summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorScott Moser <smoser@ubuntu.com>2012-08-20 15:58:19 -0400
committerScott Moser <smoser@ubuntu.com>2012-08-20 15:58:19 -0400
commitc54ba02b176a2f8e43820a6df0ddd2c68b79c9e7 (patch)
treec7a4d53266a7023e7e0b7d55aeaee08d31310765
parent4540821caa31dc9ed0bedf521cd36975ddafebfa (diff)
parent4a86775c9cff53a5598db8f4a395abe7c228a147 (diff)
downloadvyos-cloud-init-c54ba02b176a2f8e43820a6df0ddd2c68b79c9e7.tar.gz
vyos-cloud-init-c54ba02b176a2f8e43820a6df0ddd2c68b79c9e7.zip
add ssh-authkey-fingerprint config module, to print fingerprints to console
Example output: ci-info: +---------+-------------------------+---------+-----------------+ ci-info: | Keytype | Fingerprint (md5) | Options | Comment | ci-info: +---------+-------------------------+---------+-----------------+ ci-info: | ssh-rsa | e3:..:84:81:72:38:..:6a | - | smoser@brickies | ci-info: | ssh-rsa | 21:..:32:8a:da:98:..:42 | - | smoser@bart | ci-info: | ssh-rsa | 7b:..:ac:a7:17:51:..:b2 | - | smoser@kaypeah | ci-info: +---------+-------------------------+---------+-----------------+
-rw-r--r--ChangeLog1
-rw-r--r--cloudinit/config/cc_ssh_authkey_fingerprints.py87
-rw-r--r--cloudinit/ssh_util.py94
-rw-r--r--config/cloud.cfg1
4 files changed, 143 insertions, 40 deletions
diff --git a/ChangeLog b/ChangeLog
index fc45ff2d..61297404 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
0.7.0:
+ - write ssh authorized keys to console, ssh_authkey_fingerprints
- Added RHEVm and vSphere support as source AltCloud [Joseph VLcek]
- add write-files module (LP: #1012854)
- Add setuptools + cheetah to debian package build dependencies (LP: #1022101)
diff --git a/cloudinit/config/cc_ssh_authkey_fingerprints.py b/cloudinit/config/cc_ssh_authkey_fingerprints.py
new file mode 100644
index 00000000..35a68709
--- /dev/null
+++ b/cloudinit/config/cc_ssh_authkey_fingerprints.py
@@ -0,0 +1,87 @@
+# vi: ts=4 expandtab
+#
+# Copyright (C) 2012 Yahoo! Inc.
+#
+# Author: Joshua Harlow <harlowja@yahoo-inc.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3, as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import base64
+import hashlib
+
+from prettytable import PrettyTable
+
+from cloudinit import ssh_util
+from cloudinit import util
+
+FP_HASH_TYPE = 'md5'
+FP_SEGMENT_LEN = 2
+FP_SEGMENT_SEP = ":"
+
+
+def _split_hash(bin_hash):
+ split_up = []
+ for i in xrange(0, len(bin_hash), FP_SEGMENT_LEN):
+ split_up.append(bin_hash[i:i + FP_SEGMENT_LEN])
+ return split_up
+
+
+def _gen_fingerprint(b64_text):
+ if not b64_text:
+ return ''
+ # Maybe we should feed this into 'ssh -lf'?
+ try:
+ bin_text = base64.b64decode(b64_text)
+ hasher = hashlib.new(FP_HASH_TYPE)
+ hasher.update(bin_text)
+ pp_hash = FP_SEGMENT_SEP.join(_split_hash(hasher.hexdigest()))
+ return pp_hash
+ except TypeError:
+ return ''
+
+
+def _pprint_key_entries(user, key_fn, key_entries, prefix='ci-info: '):
+ if not key_entries:
+ message = ("%sno authorized ssh keys fingerprints found for user %s."
