o w7eGY@snddlZddlZddlmZddlmZmZmZddlm Z ddlm Z m Z e eZdZdZdZd eed ZGd d d ZGd ddZddZddZddZddZddZddZefddZd8ddZGdd d Zd!eefd"d#Z d!eefd$d%Z!d&d'Z"d(ed!e#fd)d*Z$d+d,Z%efd-d.Z&d/d0Z'efd1eeeeffd2d3Z(d4d5Z)d6d7Z*dS)9N)suppress)ListSequenceTuple)log)subputilz/etc/ssh/sshd_config)dsarsaecdsaed25519z(ecdsa-sha2-nistp256-cert-v01@openssh.comzecdsa-sha2-nistp256z(ecdsa-sha2-nistp384-cert-v01@openssh.comzecdsa-sha2-nistp384z(ecdsa-sha2-nistp521-cert-v01@openssh.comzecdsa-sha2-nistp521z+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz"sk-ecdsa-sha2-nistp256@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comzsk-ssh-ed25519@openssh.comzssh-dss-cert-v01@openssh.comzssh-dssz ssh-ed25519-cert-v01@openssh.comz ssh-ed25519zssh-rsa-cert-v01@openssh.comzssh-rsazssh-xmss-cert-v01@openssh.comzssh-xmss@openssh.comzno-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit "c@s(eZdZ dddZddZddZdS) AuthKeyLineNcCs"||_||_||_||_||_dSN)base64commentoptionskeytypesource)selfrrrrrr4/usr/lib/python3/dist-packages/cloudinit/ssh_util.py__init__Hs  zAuthKeyLine.__init__cCs |jo|jSr)rrrrrrvalidQs zAuthKeyLine.validcCs`g}|jr ||j|jr||j|jr||j|jr&||j|s+|jSd|SN )rappendrrrrjoin)rtoksrrr__str__Ts     zAuthKeyLine.__str__)NNNN)__name__ __module__ __qualname__rrr!rrrrrGs   rc@s"eZdZdZddZdddZdS)AuthKeyLineParsera AUTHORIZED_KEYS FILE FORMAT AuthorizedKeysFile specifies the file containing public keys for public key authentication; if none is specified, the default is ~/.ssh/authorized_keys. Each line of the file contains one key (empty (because of the size of the public key encoding) up to a limit of 8 kilo- bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. You don't want to type them in; instead, copy the identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it. sshd enforces a minimum RSA key modulus size for protocol 1 and protocol 2 keys of 768 bits. The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. The fol- lowing option specifications are supported (note that option keywords are case-insensitive): cCsd}d}|t|krO|s||dvrO||}|dt|kr#|d}n,||d}|dkr6|dkr6|d}n|dkr=| }|d}|t|krO|s||dvs|d|}||d}||fS)z The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. Note that option keywords are case-insensitive. Fr)r \rN)lenlstrip)rentquotedicurcnextcrremainrrr_extract_optionsxs"   z"AuthKeyLineParser._extract_optionsNc Cs|d}|ds|dkrt|Sdd}|}z ||\}}}Wn/tyT||\} } |dur9| }z || \}}}WntyQt|YYSwYnwt|||||dS)Nz #cSs^|dd}t|dkrtdt||dtvr"td|dt|dkr-|d|S)NzTo few fields: %srzInvalid keytype %sr3)splitr) TypeErrorVALID_KEY_TYPESr)r+r rrr parse_ssh_keys     z.AuthKeyLineParser.parse..parse_ssh_key)rrrr)rstrip startswithstriprr6r1) rsrc_linerliner8r+rrrkeyoptsr0rrrparses2    zAuthKeyLineParser.parser)r"r#r$__doc__r1r?rrrrr%dsr%c Csxg}t}g}|D]0}ztj|r&t|}|D] }|||qWq t t fy9t t d|Yq w|S)NzError reading lines from %s) r%ospathisfiler load_file splitlinesrr?IOErrorOSErrorlogexcLOG)fnameslinesparsercontentsfnamer=rrrparse_authorized_keyss rOcCstdd|D}tdt|D]%}||}|sq|D]}|j|jkr0|}||vr0||q|||<q|D]}||q8dd|D}|dd|S)NcSsg|]}|r|qSr)r.0krrr z*update_authorized_keys..rcSg|]}t|qSrstr)rQbrrrrSr3 )listranger)rrremoverr) old_entrieskeysto_addr-r+rRkeyrKrrrupdate_authorized_keyss"      rbcCs4t|}|r |jstd|tj|jd|fS)Nz"Unable to get SSH info for user %rz.ssh)pwdgetpwnampw_dir RuntimeErrorrArBr)usernamepw_entrrrusers_ssh_infos   ric Cspd|fd|fdf}|s d}|}g}|D] }|D] \}}|||}q|ds0tj||}||q|S)N%h%u)z%%%%h/.ssh/authorized_keys/)r5replacer:rArBrr) valuehomedirrgmacrospathsrenderedrBmacrofieldrrrrender_authorizedkeysfile_pathss   rwc Csd}|rd}t|}|r ||kr |dkr td||||dSt|}||kr.|dM}nt|}t|} || vrA|dM}n|dM}||@d krUtd |||dS|rf|d @d krftd ||dSd S)aVCheck if the file/folder in @current_path has the right permissions. We need to check that: 1. If StrictMode is enabled, the owner is either root or the user 2. the user can access the file/folder, otherwise ssh won't use it 3. If StrictMode is enabled, no write permission is given to group and world users (022) iirootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.F8rzBPath %s in %s must be accessible by user %s, check its permissionszRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)r get_ownerrIdebugget_permissions get_groupget_user_groups) rg current_path full_pathis_file strictmodesminimal_permissionsownerparent_permission group_owner user_groupsrrrcheck_permissionssJ        rc Cst|d}tdd}z|ddd}d}tj|j}|D]}|d|7}tj|r9td|WdStj |rItd|WdS| |sS||jkrTq!tj |st |-d } |j} |j} | |jrvd } |j} |j} tj|| d d t || | Wdn1swYt|||d|} | sWdSq!tj|stj|rtd |WdStj |st j|ddd dt ||j|jt|||d |} | sWdSWd Sttfy} zt tt| WYd} ~ dSd} ~ ww)Nr'rxrnr3z-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %sryT)modeexist_okz%s is not a file!)rensure_dir_exists)rir5rArBdirnamereislinkrIr~rCr:existsr SeLinuxGuardpw_uidpw_gidmakedirs chownbyidrisdir write_filerFrGrHrW)rgfilenamer user_pwent root_pwent directories parent_folder home_folder directoryruidgid permissionserrrcheck_create_pathJsv             rc Cs0t|\}}tj|d}|}g}tj|dd;zt|}|dd}|dd} t||j |}Wnt t fyK||d<t t d t|dYnwWdn1sVwYt||D]$\} } td | vd | v| d |j grt|| | dk} | r| }nqb||krt d ||t|gfS)Nauthorized_keysT recursiveauthorizedkeysfilermryesrzhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadrkrjz{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)rirArBrrrparse_ssh_config_mapgetrwrerFrGrHrI DEF_SSHD_CFGzipr5anyr:formatrr~rO) rg sshd_cfg_filessh_dirrhdefault_authorizedkeys_fileuser_authorizedkeys_file auth_key_fnsssh_cfg key_pathsrkey_path auth_key_fnpermissions_okrrrextract_authorized_keyss^   rc Cst}g}|D]}||jt||dqt|\}}tj|}tj |ddt ||} tj || ddWddS1sBwYdS)N)rTr preserve_mode) r%rr?rWrrArBrrrrbr) r_rgrrL key_entriesrRrauth_key_entriesrcontentrrrsetup_user_keyss   "rc@s*eZdZdddZeddZddZdS) SshdConfigLineNcCs||_||_||_dSr)r=_keyrp)rr=rRvrrrrs zSshdConfigLine.