U ӇgX@slddlZddlZddlZddlmZddlmZmZmZddl m Z m Z m Z e eZdZdZdZdeed ZGd d d ZGd d d ZddZddZddZddZddZddZefddZd7ddZGdddZeed d!d"Z eed d#d$Z!d%d&Z"ee#d'd(d)Z$d*d+Z%efd,d-Z&d.d/Z'efeeeefd0d1d2Z(d3d4Z)d5d6Z*dS)8N)suppress)ListSequenceTuple) lifecyclesubputilz/etc/ssh/sshd_config)ZrsaZecdsaZed25519z(ecdsa-sha2-nistp256-cert-v01@openssh.comzecdsa-sha2-nistp256z(ecdsa-sha2-nistp384-cert-v01@openssh.comzecdsa-sha2-nistp384z(ecdsa-sha2-nistp521-cert-v01@openssh.comzecdsa-sha2-nistp521z+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz"sk-ecdsa-sha2-nistp256@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comzsk-ssh-ed25519@openssh.comz ssh-ed25519-cert-v01@openssh.comz ssh-ed25519zssh-rsa-cert-v01@openssh.comzssh-rsazssh-xmss-cert-v01@openssh.comzssh-xmss@openssh.comzno-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit "c@s&eZdZdddZddZddZdS) AuthKeyLineNcCs"||_||_||_||_||_dSN)base64commentoptionskeytypesource)selfrrr rrr4/usr/lib/python3/dist-packages/cloudinit/ssh_util.py__init__Es zAuthKeyLine.__init__cCs |jo |jSr )r rrrrrvalidNszAuthKeyLine.validcCsdg}|jr||j|jr(||j|jr:||j|jrL||j|sV|jSd|SdSN )rappendrr rrjoin)rtoksrrr__str__Qs    zAuthKeyLine.__str__)NNNN)__name__ __module__ __qualname__rrrrrrrr Ds r c@s"eZdZdZddZdddZdS)AuthKeyLineParserau AUTHORIZED_KEYS FILE FORMAT AuthorizedKeysFile specifies the file containing public keys for public key authentication; if none is specified, the default is ~/.ssh/authorized_keys. Each line of the file contains one key (empty (because of the size of the public key encoding) up to a limit of 8 kilo- bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. You don't want to type them in; instead, copy the identity.pub or the id_rsa.pub file and edit it. sshd enforces a minimum RSA key modulus size for protocol 1 and protocol 2 keys of 768 bits. The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. The fol- lowing option specifications are supported (note that option keywords are case-insensitive): cCsd}d}|t|kr|s$||dkr||}|dt|krF|d}q||d}|dkrl|dkrl|d}n|dkrz| }|d}q|d|}||d}||fS)z The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. Note that option keywords are case-insensitive. Fr)r \r N)lenlstrip)rentZquotediZcurcZnextcrremainrrr_extract_optionsus     z"AuthKeyLineParser._extract_optionsNc Cs|d}|ds |dkr(t|Sdd}|}z||\}}}Wnbtk r||\} } |dkrt| }z|| \}}}Wn tk rt|YYSXYnXt|||||dS)Nz #cSs^|dd}t|dkr(tdt||dtkrDtd|dt|dkrZ|d|S)NzTo few fields: %srzInvalid keytype %sr,)splitr% TypeErrorVALID_KEY_TYPESr)r'rrrr parse_ssh_keys     z.AuthKeyLineParser.parse..parse_ssh_key)rr rr)rstrip startswithstripr r/r*) rZsrc_linerliner1r'rr rZkeyoptsr)rrrparses, zAuthKeyLineParser.parse)N)rrr __doc__r*r6rrrrr!asr!c Cs|g}t}g}|D]d}z8tj|rLt|}|D]}|||q6Wqt