+ % (prefix, user))
+ util.multi_log(message)
+ return
+ tbl_fields = ['Keytype', 'Fingerprint', 'Options', 'Comment']
+ tbl = PrettyTable(tbl_fields)
+ for entry in key_entries:
+ row = []
+ row.append(entry.keytype or '-')
+ row.append(_gen_fingerprint(entry.base64) or '-')
+ row.append(entry.comment or '-')
+ row.append(entry.options or '-')
+ tbl.add_row(row)
+ authtbl_s = tbl.get_string()
+ max_len = len(max(authtbl_s.splitlines(), key=len))
+ lines = [
+ util.center("Authorized keys fingerprints from %s for user %s" %
+ (key_fn, user), "+", max_len),
+ ]
+ lines.extend(authtbl_s.splitlines())
+ for line in lines:
+ util.multi_log(text="%s%s\n" % (prefix, line))
+
+
+def handle(name, cfg, cloud, log, _args):
+ if 'no_ssh_fingerprints' in cfg:
+ log.debug(("Skipping module named %s, "
+ "logging of ssh fingerprints disabled"), name)
+
+ user = util.get_cfg_option_str(cfg, "user", "ubuntu")
+ extract = ssh_util.extract_authorized_keys
+ (auth_key_fn, auth_key_entries) = extract(user, cloud.paths)
+ _pprint_key_entries(user, auth_key_fn, auth_key_entries)
diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
index e0a2f0ca..88a11a1a 100644
--- a/cloudinit/ssh_util.py
+++ b/cloudinit/ssh_util.py
@@ -181,12 +181,11 @@ def parse_authorized_keys(fname):
return contents
-def update_authorized_keys(fname, keys):
- entries = parse_authorized_keys(fname)
+def update_authorized_keys(old_entries, keys):
to_add = list(keys)
- for i in range(0, len(entries)):
- ent = entries[i]
+ for i in range(0, len(old_entries)):
+ ent = old_entries[i]
if ent.empty() or not ent.base64:
continue
# Replace those with the same base64
@@ -199,66 +198,81 @@ def update_authorized_keys(fname, keys):
# Don't add it later
if k in to_add:
to_add.remove(k)
- entries[i] = ent
+ old_entries[i] = ent
# Now append any entries we did not match above
for key in to_add:
- entries.append(key)
+ old_entries.append(key)
# Now format them back to strings...
- lines = [str(b) for b in entries]
+ lines = [str(b) for b in old_entries]
# Ensure it ends with a newline
lines.append('')
return '\n'.join(lines)
-def setup_user_keys(keys, user, key_prefix, paths):
- # Make sure the users .ssh dir is setup accordingly
- pwent = pwd.getpwnam(user)
- ssh_dir = os.path.join(pwent.pw_dir, '.ssh')
- ssh_dir = paths.join(False, ssh_dir)
- if not os.path.exists(ssh_dir):
- util.ensure_dir(ssh_dir, mode=0700)
- util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid)
+def users_ssh_info(username, paths):
+ pw_ent = pwd.getpwnam(username)
+ if not pw_ent:
+ raise RuntimeError("Unable to get ssh info for user %r" % (username))
+ ssh_dir = paths.join(False, os.path.join(pw_ent.pw_dir, '.ssh'))
+ return (ssh_dir, pw_ent)
- # Turn the keys given into actual entries
- parser = AuthKeyLineParser()
- key_entries = []
- for k in keys:
- key_entries.append(parser.parse(str(k), def_opt=key_prefix))
+def extract_authorized_keys(username, paths):
+ (ssh_dir, pw_ent) = users_ssh_info(username, paths)
sshd_conf_fn = paths.join(True, DEF_SSHD_CFG)
+ auth_key_fn = None
with util.SeLinuxGuard(ssh_dir, recursive=True):
try:
