3
�~�fY������������������@���sh��d�dl�Z�d�dlZd�dlZd�dlmZ�d�dlmZmZmZ�d�dl m
Z
m
Z
�e�j
e
�ZdZdLZd
Zd
ee��d
�ZG�d d ��d �ZG�d!d"��d"�Zd#d$��Zd%d&��Zd'd(��Zd)d*��Zd+d,��Zd-d.��Zefd/d0�Z
dMd1d2�Z
G�d3d4��d4�Z
ee
�d5�d6d7�Z ee
�d5�d8d9�Z d:d;��Z!ee"d<�d=d>�Z#d?d@��Z$efdAdB�Z%dCdD��Z&efeeeef��dE�dFdG�Z'dHdI��Z(dJdK��Z)dS�)N�����N)�suppress)�List�Sequence�Tuple)�subp�utilz/etc/ssh/sshd_config�dsa�rsa�ecdsa�ed25519�(ecdsa-sha2-nistp256-cert-v01@openssh.com�ecdsa-sha2-nistp256�(ecdsa-sha2-nistp384-cert-v01@openssh.com�ecdsa-sha2-nistp384�(ecdsa-sha2-nistp521-cert-v01@openssh.com�ecdsa-sha2-nistp521�+sk-ecdsa-sha2-nistp256-cert-v01@openssh.com�"sk-ecdsa-sha2-nistp256@openssh.com�#sk-ssh-ed25519-cert-v01@openssh.com�sk-ssh-ed25519@openssh.com�
ssh-dss-cert-v01@openssh.com�ssh-dss� ssh-ed25519-cert-v01@openssh.com�
ssh-ed25519�
ssh-rsa-cert-v01@openssh.com�ssh-rsa�
ssh-xmss-cert-v01@openssh.com�ssh-xmss@openssh.com����z�no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit �"c���������������@���s&���e�Zd�Zddd�Zdd��Zdd��ZdS�) �
AuthKeyLineNc�������������C���s"���||�_�||�_||�_||�_||�_d�S�)N)�base64�comment�options�keytype�source)�selfr%���r$���r!���r"���r#�����r'����
/usr/lib/python3.6/ssh_util.py�__init__H���s
����zAuthKeyLine.__init__c�������������C���s
���|�j�o
|�jS�)N)r!���r$���)r&���r'���r'���r(����validQ���s����zAuthKeyLine.validc�������������C���sd���g�}|�j�r|j|�j���|�jr(|j|�j��|�jr:|j|�j��|�jrL|j|�j��|sV|�jS�dj|�S�d�S�)N� )r#����appendr$���r!���r"���r%����join)r&����toksr'���r'���r(����__str__T���s����
zAuthKeyLine.__str__)NNNN)�__name__�
__module__�
__qualname__r)���r*���r/���r'���r'���r'���r(���r ���G���s���
r ���c���������������@���s"���e�Zd�ZdZdd��Zddd�ZdS�)�AuthKeyLineParsera���
AUTHORIZED_KEYS FILE FORMAT
AuthorizedKeysFile specifies the file containing public keys for public
key authentication; if none is specified, the default is
~/.ssh/authorized_keys. Each line of the file contains one key (empty
(because of the size of the public key encoding) up to a limit of 8 kilo-
bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
kilobits. You don't want to type them in; instead, copy the
identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it.
sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
2 keys of 768 bits.
The options (if present) consist of comma-separated option specifica-
tions. No spaces are permitted, except within double quotes. The fol-
lowing option specifications are supported (note that option keywords are
case-insensitive):
c�������������C���s����d}d}x~|t�|�k�r�|s&||�d kr�||�}|d�t�|�krH|d�}P�||d��}|dkrn|dkrn|d�}n|dkr||
�}|d�}q
W�|d|��}||d��j��}||fS�)
z�
The options (if present) consist of comma-separated option specifica-
tions. No spaces are permitted, except within double quotes.
Note that option keywords are case-insensitive.