t fk rtt t d|YqXq|S)NzError reading lines from %s) r!ospathisfilerload_text_file splitlinesrr6IOErrorOSErrorlogexcLOG)fnameslinesparsercontentsfnamer5rrrparse_authorized_keyss rFcCstdd|D}tt|D]J}||}|s4q|D]&}|j|jkr8|}||kr8||q8|||<q|D]}||qndd|D}|dd|S)NcSsg|]}|r|qSr)r.0krrr sz*update_authorized_keys..cSsg|] }t|qSrstr)rHbrrrrJsr, )listranger%rr removerr)Z old_entrieskeysZto_addr(r'rIkeyrBrrrupdate_authorized_keyss      rTcCs4t|}|r|js td|tj|jd|fS)Nz"Unable to get SSH info for user %rz.ssh)pwdgetpwnampw_dir RuntimeErrorr8r9r)usernamepw_entrrrusers_ssh_infos   r[c Cspd|fd|fdf}|sd}|}g}|D]@}|D]\}}|||}q2|ds`tj||}||q*|S)N%h%u)z%%%%h/.ssh/authorized_keys/)r.replacer3r8r9rr) valueZhomedirrYZmacrospathsZrenderedr9ZmacroZfieldrrrrender_authorizedkeysfile_pathss   rdc Csd}|r d}t|}|r@||kr@|dkr@td||||dSt|}||kr\|dM}n.t|}t|} || kr|dM}n|dM}||@d krtd |||dS|r|d @d krtd ||dSd S)aVCheck if the file/folder in @current_path has the right permissions. We need to check that: 1. If StrictMode is enabled, the owner is either root or the user 2. the user can access the file/folder, otherwise ssh won't use it 3. If StrictMode is enabled, no write permission is given to group and world users (022) iirootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.F8rzBPath %s in %s must be accessible by user %s, check its permissionszRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)rZ get_ownerr@debugZget_permissionsZ get_groupZget_user_groups) rYZ current_path full_pathis_file strictmodesZminimal_permissionsownerZparent_permissionZ group_ownerZ user_groupsrrrcheck_permissionssJ        roc Cst|d}tdd}z|ddd}d}tj|j}|D]}|d|7}tj|rttd|WdStj |rtd|WdS| |sD||jkrqDtj |st |Pd } |j} |j} | |jrd } |j} |j} tj|| d d t || | W5QRXt|||d|} | sDWdSqDtj|sRtj|rdtd |WdStj |st j|ddd dt ||j|jt|||d |} | sWdSWn>ttfk r} zt tt| WYdSd} ~ XYnXd S)Nr#rer`r,z-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %srfT)modeexist_okz%s is not a file!)rrZensure_dir_exists)r[r.r8r9dirnamerWislinkr@rjr:r3existsr SeLinuxGuardZpw_uidZpw_gidmakedirsZ chownbyidroisdir write_filer=r>r?rL)rYfilenamermZ user_pwentZ root_pwentZ directoriesZ parent_folderZ home_folderZ directoryrrZuidgidZ permissionserrrcheck_create_pathGs          rc Cs t|\}}tj|d}|}g}tj|ddnz2t|}|dd}|dd} t||j |}Wn4t t fk r||d<t t d t|dYnXW5QRXt||D]H\} } td | kd | k| d |j grt|| | dk} | r| }qq||krt d ||t|gfS)NZauthorized_keysT recursiveZauthorizedkeysfiler_rmZyesrzhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadr]r\z{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)r[r8r9rrrxparse_ssh_config_mapgetrdrWr=r>r?r@ DEF_SSHD_CFGzipr.anyr3formatrrjrF) rYZ sshd_cfg_filessh_dirrZZdefault_authorizedkeys_fileZuser_authorizedkeys_fileZ auth_key_fnsZssh_cfgZ key_pathsrmZkey_path auth_key_fnZpermissions_okrrrextract_authorized_keyss`    rc Cs|t}g}|D]}||jt||dqt|\}}tj|}tj |dd t ||} tj || ddW5QRXdS)N)rTr preserve_mode) r!rr6rLrr8r9rurrxrTr{) rRrYrrCZ key_entriesrIrZauth_key_entriesrcontentrrrsetup_user_keyss   rc@s*eZdZdddZeddZddZdS) SshdConfigLineNcCs||_||_||_dSr )r5_keyrb)rr5rIvrrrrszSshdConfigLine.