pp_hash = FP_SEGMENT_SEP.join(_split_hash(hasher.hexdigest()))
+ return pp_hash
+ except TypeError:
+ return ''
+
+
+def _pprint_key_entries(user, key_fn, key_entries, prefix='ci-info: '):
+ if not key_entries:
+ message = "%sno authorized ssh keys fingerprints found for user %s." % (prefix, user)
+ util.multi_log(message)
+ return
+ tbl_fields = ['Keytype', 'Fingerprint', 'Options', 'Comment']
+ tbl = PrettyTable(tbl_fields)
+ for entry in key_entries:
+ row = []
+ row.append(entry.keytype or '-')
+ row.append(_gen_fingerprint(entry.base64) or '-')
+ row.append(entry.comment or '-')
+ row.append(entry.options or '-')
+ tbl.add_row(row)
+ authtbl_s = tbl.get_string()
+ max_len = len(max(authtbl_s.splitlines(), key=len))
+ lines = [
+ util.center("Authorized keys fingerprints from %s for user %s" % (key_fn, user), "+", max_len),
+ ]
+ lines.extend(authtbl_s.splitlines())
+ for line in lines:
+ util.multi_log(text="%s%s\n" % (prefix, line))
+
+
+def handle(name, cfg, cloud, log, _args):
+ if 'no_ssh_fingerprints' in cfg:
+ log.debug(("Skipping module named %s, "
+ "logging of ssh fingerprints disabled"), name)
+
+ user = util.get_cfg_option_str(cfg, "user", "ubuntu")
+ (auth_key_fn, auth_key_entries) = ssh_util.extract_authorized_keys(user, cloud.paths)
+ _pprint_key_entries(user, auth_key_fn, auth_key_entries)
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
index e0a2f0ca..88a11a1a 100644
--- a/cloudinit/ssh_util.py
+++ b/cloudinit/ssh_util.py
@@ -181,12 +181,11 @@ def parse_authorized_keys(fname):
return contents
-def update_authorized_keys(fname, keys):
- entries = parse_authorized_keys(fname)
+def update_authorized_keys(old_entries, keys):
to_add = list(keys)
- for i in range(0, len(entries)):
- ent = entries[i]
+ for i in range(0, len(old_entries)):
+ ent = old_entries[i]
if ent.empty() or not ent.base64:
continue
# Replace those with the same base64
@@ -199,66 +198,81 @@ def update_authorized_keys(fname, keys):
# Don't add it later
if k in to_add:
to_add.remove(k)
- entries[i] = ent
+ old_entries[i] = ent
# Now append any entries we did not match above
for key in to_add:
- entries.append(key)
+ old_entries.append(key)
# Now format them back to strings...
- lines = [str(b) for b in entries]
+ lines = [str(b) for b in old_entries]
# Ensure it ends with a newline
lines.append('')
return '\n'.join(lines)
-def setup_user_keys(keys, user, key_prefix, paths):
- # Make sure the users .ssh dir is setup accordingly
- pwent = pwd.getpwnam(user)
- ssh_dir = os.path.join(pwent.pw_dir, '.ssh')
- ssh_dir = paths.join(False, ssh_dir)
- if not os.path.exists(ssh_dir):
- util.ensure_dir(ssh_dir, mode=0700)
- util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid)
+def users_ssh_info(username, paths):
+ pw_ent = pwd.getpwnam(username)
+ if not pw_ent:
+ raise RuntimeError("Unable to get ssh info for user %r" % (username))
+ ssh_dir = paths.join(False, os.path.join(pw_ent.pw_dir, '.ssh'))
+ return (ssh_dir, pw_ent)
- # Turn the keys given into actual entries
- parser = AuthKeyLineParser()
- key_entries = []
- for k in keys:
- key_entries.append(parser.parse(str(k), def_opt=key_prefix))
+def extract_authorized_keys(username, paths):
+ (ssh_dir, pw_ent) = users_ssh_info(username, paths)
sshd_conf_fn = paths.join(True, DEF_SSHD_CFG)
+ auth_key_fn = None
with util.SeLinuxGuard(ssh_dir, recursive=True):
try:
