diff options
author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-02-16 18:35:12 -0800 |
---|---|---|
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-02-17 09:36:02 -0800 |
commit | 3ec0331cad6790982f9b1b2b4137eaadbc006b52 (patch) | |
tree | 45c22ed5793afafa30ec50dad0625680b1d14772 | |
parent | b2f4a85413d7dd687601b945a8e930119e5e8db2 (diff) | |
download | vyatta-cfg-system-3ec0331cad6790982f9b1b2b4137eaadbc006b52.tar.gz vyatta-cfg-system-3ec0331cad6790982f9b1b2b4137eaadbc006b52.zip |
Handle DSA keys
Bug 5350
Need some changes to support DSA keys (Protocol V2).
Also add support for options in key file.
-rwxr-xr-x | scripts/vyatta-load-user-key.pl | 101 | ||||
-rw-r--r-- | templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def | 4 |
2 files changed, 60 insertions, 45 deletions
diff --git a/scripts/vyatta-load-user-key.pl b/scripts/vyatta-load-user-key.pl index 32af1af2..96114d45 100755 --- a/scripts/vyatta-load-user-key.pl +++ b/scripts/vyatta-load-user-key.pl @@ -4,19 +4,19 @@ # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 as # published by the Free Software Foundation. -# +# # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc. # All Rights Reserved. -# +# # Author: Stephen Hemminger -# Date: 2009 -# +# Date: February 2010 +# # **** End License **** use lib "/opt/vyatta/share/perl5/"; @@ -25,6 +25,7 @@ use warnings; use Vyatta::Config; +my $sbindir = $ENV{vyatta_sbindir}; sub usage { print "Usage: $0 user filename|url\n"; @@ -33,7 +34,7 @@ sub usage { sub check_http { my ($url) = @_; - + # # error codes are send back in html, so 1st try a header # and look for "HTTP/1.1 200 OK" @@ -43,7 +44,7 @@ sub check_http { my $rc_code = $1; my $rc_string = $2; - die "http error: [$rc_code] $rc_string\n" + die "http error: [$rc_code] $rc_string\n" unless ( $rc_code == 200 ); } else { die "Error: $rc\n"; @@ -51,12 +52,19 @@ sub check_http { } sub geturl { - my ($proto, $url) = @_; + my $url = shift; - if ($proto eq 'http') { - check_http($url) + # Is it a local file? + unless ($url =~ m#(^[^/]\w+)://# ) { + open(my $in, '<', $url) + or die "Cannot open file $url: $!\n"; + return $in; } + my $proto = $1; + check_http($url) + if ($proto eq 'http'); + my $cmd = "curl -#"; # Handle user@host syntax which curl doesn't do @@ -74,50 +82,57 @@ sub geturl { return $curl; } +sub badkey { + die "Not a valid key file format (see man sshd)" +} + +sub getkeys { + my ($user, $in) = @_; + + while (<$in>) { + chomp; + + next if /^#/; # ignore comments + + # public key (format 2) consist of: + # options, keytype, base64-encoded key, comment. + my $pos = index $_, "ssh-"; + badkey + unless ($pos >= 0); # missing keytype + + my ($keytype, $keycode, $comment) = split / /, substr($_, $pos); + + badkey + unless defined($keytype) && defined($keycode) && defined($comment); + + badkey + unless ($keytype eq 'ssh-rsa' || $keytype eq 'ssh-dss'); + + my $cmd + = "set system login user $user authentication public-keys $comment"; + + system ("$sbindir/my_$cmd" . " type $keytype"); + die "\"$cmd\" type failed\n" + if ($? >> 8); + + system ("$sbindir/my_$cmd" . " key \"$keycode\""); + die "\"$cmd\" key failed\n" + if ($? >> 8); + } +} + usage unless ($#ARGV == 1); my $user = $ARGV[0]; my $source = $ARGV[1]; -my $sbindir = $ENV{vyatta_sbindir}; my $config = new Vyatta::Config; $config->setLevel("system login user"); die "User $user does not exist in current configuration\n" unless $config->exists($user); -# If it has protocol:// then use curl to copy -my $in; -if ( $source =~ m#(^[^/]\w+)://# ) { - $in = geturl ($1, $source); -} else { - open($in, '<', $source) - or die "Cannot open file $source: $!\n"; -} - -while (<$in>) { - chomp; - # public key (format 2) consist of: - # options, keytype, base64-encoded key, comment. - # The options field is optional (but not supported). - my ($keytype, $keycode, $comment) = split / /; - - die "Not a valid key file format (see man sshd)" - unless defined($keytype) && defined($keycode) && defined($comment); - - die "$keytype: not a known ssh public format\n" - unless ($keytype =~ /ssh-rsa|ssh-dsa/); - - my $cmd = "set system login user $user authentication public-keys $comment"; - system ("$sbindir/my_$cmd" . " key $keycode"); - die "\"$cmd\" key failed\n" - if ($? >> 8); - - system ("$sbindir/my_$cmd" . " type $keytype"); - die "\"$cmd\" type failed\n" - if ($? >> 8); -} -close $in; +addkeys($user, geturl($source)); system("$sbindir/my_commit"); if ( $? >> 8 ) { diff --git a/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def b/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def index b2cb9652..30138fe6 100644 --- a/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def +++ b/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def @@ -1,4 +1,4 @@ type: txt help: Set public key type -allowed: echo "ssh-dsa ssh-rsa" -syntax:expression: $VAR(@) in "ssh-rsa", "ssh-dsa" ; "Unknown key type" +allowed: echo "ssh-dss ssh-rsa" +syntax:expression: $VAR(@) in "ssh-rsa", "ssh-dss" ; "Unknown key type" |