__init__cCs|jdkrdS|jSr )rlowerrrrrrSs zSshdConfigLine.keycCs>|jdkrt|jSt|j}|jr6|dt|j7}|SdSr)rrLr5rb)rrrrrrs    zSshdConfigLine.__str__)NN)rrr rpropertyrSrrrrrrs  r)returncCs"tj|sgStt|Sr )r8r9r:parse_ssh_config_linesrr;r<rErrrparse_ssh_configs rc Csg}|D]}|}|r"|dr2|t|qz|dd\}}WnPtk rz|dd\}}Wn&tk rtd|YYqYnXYnX|t|||q|S)Nr+r#=z;sshd_config: option "%s" has no key/value pair, skipping it)r4r3rrr. ValueErrorr@rj)rBretr5rSvalrrrrs&rcCs6t|}|siSi}|D]}|js$q|j||j<q|Sr )rrSrb)rErBrr5rrrrsr)rErcCs@tj|sdSt|D]}|d|drdSqdS)NFzInclude z .d/*.confT)r8r9r:rr;r<r3)rEr5rrr_includes_dconf"s  rcCs^t|rZtj|ds.tj|dddtj|dd}tj|sZt|d|S)Nz.drq)rrz50-cloud-init.confrt) rr8r9rzrZ ensure_dirrr:Z ensure_filerrrr"_ensure_cloud_init_ssh_config_file+s  rcCsPt|}t|}t||d}|rDtj|ddd|Ddddt|dkS)zRead fname, and update if changes are necessary. @param updates: dictionary of desired values {Option: value} @return: boolean indicating if an update was done.)rBupdatesrNcSsg|] }t|qSrrK)rHr5rrrrJAsz%update_ssh_config..Trr)rrupdate_ssh_config_linesrr{rr%)rrErBchangedrrrupdate_ssh_config6s rc Cst}g}tdd|D}t|ddD]v\}}|js.r#)startz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %sr,z line %d: option %s added with %s) setdictrR enumeraterSaddrbr@rjrr%itemsr) rBrfoundrZcasemapr(r5rSrbrrrrGsN      r)rBcCs>|sdSt|}dd|D}tj|d|dddddS)Ncss |]\}}|d|VqdS)rNr)rHrIrrrr ysz$append_ssh_config..rNZabT)Zomoder)rrr{r)rBrErrrrappend_ssh_configus rc Cspd}ttj tjddgddgd\}}W5QRXd}|dD](}||rB|t||d SqBd S) zGet the full version of the OpenSSH sshd daemon on the system. On an ubuntu system, this would look something like: 1.2p1 Ubuntu-1ubuntu0.1 If we can't find `sshd` or parse the version number, return None. r,Zsshdz-Vrr#)ZrcsZOpenSSH_rN,N)rrZProcessExecutionErrorr.r3r%find)err_prefixr5rrrget_opensshd_versions  $ rc Csd}t}|dkrtj|Sd|kr:|d|d}n d|krV|d|d}n|}ztj|}|WSttfk rtd|YnXdS)zGet the upstream version of the OpenSSH sshd daemon on the system. This will NOT include the portable number, so if the Ubuntu version looks like `1.2p1 Ubuntu-1ubuntu0.1`, then this function would return `1.2` z9.0Nprz Could not parse sshd version: %s) rrZVersionZfrom_strrrr/r@Zwarning)Zupstream_versionZ full_versionrrrget_opensshd_upstream_versions  r)N)+Zloggingr8rU contextlibrtypingrrrZ cloudinitrrrZ getLoggerrr@rr0Z_DISABLE_USER_SSH_EXITrLZDISABLE_USER_OPTSr r!rFrTr[rdrorrrrrrrboolrrrrrrrrrrr sH  YEO 9    .