o fX@snddlZddlZddlZddlmZddlmZmZmZddl m Z m Z m Z e eZdZdZdZdeed ZGd d d ZGd d d ZddZddZddZddZddZddZefddZd7ddZGdddZd eefd!d"Z d eefd#d$Z!d%d&Z"d'ed e#fd(d)Z$d*d+Z%efd,d-Z&d.d/Z'efd0eeeeffd1d2Z(d3d4Z)d5d6Z*dS)8N)suppress)ListSequenceTuple) lifecyclesubputilz/etc/ssh/sshd_config)rsaecdsaed25519z(ecdsa-sha2-nistp256-cert-v01@openssh.comzecdsa-sha2-nistp256z(ecdsa-sha2-nistp384-cert-v01@openssh.comzecdsa-sha2-nistp384z(ecdsa-sha2-nistp521-cert-v01@openssh.comzecdsa-sha2-nistp521z+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz"sk-ecdsa-sha2-nistp256@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comzsk-ssh-ed25519@openssh.comz ssh-ed25519-cert-v01@openssh.comz ssh-ed25519zssh-rsa-cert-v01@openssh.comzssh-rsazssh-xmss-cert-v01@openssh.comzssh-xmss@openssh.comzno-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit "c@s(eZdZ dddZddZddZdS) AuthKeyLineNcCs"||_||_||_||_||_dSN)base64commentoptionskeytypesource)selfrrrrrr4/usr/lib/python3/dist-packages/cloudinit/ssh_util.py__init__Es  zAuthKeyLine.__init__cCs |jo|jSr)rrrrrrvalidNs zAuthKeyLine.validcCs`g}|jr ||j|jr||j|jr||j|jr&||j|s+|jSd|SN )rappendrrrrjoin)rtoksrrr__str__Qs     zAuthKeyLine.__str__)NNNN)__name__ __module__ __qualname__rrr rrrrrDs   rc@s"eZdZdZddZdddZdS)AuthKeyLineParserau AUTHORIZED_KEYS FILE FORMAT AuthorizedKeysFile specifies the file containing public keys for public key authentication; if none is specified, the default is ~/.ssh/authorized_keys. Each line of the file contains one key (empty (because of the size of the public key encoding) up to a limit of 8 kilo- bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. You don't want to type them in; instead, copy the identity.pub or the id_rsa.pub file and edit it. sshd enforces a minimum RSA key modulus size for protocol 1 and protocol 2 keys of 768 bits. The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. The fol- lowing option specifications are supported (note that option keywords are case-insensitive): cCsd}d}|t|krO|s||dvrO||}|dt|kr#|d}n,||d}|dkr6|dkr6|d}n|dkr=| }|d}|t|krO|s||dvs|d|}||d}||fS)z The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. Note that option keywords are case-insensitive. Fr)r \r N)lenlstrip)rentquotedicurcnextcrremainrrr_extract_optionsus"   z"AuthKeyLineParser._extract_optionsNc Cs|d}|ds|dkrt|Sdd}|}z ||\}}}Wn/tyT||\} } |dur9| }z || \}}}WntyQt|YYSwYnwt|||||dS)Nz #cSs^|dd}t|dkrtdt||dtvr"td|dt|dkr-|d|S)NzTo few fields: %srzInvalid keytype %sr2)splitr( TypeErrorVALID_KEY_TYPESr)r*rrrr parse_ssh_keys     z.AuthKeyLineParser.parse..parse_ssh_key)rrrr)rstrip startswithstriprr5r0) rsrc_linerliner7r*rrrkeyoptsr/rrrparses2    zAuthKeyLineParser.parser)r!r"r#__doc__r0r>rrrrr$asr$c Csxg}t}g}|D]0}ztj|r&t|}|D] }|||qWq t t fy9t t d|Yq w|S)NzError reading lines from %s) r$ospathisfilerload_text_file