This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 7b98c0514eaae794ce5880f86bab12f3a2bf9766 Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Tue Mar 31 06:00:59 2015 +0200 Provide x2gobroker system user public keys to broker agents with SSH options--strongly restricting the key usage--now. Modify x2gobroker- pubkeyauthorizer in a way that it replaces non-option keys with the newly provided optionized/restricted pubkeys. (Fixes: #685). --- debian/changelog | 4 ++++ sbin/x2gobroker-pubkeyauthorizer | 31 +++++++++++++++++++++++++++++-- x2gobroker/web/extras.py | 4 ++-- 3 files changed, 35 insertions(+), 4 deletions(-) diff --git a/debian/changelog b/debian/changelog index a0640e5..d13ad72 100644 --- a/debian/changelog +++ b/debian/changelog @@ -285,6 +285,10 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low hand-back the system's hostname to X2Go Client / Python X2Go. - Add security notice / disclaimer to x2gbroker.1 man page as suggested by Stefan Baur. (Fixes: #666). + - Provide x2gobroker system user public keys to broker agents with SSH + options--strongly restricting the key usage--now. Modify x2gobroker- + pubkeyauthorizer in a way that it replaces non-option keys with the + newly provided optionized/restricted pubkeys. (Fixes: #685). * debian/control: + Provide separate bin:package for SSH brokerage: x2gobroker-ssh. + Replace LDAP support with session brokerage support in LONG_DESCRIPTION. diff --git a/sbin/x2gobroker-pubkeyauthorizer b/sbin/x2gobroker-pubkeyauthorizer index 8a85e3b..619fe20 100755 --- a/sbin/x2gobroker-pubkeyauthorizer +++ b/sbin/x2gobroker-pubkeyauthorizer @@ -155,6 +155,7 @@ if __name__ == '__main__': append_authorized_keys = open('{home}/.ssh/authorized_keys'.format(home=broker_home), 'ab') i = 0 + to_be_removed = [] for new_pubkey in new_pubkeys: # ignore empty lines 
@@ -163,15 +164,26 @@ if __name__ == '__main__': # check key integrity! is_key = False - if re.match(r'ssh-dss AAAAB3NzaC1kc3MA', new_pubkey): + if re.match(r'.*ssh-dss AAAAB3NzaC1kc3MA.*', new_pubkey): is_key = True - elif re.match(r'ssh-rsa AAAAB3NzaC1yc2EA', new_pubkey): + elif re.match(r'.*ssh-rsa AAAAB3NzaC1yc2EA.*', new_pubkey): is_key = True if is_key is False: continue else: i += 1 + + # legacy support for authorized_keys files containing SSH keys without options... + # if the remote server provides an already present pubkey with options, replace the + # non-option key in the authorized_keys file... + keytype, pubkey, owner = new_pubkey.rsplit(" ", 2) + keyopts = "" + if " " in keytype: + keyopts, keytype = keytype.rsplit(" ", 1) + if " ".join([keytype, pubkey, owner]) in already_authorized_keys: + to_be_removed.append(" ".join([keytype, pubkey, owner])) + if new_pubkey not in already_authorized_keys: append_authorized_keys.write('{k}\n'.format(k=new_pubkey)) logger_broker.info(' Adding new public key (counter={i}) to {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home))) @@ -180,6 +192,21 @@ if __name__ == '__main__': append_authorized_keys.close() + if to_be_removed: + cleanup_authorized_keys = open('{home}/.ssh/authorized_keys'.format(home=broker_home), 'r+') + lines = cleanup_authorized_keys.readlines() + cleanup_authorized_keys.seek(0) + i = 0 + for line in lines: + i += 1 + line = line.rstrip("\n") + if line not in to_be_removed: + cleanup_authorized_keys.write(line) + else: + logger_broker.info(' Dropping replaced non-option public key (counter={i}) from {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home))) + cleanup_authorized_keys.truncate() + cleanup_authorized_keys.close() + if i == 0: logger_broker.error('No public SSH key was processed.') logger_broker.error('Check the URL {url}'.format(url=cmdline_args.broker_url)) 
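Review bot: The new `keytype, pubkey, owner = new_pubkey.rsplit(" ", 2)` unpack raises ValueError on any line with fewer than three space-separated fields, and the `.*`-relaxed `re.match` now lets such lines (a bare `ssh-rsa AAAA...` with no comment, or a comment containing spaces) past the integrity check; add `if new_pubkey.count(" ") < 2: continue` before the split and `if keytype not in ('ssh-rsa', 'ssh-dss'): continue` after it, since the loosened regex can also match inside the options text. `keyopts` is computed but never used, so either drop it or use it for that check. The options prefix is copied from the remote URL into authorized_keys verbatim; if #685 is meant to enforce the restriction on the agent side, presumably the authorizer should also verify that `command=` and the `no-*` options are present instead of trusting the server to send them. The enclosing `if __name__ == '__main__':` block begins before this hunk.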
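Review bot: `cleanup_authorized_keys.write(line)` drops the newline that `line.rstrip("\n")` stripped, so every kept key is concatenated onto a single line and sshd will only recognise the first of them; write `cleanup_authorized_keys.write(line + "\n")` instead. The loop also resets and reuses `i`, so the `if i == 0` check below now counts surviving lines in the file rather than processed keys; use a separate counter for the cleanup pass. Rewriting in place with `'r+'` and `truncate()` leaves a truncated authorized_keys if the process dies mid-write, so a safer pattern is to write a temp file in the same directory with the same mode and `os.rename()` it over the original, and a `with` block would guarantee the close on error. The enclosing `if __name__ == '__main__':` block begins before this hunk.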
diff --git a/x2gobroker/web/extras.py b/x2gobroker/web/extras.py index a9fe3f9..d4e091f 100644 --- a/x2gobroker/web/extras.py +++ b/x2gobroker/web/extras.py @@ -73,10 +73,10 @@ class X2GoBrokerPubKeyService(_RequestHandler): if os.path.exists('{home}/.ssh/id_rsa.pub'.format(home=broker_home)): pubkey = paramiko.RSAKey(filename='{home}/.ssh/id_rsa'.format(home=broker_home)) - output += 'ssh-rsa {pubkey} {user}@{hostname}\n'.format(pubkey=str(pubkey.get_base64()), user=x2gobroker.defaults.X2GOBROKER_DAEMON_USER, hostname=x2gobroker.defaults.X2GOBROKER_HOSTNAME) + output += 'command=/usr/lib/x2go/x2gobroker-agent,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa {pubkey} {user}@{hostname}\n'.format(pubkey=str(pubkey.get_base64()), user=x2gobroker.defaults.X2GOBROKER_DAEMON_USER, hostname=x2gobroker.defaults.X2GOBROKER_HOSTNAME) if os.path.exists('{home}/.ssh/id_dsa.pub'.format(home=broker_home)): pubkey = paramiko.DSSKey(filename='{home}/.ssh/id_dsa'.format(home=broker_home)) - output += 'ssh-dss {pubkey} {user}@{hostname}\n'.format(pubkey=str(pubkey.get_base64()), user=x2gobroker.defaults.X2GOBROKER_DAEMON_USER, hostname=x2gobroker.defaults.X2GOBROKER_HOSTNAME) + output += 'command=/usr/lib/x2go/x2gobroker-agent,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss {pubkey} {user}@{hostname}\n'.format(pubkey=str(pubkey.get_base64()), user=x2gobroker.defaults.X2GOBROKER_DAEMON_USER, hostname=x2gobroker.defaults.X2GOBROKER_HOSTNAME) self.write(output) -- Alioth's /srv/git/code.x2go.org/x2gobroker.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git
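Review bot: sshd's authorized_keys grammar requires the value of `command=` to be double-quoted, so the unquoted `command=/usr/lib/x2go/x2gobroker-agent,...` added in both lines is, as far as I can tell, treated as a bad option and the key is refused outright; use `command="/usr/lib/x2go/x2gobroker-agent",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ` and verify against a real sshd before shipping. The identical options string is duplicated for the RSA and DSS branches; hoist it into one module-level constant, and consider taking the agent path from the package defaults rather than hard-coding `/usr/lib/x2go`. Since this key identifies the broker host, a `from="..."` restriction pinned to the broker's address would further limit misuse of a leaked key where the broker's source address is stable in the deployment. The enclosing handler method starts outside the hunk.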