author | Scott Moser <smoser@ubuntu.com> | 2011-08-29 20:26:17 -0400 |
---|---|---|
committer | Scott Moser <smoser@ubuntu.com> | 2011-08-29 20:26:17 -0400 |
commit | c7123a7f3bc08a2d45ce6b2d66107a669284e3f1 (patch) | |
tree | 019ba24b8da4ba9b549883f1de4b4f6ab12a02bd /cloudinit/CloudConfig/cc_ssh.py | |
parent | 5e0edd8cf0a8431d453649037da913285e28850f (diff) | |
download | vyos-cloud-init-c7123a7f3bc08a2d45ce6b2d66107a669284e3f1.tar.gz vyos-cloud-init-c7123a7f3bc08a2d45ce6b2d66107a669284e3f1.zip |
improve updating of .ssh/authorized_keys
These changes update the .ssh/authorized_keys rather than simply appending
This is preferable, as the ssh daemon uses the first matching key it finds in the file.
This fixes 2 issues where something had edited a .ssh/authorized_keys
prior to cloud-init getting at it.
a.) LP: #434076 a user prior to re-bundling
b.) LP: #833499 the hypervisor
If you want to enable ssh access for root user, the proper way to do it is
with 'disable_root: False' in cloud-config.
LP: #434076, #833499
Diffstat (limited to 'cloudinit/CloudConfig/cc_ssh.py')
-rw-r--r-- | cloudinit/CloudConfig/cc_ssh.py | 49 |
1 files changed, 4 insertions, 45 deletions
diff --git a/cloudinit/CloudConfig/cc_ssh.py b/cloudinit/CloudConfig/cc_ssh.py
index ddeb5009..50b6a73c 100644
--- a/cloudinit/CloudConfig/cc_ssh.py
+++ b/cloudinit/CloudConfig/cc_ssh.py
@@ -16,6 +16,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import cloudinit.util as util
+import cloudinit.SshUtil as sshutil
 import os
 import glob
 import subprocess
@@ -86,57 +87,15 @@ def handle(name,cfg,cloud,log,args):
 def send_ssh_keys_to_console():
 subprocess.call(('/usr/lib/cloud-init/write-ssh-key-fingerprints',))
-def apply_credentials(keys, user, disable_root, disable_root_opts=DISABLE_ROOT_OPTS):
+def apply_credentials(keys, user, disable_root, disable_root_opts=DISABLE_ROOT_OPTS, log=global_log):
 keys = set(keys)
 if user:
- setup_user_keys(keys, user, '')
+ sshutil.setup_user_keys(keys, user, '', log)
 if disable_root:
 key_prefix = disable_root_opts.replace('$USER', user)
 else:
 key_prefix = ''
- setup_user_keys(keys, 'root', key_prefix)
-
-def setup_user_keys(keys, user, key_prefix):
- import pwd
- saved_umask = os.umask(077)
-
- pwent = pwd.getpwnam(user)
-
- ssh_dir = '%s/.ssh' % pwent.pw_dir
- if not os.path.exists(ssh_dir):
- os.mkdir(ssh_dir)
- os.chown(ssh_dir, pwent.pw_uid, pwent.pw_gid)
-
- try:
- ssh_cfg = parse_ssh_config()
- akeys = ssh_cfg.get("AuthorizedKeysFile","%h/.ssh/authorized_keys")
- akeys = akeys.replace("%h", pwent.pw_dir)
- akeys = akeys.replace("%u", user)
- authorized_keys = akeys
- except Exception as e:
- authorized_keys = '%s/.ssh/authorized_keys' % pwent.pw_dir
- util.logexc(global_log)
-
- fp = open(authorized_keys, 'a')
- key_prefix = key_prefix.replace("\n"," ")
- fp.write(''.join(['%s %s\n' % (key_prefix.strip(), key) for key in keys]))
- fp.close()
-
- os.chown(authorized_keys, pwent.pw_uid, pwent.pw_gid)
-
- os.umask(saved_umask)
-
-def parse_ssh_config(fname="/etc/ssh/sshd_config"):
- ret = { }
- fp=open(fname)
- for l in fp.readlines():
- l = l.strip()
- if not l or l.startswith("#"):
- continue
- key,val = l.split(None,1)
- ret[key]=val
- fp.close()
- return(ret)
+ sshutil.setup_user_keys(keys, 'root', key_prefix, log)