splitlinesrr>IOErrorOSErrorlogexcLOG)fnameslinesparsercontentsfnamer<rrrparse_authorized_keyss rNcCstdd|D}tt|D]%}||}|sq|D]}|j|jkr/|}||vr/||q|||<q|D]}||q7dd|D}|dd|S)NcSsg|]}|r|qSr)r.0krrr z*update_authorized_keys..cSg|]}t|qSrstr)rPbrrrrRr2 )listranger(rrremoverr) old_entrieskeysto_addr,r*rQkeyrJrrrupdate_authorized_keyss"      racCs4t|}|r |jstd|tj|jd|fS)Nz"Unable to get SSH info for user %rz.ssh)pwdgetpwnampw_dir RuntimeErrorr@rAr)usernamepw_entrrrusers_ssh_infos   rhc Cspd|fd|fdf}|s d}|}g}|D] }|D] \}}|||}q|ds0tj||}||q|S)N%h%u)z%%%%h/.ssh/authorized_keys/)r4replacer9r@rArr) valuehomedirrfmacrospathsrenderedrAmacrofieldrrrrender_authorizedkeysfile_pathss   rvc Csd}|rd}t|}|r ||kr |dkr td||||dSt|}||kr.|dM}nt|}t|} || vrA|dM}n|dM}||@d krUtd |||dS|rf|d @d krftd ||dSd S)aVCheck if the file/folder in @current_path has the right permissions. We need to check that: 1. If StrictMode is enabled, the owner is either root or the user 2. the user can access the file/folder, otherwise ssh won't use it 3. If StrictMode is enabled, no write permission is given to group and world users (022) iirootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.F8rzBPath %s in %s must be accessible by user %s, check its permissionszRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)r get_ownerrHdebugget_permissions get_groupget_user_groups) rf current_path full_pathis_file strictmodesminimal_permissionsownerparent_permission group_owner user_groupsrrrcheck_permissionssJ        rc Cst|d}tdd}z|ddd}d}tj|j}|D]}|d|7}tj|r9td|WdStj |rItd|WdS| |sS||jkrTq!tj |st |-d } |j} |j} | |jrvd } |j} |j} tj|| d d t || | Wdn1swYt|||d|} | sWdSq!tj|stj|rtd |WdStj |st j|ddd dt ||j|jt|||d |} | sWdSWd Sttfy} zt tt| WYd} ~ dSd} ~ ww)Nr&rwrmr2z-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %srxT)modeexist_okz%s is not a file!)rensure_dir_exists)rhr4r@rAdirnamerdislinkrHr}rBr9existsr SeLinuxGuardpw_uidpw_gidmakedirs chownbyidrisdir write_filerErFrGrV)rffilenamer user_pwent root_pwent directories parent_folder home_folder directoryruidgid permissionserrrcheck_create_pathGsv             rc Cs0t|\}}tj|d}|}g}tj|dd;zt|}|dd}|dd} t||j |}Wnt t fyK||d<t t d t|dYnwWdn1sVwYt||D]$\} } td | vd | v| d |j grt|| | dk} | r| }nqb||krt d ||t|gfS)Nauthorized_keysT recursiveauthorizedkeysfilerlryesrzhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadrjriz{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)rhr@rArrrparse_ssh_config_mapgetrvrdrErFrGrH DEF_SSHD_CFGzipr4anyr9formatrr}rN) rf sshd_cfg_filessh_dirrgdefault_authorizedkeys_fileuser_authorizedkeys_file auth_key_fnsssh_cfg key_pathsrkey_path auth_key_fnpermissions_okrrrextract_authorized_keyss^   rc Cst}g}|D]}||jt||dqt|\}}tj|}tj |ddt ||} tj || ddWddS1sBwYdS)N)rTr preserve_mode) r$rr>rVrr@rArrrrar) r^rfrrK key_entriesrQrauth_key_entriesrcontentrrrsetup_user_keyss   "rc@s*eZdZdddZeddZddZdS) SshdConfigLineNcCs||_||_||_dSr)r<_keyro)rr<rQvrrrrs zSshdConfigLine.