Multiple file fix for AuthorizedKeysFile config (#60)

Currently cloud-init does not know how to handle multiple file
configuration on section AuthorizedKeysFile of ssh configuration.
cloud-init will mess up the home user directory by creating bogus
folders inside it.

This patch provides a fix for this erroneous behavior. It gathers all
keys from all the files listed on the section AuthorizedKeysFile of ssh
configuration and merge all of them inside home user
~/.ssh/authorized_keys of the vm deployed.

Signed-off-by: Eduardo Otubo <otubo@redhat.com>

1 files changed, 43 insertions, 29 deletions

diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
index 3f99b58c..bcb23a5a 100644
--- a/cloudinit/ssh_util.py
+++ b/cloudinit/ssh_util.py
@@ -160,19 +160,19 @@ class AuthKeyLineParser(object):
                            comment=comment, options=options)
 
 
-def parse_authorized_keys(fname):
+def parse_authorized_keys(fnames):
     lines = []
-    try:
-        if os.path.isfile(fname):
-            lines = util.load_file(fname).splitlines()
-    except (IOError, OSError):
-        util.logexc(LOG, "Error reading lines from %s", fname)
-        lines = []
-
     parser = AuthKeyLineParser()
     contents = []
-    for line in lines:
-        contents.append(parser.parse(line))
+    for fname in fnames:
+        try:
+            if os.path.isfile(fname):
+                lines = util.load_file(fname).splitlines()
+                for line in lines:
+                    contents.append(parser.parse(line))
+        except (IOError, OSError):
+            util.logexc(LOG, "Error reading lines from %s", fname)
+
     return contents
 
 
@@ -211,32 +211,46 @@ def users_ssh_info(username):
     return (os.path.join(pw_ent.pw_dir, '.ssh'), pw_ent)
 
 
-def extract_authorized_keys(username):
+def render_authorizedkeysfile_paths(value, homedir, username):
+    # The 'AuthorizedKeysFile' may contain tokens
+    # of the form %T which are substituted during connection set-up.
+    # The following tokens are defined: %% is replaced by a literal
+    # '%', %h is replaced by the home directory of the user being
+    # authenticated and %u is replaced by the username of that user.
+    macros = (("%h", homedir), ("%u", username), ("%%", "%"))
+    if not value:
+        value = "%h/.ssh/authorized_keys"
+    paths = value.split()
+    rendered = []
+    for path in paths:
+        for macro, field in macros:
+            path = path.replace(macro, field)
+        if not path.startswith("/"):
+            path = os.path.join(homedir, path)
+        rendered.append(path)
+    return rendered
+
+
+def extract_authorized_keys(username, sshd_cfg_file=DEF_SSHD_CFG):
     (ssh_dir, pw_ent) = users_ssh_info(username)
-    auth_key_fn = None
+    default_authorizedkeys_file = os.path.join(ssh_dir, 'authorized_keys')
+    auth_key_fns = []
     with util.SeLinuxGuard(ssh_dir, recursive=True):
         try:
-            # The 'AuthorizedKeysFile' may contain tokens
-            # of the form %T which are substituted during connection set-up.
-            # The following tokens are defined: %% is replaced by a literal
-            # '%', %h is replaced by the home directory of the user being
-            # authenticated and %u is replaced by the username of that user.
-            ssh_cfg = parse_ssh_config_map(DEF_SSHD_CFG)
-            auth_key_fn = ssh_cfg.get("authorizedkeysfile", '').strip()
-            if not auth_key_fn:
-                auth_key_fn = "%h/.ssh/authorized_keys"
-            auth_key_fn = auth_key_fn.replace("%h", pw_ent.pw_dir)
-            auth_key_fn = auth_key_fn.replace("%u", username)
-            auth_key_fn = auth_key_fn.replace("%%", '%')
-            if not auth_key_fn.startswith('/'):
-                auth_key_fn = os.path.join(pw_ent.pw_dir, auth_key_fn)
+            ssh_cfg = parse_ssh_config_map(sshd_cfg_file)
+            auth_key_fns = render_authorizedkeysfile_paths(
+                ssh_cfg.get("authorizedkeysfile", "%h/.ssh/authorized_keys"),
+                pw_ent.pw_dir, username)
+
         except (IOError, OSError):
             # Give up and use a default key filename
-            auth_key_fn = os.path.join(ssh_dir, 'authorized_keys')
+            auth_key_fns[0] = default_authorizedkeys_file
             util.logexc(LOG, "Failed extracting 'AuthorizedKeysFile' in ssh "
                         "config from %r, using 'AuthorizedKeysFile' file "
-                        "%r instead", DEF_SSHD_CFG, auth_key_fn)
-    return (auth_key_fn, parse_authorized_keys(auth_key_fn))
+                        "%r instead", DEF_SSHD_CFG, auth_key_fns[0])
+
+    # always store all the keys in the user's private file
+    return (default_authorizedkeys_file, parse_authorized_keys(auth_key_fns))
 
 
 def setup_user_keys(keys, username, options=None):