Fr���r+���� �����\r ���N)r+���r4���)�len�lstrip)r&����entZquoted�iZcurcZnextcr#����remainr'���r'���r(����_extract_optionsx���s ����
z"AuthKeyLineParser._extract_optionsNc�������
������C���s����|j�d�}|jd�s |j��dkr(t|�S�dd��}|j��}y||�\}}}W�nZ�tk
r����|�j|�\} }
|d�krt| }y||
�\}}}W�n�tk
r����t|�S�X�Y�nX�t|||||d�S�)Nz
�#��c�������������S���s^���|�j�d�d�}t|�dk�r(tdt|����|d�tkrDtd|d����t|�dkrZ|jd��|S�)N����zTo few fields: %sr���zInvalid keytype %sr>���)�splitr7���� TypeError�VALID_KEY_TYPESr,���)r9���r.���r'���r'���r(����
parse_ssh_key����s����
z.AuthKeyLineParser.parse.<locals>.parse_ssh_key)r$���r!���r"���r#���)�rstrip�
startswith�stripr ���rA���r<���)
r&���Zsrc_liner#����linerC���r9���r$���r!���r"���Zkeyoptsr;���r'���r'���r(����parse����s*����
zAuthKeyLineParser.parse)N)r0���r1���r2����__doc__r<���rH���r'���r'���r'���r(���r3���d���s���r3���c����������
���C���s����g�}t���}g�}xp|�D�]h}y<tjj|�rRtj|�j��}x
|D�]}|j|j|���q:W�W�q�t t
fk
rz���tj
t
d|��Y�qX�qW�|S�)NzError reading lines from %s)
r3����os�path�isfiler���� load_file�
splitlinesr,���rH����IOError�OSError�logexc�LOG)�fnames�lines�parser�contents�fnamerG���r'���r'���r(����parse_authorized_keys����s����
rX���c�������������C���s����t�dd��|D���}x`tdt|���D�]N}|�|�}|j��s8q"x.|D�]&}|j|jkr>|}||kr>|j|��q>W�||�|<�q"W�x|D�]}|�j|��qzW�dd��|�D��}|jd��dj|�S�)Nc�������������S���s���g�|�]}|j���r|�qS�r'���)r*���)�.0�kr'���r'���r(����
<listcomp>����s����z*update_authorized_keys.<locals>.<listcomp>r���c�������������S���s���g�|�]
}t�|��qS�r'���)�str)rY����br'���r'���r(���r[�������s����r>����
)�list�ranger7���r*���r!����remover,���r-���)Z
old_entries�keysZto_addr:���r9���rZ����keyrT���r'���r'���r(����update_authorized_keys����s ����
rd���c�������������C���s8���t�j|��}|
�s|j
�r$td|����tjj|jd�|fS�)Nz"Unable to get SSH info for user %rz.ssh)�pwd�getpwnam�pw_dir�
RuntimeErrorrJ���rK���r-���)�username�pw_entr'���r'���r(����users_ssh_info����s����
rk���c������� ������C���sx���d|fd|fdf}|�sd}�|�j���}g�}xL|D�]D}x
|D�]\}}|j||�}q6W�|jd�sftjj||�}|j|��q,W�|S�)Nz%hz%u�%%�%z%h/.ssh/authorized_keys�/)rl���rm���)r@����replacerE���rJ���rK���r-���r,���) �valueZhomedirri���Zmacros�pathsZrenderedrK���ZmacroZfieldr'���r'���r(���� render_authorizedkeysfile_paths����s����
rr���c�������
������C���s����d}|r
d}t�j|�}|r@||�kr@|dkr@tjd|||�|��dS�t�j|�}||�kr\|dM�}n.t�j|�}t�j|��} || kr�|dM�}n|dM�}||@�d kr�tjd
|||���dS�|r�|d
@�d kr�tjd
||��dS�d
S�)aV��Check if the file/folder in @current_path has the right permissions.
