o f, @sUdZddlZddlZddlZddlZddlZddlmZmZm Z ddl m Z m Z m Z mZddlmZddlmZddlmZddlmZmZdd lmZd egegd Zeed <eeZgd ZdgZ e!dZ"dZ#dZ$gZ%ee&ed<iZ'iZ(eD]2Z)e'*e)de#e)dfe)de#e)ddfe)de#e)ddfie)de(e)d<q|dZ+de&ddfddZ,de&d ed!ed"e-ddf d#d$Z.d%d&Z/d*d'ee e&fd(d)Z0dS)+zSSH: Configure SSH and SSH keysN)ListOptionalSequence) lifecyclessh_utilsubputil)Cloud)Config) MetaSchema) ALL_DISTROSug_util) PER_INSTANCEcc_ssh)iddistros frequencyactivate_by_schema_keysmeta)rsaecdsaed25519rz4^(ecdsa-sk|ed25519-sk)_(private|public|certificate)$z/etc/ssh/ssh_host_%s_keyTHOST_KEY_PUBLISH_BLACKLIST_private_public.pub _certificatez -cert.pubz;o=$(ssh-keygen -yf "%s") && echo "$o" root@localhost > "%s"keyfilereturncCsld}t}|r|tddkrd}nd}td}|dkr%t|d|t||t|d|d S) a For fedora 37, centos 9 stream and below: - sshd version is earlier than version 9. - 'ssh_keys' group is present and owns the private keys. - private keys have permission 0o640. For fedora 38, centos 10 stream and above: - ssh version is atleast version 9. - 'ssh_keys' group is absent. 'root' group owns the keys. - private keys have permission 0o600, same as upstream. Public keys in all cases have permission 0o644. r rirssh_keysrN) rget_opensshd_upstream_versionrVersionr get_group_idoschownchmod)rpermissions_public ssh_versionpermissions_privategidr.9/usr/lib/python3/dist-packages/cloudinit/config/cc_ssh.pyset_redhat_keyfile_perms@s   r0namecfgcloudargsc$ Cs|ddr,tjdd}t|D]}zt|Wqty+tt d|Yqwd|vrg}|d D]:\}}|t vrRt |rHd} nd} t d | |q8t |d } t |d } t| || d |vrr|d t| fq8|rzt|t D]c\} } | |dvs| |dvrq~t | d t | d }}ddt||fg}z'tjdddtj|ddWdn1swYt d||Wq~tytt d|d|Yq~wnt|dt}ts|ndd|D}t||}|r t dd||D]}t|}tj|rq t tj!|dd|ddd |g}tjdddlz*tj|dd!d"id#\}}t"|d$dsSt#j$%t&||j'j(d%kr^t)|Wn9tj*y}z+t&|j+,}|j-d kr|,.d&rt d'|ntt d(||WYd}~nd}~wwWdn 1swYq d)|vrt|d)d*t/}t"|d)d+t0}nt/}t0}|rt1|d,}z|j23|Wntytt d-YnwzNt45||j'\}}t46|\}}t"|d.d} t7|d/tj8}!g}"t"|d0dr|9pg}"nt d1d2|vr-|d2}#|":|#t;|"|| |!WdStyGtt d3YdSw)4Nssh_deletekeysTz /etc/ssh/zssh_host_*key*zFailed deleting key file %sr" unsupported unrecognizedz Skipping %s ssh_keys entry: "%s"rrHostCertificateshz-xcz/etc/ssh) recursiveF)capturezGenerated a key for %s from %szFailed generating a key for z from ssh_genkeytypescSsg|]}|tvr|qSr.)FIPS_UNSUPPORTED_KEY_NAMES).0namesr.r.r/ zhandle..z5skipping keys that are not supported in fips mode: %s,z ssh-keygenz-tz-Nz-fLANGC)r< update_envssh_quiet_keygenredhatz unknown keyz!ssh-keygen: unknown key type '%s'z(Failed generating key type %s to file %sssh_publish_hostkeys blacklistenabled)rKzPublishing host keys failed! disable_rootdisable_root_optsallow_public_ssh_keyszSSkipping import of publish SSH keys per config setting: allow_public_ssh_keys=Falsessh_authorized_keysz Applying SSH credentials failed!)<getr'pathjoinglobrdel_file ExceptionlogexcLOGitemsCONFIG_KEY_TO_FILEpattern_unsupported_config_keysmatchwarning write_fileappendstrrappend_ssh_config PRIV_TO_PUB KEY_GEN_TPL SeLinuxGuardrdebugget_cfg_option_listGENERATE_KEY_NAMES fips_enabledset difference KEY_FILE_TPLexists ensure_dirdirnameget_cfg_option_boolsysstdoutwrite decode_binarydistroosfamilyr0ProcessExecutionErrorstderrlower exit_code startswithrPUBLISH_HOST_KEYSget_public_host_keys datasourcepublish_host_keysr normalize_users_groupsextract_defaultget_cfg_option_strDISABLE_USER_OPTSget_public_ssh_keysextendapply_credentials)$r1r2r3r4key_pthf cert_configkeyvalreasontgt_fn tgt_perms private_type public_type private_file public_filecmdgenkeys key_names skipped_keyskeytyperouterrehost_key_blacklistpublish_hostkeyshostkeysusers_groupsuser _user_configrMrNkeyscfgkeysr.r.r/handleds                   rcCsVt|}|r t|||r|sd}|d|}|dd}nd}tj|d|ddS)NNONEz$USERz $DISABLE_USERrootrD)options)rirsetup_user_keysreplace)rrrMrN key_prefixr.r.r/rs  rrKcsdtfg}g|rfdd|DfddtdD}|D]}t|}|}|rBt|dkrB|t|ddq$|S) aRead host keys from /etc/ssh/*.pub files and return them as a list. @param blacklist: List of key types to ignore. e.g. ['rsa'] @returns: List of keys, each formatted as a two-element tuple. e.g. [('ssh-rsa', 'AAAAB3Nz...'), ('ssh-ed25519', 'AAAAC3Nx...')] z%s.pubcsg|]}|fqSr.r.)r?key_type)public_key_file_tmplr.r/rA s z(get_public_host_keys..csg|]}|vr|qSr.r.)r?hostfile)blacklist_filesr.r/rA$rB)*r8N)rkrTrload_text_filesplitlenr_tuple)rKkey_list file_list file_name file_contentskey_datar.)rrr/r|s"     r|)N)1__doc__rTloggingr'rerptypingrrr cloudinitrrrrcloudinit.cloudr cloudinit.configr cloudinit.config.schemar cloudinit.distrosr r cloudinit.settingsrr__annotations__ getLogger__name__rXrgr>compiler[rkr{rr`rZrbkupdatercr0listrrr|r.r.r.r/sV     $