__init__cCs|jdurdS|jSr)rlowerrrrrras  zSshdConfigLine.keycCs:|jdur t|jSt|j}|jr|dt|j7}|Sr)rrWr=rp)rrrrrr!s   zSshdConfigLine.__str__)NN)r"r#r$rpropertyrar!rrrrrs    rreturncCs"tj|sgStt|Sr)rArBrCparse_ssh_config_linesrrDrErNrrrparse_ssh_configs rc Csg}|D]M}|}|r|dr|t|qz |dd\}}Wn$tyGz |dd\}}WntyDtd|YYqwYnw|t|||q|S)Nr2r'=z;sshd_config: option "%s" has no key/value pair, skipping it)r;r:rrr5 ValueErrorrIr~)rKretr=ravalrrrrs,   rcCs6t|}|siSi}|D] }|jsq |j||j<q |Sr)rrarp)rNrKrr=rrrrsrrNcCsntj|sdSt|d }|D]}|d|dr$WddSqWddS1s0wYdS)NFrzInclude z .d/*.confT)rArBrCopenr:)rNfr=rrr_includes_dconf%s   rcCs^t|r-tj|dstj|dddtj|dd}tj|s-t|d|S)Nz.dr)rz50-cloud-init.confr) rrArBrr ensure_dirrrC ensure_filerrrr"_ensure_cloud_init_ssh_config_file/s  rcCsPt|}t|}t||d}|r"tj|ddd|Ddddt|dkS)zRead fname, and update if changes are necessary. @param updates: dictionary of desired values {Option: value} @return: boolean indicating if an update was done.)rKupdatesrZcSrUrrV)rQr=rrrrSErYz%update_ssh_config..Trr)rrupdate_ssh_config_linesrrrr))rrNrKchangedrrrupdate_ssh_config:s  rc Cst}g}tdd|D}t|ddD];\}}|jsq|j|vrQ||j}||}|||j|kr?td|||q| |td|||j|||_qt |t |kr| D]!\}}||vrgq^| || t d||tdt |||q^|S) zUpdate the SSH config lines per updates. @param lines: array of SshdConfigLine. This array is updated in place. @param updates: dictionary of desired values {Option: value} @return: A list of keys in updates that were changed.cSsg|]}||fqSr)rrPrrrrSUrTz+update_ssh_config_lines..r')startz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %sr3z line %d: option %s added with %s) setdictr_ enumerateraaddrprIr~rr)itemsr) rKrfoundrcasemapr-r=rarprrrrKsD       rrKcCs>|sdSt|}dd|D}tj|d|dddddS)Ncss"|] \}}|d|VqdS)rNr)rQrRrrrr }s z$append_ssh_config..rZabT)omoder)rrrr)rKrNrrrrappend_ssh_configys  rcCsd}ttjtjddgddgd\}}Wdn1swYd}|d D]}||r?|t||d Sq+dS) zGet the full version of the OpenSSH sshd daemon on the system. On an ubuntu system, this would look something like: 1.2p1 Ubuntu-1ubuntu0.1 If we can't find `sshd` or parse the version number, return None. r3sshdz-Vrr')rcsNOpenSSH_rZ,)rrProcessExecutionErrorr5r:r)find)err_prefixr=rrrget_opensshd_versions  rc Csd}t}|durtj|Sd|vr|d|d}nd|vr+|d|d}n|}z tj|}|WSttfyHtd|YdSw)zGet the upstream version of the OpenSSH sshd dameon on the system. This will NOT include the portable number, so if the Ubuntu version looks like `1.2p1 Ubuntu-1ubuntu0.1`, then this function would return `1.2` z9.0Nprz Could not parse sshd version: %s) rrVersionfrom_strrrr6rIwarning)upstream_version full_versionrrrget_opensshd_upstream_versions  rr)+rArc contextlibrtypingrrr cloudinitrloggingrr getLoggerr"rIrr7_DISABLE_USER_SSH_EXITrWDISABLE_USER_OPTSrr%rOrbrirwrrrrrrrrboolrrrrrrrrrrrsJ   YE O 9  .