U ¯AdÛRã@sLddlZddlZddlmZmZmZddlmZddlm Z e  e ¡Z dZ dZdZdeeƒd ZGd d „d ƒZGd d „d ƒZdd„Zdd„Zdd„Zdd„Zdd„Zdd„Ze fdd„Zd3dd„ZGdd„dƒZeed œd!d"„Zeed œd#d$„Zd%d&„Zee d'œd(d)„Z!d*d+„Z"e fd,d-„Z#d.d/„Z$e feeeefd0œd1d2„Z%dS)4éN)ÚListÚSequenceÚTuple)Úlog)Úutilz/etc/ssh/sshd_config)ZdsaZrsaZecdsaZed25519z(ecdsa-sha2-nistp256-cert-v01@openssh.comzecdsa-sha2-nistp256z(ecdsa-sha2-nistp384-cert-v01@openssh.comzecdsa-sha2-nistp384z(ecdsa-sha2-nistp521-cert-v01@openssh.comzecdsa-sha2-nistp521z+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz"sk-ecdsa-sha2-nistp256@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comzsk-ssh-ed25519@openssh.comzssh-dss-cert-v01@openssh.comzssh-dssz ssh-ed25519-cert-v01@openssh.comz ssh-ed25519zssh-rsa-cert-v01@openssh.comzssh-rsazssh-xmss-cert-v01@openssh.comzssh-xmss@openssh.coméŽz§no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit ú"c@s&eZdZddd„Zdd„Zdd„ZdS) Ú AuthKeyLineNcCs"||_||_||_||_||_dS©N)Úbase64ÚcommentÚoptionsÚkeytypeÚsource)Úselfrrr r r ©rú4/usr/lib/python3/dist-packages/cloudinit/ssh_util.pyÚ__init__Gs zAuthKeyLine.__init__cCs |jo |jSr )r r©rrrrÚvalidPszAuthKeyLine.validcCsdg}|jr| |j¡|jr(| |j¡|jr:| |j¡|jrL| |j¡|sV|jSd |¡SdS©Nú )r Úappendrr r rÚjoin)rÚtoksrrrÚ__str__Ss    zAuthKeyLine.__str__)NNNN)Ú__name__Ú __module__Ú __qualname__rrrrrrrr Fsÿ r c@s"eZdZdZdd„Zddd„ZdS)ÚAuthKeyLineParsera‚ AUTHORIZED_KEYS FILE FORMAT AuthorizedKeysFile specifies the file containing public keys for public key authentication; if none is specified, the default is ~/.ssh/authorized_keys. Each line of the file contains one key (empty (because of the size of the public key encoding) up to a limit of 8 kilo- bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. You don't want to type them in; instead, copy the identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it. sshd enforces a minimum RSA key modulus size for protocol 1 and protocol 2 keys of 768 bits. The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. The fol- lowing option specifications are supported (note that option keywords are case-insensitive): cCs¨d}d}|t|ƒkr„|s$||dkr„||}|dt|ƒkrF|d}q„||d}|dkrl|dkrl|d}n|dkrz| }|d}q|d|…}||d… ¡}||fS)z× The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. Note that option keywords are case-insensitive. Fr)rú éú\rN)ÚlenÚlstrip)rÚentZquotedÚiZcurcZnextcr ÚremainrrrÚ_extract_optionsws     z"AuthKeyLineParser._extract_optionsNc CsÀ| d¡}| d¡s | ¡dkr(t|ƒSdd„}| ¡}z||ƒ\}}}Wnbtk r¬| |¡\} } |dkrt| }z|| ƒ\}}}Wn tk r¦t|ƒYYSXYnXt|||||dS)Nz ú#ÚcSs^| dd¡}t|ƒdkr(tdt|ƒƒ‚|dtkrDtd|dƒ‚t|ƒdkrZ| d¡|S)NézTo few fields: %srzInvalid keytype %sr*)Úsplitr#Ú TypeErrorÚVALID_KEY_TYPESr)r%rrrrÚ parse_ssh_key—s     z.AuthKeyLineParser.parse..parse_ssh_key)rr r r )ÚrstripÚ startswithÚstripr r-r() rZsrc_liner Úliner/r%rr r Zkeyoptsr'rrrÚparse‘s, ûzAuthKeyLineParser.parse)N)rrrÚ__doc__r(r4rrrrrcsrc Cs|g}tƒ}g}|D]d}z8tj |¡rLt |¡ ¡}|D]}| | |¡¡q6Wqt t fk rtt  t d|¡YqXq|S)NzError reading lines from %s) rÚosÚpathÚisfilerÚ load_fileÚ splitlinesrr4ÚIOErrorÚOSErrorÚlogexcÚLOG)ÚfnamesÚlinesÚparserÚcontentsÚfnamer3rrrÚparse_authorized_keys¼s rDcCs¢tdd„|Dƒƒ}tdt|ƒƒD]J}||}| ¡s6q |D]&}|j|jkr:|}||kr:| |¡q:|||<q |D]}| |¡qpdd„|Dƒ}| d¡d |¡S)NcSsg|]}| ¡r|‘qSr)r©Ú.0ÚkrrrÚ Ísz*update_authorized_keys..rcSsg|] }t|ƒ‘qSr©Ústr)rFÚbrrrrHásr*Ú )ÚlistÚranger#rr Úremoverr)Z old_entriesÚkeysZto_addr&r%rGÚkeyr@rrrÚupdate_authorized_keysÌs      rRcCs4t |¡}|r|js td|ƒ‚tj |jd¡|fS)Nz"Unable to get SSH info for user %rz.ssh)ÚpwdÚgetpwnamÚpw_dirÚ RuntimeErrorr6r7r)ÚusernameÚpw_entrrrÚusers_ssh_infoès   rYc Cspd|fd|fdf}|sd}| ¡}g}|D]@}|D]\}}| ||¡}q2| d¡s`tj ||¡}| |¡q*|S)Nú%hú%u)z%%ú%ú%h/.ssh/authorized_keysú/)r,Úreplacer1r6r7rr) ÚvalueZhomedirrWZmacrosÚpathsZrenderedr7ZmacroZfieldrrrÚrender_authorizedkeysfile_pathsïs   rbc CsÐd}|r d}t |¡}|r@||kr@|dkr@t d||||¡dSt |¡}||kr\|dM}n.t |¡}t |¡} || kr‚|dM}n|dM}||@d krªt d |||¡dS|rÌ|d @d krÌt d ||¡dSd S)aVCheck if the file/folder in @current_path has the right permissions. We need to check that: 1. If StrictMode is enabled, the owner is either root or the user 2. the user can access the file/folder, otherwise ssh won't use it 3. If StrictMode is enabled, no write permission is given to group and world users (022) iÉi¤ÚrootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.FéÀé8érzBPath %s in %s must be accessible by user %s, check its permissionsézRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)rZ get_ownerr>ÚdebugZget_permissionsZ get_groupZget_user_groups) rWZ current_pathÚ full_pathÚis_fileÚ strictmodesZminimal_permissionsÚownerZparent_permissionZ group_ownerZ user_groupsrrrÚcheck_permissionssJ  ú      ûürmc Csøt|ƒd}tdƒd}zš| d¡dd…}d}tj |j¡}|D]ð}|d|7}tj |¡rtt d|¡WdStj  |¡r”t d|¡WdS|  |¡sD||jkrªqDtj  |¡st   |¡Pd } |j} |j} |  |j¡rðd } |j} |j} tj|| d d t  || | ¡W5QRXt|||d|ƒ} | sDWdSqDtj |¡sRtj |¡rdt d |¡WdStj  |¡s–t j|ddd dt  ||j|j¡t|||d |ƒ} | s²WdSWn>ttfk rò} zt  tt| ƒ¡WY¢dSd} ~ XYnXd S)Nr!rcr^éÿÿÿÿr*z-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %séírdT)ÚmodeÚexist_okz%s is not a file!