- # AuthorizedKeysFile may contain tokens
+ # The 'AuthorizedKeysFile' may contain tokens
# of the form %T which are substituted during connection set-up.
# The following tokens are defined: %% is replaced by a literal
# '%', %h is replaced by the home directory of the user being
# authenticated and %u is replaced by the username of that user.
ssh_cfg = parse_ssh_config_map(sshd_conf_fn)
- akeys = ssh_cfg.get("authorizedkeysfile", '')
- akeys = akeys.strip()
- if not akeys:
- akeys = "%h/.ssh/authorized_keys"
- akeys = akeys.replace("%h", pwent.pw_dir)
- akeys = akeys.replace("%u", user)
- akeys = akeys.replace("%%", '%')
- if not akeys.startswith('/'):
- akeys = os.path.join(pwent.pw_dir, akeys)
- authorized_keys = paths.join(False, akeys)
+ auth_key_fn = ssh_cfg.get("authorizedkeysfile", '').strip()
+ if not auth_key_fn:
+ auth_key_fn = "%h/.ssh/authorized_keys"
+ auth_key_fn = auth_key_fn.replace("%h", pw_ent.pw_dir)
+ auth_key_fn = auth_key_fn.replace("%u", username)
+ auth_key_fn = auth_key_fn.replace("%%", '%')
+ if not auth_key_fn.startswith('/'):
+ auth_key_fn = os.path.join(pw_ent.pw_dir, auth_key_fn)
+ auth_key_fn = paths.join(False, auth_key_fn)
except (IOError, OSError):
- authorized_keys = os.path.join(ssh_dir, 'authorized_keys')
+ # Give up and use a default key filename
+ auth_key_fn = os.path.join(ssh_dir, 'authorized_keys')
util.logexc(LOG, ("Failed extracting 'AuthorizedKeysFile'"
" in ssh config"
- " from %s, using 'AuthorizedKeysFile' file"
- " %s instead"),
- sshd_conf_fn, authorized_keys)
-
- content = update_authorized_keys(authorized_keys, key_entries)
- util.ensure_dir(os.path.dirname(authorized_keys), mode=0700)
- util.write_file(authorized_keys, content, mode=0600)
- util.chownbyid(authorized_keys, pwent.pw_uid, pwent.pw_gid)
+ " from %r, using 'AuthorizedKeysFile' file"
+ " %r instead"),
+ sshd_conf_fn, auth_key_fn)
+ auth_key_entries = parse_authorized_keys(auth_key_fn)
+ return (auth_key_fn, auth_key_entries)
+
+
+def setup_user_keys(keys, username, key_prefix, paths):
+ # Make sure the users .ssh dir is setup accordingly
+ (ssh_dir, pwent) = users_ssh_info(username, paths)
+ if not os.path.isdir(ssh_dir):
+ util.ensure_dir(ssh_dir, mode=0700)
+ util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid)
+
+ # Turn the 'update' keys given into actual entries
+ parser = AuthKeyLineParser()
+ key_entries = []
+ for k in keys:
+ key_entries.append(parser.parse(str(k), def_opt=key_prefix))
+
+ # Extract the old and make the new
+ (auth_key_fn, auth_key_entries) = extract_authorized_keys(username, paths)
+ with util.SeLinuxGuard(ssh_dir, recursive=True):
+ content = update_authorized_keys(auth_key_entries, key_entries)
+ util.ensure_dir(os.path.dirname(auth_key_fn), mode=0700)
+ util.write_file(auth_key_fn, content, mode=0600)
+ util.chownbyid(auth_key_fn, pwent.pw_uid, pwent.pw_gid)
class SshdConfigLine(object):
diff --git a/config/cloud.cfg b/config/cloud.cfg
index 2b4d9e63..f8d62e27 100644
--- a/config/cloud.cfg
+++ b/config/cloud.cfg
@@ -59,6 +59,7 @@ cloud_final_modules:
- scripts-per-boot
- scripts-per-instance
- scripts-user
+ - ssh-auth-key-fingerprints
- keys-to-console
- phone-home
- final-message