diff options
author | Scott Moser <smoser@ubuntu.com> | 2011-01-28 14:39:46 -0500 |
---|---|---|
committer | Scott Moser <smoser@ubuntu.com> | 2011-01-28 14:39:46 -0500 |
commit | 7d26b49482f5e7a4205d3a7999cd9db11a696993 (patch) | |
tree | b4b659e9a2e71724cc48818fed58d11d60e974a6 | |
parent | 8038c24d6dce45a4cc7eab55323c39901a7b072a (diff) | |
parent | 818ac2e096ecf14f11f4adb9de0155e3e2f8a93f (diff) | |
download | vyos-cloud-init-7d26b49482f5e7a4205d3a7999cd9db11a696993.tar.gz vyos-cloud-init-7d26b49482f5e7a4205d3a7999cd9db11a696993.zip |
add support for setting passwords and managing PasswordAuthentication
Note: by default, nothing is done. No users will have passwords
set, nor will sshd's configuration be changed unless cloud-config
is modified. Additionally, by default, users whose passwords are
set have their password expired, forcing a change.
-rw-r--r-- | ChangeLog | 2 | ||||
-rw-r--r-- | cloudinit/CloudConfig/cc_set_passwords.py | 124 | ||||
-rw-r--r-- | config/cloud.cfg | 1 | ||||
-rw-r--r-- | doc/examples/cloud-config.txt | 37 |
4 files changed, 164 insertions, 0 deletions
@@ -3,6 +3,8 @@ - improve comment strings in rsyslog file tools/21-cloudinit.conf - add previous-instance-id and previous-datasource files to datadir - add 'datasource' file to instance dir + - add setting of passwords and enabling/disabling of PasswordAuthentication + for sshd. By default no changes are done to sshd. 0.6.0: - change permissions of /var/log/cloud-init.log to accomodate syslog writing to it (LP: #704509) diff --git a/cloudinit/CloudConfig/cc_set_passwords.py b/cloudinit/CloudConfig/cc_set_passwords.py new file mode 100644 index 00000000..92f0aac7 --- /dev/null +++ b/cloudinit/CloudConfig/cc_set_passwords.py @@ -0,0 +1,124 @@ +# vi: ts=4 expandtab +# +# Copyright (C) 2009-2010 Canonical Ltd. +# +# Author: Scott Moser <scott.moser@canonical.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 3, as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +import cloudinit.util as util +import subprocess +import sys +import random +import string + +def handle(name,cfg,cloud,log,args): + if len(args) != 0: + # if run from command line, and give args, wipe the chpasswd['list'] + password = args[0] + if 'chpasswd' in cfg and 'list' in cfg['chpasswd']: + del cfg['chpasswd']['list'] + else: + password = util.get_cfg_option_str(cfg,"password",None) + + expire = True + pw_auth = "no" + change_pwauth = False + plist = None + + if 'chpasswd' in cfg: + chfg = cfg['chpasswd'] + plist = util.get_cfg_option_str(chfg,'list',plist) + expire = util.get_cfg_option_bool(chfg,'expire', expire) + + if not plist and password: + user = util.get_cfg_option_str(cfg,"user","ubuntu") + plist = "%s:%s" % (user, password) + + errors = [] + if plist: + plist_in = [] + randlist = [] + users = [] + for line in plist.splitlines(): + u,p = line.split(':',1) + if p == "R" or p == "RANDOM": + p = rand_user_password() + randlist.append("%s:%s" % (u,p)) + plist_in.append("%s:%s" % (u,p)) + users.append(u) + + ch_in = '\n'.join(plist_in) + try: + util.subp(['chpasswd'], ch_in) + log.debug("changed password for %s:" % users) + except Exception as e: + errors.append(e) + log.warn("failed to set passwords with chpasswd: %s" % e) + + if len(randlist): + sys.stdout.write("%s\n%s\n" % ("Set the following passwords\n", + '\n'.join(randlist) )) + + if expire: + enum=len(errors) + for u in users: + try: + util.subp(['passwd', '--expire', u]) + except Exception as e: + errors.append(e) + log.warn("failed to expire account for %s" % u ) + if enum == len(errors): + log.debug("expired passwords for: %s" % u) + + if 'ssh_pwauth' in cfg: + val = str(cfg['ssh_pwauth']).lower() + if val in ( "true", "1", "yes"): + pw_auth="yes" + change_pwauth=True + elif val in ( "false", "0", "no"): + pw_auth="no" + change_pwauth=True + else: + change_pwauth=False + + if change_pwauth: + pa_s = "\(#*\)\(PasswordAuthentication[[:space:]]\+\)\(yes\|no\)" + msg = "set PasswordAuthentication to '%s'" % pw_auth + try: + cmd = [ 'sed', '-i', 's,%s,\\2%s,' % (pa_s, pw_auth), + '/etc/ssh/sshd_config' ] + util.subp(cmd) + log.debug(msg) + except Exception as e: + log.warn("failed %s" % msg) + errors.append(e) + + try: + p = util.subp(['service', 'ssh', 'restart']) + log.debug("restarted sshd") + except: + log.warn("restart of ssh failed") + + if len(errors): + raise(errors[0]) + + return + +def rand_str(strlen=32, select_from=string.letters+string.digits): + return("".join([random.choice(select_from) for x in range(0, strlen)])) + +def rand_user_password(pwlen=9): + selfrom=(string.letters.translate(None,'loLOI') + + string.digits.translate(None,'01')) + return(rand_str(pwlen,select_from=selfrom)) + diff --git a/config/cloud.cfg b/config/cloud.cfg index 90e7ae30..dcd61280 100644 --- a/config/cloud.cfg +++ b/config/cloud.cfg @@ -14,6 +14,7 @@ cloud_config_modules: - ssh-import-id - locale - ssh + - set-passwords - grub-dpkg - apt-update-upgrade - puppet diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt index 443fee2e..0a1d4279 100644 --- a/doc/examples/cloud-config.txt +++ b/doc/examples/cloud-config.txt @@ -346,3 +346,40 @@ timezone: US/Eastern # if either is empty, then no change of ownership will be done def_log_file: /var/log/my-logging-file.log syslog_fix_perms: syslog:root + +# you can set passwords for a user or multiple users +# this is off by default. +# to set the default user's password, use the 'password' option. +# if set, to 'R' or 'RANDOM', then a random password will be +# generated and written to stdout (the console) +# password: passw0rd +# +# also note, that this will expire the password, forcing a change +# on first login. If you do not want to expire, see 'chpasswd' below. +# +# By default in the UEC images password authentication is disabled +# Thus, simply setting 'password' as above will only allow you to login +# via the console. +# +# in order to enable password login via ssh you must set +# 'ssh_pwauth'. +# If it is set, to 'True' or 'False', then sshd_config will be updated +# to ensure the desired function. If not set, or set to '' or 'unchanged' +# then sshd_config will not be updated. +# ssh_pwauth: True +# +# there is also an option to set multiple users passwords, using 'chpasswd' +# That looks like the following, with 'expire' set to 'True' by default. +# to not expire users passwords, set 'expire' to 'False': +# chpasswd: +# list: | +# user1:password1 +# user2:RANDOM +# expire: True +# ssh_pwauth: [ True, False, "" or "unchanged" ] +# +# So, a simple working example to allow login via ssh, and not expire +# for the default user would look like: +password: passw0rd +chpasswd: { expire: False } +ssh_pwauth: True |