4d1d7a9bb5
1. Remove the usage of the path.join function now that all code should be going through the util file methods (and they can be mocked out as needed). 2. Adjust all occurences of the above join function to either not use it or replace it with the standard os.path.join (which can also be mocked out as needed) 3. Fix pylint from complaining about the tests folder 'helpers.py' not being found 4. Add a pylintrc file that is used instead of the options hidden in the 'run_pylint' tool.
139 lines
5.1 KiB
Python
139 lines
5.1 KiB
Python
# vi: ts=4 expandtab
|
|
#
|
|
# Copyright (C) 2009-2010 Canonical Ltd.
|
|
# Copyright (C) 2012 Hewlett-Packard Development Company, L.P.
|
|
#
|
|
# Author: Scott Moser <scott.moser@canonical.com>
|
|
# Author: Juerg Haefliger <juerg.haefliger@hp.com>
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License version 3, as
|
|
# published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import glob
|
|
import os
|
|
|
|
# Ensure this is aliased to a name not 'distros'
|
|
# since the module attribute 'distros'
|
|
# is a list of distros that are supported, not a sub-module
|
|
from cloudinit import distros as ds
|
|
|
|
from cloudinit import ssh_util
|
|
from cloudinit import util
|
|
|
|
DISABLE_ROOT_OPTS = ("no-port-forwarding,no-agent-forwarding,"
|
|
"no-X11-forwarding,command=\"echo \'Please login as the user \\\"$USER\\\" "
|
|
"rather than the user \\\"root\\\".\';echo;sleep 10\"")
|
|
|
|
KEY_2_FILE = {
|
|
"rsa_private": ("/etc/ssh/ssh_host_rsa_key", 0600),
|
|
"rsa_public": ("/etc/ssh/ssh_host_rsa_key.pub", 0644),
|
|
"dsa_private": ("/etc/ssh/ssh_host_dsa_key", 0600),
|
|
"dsa_public": ("/etc/ssh/ssh_host_dsa_key.pub", 0644),
|
|
"ecdsa_private": ("/etc/ssh/ssh_host_ecdsa_key", 0600),
|
|
"ecdsa_public": ("/etc/ssh/ssh_host_ecdsa_key.pub", 0644),
|
|
}
|
|
|
|
PRIV_2_PUB = {
|
|
'rsa_private': 'rsa_public',
|
|
'dsa_private': 'dsa_public',
|
|
'ecdsa_private': 'ecdsa_public',
|
|
}
|
|
|
|
KEY_GEN_TPL = 'o=$(ssh-keygen -yf "%s") && echo "$o" root@localhost > "%s"'
|
|
|
|
GENERATE_KEY_NAMES = ['rsa', 'dsa', 'ecdsa']
|
|
|
|
KEY_FILE_TPL = '/etc/ssh/ssh_host_%s_key'
|
|
|
|
|
|
def handle(_name, cfg, cloud, log, _args):
|
|
|
|
# remove the static keys from the pristine image
|
|
if cfg.get("ssh_deletekeys", True):
|
|
key_pth = os.path.join("/etc/ssh/", "ssh_host_*key*")
|
|
for f in glob.glob(key_pth):
|
|
try:
|
|
util.del_file(f)
|
|
except:
|
|
util.logexc(log, "Failed deleting key file %s", f)
|
|
|
|
if "ssh_keys" in cfg:
|
|
# if there are keys in cloud-config, use them
|
|
for (key, val) in cfg["ssh_keys"].iteritems():
|
|
if key in KEY_2_FILE:
|
|
tgt_fn = KEY_2_FILE[key][0]
|
|
tgt_perms = KEY_2_FILE[key][1]
|
|
util.write_file(tgt_fn, val, tgt_perms)
|
|
|
|
for (priv, pub) in PRIV_2_PUB.iteritems():
|
|
if pub in cfg['ssh_keys'] or not priv in cfg['ssh_keys']:
|
|
continue
|
|
pair = (KEY_2_FILE[priv][0], KEY_2_FILE[pub][0])
|
|
cmd = ['sh', '-xc', KEY_GEN_TPL % pair]
|
|
try:
|
|
# TODO(harlowja): Is this guard needed?
|
|
with util.SeLinuxGuard("/etc/ssh", recursive=True):
|
|
util.subp(cmd, capture=False)
|
|
log.debug("Generated a key for %s from %s", pair[0], pair[1])
|
|
except:
|
|
util.logexc(log, ("Failed generated a key"
|
|
" for %s from %s"), pair[0], pair[1])
|
|
else:
|
|
# if not, generate them
|
|
genkeys = util.get_cfg_option_list(cfg,
|
|
'ssh_genkeytypes',
|
|
GENERATE_KEY_NAMES)
|
|
for keytype in genkeys:
|
|
keyfile = KEY_FILE_TPL % (keytype)
|
|
util.ensure_dir(os.path.dirname(keyfile))
|
|
if not os.path.exists(keyfile):
|
|
cmd = ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile]
|
|
try:
|
|
# TODO(harlowja): Is this guard needed?
|
|
with util.SeLinuxGuard("/etc/ssh", recursive=True):
|
|
util.subp(cmd, capture=False)
|
|
except:
|
|
util.logexc(log, ("Failed generating key type"
|
|
" %s to file %s"), keytype, keyfile)
|
|
|
|
try:
|
|
(users, _groups) = ds.normalize_users_groups(cfg, cloud.distro)
|
|
(user, _user_config) = ds.extract_default(users)
|
|
disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
|
|
disable_root_opts = util.get_cfg_option_str(cfg, "disable_root_opts",
|
|
DISABLE_ROOT_OPTS)
|
|
|
|
keys = cloud.get_public_ssh_keys() or []
|
|
if "ssh_authorized_keys" in cfg:
|
|
cfgkeys = cfg["ssh_authorized_keys"]
|
|
keys.extend(cfgkeys)
|
|
|
|
apply_credentials(keys, user, disable_root, disable_root_opts)
|
|
except:
|
|
util.logexc(log, "Applying ssh credentials failed!")
|
|
|
|
|
|
def apply_credentials(keys, user, disable_root, disable_root_opts):
|
|
|
|
keys = set(keys)
|
|
if user:
|
|
ssh_util.setup_user_keys(keys, user, '')
|
|
|
|
if disable_root:
|
|
if not user:
|
|
user = "NONE"
|
|
key_prefix = disable_root_opts.replace('$USER', user)
|
|
else:
|
|
key_prefix = ''
|
|
|
|
ssh_util.setup_user_keys(keys, 'root', key_prefix)
|