U L¬÷dGYã@slddlZddlZddlmZddlmZmZmZddlm Z ddlm Z m Z e   e¡ZdZdZdZd eeƒd ZGd d „d ƒZGd d„dƒZdd„Zdd„Zdd„Zdd„Zdd„Zdd„Zefdd„Zd8dd„ZGdd „d ƒZeed!œd"d#„Z eed!œd$d%„Z!d&d'„Z"ee#d(œd)d*„Z$d+d,„Z%efd-d.„Z&d/d0„Z'efeeeefd1œd2d3„Z(d4d5„Z)d6d7„Z*dS)9éN)Úsuppress)ÚListÚSequenceÚTuple)Úlog)ÚsubpÚutilz/etc/ssh/sshd_config)ZdsaZrsaZecdsaZed25519z(ecdsa-sha2-nistp256-cert-v01@openssh.comzecdsa-sha2-nistp256z(ecdsa-sha2-nistp384-cert-v01@openssh.comzecdsa-sha2-nistp384z(ecdsa-sha2-nistp521-cert-v01@openssh.comzecdsa-sha2-nistp521z+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz"sk-ecdsa-sha2-nistp256@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comzsk-ssh-ed25519@openssh.comzssh-dss-cert-v01@openssh.comzssh-dssz ssh-ed25519-cert-v01@openssh.comz ssh-ed25519zssh-rsa-cert-v01@openssh.comzssh-rsazssh-xmss-cert-v01@openssh.comzssh-xmss@openssh.coméŽz§no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit ú"c@s&eZdZddd„Zdd„Zdd„ZdS) Ú AuthKeyLineNcCs"||_||_||_||_||_dS©N)Úbase64ÚcommentÚoptionsÚkeytypeÚsource)Úselfrrr rr©rú4/usr/lib/python3/dist-packages/cloudinit/ssh_util.pyÚ__init__Hs zAuthKeyLine.__init__cCs |jo |jSr )r r©rrrrÚvalidQszAuthKeyLine.validcCsdg}|jr| |j¡|jr(| |j¡|jr:| |j¡|jrL| |j¡|sV|jSd |¡SdS©Nú )rÚappendrr rrÚjoin)rÚtoksrrrÚ__str__Ts    zAuthKeyLine.__str__)NNNN)Ú__name__Ú __module__Ú __qualname__rrrrrrrr Gsÿ r c@s"eZdZdZdd„Zddd„ZdS)ÚAuthKeyLineParsera‚ AUTHORIZED_KEYS FILE FORMAT AuthorizedKeysFile specifies the file containing public keys for public key authentication; if none is specified, the default is ~/.ssh/authorized_keys. Each line of the file contains one key (empty (because of the size of the public key encoding) up to a limit of 8 kilo- bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. You don't want to type them in; instead, copy the identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it. sshd enforces a minimum RSA key modulus size for protocol 1 and protocol 2 keys of 768 bits. The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. The fol- lowing option specifications are supported (note that option keywords are case-insensitive): cCs¨d}d}|t|ƒkr„|s$||dkr„||}|dt|ƒkrF|d}q„||d}|dkrl|dkrl|d}n|dkrz| }|d}q|d|…}||d… ¡}||fS)z× The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. Note that option keywords are case-insensitive. Fr)rú éú\r N)ÚlenÚlstrip)rÚentZquotedÚiZcurcZnextcrÚremainrrrÚ_extract_optionsxs     z"AuthKeyLineParser._extract_optionsNc CsÀ| d¡}| d¡s | ¡dkr(t|ƒSdd„}| ¡}z||ƒ\}}}Wnbtk r¬| |¡\} } |dkrt| }z|| ƒ\}}}Wn tk r¦t|ƒYYSXYnXt|||||dS)Nz ú#ÚcSs^| dd¡}t|ƒdkr(tdt|ƒƒ‚|dtkrDtd|dƒ‚t|ƒdkrZ| d¡|S)NézTo few fields: %srzInvalid keytype %sr,)Úsplitr%Ú TypeErrorÚVALID_KEY_TYPESr)r'rrrrÚ parse_ssh_key˜s     z.AuthKeyLineParser.parse..parse_ssh_key)rr rr)ÚrstripÚ startswithÚstripr r/r*) rZsrc_linerÚliner1r'rr rZkeyoptsr)rrrÚparse’s, ûzAuthKeyLineParser.parse)N)rrr Ú__doc__r*r6rrrrr!dsr!c Cs|g}tƒ}g}|D]d}z8tj |¡rLt |¡ ¡}|D]}| | |¡¡q6Wqt t fk rtt  t d|¡YqXq|S)NzError reading lines from %s) r!