é€)rpZensure_dir_exists)rYr,r6r7ÚdirnamerUÚislinkr>rhr8r1ÚexistsrÚ SeLinuxGuardÚpw_uidÚpw_gidÚmakedirsZ chownbyidrmÚisdirÚ write_filer;r<r=rJ)rWÚfilenamerkZ user_pwentZ root_pwentZ directoriesZ parent_folderZ home_folderZ directoryrpZuidÚgidZ permissionsÚerrrÚcheck_create_pathIs€    þ ÿÿþ  ÿ  ÿ rc Cs t|ƒ\}}tj |d¡}|}g}tj|ddnz2t|ƒ}| dd¡}| dd¡} t||j |ƒ}Wn4t t fk r˜||d<t  t d t|d¡YnXW5QRXt| ¡|ƒD]H\} } td | kd | k|  d  |j ¡¡gƒr²t|| | dkƒ} | r²| }qüq²||krt  d |¡|t|gƒfS)NZauthorized_keysT©Ú recursiveZauthorizedkeysfiler]rkZyesrzhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadr[rZz{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)rYr6r7rrrvÚparse_ssh_config_mapÚgetrbrUr;r<r=r>Ú DEF_SSHD_CFGÚzipr,Úanyr1ÚformatrrhrD) rWZ sshd_cfg_fileÚssh_dirrXZdefault_authorizedkeys_fileZuser_authorizedkeys_fileZ auth_key_fnsZssh_cfgZ key_pathsrkZkey_pathÚ auth_key_fnZpermissions_okrrrÚextract_authorized_keys˜s` ÿ ÿú ýÿÿ ýþrŠc Cs|tƒ}g}|D]}| |jt|ƒ|d¡qt|ƒ\}}tj |¡}tj |dd t ||ƒ} tj || ddW5QRXdS)N)r Tr€©Ú preserve_mode) rrr4rJrŠr6r7rsrrvrRr{) rPrWr rAZ key_entriesrGr‰Zauth_key_entriesrˆÚcontentrrrÚsetup_user_keysÑs   rŽc@s*eZdZddd„Zedd„ƒZdd„ZdS) ÚSshdConfigLineNcCs||_||_||_dSr )r3Ú_keyr`)rr3rGÚvrrrrászSshdConfigLine.__init__cCs|jdkrdS|j ¡Sr )rÚlowerrrrrrQæs zSshdConfigLine.keycCs>|jdkrt|jƒSt|jƒ}|jr6|dt|jƒ7}|SdSr)rrJr3r`)rr‘rrrrís    zSshdConfigLine.__str__)NN)rrrrÚpropertyrQrrrrrràs  r)ÚreturncCs"tj |¡sgStt |¡ ¡ƒSr )r6r7r8Úparse_ssh_config_linesrr9r:©rCrrrÚparse_ssh_config÷s r—c Cs°g}|D]¢}| ¡}|r"| d¡r2| t|ƒ¡qz| dd¡\}}WnPtk r–z| dd¡\}}Wn&tk rt d|¡YYqYnXYnX| t|||ƒ¡q|S)Nr)r!ú=z;sshd_config: option "%s" has no key/value pair, skipping it)r2r1rrr,Ú ValueErrorr>rh)r@Úretr3rQÚvalrrrr•ýs&ýr•cCs6t|ƒ}|siSi}|D]}|js$q|j||j<q|Sr )r—rQr`)rCr@ršr3rrrr‚sr‚)rCr”c CsVtj |¡sdSt|dƒ2}|D]&}| d|›d¡r W5QR£dSq W5QRXdS)NFÚrzInclude z .d/*.confT)r6r7r8Úopenr1)rCÚfr3rrrÚ_includes_dconf$s  rŸcCs^t|ƒrZtj |›d¡s.tj|›dddtj |›dd¡}tj |¡sZt |d¡|S)Nz.dro)rpz50-cloud-init.confrr) rŸr6r7rzrZ ensure_dirrr8Z ensure_filer–rrrÚ"_ensure_cloud_init_ssh_config_file.s  r cCsPt|ƒ}t|ƒ}t||d}|rDtj|d dd„|Dƒ¡dddt|ƒdkS)z©Read fname, and update if changes are necessary. @param updates: dictionary of desired values {Option: value} @return: boolean indicating if an update was done.)r@ÚupdatesrLcSsg|] }t|ƒ‘qSrrI)rFr3rrrrHDsz%update_ssh_config..Tr‹r)r r—Úupdate_ssh_config_linesrr{rr#)r¡rCr@ÚchangedrrrÚupdate_ssh_config9s ýr¤c Cstƒ}g}tdd„| ¡Dƒƒ}t|ddD]v\}}|js.r!)Ústartz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %sr*z line %d: option %s added with %s) ÚsetÚdictrPÚ enumeraterQÚaddr`r>rhrr#Úitemsr) r@r¡Úfoundr£Zcasemapr&r3rQr`rrrr¢JsN    ÿ û ÿr¢)r@cCs>|sdSt|ƒ}dd„|Dƒ}tj|d |¡dddddS)Ncss |]\}}|›d|›VqdS)rNr)rFrGr‘rrrÚ |sz$append_ssh_config..rLZabT)ZomoderŒ)r rr{r)r@rCrrrrÚappend_ssh_configxs ür­)N)&r6rSÚtypingrrrZ cloudinitrZloggingrZ getLoggerrr>r„r.Z_DISABLE_USER_SSH_EXITrJZDISABLE_USER_OPTSr rrDrRrYrbrmrrŠrŽrr—r•r‚ÚboolrŸr r¤r¢r­rrrrÚ sB   ýýÿYEO 9    .