bd8c4d84c2
the previous 'user' and make those locations go through the new distros functions to select the default user or the user list (depending on usage). Adjust the tests to check the new 'default' field that signifies the default user + test the new method to extract just the default user from a normalized user dictionary.
137 lines
5.1 KiB
Python
137 lines
5.1 KiB
Python
# vi: ts=4 expandtab
|
|
#
|
|
# Copyright (C) 2009-2010 Canonical Ltd.
|
|
# Copyright (C) 2012 Hewlett-Packard Development Company, L.P.
|
|
#
|
|
# Author: Scott Moser <scott.moser@canonical.com>
|
|
# Author: Juerg Haefliger <juerg.haefliger@hp.com>
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License version 3, as
|
|
# published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import glob
|
|
import os
|
|
|
|
from cloudinit import distros as ds
|
|
from cloudinit import ssh_util
|
|
from cloudinit import util
|
|
|
|
DISABLE_ROOT_OPTS = ("no-port-forwarding,no-agent-forwarding,"
|
|
"no-X11-forwarding,command=\"echo \'Please login as the user \\\"$USER\\\" "
|
|
"rather than the user \\\"root\\\".\';echo;sleep 10\"")
|
|
|
|
KEY_2_FILE = {
|
|
"rsa_private": ("/etc/ssh/ssh_host_rsa_key", 0600),
|
|
"rsa_public": ("/etc/ssh/ssh_host_rsa_key.pub", 0644),
|
|
"dsa_private": ("/etc/ssh/ssh_host_dsa_key", 0600),
|
|
"dsa_public": ("/etc/ssh/ssh_host_dsa_key.pub", 0644),
|
|
"ecdsa_private": ("/etc/ssh/ssh_host_ecdsa_key", 0600),
|
|
"ecdsa_public": ("/etc/ssh/ssh_host_ecdsa_key.pub", 0644),
|
|
}
|
|
|
|
PRIV_2_PUB = {
|
|
'rsa_private': 'rsa_public',
|
|
'dsa_private': 'dsa_public',
|
|
'ecdsa_private': 'ecdsa_public',
|
|
}
|
|
|
|
KEY_GEN_TPL = 'o=$(ssh-keygen -yf "%s") && echo "$o" root@localhost > "%s"'
|
|
|
|
GENERATE_KEY_NAMES = ['rsa', 'dsa', 'ecdsa']
|
|
|
|
KEY_FILE_TPL = '/etc/ssh/ssh_host_%s_key'
|
|
|
|
|
|
def handle(_name, cfg, cloud, log, _args):
|
|
|
|
# remove the static keys from the pristine image
|
|
if cfg.get("ssh_deletekeys", True):
|
|
key_pth = cloud.paths.join(False, "/etc/ssh/", "ssh_host_*key*")
|
|
for f in glob.glob(key_pth):
|
|
try:
|
|
util.del_file(f)
|
|
except:
|
|
util.logexc(log, "Failed deleting key file %s", f)
|
|
|
|
if "ssh_keys" in cfg:
|
|
# if there are keys in cloud-config, use them
|
|
for (key, val) in cfg["ssh_keys"].iteritems():
|
|
if key in KEY_2_FILE:
|
|
tgt_fn = KEY_2_FILE[key][0]
|
|
tgt_perms = KEY_2_FILE[key][1]
|
|
util.write_file(cloud.paths.join(False, tgt_fn),
|
|
val, tgt_perms)
|
|
|
|
for (priv, pub) in PRIV_2_PUB.iteritems():
|
|
if pub in cfg['ssh_keys'] or not priv in cfg['ssh_keys']:
|
|
continue
|
|
pair = (KEY_2_FILE[priv][0], KEY_2_FILE[pub][0])
|
|
cmd = ['sh', '-xc', KEY_GEN_TPL % pair]
|
|
try:
|
|
# TODO(harlowja): Is this guard needed?
|
|
with util.SeLinuxGuard("/etc/ssh", recursive=True):
|
|
util.subp(cmd, capture=False)
|
|
log.debug("Generated a key for %s from %s", pair[0], pair[1])
|
|
except:
|
|
util.logexc(log, ("Failed generated a key"
|
|
" for %s from %s"), pair[0], pair[1])
|
|
else:
|
|
# if not, generate them
|
|
genkeys = util.get_cfg_option_list(cfg,
|
|
'ssh_genkeytypes',
|
|
GENERATE_KEY_NAMES)
|
|
for keytype in genkeys:
|
|
keyfile = cloud.paths.join(False, KEY_FILE_TPL % (keytype))
|
|
util.ensure_dir(os.path.dirname(keyfile))
|
|
if not os.path.exists(keyfile):
|
|
cmd = ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile]
|
|
try:
|
|
# TODO(harlowja): Is this guard needed?
|
|
with util.SeLinuxGuard("/etc/ssh", recursive=True):
|
|
util.subp(cmd, capture=False)
|
|
except:
|
|
util.logexc(log, ("Failed generating key type"
|
|
" %s to file %s"), keytype, keyfile)
|
|
|
|
try:
|
|
(users, _groups) = ds.normalize_users_groups(cfg, cloud.distro)
|
|
(user, _user_config) = ds.extract_default(users)
|
|
disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
|
|
disable_root_opts = util.get_cfg_option_str(cfg, "disable_root_opts",
|
|
DISABLE_ROOT_OPTS)
|
|
|
|
keys = cloud.get_public_ssh_keys() or []
|
|
if "ssh_authorized_keys" in cfg:
|
|
cfgkeys = cfg["ssh_authorized_keys"]
|
|
keys.extend(cfgkeys)
|
|
|
|
apply_credentials(keys, user, cloud.paths,
|
|
disable_root, disable_root_opts)
|
|
except:
|
|
util.logexc(log, "Applying ssh credentials failed!")
|
|
|
|
|
|
def apply_credentials(keys, user, paths, disable_root, disable_root_opts):
|
|
|
|
keys = set(keys)
|
|
if user:
|
|
ssh_util.setup_user_keys(keys, user, '', paths)
|
|
|
|
if disable_root:
|
|
if not user:
|
|
user = "NONE"
|
|
key_prefix = disable_root_opts.replace('$USER', user)
|
|
else:
|
|
key_prefix = ''
|
|
|
|
ssh_util.setup_user_keys(keys, 'root', key_prefix, paths)
|