ÚosÚpathÚisfilerÚ load_fileÚ splitlinesrr6ÚIOErrorÚOSErrorÚlogexcÚLOG)ÚfnamesÚlinesÚparserÚcontentsÚfnamer5rrrÚparse_authorized_keys½s rFcCs¢tdd„|Dƒƒ}tdt|ƒƒD]J}||}| ¡s6q |D]&}|j|jkr:|}||kr:| |¡q:|||<q |D]}| |¡qpdd„|Dƒ}| d¡d |¡S)NcSsg|]}| ¡r|‘qSr)r©Ú.0ÚkrrrÚ Îsz*update_authorized_keys..rcSsg|] }t|ƒ‘qSr©Ústr)rHÚbrrrrJâsr,Ú )ÚlistÚranger%rr Úremoverr)Z old_entriesÚkeysZto_addr(r'rIÚkeyrBrrrÚupdate_authorized_keysÍs      rTcCs4t |¡}|r|js td|ƒ‚tj |jd¡|fS)Nz"Unable to get SSH info for user %rz.ssh)ÚpwdÚgetpwnamÚpw_dirÚ RuntimeErrorr8r9r)ÚusernameÚpw_entrrrÚusers_ssh_infoés   r[c Cspd|fd|fdf}|sd}| ¡}g}|D]@}|D]\}}| ||¡}q2| d¡s`tj ||¡}| |¡q*|S)Nú%hú%u)z%%ú%ú%h/.ssh/authorized_keysú/)r.Úreplacer3r8r9rr) ÚvalueZhomedirrYZmacrosÚpathsZrenderedr9ZmacroZfieldrrrÚrender_authorizedkeysfile_pathsðs   rdc CsÐd}|r d}t |¡}|r@||kr@|dkr@t d||||¡dSt |¡}||kr\|dM}n.t |¡}t |¡} || kr‚|dM}n|dM}||@d krªt d |||¡dS|rÌ|d @d krÌt d ||¡dSd S)aVCheck if the file/folder in @current_path has the right permissions. We need to check that: 1. If StrictMode is enabled, the owner is either root or the user 2. the user can access the file/folder, otherwise ssh won't use it 3. If StrictMode is enabled, no write permission is given to group and world users (022) iÉi¤ÚrootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.FéÀé8érzBPath %s in %s must be accessible by user %s, check its permissionsézRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)rZ get_ownerr@ÚdebugZget_permissionsZ get_groupZget_user_groups) rYZ current_pathÚ full_pathÚis_fileÚ strictmodesZminimal_permissionsÚownerZparent_permissionZ group_ownerZ user_groupsrrrÚcheck_permissionssJ  ú      ûüroc Csøt|ƒd}tdƒd}zš| d¡dd…}d}tj |j¡}|D]ð}|d|7}tj |¡rtt d|¡WdStj  |¡r”t d|¡WdS|  |¡sD||jkrªqDtj  |¡st   |¡Pd } |j} |j} |  |j¡rðd } |j} |j} tj|| d d t  || | ¡W5QRXt|||d|ƒ} | sDWdSqDtj |¡sRtj |¡rdt d |¡WdStj  |¡s–t j|ddd dt  ||j|j¡t|||d |ƒ} | s²WdSWn>ttfk rò} zt  tt| ƒ¡WY¢dSd} ~ XYnXd S)Nr#rer`éÿÿÿÿr,z-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %séírfT)ÚmodeÚexist_okz%s is not a file!é€)rrZensure_dir_exists)r[r.r8r9ÚdirnamerWÚislinkr@rjr:r3ÚexistsrÚ SeLinuxGuardZpw_uidZpw_gidÚmakedirsZ chownbyidroÚisdirÚ write_filer=r>r?rL)rYÚfilenamermZ user_pwentZ root_pwentZ directoriesZ parent_folderZ home_folderZ directoryrrZuidÚgidZ permissionsÚerrrÚcheck_create_pathJs€    þ ÿÿþ  ÿ  ÿ rc Cs t|ƒ\}}tj |d¡}|}g}tj|ddnz2t|ƒ}| dd¡}| dd¡} t||j |ƒ}Wn4t t fk r˜||d<t  t d t|d¡YnXW5QRXt| ¡|ƒD]H\} } td | kd | k|  d  |j ¡¡gƒr²t|| | dkƒ} | r²| }qüq²||krt  d |¡|t|gƒfS)NZauthorized_keysT©Ú recursiveZauthorizedkeysfiler_rmZyesrzhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadr]r\z{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)r[r8r9rrrxÚparse_ssh_config_mapÚgetrdrWr=r>r?r@Ú DEF_SSHD_CFGÚzipr.