f566314695
Now, parser.parse specifies options that override any options found, rather than just being default options. There could still potentially be a user for default_options, but since we're not using them anywhere, I've dropped it. The difference is that in setting up the root user, we're now insisting that all keys that go in there have the key_prefix, even if the key content had other options. I think this is actually the commit that fixes LP: #1136343.
139 lines
5.1 KiB
Python
139 lines
5.1 KiB
Python
# vi: ts=4 expandtab
|
|
#
|
|
# Copyright (C) 2009-2010 Canonical Ltd.
|
|
# Copyright (C) 2012 Hewlett-Packard Development Company, L.P.
|
|
#
|
|
# Author: Scott Moser <scott.moser@canonical.com>
|
|
# Author: Juerg Haefliger <juerg.haefliger@hp.com>
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License version 3, as
|
|
# published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import glob
|
|
import os
|
|
|
|
# Ensure this is aliased to a name not 'distros'
|
|
# since the module attribute 'distros'
|
|
# is a list of distros that are supported, not a sub-module
|
|
from cloudinit import distros as ds
|
|
|
|
from cloudinit import ssh_util
|
|
from cloudinit import util
|
|
|
|
DISABLE_ROOT_OPTS = ("no-port-forwarding,no-agent-forwarding,"
|
|
"no-X11-forwarding,command=\"echo \'Please login as the user \\\"$USER\\\" "
|
|
"rather than the user \\\"root\\\".\';echo;sleep 10\"")
|
|
|
|
KEY_2_FILE = {
|
|
"rsa_private": ("/etc/ssh/ssh_host_rsa_key", 0600),
|
|
"rsa_public": ("/etc/ssh/ssh_host_rsa_key.pub", 0644),
|
|
"dsa_private": ("/etc/ssh/ssh_host_dsa_key", 0600),
|
|
"dsa_public": ("/etc/ssh/ssh_host_dsa_key.pub", 0644),
|
|
"ecdsa_private": ("/etc/ssh/ssh_host_ecdsa_key", 0600),
|
|
"ecdsa_public": ("/etc/ssh/ssh_host_ecdsa_key.pub", 0644),
|
|
}
|
|
|
|
PRIV_2_PUB = {
|
|
'rsa_private': 'rsa_public',
|
|
'dsa_private': 'dsa_public',
|
|
'ecdsa_private': 'ecdsa_public',
|
|
}
|
|
|
|
KEY_GEN_TPL = 'o=$(ssh-keygen -yf "%s") && echo "$o" root@localhost > "%s"'
|
|
|
|
GENERATE_KEY_NAMES = ['rsa', 'dsa', 'ecdsa']
|
|
|
|
KEY_FILE_TPL = '/etc/ssh/ssh_host_%s_key'
|
|
|
|
|
|
def handle(_name, cfg, cloud, log, _args):
|
|
|
|
# remove the static keys from the pristine image
|
|
if cfg.get("ssh_deletekeys", True):
|
|
key_pth = os.path.join("/etc/ssh/", "ssh_host_*key*")
|
|
for f in glob.glob(key_pth):
|
|
try:
|
|
util.del_file(f)
|
|
except:
|
|
util.logexc(log, "Failed deleting key file %s", f)
|
|
|
|
if "ssh_keys" in cfg:
|
|
# if there are keys in cloud-config, use them
|
|
for (key, val) in cfg["ssh_keys"].iteritems():
|
|
if key in KEY_2_FILE:
|
|
tgt_fn = KEY_2_FILE[key][0]
|
|
tgt_perms = KEY_2_FILE[key][1]
|
|
util.write_file(tgt_fn, val, tgt_perms)
|
|
|
|
for (priv, pub) in PRIV_2_PUB.iteritems():
|
|
if pub in cfg['ssh_keys'] or not priv in cfg['ssh_keys']:
|
|
continue
|
|
pair = (KEY_2_FILE[priv][0], KEY_2_FILE[pub][0])
|
|
cmd = ['sh', '-xc', KEY_GEN_TPL % pair]
|
|
try:
|
|
# TODO(harlowja): Is this guard needed?
|
|
with util.SeLinuxGuard("/etc/ssh", recursive=True):
|
|
util.subp(cmd, capture=False)
|
|
log.debug("Generated a key for %s from %s", pair[0], pair[1])
|
|
except:
|
|
util.logexc(log, ("Failed generated a key"
|
|
" for %s from %s"), pair[0], pair[1])
|
|
else:
|
|
# if not, generate them
|
|
genkeys = util.get_cfg_option_list(cfg,
|
|
'ssh_genkeytypes',
|
|
GENERATE_KEY_NAMES)
|
|
for keytype in genkeys:
|
|
keyfile = KEY_FILE_TPL % (keytype)
|
|
util.ensure_dir(os.path.dirname(keyfile))
|
|
if not os.path.exists(keyfile):
|
|
cmd = ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile]
|
|
try:
|
|
# TODO(harlowja): Is this guard needed?
|
|
with util.SeLinuxGuard("/etc/ssh", recursive=True):
|
|
util.subp(cmd, capture=False)
|
|
except:
|
|
util.logexc(log, ("Failed generating key type"
|
|
" %s to file %s"), keytype, keyfile)
|
|
|
|
try:
|
|
(users, _groups) = ds.normalize_users_groups(cfg, cloud.distro)
|
|
(user, _user_config) = ds.extract_default(users)
|
|
disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
|
|
disable_root_opts = util.get_cfg_option_str(cfg, "disable_root_opts",
|
|
DISABLE_ROOT_OPTS)
|
|
|
|
keys = cloud.get_public_ssh_keys() or []
|
|
if "ssh_authorized_keys" in cfg:
|
|
cfgkeys = cfg["ssh_authorized_keys"]
|
|
keys.extend(cfgkeys)
|
|
|
|
apply_credentials(keys, user, disable_root, disable_root_opts)
|
|
except:
|
|
util.logexc(log, "Applying ssh credentials failed!")
|
|
|
|
|
|
def apply_credentials(keys, user, disable_root, disable_root_opts):
|
|
|
|
keys = set(keys)
|
|
if user:
|
|
ssh_util.setup_user_keys(keys, user)
|
|
|
|
if disable_root:
|
|
if not user:
|
|
user = "NONE"
|
|
key_prefix = disable_root_opts.replace('$USER', user)
|
|
else:
|
|
key_prefix = ''
|
|
|
|
ssh_util.setup_user_keys(keys, 'root', options=key_prefix)
|