x/cloud-init
Code Issues Proposed changes

Add support for printing out the authkey's for the default user.

Browse Source 
1. Adjust the sshutil so that it has functions
   for doing this (used by the previous functions)
2. Create a new module that pretty prints out 
   the given authorized keys fetched (if any) using the standard
   md5 scheme (for now), this module can be disabled by 
   setting 'no_ssh_fingerprints' or just removing it from the running
   list.
This commit is contained in:
Joshua Harlow 2012-08-18 21:15:52 -07:00
parent 7a6334e4bc
commit 17e3d5228b
2 changed files with 139 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
cloudinit/config/cc_ssh_authkey_fingerprints.py Normal file
View File

@ -0,0 +1,86 @@
# vi: ts=4 expandtab
#
# Copyright (C) 2012 Yahoo! Inc.
#
# Author: Joshua Harlow <harlowja@yahoo-inc.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 3, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import base64
import glob
import hashlib
import os
from prettytable import PrettyTable
from cloudinit import util
from cloudinit import ssh_util
FP_HASH_TYPE = 'md5'
FP_SEGMENT_LEN = 2
FP_SEGMENT_SEP = ":"
def _split_hash(bin_hash):
split_up = []
for i in xrange(0, len(bin_hash), FP_SEGMENT_LEN):
split_up.append(bin_hash[i:i+FP_SEGMENT_LEN])
return split_up
def _gen_fingerprint(b64_text):
if not b64_text:
return ''
# Maybe we should feed this into 'ssh -lf'?
try:
bin_text = base64.b64decode(b64_text)
hasher = hashlib.new(FP_HASH_TYPE)
hasher.update(bin_text)
pp_hash = FP_SEGMENT_SEP.join(_split_hash(hasher.hexdigest()))
return pp_hash
except TypeError:
return ''
def _pprint_key_entries(user, key_fn, key_entries, prefix='ci-info: '):
if not key_entries:
message = "%sno authorized ssh keys fingerprints found for user %s." % (prefix, user)
util.multi_log(message)
return
tbl_fields = ['Keytype', 'Fingerprint', 'Options', 'Comment']
tbl = PrettyTable(tbl_fields)
for entry in key_entries:
row = []
row.append(entry.keytype or '-')
row.append(_gen_fingerprint(entry.base64) or '-')
row.append(entry.comment or '-')
row.append(entry.options or '-')
tbl.add_row(row)
authtbl_s = tbl.get_string()
max_len = len(max(authtbl_s.splitlines(), key=len))
lines = [
util.center("Authorized keys fingerprints from %s for user %s" % (key_fn, user), "+", max_len),
]
lines.extend(authtbl_s.splitlines())
for line in lines:
util.multi_log(text="%s%s\n" % (prefix, line))
def handle(name, cfg, cloud, log, _args):
if 'no_ssh_fingerprints' in cfg:
log.debug(("Skipping module named %s, "
"logging of ssh fingerprints disabled"), name)
user = util.get_cfg_option_str(cfg, "user", "ubuntu")
(auth_key_fn, auth_key_entries) = ssh_util.extract_authorized_keys(user, cloud.paths)
_pprint_key_entries(user, auth_key_fn, auth_key_entries)

