path: root/cloudinit/ssh_util.py
Age | Commit message | Author
2018-09-08 | config: disable ssh access to a configured user account | Chad Smith
Cloud config can now disable ssh access to non-root users. When defining the 'users' list in cloud-configuration a boolean 'ssh_redirect_user: true' can be provided to disable ssh logins for that user. Any ssh 'public-keys' defined in cloud meta-data will be added and disabled in .ssh/authorized_keys. Any attempts to ssh as this user using acceptable ssh keys will be presented with a message like the following:
Please login as the user "ubuntu" rather than the user "youruser".
2018-04-20 | set_passwords: Add newline to end of sshd config, only restart if updated. | Scott Moser
This admittedly does a fairly extensive re-factor to simply add a newline to the end of sshd_config. It makes the ssh_config updating portion of set_passwords more testable and adds tests for that. The new function is in 'update_ssh_config_lines' which allows you to update a config with multiple changes even though only a single one is currently used.
We also only restart the ssh daemon now if a change was made to the config file. Before it was always restarted if the user specified a value for ssh_pwauth other than 'unchanged'.
Thanks to Lorens Kockum for initial diagnosis and patch.
LP: #1677205
2018-02-02 | Fix ssh keys validation in ssh_util | Tatiana Kholkina
This fixes a bug where invalid keys would sneak into authorized_keys.
2017-01-24 | Add 3 ecdsa-sha2-nistp* ssh key types now that they are standardized | Lars Kellogg-Stedman
cloud-init adds ssh_authorized_keys to the default user and to root but for root it disables the keys with a prefix command. However, if the public_key key is of type ecdsa-sha2-nistp521, it is not parsed correctly, and the prefix command is not prepended.
Resolves: rhbz#1151824
LP: #1658174
2016-12-22 | LICENSE: Allow dual licensing GPL-3 or Apache 2.0 | Jon Grimm
This has been a recurring ask and we had initially just made the change to the cloud-init 2.0 codebase. As the current thinking is we'll just continue to enhance the current codebase, it's desirable to relicense to match what we'd intended as part of the 2.0 plan here.
- put a brief description of license in LICENSE file
- put full license versions in LICENSE-GPLv3 and LICENSE-Apache2.0
- simplify the per-file header to reference LICENSE
- tox: ignore H102 (Apache License Header check)
Add license header to files that ship. Reformat headers, make sure everything has vi: at end of file. Non-shipping files do not need the copyright header, but at the moment tests/ have it.
2016-12-20 | pep8: whitespace fix | Scott Moser
2016-12-20 | Update the list of valid ssh keys. | Michael Felt
Update ssh_util.py with latest list of keys (from openssh-7.3p1/sshkeys.c), and remove extinct keys ending with "-v00@openssh.com"
Added keys: rsa-sha2-256, rsa-sha2-512, ed25519, ssh-ed25519, ssh-ed25519-cert-v01@openssh.com
Removed both of the double entries for the keys: ssh-dss-cert-v00@openssh.com ssh-rsa-cert-v00@openssh.com
2016-03-03 | Update pep8 runner and fix pep8 issues | Ryan Harper
2015-01-21 | Largely merge lp:~harlowja/cloud-init/py2-3 albeit manually because it seemed | Barry Warsaw
to be behind trunk. `tox -e py27` passes full test suite. Now to work on replacing mocker.
2014-11-12 | Handle = used as config delimiter in SSH config. | Daniel Watkins
2013-06-19 | fix and cleanup usage of util.logexc | Juerg Haefliger
2013-03-07 | pep8 and pylint fixes | Scott Moser
2013-03-01 | fix reversed logic | Scott Moser
2013-03-01 | remove debug code | Scott Moser
2013-03-01 | change parser.parse 'default_opts' to 'options' | Scott Moser
Now, parser.parse specifies options that override any options found, rather than just being default options. There could still potentially be a user for default_options, but since we're not using them anywhere, I've dropped it.
The difference is that in setting up the root user, we're now insisting that all keys that go in there have the key_prefix, even if the key content had other options.
I think this is actually the commit that fixes LP: #1136343.
2013-03-01 | move function to a static list, comment where it came from | Scott Moser
2013-03-01 | add some unit tests, fix an issue or two | Scott Moser
* drop the parsing of options into csv, as we were only exploding them back. That can only result in error. Just do minimal parsing.
* change the parsing of key lines to:
    if entry is valid:
      * use it
    else
      try taking off options:
        if good, use it
        else fail
2012-10-27 | Helpful cleanups. | harlowja
1. Remove the usage of the path.join function now that all code should be going through the util file methods (and they can be mocked out as needed).
2. Adjust all occurrences of the above join function to either not use it or replace it with the standard os.path.join (which can also be mocked out as needed)
3. Fix pylint from complaining about the tests folder 'helpers.py' not being found
4. Add a pylintrc file that is used instead of the options hidden in the 'run_pylint' tool.
2012-08-18 | Add support for printing out the authkey's for the default user. | Joshua Harlow
1. Adjust the sshutil so that it has functions for doing this (used by the previous functions)
2. Create a new module that pretty prints out the given authorized keys fetched (if any) using the standard md5 scheme (for now), this module can be disabled by setting 'no_ssh_fingerprints' or just removing it from the running list.
2012-06-29 | Don't remove the key if it's not there (or was already removed) | Joshua Harlow
2012-06-21 | Simplify sshd config loading to make it use one set of functions/objects/classes | Joshua Harlow
2012-06-20 | Massive pylint + pep8 fixups! | Joshua Harlow
2012-06-20 | Ensure any authorized key file found in authorized keys is path adjusted as well | harlowja
2012-06-19 | Make most of all the places use the paths join() function so that testing with non-real read/write paths is easier. | Joshua Harlow
2012-06-16 | Remove default since it will never be called that way and apply default since it's not currently being called that way | Joshua Harlow
2012-06-16 | Send in src line instead of stripped line. | Joshua Harlow
2012-06-16 | Update ssh_util to have a parser class and a line entry class. | Joshua Harlow
Also have a method that will parse the authorized key file. This allows:
1. Testing of parsing separate from testing of entry construction.
1. Testing of authorized key file parsing, separate from updating.
2012-06-16 | Comments as to why we are using a csv parser and do some of the logic checks that are done for option extraction | Joshua Harlow
2012-06-15 | Ensure when an exception is captured that we use the util.logexc helper. | Joshua Harlow
2012-06-11 | Add comments on formats, add in function that handles option extraction + other pylint cleanups. | Joshua Harlow
2012-06-09 | Cleanup this and add refactoring around large constructors (add a parse method). Handle error cases better... | Joshua Harlow
2012-06-08 | Remove the main function from this, seems like that should be in a test if needed. | Joshua Harlow
2012-06-07 | 1. Adding some new helper files that split off file inclusion, templating, importing, constant usage. | Joshua Harlow
1. Move all datasources to a new sources directory
1. Rename some files to be more consistent with python file/module naming.