From a3dd4c078da9aefabef4a24d0af2e4382d9f74a1 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Thu, 3 Dec 2009 15:13:24 -0800
Subject: Set modes of created authorization key (and directory)

sshd is picky about modes (and it should be), so make sure and chmod the file.
---
 lib/Vyatta/Login/User.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index f6706e4e..018e7e12 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -130,10 +130,11 @@ sub set_authorized_keys {
 unless (-d $sshdir) {
 mkdir $sshdir;
 chown ($uid, $gid, $sshdir);
+ chmod (0750, $sshdir);
 }
 my $auth;
- unless (open (my $auth, "$sshdir/authorized_keys")) {
+ unless (open (my $auth, '>', "$sshdir/authorized_keys")) {
 warn "open $sshdir/authorized_keys failed: $!";
 return;
 }
@@ -152,6 +153,7 @@ sub set_authorized_keys {
 }
 select STDOUT;
 close $auth;
+ chmod (0640, "$sshdir/authorized_keys");
 }
 sub update {
-- 
cgit v1.2.3

From 31590c67860fb99d5c4b267dd880fe63497fb89f Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Thu, 3 Dec 2009 15:20:28 -0800
Subject: Add script for loading public key

Variation on existing config file loader that is useful for loading public key.
---
 scripts/vyatta-load-user-key.pl | 141 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)
 create mode 100644 scripts/vyatta-load-user-key.pl

diff --git a/scripts/vyatta-load-user-key.pl b/scripts/vyatta-load-user-key.pl
new file mode 100644
index 00000000..ba436efe
--- /dev/null
+++ b/scripts/vyatta-load-user-key.pl
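Review bot: The `my` inside `unless (open (my $auth, '>', "$sshdir/authorized_keys"))` declares a second `$auth` whose scope ends with that `unless` statement, so the outer `my $auth;` stays undefined, the later `close $auth` in the second hunk appears to act on an unopened handle, and the freshly opened file would be closed as soon as the inner lexical goes away; dropping the inner `my` — `unless (open ($auth, '>', "$sshdir/authorized_keys")) {` — binds the outer variable instead. I cannot see lines 139-151 between the two hunks, so confirm that nothing there rebinds `$auth`. The return values of `mkdir`, `chown` and both new `chmod` calls (this hunk and the one at line 153) are unchecked, so a failure leaves a directory or key file that sshd's StrictModes will silently refuse to use while this code reports success; `chmod (0750, $sshdir) or warn "chmod $sshdir: $!";` mirrors the existing `warn` on open failure. set_authorized_keys begins and ends outside this hunk.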
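Review bot: `close $auth` on a write handle is unchecked, and buffered write errors (a full filesystem, for instance) only surface at close, so a truncated authorized_keys can be left behind with no message; `close $auth or warn "close $sshdir/authorized_keys: $!";` keeps the existing warn style. Ownership of `$sshdir/authorized_keys` is not set in either hunk: if this runs as root the file is root-owned, which sshd accepts, but since the directory is chown'd to the user it would be consistent to chown the file too — the lines between the hunks may already do this. The enclosing sub starts before this hunk.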
@@ -0,0 +1,141 @@
+#! /bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Stephen Hemminger
+# Date: 2009
+#
+# **** End License ****
+
+use strict;
+use lib "/opt/vyatta/share/perl5/";
+
+sub usage {
+ print "Usage: $0 user filename|url\n";
+ exit 1;
+}
+
+sub check_http {
+ my ($url) = @_;
+
+ #
+ # error codes are send back in html, so 1st try a header
+ # and look for "HTTP/1.1 200 OK"
+ #
+ my $rc = `curl -q -I $url 2>&1`;
+ if ( $rc =~ /HTTP\/\d+\.?\d\s+(\d+)\s+(.*)$/mi ) {
+ my $rc_code = $1;
+ my $rc_string = $2;
+
+ die "http error: [$rc_code] $rc_string\n"
+ unless ( $rc_code == 200 );
+ } else {
+ die "Error: $rc\n";
+ }
+}
+
+sub load_url {
+ my ($url, $tmpfile) = @_;
+ my $proto;
+
+ if ( $url =~ /^(\w+):\/\/\w/ ) {
+ $proto = lc($1);
+ } else {
+ die "Invalid url [$url]\n";
+ }
+
+ die "Invalid url protocol [$proto]\n"
+ unless( $proto eq 'tftp' ||
+ $proto eq 'ftp' ||
+ $proto eq 'http' ||
+ $proto eq 'scp' );
+
+ check_http($url)
+ if ($proto eq 'http');
+
+ system("curl -# -o $tmpfile $url") == 0
+ or die "Can not fetch remote file $url\n";
+}
+
+usage unless ($#ARGV != 2);
+
+my $user = $ARGV[0];
+my $loadfile = $ARGV[1];
+
+my $sbindir = $ENV{vyatta_sbindir};
+my $config = new Vyatta::Config;
+$config->setLevel("system login user");
+
+die "$user does not exist in configuration\n"
+ unless $config->exists($user);
+
+if ( $loadfile =~ /^[^\/]\w+:\// ) {
+ my $tmp_file = "/tmp/key.$user.$$";
+
+ load_url ($loadfile, $tmp_file);
+ $loadfile = $tmp_file;
+}
+
+open(my $cfg, '<', $loadfile)
+ or die "Cannot open file $loadfile: $!\n";
+
+while (<$cfg>) {
+ chomp;
+ # public key (format 2) consist of:
+ # options, keytype, base64-encoded key, comment.
+ # The options field is optional (but not supported).
+ my ($keytype, $keycode, $comment) = split / /;
+ die "Not a valid key file format (see man sshd)"
+ unless $keycode;
+
+ die "Not a valid ssh public file format\n"
+ unless ($keytype =~ /ssh-rsa|ssh-dsa/);
+
+ my $cmd = "set system login user $user authorized-key $keycode"
+ . " key-type $keytype";
+ system ("$sbindir/my_$cmd");
+ if ($? >> 8) {
+ die "\"$cmd\" failed\n";
+ }
+
+ if ($comment) {
+ $cmd = "set system login user $user authorized-key $keycode"
+ ." description $comment";
+ system ("$sbindir/my_$cmd");
+ if ($? >> 8) {
+ die "\"$cmd\" failed\n";
+ }
+ }
+}
+close $cfg;
+
+system("$sbindir/my_commit");
+if ( $? >> 8 ) {
+ print "Load failed (commit failed)\n";
+ exit 1;
+}
+
+print "Done\n";
+exit 0;
+
+
+
+
+
+
+
+
+
-- 
cgit v1.2.3