From c7123a7f3bc08a2d45ce6b2d66107a669284e3f1 Mon Sep 17 00:00:00 2001 From: Scott Moser Date: Mon, 29 Aug 2011 20:26:17 -0400 Subject: improve updating of .ssh/authorized_keys These changes update the .ssh/authorized_keys rather than simply appending This is preferable as ssh daemon picks the first key that is present. This fixes 2 issues where something had edited a .ssh/authorized_keys prior to cloud-init getting at it. a.) LP: #434076 a user prior to re-bundling b.) LP: #833499 the hypervisor If you want to enable ssh access for root user, the proper way to do it is with 'disable_root: False' in cloud-config. LP: #434076, #833499 --- cloudinit/CloudConfig/cc_ssh.py | 49 ++++------------------------------------- 1 file changed, 4 insertions(+), 45 deletions(-) (limited to 'cloudinit/CloudConfig/cc_ssh.py') diff --git a/cloudinit/CloudConfig/cc_ssh.py b/cloudinit/CloudConfig/cc_ssh.py index ddeb5009..50b6a73c 100644 --- a/cloudinit/CloudConfig/cc_ssh.py +++ b/cloudinit/CloudConfig/cc_ssh.py @@ -16,6 +16,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . import cloudinit.util as util +import cloudinit.SshUtil as sshutil import os import glob import subprocess @@ -86,57 +87,15 @@ def handle(name,cfg,cloud,log,args): def send_ssh_keys_to_console(): subprocess.call(('/usr/lib/cloud-init/write-ssh-key-fingerprints',)) -def apply_credentials(keys, user, disable_root, disable_root_opts=DISABLE_ROOT_OPTS): +def apply_credentials(keys, user, disable_root, disable_root_opts=DISABLE_ROOT_OPTS, log=global_log): keys = set(keys) if user: - setup_user_keys(keys, user, '') + sshutil.setup_user_keys(keys, user, '', log) if disable_root: key_prefix = disable_root_opts.replace('$USER', user) else: key_prefix = '' - setup_user_keys(keys, 'root', key_prefix) - -def setup_user_keys(keys, user, key_prefix): - import pwd - saved_umask = os.umask(077) - - pwent = pwd.getpwnam(user) - - ssh_dir = '%s/.ssh' % pwent.pw_dir - if not os.path.exists(ssh_dir): - os.mkdir(ssh_dir) - os.chown(ssh_dir, pwent.pw_uid, pwent.pw_gid) - - try: - ssh_cfg = parse_ssh_config() - akeys = ssh_cfg.get("AuthorizedKeysFile","%h/.ssh/authorized_keys") - akeys = akeys.replace("%h", pwent.pw_dir) - akeys = akeys.replace("%u", user) - authorized_keys = akeys - except Exception as e: - authorized_keys = '%s/.ssh/authorized_keys' % pwent.pw_dir - util.logexc(global_log) - - fp = open(authorized_keys, 'a') - key_prefix = key_prefix.replace("\n"," ") - fp.write(''.join(['%s %s\n' % (key_prefix.strip(), key) for key in keys])) - fp.close() - - os.chown(authorized_keys, pwent.pw_uid, pwent.pw_gid) - - os.umask(saved_umask) - -def parse_ssh_config(fname="/etc/ssh/sshd_config"): - ret = { } - fp=open(fname) - for l in fp.readlines(): - l = l.strip() - if not l or l.startswith("#"): - continue - key,val = l.split(None,1) - ret[key]=val - fp.close() - return(ret) + sshutil.setup_user_keys(keys, 'root', key_prefix, log) -- cgit v1.2.3