We need to check that:
1. If StrictMode is enabled, the owner is either root or the user
2. the user can access the file/folder, otherwise ssh won't use it
3. If StrictMode is enabled, no write permission is given to group
and world users (022)
i���i����rootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.Fi����8�������r���zBPath %s in %s must be accessible by user %s, check its permissions����zRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)r���Z get_ownerrR����debugZget_permissionsZ get_groupZget_user_groups)
ri���Z
current_path� full_path�is_file�
strictmodesZminimal_permissions�ownerZparent_permissionZ
group_ownerZ
user_groupsr'���r'���r(����check_permissions��sD����
r|���c�������������C���s���t�|��d�}t�d�d�}�y�|jd�dd��}d}tjj|j�}x�|D�]�}|d|�7�}tjj|�rrtjd|��dS�tjj |�r�tjd|��dS�|j
|�sF||jkr�qFtjj
|��st
j
|��P�d} |j}
|j}
|j
|j�r�d } |j}
|j}
tj|| d
d
��t
j||
|
��W�d�Q�R�X�t|�||d|�}
|
sFdS�qFW�tjj|��sJtjj|��rZtjd
|��dS�tjj
|��s�t
j|dd
d
d��t
j||j|j��t|�||d
|�}
|
�s�dS�W�n6�ttfk
�r��}
�zt
jtt|
���dS�d�}
~
X�nX�d
S�)Nr5���rs���rn���r>���z-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %si���i���T)�mode�exist_okz%s is not a file!i���)r}���Zensure_dir_exists���)rk���r@���rJ���rK����dirnamerg����islinkrR���rw���rL���rE����existsr����
SeLinuxGuardZpw_uidZpw_gid�makedirsZ chownbyidr|����isdir�
write_filerO���rP���rQ���r\���)ri����filenamerz���Z
user_pwentZ
root_pwentZ
directoriesZ
parent_folderZ
home_folderZ directoryr}���Zuid�gidZ
permissions�er'���r'���r(����check_create_pathJ��sb����
r����c�������
������C���s"��t�|��\}}tjj|d�}|}g�}tj|dd��n�y2t|�}|jdd�}|jdd�} t||j |��}W�n4�t
t
fk
r����||d<�tj
t
d t|d���Y�nX�W�d�Q�R�X�xXt|j��|�D�]F\}
}
td
|
kd
|
k|
jd
j|j ��g�r�t|�|
| dk�}
|
r�|
}P�q�W�||k�rt
jd
|��|t|g�fS�)NZauthorized_keysT)� recursiveZauthorizedkeysfilez%h/.ssh/authorized_keysrz����yesr���zhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadz%uz%hz{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)rk���rJ���rK���r-���r���r�����parse_ssh_config_map�getrr���rg���rO���rP���rQ���rR����
DEF_SSHD_CFG�zipr@����anyrE����formatr����rw���rX���)
ri���Z
sshd_cfg_file�ssh_dirrj���Zdefault_authorizedkeys_fileZuser_authorizedkeys_fileZ
auth_key_fnsZssh_cfgZ key_pathsrz���Zkey_path�
auth_key_fnZpermissions_okr'���r'���r(����extract_authorized_keys���sF����
r����c�������
���
���C���s����t���}g�}x$|�D�]
}|j|jt|�|d���qW�t|�\}}tjj|�}tj |dd�� �t
||�} tj
|| dd��W�d�Q�R�X�d�S�)N)r#���T)r����)�
preserve_mode)
r3���r,���rH���r\���r����rJ���rK���r����r���r����rd���r����)
rb���ri���r#���rU���Z
key_entriesrZ���r����Zauth_key_entriesr�����contentr'���r'���r(����setup_user_keys���s����
r����c���������������@���s*���e�Zd�Zddd�Zedd���Zdd��ZdS�) �SshdConfigLineNc�������������C���s���||�_�||�_||�_d�S�)N)rG����_keyrp���)r&���rG���rZ����vr'���r'���r(���r)������s����zSshdConfigLine.__init__c�������������C���s���|�j�d�krd�S�|�j�j��S�)N)r�����lower)r&���r'���r'���r(���rc������s����
zSshdConfigLine.keyc�������������C���s>���|�j�d�krt|�j�S�t|�j��}|�jr6|dt|�j��7�}|S�d�S�)Nr+���)r����r\���rG���rp���)r&���r����r'���r'���r(���r/������s
����
zSshdConfigLine.__str__)NN)r0���r1���r2���r)����propertyrc���r/���r'���r'���r'���r(���r�������s���
r����)�returnc�������������C���s"���t�jj|��sg�S�ttj|��j���S�)N)rJ���rK���rL����parse_ssh_config_linesr���rM���rN���)rW���r'���r'���r(����parse_ssh_config���s����
r����c�������������C���s����g�}x�|�D�]�}|j���}|
�s&|jd�r6|jt|���q
y|jd�d�\}}W�nL�tk
r����y|jdd�\}}W�n"�tk
r����tjd|��w
Y�nX�Y�nX�|jt|||���q
W�|S�)Nr=���r5����=z;sshd_config: option "%s" has no key/value pair, skipping it)rF���rE���r,���r����r@����
ValueErrorrR���rw���)rT����retrG���rc����valr'���r'���r(���r�������s$����
r����c�������������C���s:���t�|��}|si�S�i�}x |D�]}|js&q|j||j<�qW�|S�)N)r����rc���rp���)rW���rT���r����rG���r'���r'���r(���r������s����
r����)rW���r����c����������
���C���sN���t�jj|��sdS�t|�d��*}x"|D�]}|jd|���d��r"dS�q"W�W�d�Q�R�X�dS�)NF�rzInclude z .d/*.confT)rJ���rK���rL����openrE���)rW����frG���r'���r'���r(����_includes_dconf%��s����
r����c�������������C���s^���t�|��rZtjj|���d��s.tj|���d�dd��tjj|���d�d�}�tjj|��sZtj|�d��|�S�)Nz.di���)r}���z50-cloud-init.confi���) r����rJ���rK���r����r���Z
ensure_dirr-���rL���Z
ensure_file)rW���r'���r'���r(����"_ensure_cloud_init_ssh_config_file/��s����
r����c�������������C���sP���t�|�}t|�}t||�d�}|rDtj|djdd��|D���d�dd��t|�dkS�)z�Read fname, and update if changes are necessary.