92
cloudinit/ssh_util.py
View File

@ -181,12 +181,11 @@ def parse_authorized_keys(fname):
return contents
def update_authorized_keys(fname, keys):
entries = parse_authorized_keys(fname)
def update_authorized_keys(old_entries, keys):
to_add = list(keys)
for i in range(0, len(entries)):
ent = entries[i]
for i in range(0, len(old_entries)):
ent = old_entries[i]
if ent.empty() or not ent.base64:
continue
# Replace those with the same base64
@ -199,66 +198,81 @@ def update_authorized_keys(fname, keys):
# Don't add it later
if k in to_add:
to_add.remove(k)
entries[i] = ent
old_entries[i] = ent
# Now append any entries we did not match above
for key in to_add:
entries.append(key)
old_entries.append(key)
# Now format them back to strings...
lines = [str(b) for b in entries]
lines = [str(b) for b in old_entries]
# Ensure it ends with a newline
lines.append('')
return '\n'.join(lines)
def setup_user_keys(keys, user, key_prefix, paths):
# Make sure the users .ssh dir is setup accordingly
pwent = pwd.getpwnam(user)
ssh_dir = os.path.join(pwent.pw_dir, '.ssh')
ssh_dir = paths.join(False, ssh_dir)
if not os.path.exists(ssh_dir):
util.ensure_dir(ssh_dir, mode=0700)
util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid)
def users_ssh_info(username, paths):
pw_ent = pwd.getpwnam(username)
if not pw_ent:
raise RuntimeError("Unable to get ssh info for user %r" % (username))
ssh_dir = paths.join(False, os.path.join(pw_ent.pw_dir, '.ssh'))
return (ssh_dir, pw_ent)
# Turn the keys given into actual entries
parser = AuthKeyLineParser()
key_entries = []
for k in keys:
key_entries.append(parser.parse(str(k), def_opt=key_prefix))
def extract_authorized_keys(username, paths):
(ssh_dir, pw_ent) = users_ssh_info(username, paths)
sshd_conf_fn = paths.join(True, DEF_SSHD_CFG)
auth_key_fn = None
with util.SeLinuxGuard(ssh_dir, recursive=True):
try:
# AuthorizedKeysFile may contain tokens
# The 'AuthorizedKeysFile' may contain tokens
# of the form %T which are substituted during connection set-up.
# The following tokens are defined: %% is replaced by a literal
# '%', %h is replaced by the home directory of the user being
# authenticated and %u is replaced by the username of that user.
ssh_cfg = parse_ssh_config_map(sshd_conf_fn)
akeys = ssh_cfg.get("authorizedkeysfile", '')
akeys = akeys.strip()
if not akeys:
akeys = "%h/.ssh/authorized_keys"
akeys = akeys.replace("%h", pwent.pw_dir)
akeys = akeys.replace("%u", user)
akeys = akeys.replace("%%", '%')
if not akeys.startswith('/'):
akeys = os.path.join(pwent.pw_dir, akeys)
authorized_keys = paths.join(False, akeys)
auth_key_fn = ssh_cfg.get("authorizedkeysfile", '').strip()
if not auth_key_fn:
auth_key_fn = "%h/.ssh/authorized_keys"
auth_key_fn = auth_key_fn.replace("%h", pw_ent.pw_dir)
auth_key_fn = auth_key_fn.replace("%u", username)
auth_key_fn = auth_key_fn.replace("%%", '%')
if not auth_key_fn.startswith('/'):
auth_key_fn = os.path.join(pw_ent.pw_dir, auth_key_fn)
auth_key_fn = paths.join(False, auth_key_fn)
except (IOError, OSError):
authorized_keys = os.path.join(ssh_dir, 'authorized_keys')
# Give up and use a default key filename
auth_key_fn = os.path.join(ssh_dir, 'authorized_keys')
util.logexc(LOG, ("Failed extracting 'AuthorizedKeysFile'"
" in ssh config"
" from %s, using 'AuthorizedKeysFile' file"
" %s instead"),
sshd_conf_fn, authorized_keys)
" from %r, using 'AuthorizedKeysFile' file"
" %r instead"),
sshd_conf_fn, auth_key_fn)
auth_key_entries = parse_authorized_keys(auth_key_fn)
return (auth_key_fn, auth_key_entries)
content = update_authorized_keys(authorized_keys, key_entries)
util.ensure_dir(os.path.dirname(authorized_keys), mode=0700)
util.write_file(authorized_keys, content, mode=0600)
util.chownbyid(authorized_keys, pwent.pw_uid, pwent.pw_gid)
def setup_user_keys(keys, username, key_prefix, paths):
# Make sure the users .ssh dir is setup accordingly
(ssh_dir, pwent) = users_ssh_info(username, paths)
if not os.path.isdir(ssh_dir):
util.ensure_dir(ssh_dir, mode=0700)
util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid)
# Turn the 'update' keys given into actual entries
parser = AuthKeyLineParser()
key_entries = []
for k in keys:
key_entries.append(parser.parse(str(k), def_opt=key_prefix))
# Extract the old and make the new
(auth_key_fn, auth_key_entries) = extract_authorized_keys(username, paths)
with util.SeLinuxGuard(ssh_dir, recursive=True):
content = update_authorized_keys(auth_key_entries, key_entries)
util.ensure_dir(os.path.dirname(auth_key_fn), mode=0700)
util.write_file(auth_key_fn, content, mode=0600)
util.chownbyid(auth_key_fn, pwent.pw_uid, pwent.pw_gid)
class SshdConfigLine(object):