x2gobroker.git - master (branch) updated: 0.0.2.3-47-g96a80de - x2go-commits

2 Oct 2013

The branch, master has been updated
       via  96a80ded18ff40b118ea265a59f61239010f823b (commit)
      from  12e0e180bbfe0a10924edbb950bb859f2c576757 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 96a80ded18ff40b118ea265a59f61239010f823b
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Wed Oct 2 15:24:36 2013 +0200

    Add sanity checks to x2gobroker-pubkeyauthorizer.

-----------------------------------------------------------------------

Summary of changes:
 debian/changelog                 |    1 +
 sbin/x2gobroker-pubkeyauthorizer |   44 +++++++++++++++++++++++++++-----------
 2 files changed, 32 insertions(+), 13 deletions(-)

The diff of changes is:

diff --git a/debian/changelog b/debian/changelog
index 0a39a49..7cb7c77 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -33,6 +33,7 @@ x2gobroker (0.0.3.0-0~x2go1) UNRELEASED; urgency=low
       is down).
     - Catch RequestHandler errors and write them to the error log channel.
     - Raised verbosity level to INFO for session broker utilities.
+    - Add sanity checks to x2gobroker-pubkeyauthorizer.
   * /debian/control:
     + Replace LDAP support with session brokerage support in LONG_DESCRIPTION.
   * /debian/x2gobroker-agent.dirs:
diff --git a/sbin/x2gobroker-pubkeyauthorizer b/sbin/x2gobroker-pubkeyauthorizer
index 9588af0..d507cd8 100755
--- a/sbin/x2gobroker-pubkeyauthorizer
+++ b/sbin/x2gobroker-pubkeyauthorizer
@@ -27,11 +27,11 @@ import setproctitle
 import argparse
 import logging
 import binascii
-import paramiko
 import urllib
 import getpass
 import logging
 import logging.config
+import re
 
 from pwd import getpwnam
 from grp import getgrnam
@@ -130,7 +130,7 @@ if __name__ == '__main__':
         sys.exit(-2)
 
     logger_broker.info('Authorizing access to this X2Go server for X2Go Session Broker')
-    logger_broker.info('  at URL {url}'.format(url=cmdline_args.broker_url))
+    logger_broker.info('at URL {url}'.format(url=cmdline_args.broker_url))
 
     if not os.path.exists('{home}/.ssh'.format(home=broker_home)):
         os.mkdir('{home}/.ssh'.format(home=broker_home))
@@ -138,9 +138,7 @@ if __name__ == '__main__':
         os.chmod('{home}/.ssh'.format(home=broker_home), 0750)
         logger_broker.info('  Created {home}/.ssh'.format(home=broker_home))
 
-    # FIXME: this probably needs some sanity checks(?)
     tmpfile_name, httpmsg = urllib.urlretrieve(cmdline_args.broker_url)
-
     tmpfile = open(tmpfile_name, 'rb')
     new_pubkeys = [ k for k in tmpfile.read().split('\n') if k ]
     logger_broker.info('  Found {i} public keys at URL {url}'.format(i=len(new_pubkeys), url=cmdline_args.broker_url))
@@ -157,17 +155,37 @@ if __name__ == '__main__':
 
     i = 0
     for new_pubkey in new_pubkeys:
-        i += 1
-        if new_pubkey not in already_authorized_keys:
-            append_authorized_keys.write('{k}\n'.format(k=new_pubkey))
-            logger_broker.info('  Adding new public key (counter={i}) to {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
+
+        # ignore empty lines
+        if not new_pubkey:
+            continue
+
+        # check key integrity!
+        is_key = False
+        if re.match(r'ssh-dss AAAAB3NzaC1kc3MA', new_pubkey):
+            is_key = True
+        elif re.match(r'ssh-rsa AAAAB3NzaC1yc2EA', new_pubkey):
+            is_key = True
+
+        if is_key is False:
+            continue
         else:
-            logger_broker.warning('  Skipping new public key (counter={i}), already in {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
+            i += 1
+            if new_pubkey not in already_authorized_keys:
+                append_authorized_keys.write('{k}\n'.format(k=new_pubkey))
+                logger_broker.info('  Adding new public key (counter={i}) to {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
+            else:
+                logger_broker.warning('  Skipping new public key (counter={i}), already in {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
 
     append_authorized_keys.close()
 
-    # set proper file permissions
-    os.chown('{home}/.ssh/authorized_keys'.format(home=broker_home), broker_uidnumber, broker_gidnumber)
-    os.chmod('{home}/.ssh/authorized_keys'.format(home=broker_home), 0644)
+    if i == 0:
+        logger_broker.error('No public SSH key was processed.')
+        logger_broker.error('Check the URL {url}'.format(url=cmdline_args.broker_url))
+        logger_broker.error('manually from a webbrowser.')
+    else:
+        # set proper file permissions
+        os.chown('{home}/.ssh/authorized_keys'.format(home=broker_home), broker_uidnumber, broker_gidnumber)
+        os.chmod('{home}/.ssh/authorized_keys'.format(home=broker_home), 0644)
 
-    logger_broker.info('Completed successfully: X2Go Session Broker\'s PubKey Authorizer.'.format(url=cmdline_args.broker_url))
+        logger_broker.info('Completed successfully: X2Go Session Broker\'s PubKey Authorizer.'.format(url=cmdline_args.broker_url))


hooks/post-receive
-- 
x2gobroker.git (HTTP(S) Session broker for X2Go)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "x2gobroker.git" (HTTP(S) Session broker for X2Go).

    