@param updates: dictionary of desired values {Option: value}
@return: boolean indicating if an update was done.)rT����updatesr^���c�������������S���s���g�|�]
}t�|��qS�r'���)r\���)rY���rG���r'���r'���r(���r[���E��s����z%update_ssh_config.<locals>.<listcomp>T)r����r���)r����r�����update_ssh_config_linesr���r����r-���r7���)r����rW���rT����changedr'���r'���r(����update_ssh_config:��s����
r����c������� ������C���s��t���}g�}tdd��|j��D���}x�t|�dd�D�]v\}}|js>q.|j|kr.||j�}||�}|j|��|j|kr�tjd|||��q.|j |��tjd|||j|��||_q.W�t
|�t
|�k�r
xN|j
��D�]B\}}||kr�q�|j |��|�j t
d||���tjdt
|��||��q�W�|S�) z�Update the SSH config lines per updates.
@param lines: array of SshdConfigLine. This array is updated in place.
@param updates: dictionary of desired values {Option: value}
@return: A list of keys in updates that were changed.c�������������S���s���g�|�]}|j���|f�qS�r'���)r����)rY���rZ���r'���r'���r(���r[���U��s����z+update_ssh_config_lines.<locals>.<listcomp>r5���)�startz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %sr>���z line %d: option %s added with %s)
�set�dictrb���� enumeraterc����addrp���rR���rw���r,���r7����itemsr����) rT���r�����foundr����Zcasemapr:���rG���rc���rp���r'���r'���r(���r����K��s<����
r����)rT���c�������������C���s>���|�sd�S�t�|�}dd��|�D��}tj|dj|�d�ddd��d�S�)Nc�������������s���s ���|�]\}}|��d�|���V��qdS�)r+���Nr'���)rY���rZ���r����r'���r'���r(���� <genexpr>}��s����z$append_ssh_config.<locals>.<genexpr>r^���ZabT)Zomoder����)r����r���r����r-���)rT���rW���r����r'���r'���r(����append_ssh_configy��s����
r����c�����������
���C���sp���d}�t�tj�� �tjddgddgd�\}}�W�dQ�R�X�d}x2|�jd �D�]$}|j|�rD|t|�|jd
���S�qDW�dS�)
z�Get the full version of the OpenSSH sshd daemon on the system.
On an ubuntu system, this would look something like:
1.2p1 Ubuntu-1ubuntu0.1
If we can't find `sshd` or parse the version number, return None.
r>���Zsshdz-Vr���r5���)�rcsNZOpenSSH_r^����,)r���r���ZProcessExecutionErrorr@���rE���r7����find)�err�_�prefixrG���r'���r'���r(����get_opensshd_version���s����
$
r����c�����������
���C���s����d}�t���}|dkr
tjj|��S�d|kr:|d|jd���}�n d|krV|d|jd���}�n|}�ytjj|��}�|�S��ttfk
r����tjd|���Y�nX�dS�)z�Get the upstream version of the OpenSSH sshd dameon on the system.
This will NOT include the portable number, so if the Ubuntu version looks
like `1.2p1 Ubuntu-1ubuntu0.1`, then this function would return
`1.2`
z9.0N�pr+���z Could not parse sshd version: %s) r����r���ZVersionZfrom_strr����r����rA���rR���Zwarning)Zupstream_versionZ
full_versionr'���r'���r(����
get_opensshd_upstream_version���s
����
r����)r���r ���r
���r
���r
���r
���r���r���r���r���r���r���r���r���r���r���r���r���r���r���r
���r
���)N)*ZloggingrJ���re����
contextlibr���Ztypingr���r���r���Z cloudinitr���r���Z getLoggerr0���rR���r����rB���Z_DISABLE_USER_SSH_EXITr\���ZDISABLE_USER_OPTSr ���r3���rX���rd���rk���rr���r|���r����r����r����r����r����r����r�����boolr����r����r����r����r����r����r����r'���r'���r'���r(����<module> ���sh���
���������������������
Y
EO
9
.