[X2Go-Commits] x2gobroker.git - master (branch) updated: 0.0.2.3-47-g96a80de
X2Go dev team
git-admin at x2go.org
Wed Oct 2 15:24:45 CEST 2013
The branch, master has been updated
via 96a80ded18ff40b118ea265a59f61239010f823b (commit)
from 12e0e180bbfe0a10924edbb950bb859f2c576757 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 96a80ded18ff40b118ea265a59f61239010f823b
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Wed Oct 2 15:24:36 2013 +0200
Add sanity checks to x2gobroker-pubkeyauthorizer.
-----------------------------------------------------------------------
Summary of changes:
debian/changelog | 1 +
sbin/x2gobroker-pubkeyauthorizer | 44 +++++++++++++++++++++++++++-----------
2 files changed, 32 insertions(+), 13 deletions(-)
The diff of changes is:
diff --git a/debian/changelog b/debian/changelog
index 0a39a49..7cb7c77 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -33,6 +33,7 @@ x2gobroker (0.0.3.0-0~x2go1) UNRELEASED; urgency=low
is down).
- Catch RequestHandler errors and write them to the error log channel.
- Raised verbosity level to INFO for session broker utilities.
+ - Add sanity checks to x2gobroker-pubkeyauthorizer.
* /debian/control:
+ Replace LDAP support with session brokerage support in LONG_DESCRIPTION.
* /debian/x2gobroker-agent.dirs:
diff --git a/sbin/x2gobroker-pubkeyauthorizer b/sbin/x2gobroker-pubkeyauthorizer
index 9588af0..d507cd8 100755
--- a/sbin/x2gobroker-pubkeyauthorizer
+++ b/sbin/x2gobroker-pubkeyauthorizer
@@ -27,11 +27,11 @@ import setproctitle
import argparse
import logging
import binascii
-import paramiko
import urllib
import getpass
import logging
import logging.config
+import re
from pwd import getpwnam
from grp import getgrnam
@@ -130,7 +130,7 @@ if __name__ == '__main__':
sys.exit(-2)
logger_broker.info('Authorizing access to this X2Go server for X2Go Session Broker')
- logger_broker.info(' at URL {url}'.format(url=cmdline_args.broker_url))
+ logger_broker.info('at URL {url}'.format(url=cmdline_args.broker_url))
if not os.path.exists('{home}/.ssh'.format(home=broker_home)):
os.mkdir('{home}/.ssh'.format(home=broker_home))
@@ -138,9 +138,7 @@ if __name__ == '__main__':
os.chmod('{home}/.ssh'.format(home=broker_home), 0750)
logger_broker.info(' Created {home}/.ssh'.format(home=broker_home))
- # FIXME: this probably needs some sanity checks(?)
tmpfile_name, httpmsg = urllib.urlretrieve(cmdline_args.broker_url)
-
tmpfile = open(tmpfile_name, 'rb')
new_pubkeys = [ k for k in tmpfile.read().split('\n') if k ]
logger_broker.info(' Found {i} public keys at URL {url}'.format(i=len(new_pubkeys), url=cmdline_args.broker_url))
@@ -157,17 +155,37 @@ if __name__ == '__main__':
i = 0
for new_pubkey in new_pubkeys:
- i += 1
- if new_pubkey not in already_authorized_keys:
- append_authorized_keys.write('{k}\n'.format(k=new_pubkey))
- logger_broker.info(' Adding new public key (counter={i}) to {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
+
+ # ignore empty lines
+ if not new_pubkey:
+ continue
+
+ # check key integrity!
+ is_key = False
+ if re.match(r'ssh-dss AAAAB3NzaC1kc3MA', new_pubkey):
+ is_key = True
+ elif re.match(r'ssh-rsa AAAAB3NzaC1yc2EA', new_pubkey):
+ is_key = True
+
+ if is_key is False:
+ continue
else:
- logger_broker.warning(' Skipping new public key (counter={i}), already in {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
+ i += 1
+ if new_pubkey not in already_authorized_keys:
+ append_authorized_keys.write('{k}\n'.format(k=new_pubkey))
+ logger_broker.info(' Adding new public key (counter={i}) to {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
+ else:
+ logger_broker.warning(' Skipping new public key (counter={i}), already in {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
append_authorized_keys.close()
- # set proper file permissions
- os.chown('{home}/.ssh/authorized_keys'.format(home=broker_home), broker_uidnumber, broker_gidnumber)
- os.chmod('{home}/.ssh/authorized_keys'.format(home=broker_home), 0644)
+ if i == 0:
+ logger_broker.error('No public SSH key was processed.')
+ logger_broker.error('Check the URL {url}'.format(url=cmdline_args.broker_url))
+ logger_broker.error('manually from a webbrowser.')
+ else:
+ # set proper file permissions
+ os.chown('{home}/.ssh/authorized_keys'.format(home=broker_home), broker_uidnumber, broker_gidnumber)
+ os.chmod('{home}/.ssh/authorized_keys'.format(home=broker_home), 0644)
- logger_broker.info('Completed successfully: X2Go Session Broker\'s PubKey Authorizer.'.format(url=cmdline_args.broker_url))
+ logger_broker.info('Completed successfully: X2Go Session Broker\'s PubKey Authorizer.'.format(url=cmdline_args.broker_url))
hooks/post-receive
--
x2gobroker.git (HTTP(S) Session broker for X2Go)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "x2gobroker.git" (HTTP(S) Session broker for X2Go).
More information about the x2go-commits
mailing list