- # AuthorizedKeysFile may contain tokens
+ # The 'AuthorizedKeysFile' may contain tokens
# of the form %T which are substituted during connection set-up.
# The following tokens are defined: %% is replaced by a literal
# '%', %h is replaced by the home directory of the user being
# authenticated and %u is replaced by the username of that user.
ssh_cfg = parse_ssh_config_map(sshd_conf_fn)
- akeys = ssh_cfg.get("authorizedkeysfile", '')
- akeys = akeys.strip()
- if not akeys:
- akeys = "%h/.ssh/authorized_keys"
- akeys = akeys.replace("%h", pwent.pw_dir)
- akeys = akeys.replace("%u", user)
- akeys = akeys.replace("%%", '%')
- if not akeys.startswith('/'):
- akeys = os.path.join(pwent.pw_dir, akeys)
- authorized_keys = paths.join(False, akeys)
+ auth_key_fn = ssh_cfg.get("authorizedkeysfile", '').strip()
+ if not auth_key_fn:
+ auth_key_fn = "%h/.ssh/authorized_keys"
+ auth_key_fn = auth_key_fn.replace("%h", pw_ent.pw_dir)
+ auth_key_fn = auth_key_fn.replace("%u", username)
+ auth_key_fn = auth_key_fn.replace("%%", '%')
+ if not auth_key_fn.startswith('/'):
+ auth_key_fn = os.path.join(pw_ent.pw_dir, auth_key_fn)
+ auth_key_fn = paths.join(False, auth_key_fn)
except (IOError, OSError):
- authorized_keys = os.path.join(ssh_dir, 'authorized_keys')
+ # Give up and use a default key filename
+ auth_key_fn = os.path.join(ssh_dir, 'authorized_keys')
util.logexc(LOG, ("Failed extracting 'AuthorizedKeysFile'"
" in ssh config"
- " from %s, using 'AuthorizedKeysFile' file"
- " %s instead"),
- sshd_conf_fn, authorized_keys)
-
- content = update_authorized_keys(authorized_keys, key_entries)
- util.ensure_dir(os.path.dirname(authorized_keys), mode=0700)
- util.write_file(authorized_keys, content, mode=0600)
- util.chownbyid(authorized_keys, pwent.pw_uid, pwent.pw_gid)
+ " from %r, using 'AuthorizedKeysFile' file"
+ " %r instead"),
+ sshd_conf_fn, auth_key_fn)
+ auth_key_entries = parse_authorized_keys(auth_key_fn)
+ return (auth_key_fn, auth_key_entries)
+
+
+def setup_user_keys(keys, username, key_prefix, paths):
+ # Make sure the users .ssh dir is setup accordingly
+ (ssh_dir, pwent) = users_ssh_info(username, paths)
+ if not os.path.isdir(ssh_dir):
+ util.ensure_dir(ssh_dir, mode=0700)
+ util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid)
+
+ # Turn the 'update' keys given into actual entries
+ parser = AuthKeyLineParser()
+ key_entries = []
+ for k in keys:
+ key_entries.append(parser.parse(str(k), def_opt=key_prefix))
+
+ # Extract the old and make the new
+ (auth_key_fn, auth_key_entries) = extract_authorized_keys(username, paths)
+ with util.SeLinuxGuard(ssh_dir, recursive=True):
+ content = update_authorized_keys(auth_key_entries, key_entries)
+ util.ensure_dir(os.path.dirname(auth_key_fn), mode=0700)
+ util.write_file(auth_key_fn, content, mode=0600)
+ util.chownbyid(auth_key_fn, pwent.pw_uid, pwent.pw_gid)
class SshdConfigLine(object):