__init__cCs|jdurdS|jSr)rlowerrrrrr`s  zSshdConfigLine.keycCs:|jdur t|jSt|j}|jr|dt|j7}|Sr)rrVr<ro)rrrrrr s   zSshdConfigLine.__str__)NN)r!r"r#rpropertyr`r rrrrrs    rreturncCs"tj|sgStt|Sr)r@rArBparse_ssh_config_linesrrCrDrMrrrparse_ssh_configs rc Csg}|D]M}|}|r|dr|t|qz |dd\}}Wn$tyGz |dd\}}WntyDtd|YYqwYnw|t|||q|S)Nr1r&=z;sshd_config: option "%s" has no key/value pair, skipping it)r:r9rrr4 ValueErrorrHr})rJretr<r`valrrrrs,   rcCs6t|}|siSi}|D] }|jsq |j||j<q |Sr)rr`ro)rMrJrr<rrrrsrrMcCsntj|sdSt|d }|D]}|d|dr$WddSqWddS1s0wYdS)NFrzInclude z .d/*.confT)r@rArBopenr9)rMfr<rrr_includes_dconf"s   rcCs^t|r-tj|dstj|dddtj|dd}tj|s-t|d|S)Nz.dr)rz50-cloud-init.confr) rr@rArr ensure_dirrrB ensure_filerrrr"_ensure_cloud_init_ssh_config_file,s  rcCsPt|}t|}t||d}|r"tj|ddd|Ddddt|dkS)zRead fname, and update if changes are necessary. @param updates: dictionary of desired values {Option: value} @return: boolean indicating if an update was done.)rJupdatesrYcSrTrrU)rPr<rrrrRBrXz%update_ssh_config..Trr)rrupdate_ssh_config_linesrrrr()rrMrJchangedrrrupdate_ssh_config7s  rc Cst}g}tdd|D}t|ddD];\}}|jsq|j|vrQ||j}||}|||j|kr?td|||q| |td|||j|||_qt |t |kr| D]!\}}||vrgq^| || t d||tdt |||q^|S) zUpdate the SSH config lines per updates. @param lines: array of SshdConfigLine. This array is updated in place. @param updates: dictionary of desired values {Option: value} @return: A list of keys in updates that were changed.cSsg|]}||fqSr)rrOrrrrRRrSz+update_ssh_config_lines..r&)startz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %sr2z line %d: option %s added with %s) setdictr^ enumerater`addrorHr}rr(itemsr) rJrfoundrcasemapr,r<r`rorrrrHsD       rrJcCs>|sdSt|}dd|D}tj|d|dddddS)Ncss"|] \}}|d|VqdS)rNr)rPrQrrrr zs z$append_ssh_config..rYabT)omoder)rrrr)rJrMrrrrappend_ssh_configvs  rcCsd}ttjtjddgddgd\}}Wdn1swYd}|d D]}||r?|t||d Sq+dS) zGet the full version of the OpenSSH sshd daemon on the system. On an ubuntu system, this would look something like: 1.2p1 Ubuntu-1ubuntu0.1 If we can't find `sshd` or parse the version number, return None. r2sshdz-Vrr&)rcsNOpenSSH_rY,)rrProcessExecutionErrorr4r9r(find)err_prefixr<rrrget_opensshd_versions  rc Csd}t}|durtj|Sd|vr|d|d}nd|vr+|d|d}n|}z tj|}|WSttfyHtd|YdSw)zGet the upstream version of the OpenSSH sshd daemon on the system. This will NOT include the portable number, so if the Ubuntu version looks like `1.2p1 Ubuntu-1ubuntu0.1`, then this function would return `1.2` z9.0Nprz Could not parse sshd version: %s) rrVersionfrom_strrrr5rHwarning)upstream_version full_versionrrrget_opensshd_upstream_versions  rr)+loggingr@rb contextlibrtypingrrr cloudinitrrr getLoggerr!rHrr6_DISABLE_USER_SSH_EXITrVDISABLE_USER_OPTSrr$rNrarhrvrrrrrrrrboolrrrrrrrrrrrsJ  YE O 9  .