Úanyr3ÚformatrrjrF) rYZ sshd_cfg_fileÚssh_dirrZZdefault_authorizedkeys_fileZuser_authorizedkeys_fileZ auth_key_fnsZssh_cfgZ key_pathsrmZkey_pathÚ auth_key_fnZpermissions_okrrrÚextract_authorized_keys™s` ÿ ÿú ýÿÿ ýþrŠc Cs|tƒ}g}|D]}| |jt|ƒ|d¡qt|ƒ\}}tj |¡}tj |dd t ||ƒ} tj || ddW5QRXdS)N)rTr€©Ú preserve_mode) r!rr6rLrŠr8r9rurrxrTr{) rRrYrrCZ key_entriesrIr‰Zauth_key_entriesrˆÚcontentrrrÚsetup_user_keysÒs   rŽc@s*eZdZddd„Zedd„ƒZdd„ZdS) ÚSshdConfigLineNcCs||_||_||_dSr )r5Ú_keyrb)rr5rIÚvrrrrâszSshdConfigLine.__init__cCs|jdkrdS|j ¡Sr )rÚlowerrrrrrSçs zSshdConfigLine.keycCs>|jdkrt|jƒSt|jƒ}|jr6|dt|jƒ7}|SdSr)rrLr5rb)rr‘rrrrîs    zSshdConfigLine.__str__)NN)rrr rÚpropertyrSrrrrrrás  r)ÚreturncCs"tj |¡sgStt |¡ ¡ƒSr )r8r9r:Úparse_ssh_config_linesrr;r<©rErrrÚparse_ssh_configøs r—c Cs°g}|D]¢}| ¡}|r"| d¡r2| t|ƒ¡qz| dd¡\}}WnPtk r–z| dd¡\}}Wn&tk rt d|¡YYqYnXYnX| t|||ƒ¡q|S)Nr+r#ú=z;sshd_config: option "%s" has no key/value pair, skipping it)r4r3rrr.Ú ValueErrorr@rj)rBÚretr5rSÚvalrrrr•þs&ýr•cCs6t|ƒ}|siSi}|D]}|js$q|j||j<q|Sr )r—rSrb)rErBršr5rrrr‚sr‚)rEr”c CsVtj |¡sdSt|dƒ2}|D]&}| d|›d¡r W5QR£dSq W5QRXdS)NFÚrzInclude z .d/*.confT)r8r9r:Úopenr3)rEÚfr5rrrÚ_includes_dconf%s  rŸcCs^t|ƒrZtj |›d¡s.tj|›dddtj |›dd¡}tj |¡sZt |d¡|S)Nz.drq)rrz50-cloud-init.confrt) rŸr8r9rzrZ ensure_dirrr:Z ensure_filer–rrrÚ"_ensure_cloud_init_ssh_config_file/s  r cCsPt|ƒ}t|ƒ}t||d}|rDtj|d dd„|Dƒ¡dddt|ƒdkS)z©Read fname, and update if changes are necessary. @param updates: dictionary of desired values {Option: value} @return: boolean indicating if an update was done.)rBÚupdatesrNcSsg|] }t|ƒ‘qSrrK)rHr5rrrrJEsz%update_ssh_config..Tr‹r)r r—Úupdate_ssh_config_linesrr{rr%)r¡rErBÚchangedrrrÚupdate_ssh_config:s ýr¤c Cstƒ}g}tdd„| ¡Dƒƒ}t|ddD]v\}}|js.r#)Ústartz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %sr,z line %d: option %s added with %s) ÚsetÚdictrRÚ enumeraterSÚaddrbr@rjrr%Úitemsr) rBr¡Úfoundr£Zcasemapr(r5rSrbrrrr¢KsN    ÿ û ÿr¢)rBcCs>|sdSt|ƒ}dd„|Dƒ}tj|d |¡dddddS)Ncss |]\}}|›d|›VqdS)rNr)rHrIr‘rrrÚ }sz$append_ssh_config..rNZabT)ZomoderŒ)r rr{r)rBrErrrrÚappend_ssh_configys ür­c Cspd}ttjƒ tjddgddgd\}}W5QRXd}| d¡D](}| |¡rB|t|ƒ| d ¡…SqBd S) zàGet the full version of the OpenSSH sshd daemon on the system. On an ubuntu system, this would look something like: 1.2p1 Ubuntu-1ubuntu0.1 If we can't find `sshd` or parse the version number, return None. r,Zsshdz-Vrr#)ZrcsZOpenSSH_rNú,N)rrZProcessExecutionErrorr.r3r%Úfind)ÚerrÚ_Úprefixr5rrrÚget_opensshd_version†s  $ r³c Cs–d}tƒ}|dkrtj |¡Sd|kr:|d| d¡…}n d|krV|d| d¡…}n|}ztj |¡}|WSttfk rt d|¡YnXdS)zäGet the upstream version of the OpenSSH sshd dameon on the system. This will NOT include the portable number, so if the Ubuntu version looks like `1.2p1 Ubuntu-1ubuntu0.1`, then this function would return `1.2` z9.0NÚprz Could not parse sshd version: %s) r³rZVersionZfrom_strr¯r™r/r@Zwarning)Zupstream_versionZ full_versionrrrÚget_opensshd_upstream_versionšs  rµ)N)+r8rUÚ contextlibrÚtypingrrrZ cloudinitrZloggingrrZ getLoggerrr@r„r0Z_DISABLE_USER_SSH_EXITrLZDISABLE_USER_OPTSr r!rFrTr[rdrorrŠrŽrr—r•r‚ÚboolrŸr r¤r¢r­r³rµrrrrÚ sH   ýýÿYEO 9    .