[X2Go-Commits] [x2gobroker] 01/01: Provide x2gobroker system user public keys to broker agents with SSH options--strongly restricting the key usage--now. Modify x2gobroker- pubkeyauthorizer in a way that it replaces non-option keys with the newly provided optionized/restricted pubkeys. (Fixes: #685).
Tue Mar 31 06:01:08 CEST 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch master
in repository x2gobroker.
commit 7b98c0514eaae794ce5880f86bab12f3a2bf9766
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Tue Mar 31 06:00:59 2015 +0200
Provide the x2gobroker system user's public keys to broker agents with SSH options that strongly restrict how the key may be used. Modify x2gobroker-pubkeyauthorizer so that it replaces option-less keys with the newly provided restricted pubkeys. (Fixes: #685).
---
debian/changelog | 4 ++++
sbin/x2gobroker-pubkeyauthorizer | 31 +++++++++++++++++++++++++++++--
x2gobroker/web/extras.py | 4 ++--
3 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index a0640e5..d13ad72 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -285,6 +285,10 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low
hand-back the system's hostname to X2Go Client / Python X2Go.
- Add security notice / disclaimer to x2gbroker.1 man page as suggested
by Stefan Baur. (Fixes: #666).
+ - Provide x2gobroker system user public keys to broker agents with SSH
+ options--strongly restricting the key usage--now. Modify x2gobroker-
+ pubkeyauthorizer in a way that it replaces non-option keys with the
+ newly provided optionized/restricted pubkeys. (Fixes: #685).
* debian/control:
+ Provide separate bin:package for SSH brokerage: x2gobroker-ssh.
+ Replace LDAP support with session brokerage support in LONG_DESCRIPTION.
diff --git a/sbin/x2gobroker-pubkeyauthorizer b/sbin/x2gobroker-pubkeyauthorizer
index 8a85e3b..619fe20 100755
--- a/sbin/x2gobroker-pubkeyauthorizer
+++ b/sbin/x2gobroker-pubkeyauthorizer
@@ -155,6 +155,7 @@ if __name__ == '__main__':
append_authorized_keys = open('{home}/.ssh/authorized_keys'.format(home=broker_home), 'ab')
i = 0
+ to_be_removed = []
for new_pubkey in new_pubkeys:
# ignore empty lines
@@ -163,15 +164,26 @@ if __name__ == '__main__':
# check key integrity!
is_key = False
- if re.match(r'ssh-dss AAAAB3NzaC1kc3MA', new_pubkey):
+ if re.match(r'.*ssh-dss AAAAB3NzaC1kc3MA.*', new_pubkey):
is_key = True
- elif re.match(r'ssh-rsa AAAAB3NzaC1yc2EA', new_pubkey):
+ elif re.match(r'.*ssh-rsa AAAAB3NzaC1yc2EA.*', new_pubkey):
is_key = True
if is_key is False:
continue
else:
i += 1
+
+ # legacy support for authorized_keys files containing SSH keys without options...
+ # if the remote server provides an already present pubkey with options, replace the
+ # non-option key in the authorized_keys file...
+ keytype, pubkey, owner = new_pubkey.rsplit(" ", 2)
+ keyopts = ""
+ if " " in keytype:
+ keyopts, keytype = keytype.rsplit(" ", 1)
+ if " ".join([keytype, pubkey, owner]) in already_authorized_keys:
+ to_be_removed.append(" ".join([keytype, pubkey, owner]))
+
if new_pubkey not in already_authorized_keys:
append_authorized_keys.write('{k}\n'.format(k=new_pubkey))
logger_broker.info(' Adding new public key (counter={i}) to {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
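Review bot: The relaxed patterns on the two `re.match` lines no longer validate the line, only that a key-looking substring occurs somewhere in it, so `# check key integrity!` is no longer true: whatever prefix the remote broker serves is copied verbatim into authorized_keys, and the unpack `keytype, pubkey, owner = new_pubkey.rsplit(" ", 2)` raises ValueError on a key served without a trailing comment field. Because options may contain quoted spaces, validate after splitting rather than before: `fields = new_pubkey.rsplit(" ", 2)` then `if len(fields) != 3 or fields[0].rsplit(" ", 1)[-1] not in ('ssh-rsa', 'ssh-dss') or not re.match(r'^[A-Za-z0-9+/]+={0,2}$', fields[1]): continue`. Whether `cmdline_args.broker_url` is fetched over authenticated TLS is not visible here; if it is not, the option string is one more field an on-path attacker controls, although options can only narrow what a key permits. The enclosing `if __name__ == '__main__':` block starts and ends outside this hunk.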
@@ -180,6 +192,21 @@ if __name__ == '__main__':
append_authorized_keys.close()
+ if to_be_removed:
+ cleanup_authorized_keys = open('{home}/.ssh/authorized_keys'.format(home=broker_home), 'r+')
+ lines = cleanup_authorized_keys.readlines()
+ cleanup_authorized_keys.seek(0)
+ i = 0
+ for line in lines:
+ i += 1
+ line = line.rstrip("\n")
+ if line not in to_be_removed:
+ cleanup_authorized_keys.write(line)
+ else:
+ logger_broker.info(' Dropping replaced non-option public key (counter={i}) from {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
+ cleanup_authorized_keys.truncate()
+ cleanup_authorized_keys.close()
+
if i == 0:
logger_broker.error('No public SSH key was processed.')
logger_broker.error('Check the URL {url}'.format(url=cmdline_args.broker_url))
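Review bot: The rewrite loop strips the newline with `line = line.rstrip("\n")` and then writes `line` back without one, so as soon as a single legacy key is dropped every retained key in authorized_keys is concatenated onto one line that sshd will no longer parse; write `cleanup_authorized_keys.write(line + "\n")` (or compare on `line.rstrip("\n")` and write the original `line`). The same block reassigns the key counter `i` to the file's line count, so the `if i == 0:` check below reports on a different quantity whenever a removal happened; use a separate name such as `lineno`. Rewriting authorized_keys in place with seek/truncate and no `with` also leaves a partially written file if the process dies mid-loop, so writing to a temporary file in the same directory with mode 0600 and renaming it over the original would be safer — I cannot see from here whether `os` is already imported. The enclosing `if __name__ == '__main__':` block starts outside this hunk.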
diff --git a/x2gobroker/web/extras.py b/x2gobroker/web/extras.py
index a9fe3f9..d4e091f 100644
--- a/x2gobroker/web/extras.py
+++ b/x2gobroker/web/extras.py
@@ -73,10 +73,10 @@ class X2GoBrokerPubKeyService(_RequestHandler):
if os.path.exists('{home}/.ssh/id_rsa.pub'.format(home=broker_home)):
pubkey = paramiko.RSAKey(filename='{home}/.ssh/id_rsa'.format(home=broker_home))
- output += 'ssh-rsa {pubkey} {user}@{hostname}\n'.format(pubkey=str(pubkey.get_base64()), user=x2gobroker.defaults.X2GOBROKER_DAEMON_USER, hostname=x2gobroker.defaults.X2GOBROKER_HOSTNAME)
+ output += 'command=/usr/lib/x2go/x2gobroker-agent,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa {pubkey} {user}@{hostname}\n'.format(pubkey=str(pubkey.get_base64()), user=x2gobroker.defaults.X2GOBROKER_DAEMON_USER, hostname=x2gobroker.defaults.X2GOBROKER_HOSTNAME)
if os.path.exists('{home}/.ssh/id_dsa.pub'.format(home=broker_home)):
pubkey = paramiko.DSSKey(filename='{home}/.ssh/id_dsa'.format(home=broker_home))
- output += 'ssh-dss {pubkey} {user}@{hostname}\n'.format(pubkey=str(pubkey.get_base64()), user=x2gobroker.defaults.X2GOBROKER_DAEMON_USER, hostname=x2gobroker.defaults.X2GOBROKER_HOSTNAME)
+ output += 'command=/usr/lib/x2go/x2gobroker-agent,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss {pubkey} {user}@{hostname}\n'.format(pubkey=str(pubkey.get_base64()), user=x2gobroker.defaults.X2GOBROKER_DAEMON_USER, hostname=x2gobroker.defaults.X2GOBROKER_HOSTNAME)
self.write(output)
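Review bot: The option list on the two new `output +=` lines omits `no-user-rc`, so a `~/.ssh/rc` in the broker user's home on the agent host would still run before the forced command; add it. The same option string is now duplicated for the RSA and DSA branches, so hoist it into one module-level constant to keep them from drifting, e.g. `AGENT_KEY_OPTIONS = 'command=/usr/lib/x2go/x2gobroker-agent,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc'` and `output += '{opts} ssh-rsa {pubkey} {user}@{hostname}\n'.format(opts=AGENT_KEY_OPTIONS, ...)`. The agent path is hard-coded, and whether `/usr/lib/x2go/x2gobroker-agent` exists on every agent host is not verifiable here; a wrong path would turn every broker login into a failed forced command with no fallback. Since x2gobroker-pubkeyauthorizer splits these lines on spaces, the option string must also stay free of unquoted spaces. The enclosing handler method starts outside this hunk.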