[X2Go-Commits] [x2gobroker] 06/06: sbin/x2gobroker-pubkeyauthorizer: Improve key integrity checker and move it further up. Plus one more Python2 -> Python3 issue fixed.

git-admin at x2go.org git-admin at x2go.org
Mon Apr 16 13:43:01 CEST 2018



x2go pushed a commit to branch master
in repository x2gobroker.

commit a8610199904a6411a77f1086a4af8ba71a747f1a
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Mon Apr 16 13:42:46 2018 +0200

    sbin/x2gobroker-pubkeyauthorizer: Improve key integrity checker and move it further up. Plus one more Python2 -> Python3 issue fixed.
---
 sbin/x2gobroker-pubkeyauthorizer | 90 ++++++++++++++++++++++++----------------
 1 file changed, 54 insertions(+), 36 deletions(-)

diff --git a/sbin/x2gobroker-pubkeyauthorizer b/sbin/x2gobroker-pubkeyauthorizer
index 0948f1e..e171c79 100755
--- a/sbin/x2gobroker-pubkeyauthorizer
+++ b/sbin/x2gobroker-pubkeyauthorizer
@@ -138,11 +138,44 @@ if __name__ == '__main__':
 
     tmpfile_name, httpmsg = urllib.request.urlretrieve(cmdline_args.broker_url)
     tmpfile = open(tmpfile_name, 'rb')
-    new_pubkeys = [ k for k in tmpfile.read().decode().split('\n') if k ]
-    if len(new_pubkeys) == 1:
-        logger_broker.info('  Found {i} public key at URL {url}'.format(i=len(new_pubkeys), url=cmdline_args.broker_url))
+    new_pubkeys_raw = [ k for k in tmpfile.read().decode().split('\n') if k ]
+
+    i = 0
+    new_pubkeys = []
+    for new_pubkey in new_pubkeys_raw:
+
+        if not new_pubkey:
+            # fully ignore empty lines
+            continue
+
+        if re.match(r'^#.*', new_pubkey):
+            # fully ignore commented out lines
+            continue
+
+        # check key integrity!
+        is_key = False
+        if re.match(r'.*ssh-dss AAAAB3NzaC1kc3MA.*', new_pubkey):
+            is_key = True
+        elif re.match(r'.*ssh-rsa AAAAB3NzaC1yc2EA.*', new_pubkey):
+            is_key = True
+
+        if not is_key:
+           logger_broker.error('The broker returned something that does not look like SSH RSA/DSA keys.')
+           logger_broker.error('Check the URL {url}'.format(url=cmdline_args.broker_url))
+           logger_broker.error('manually from a webbrowser.')
+           sys.exit(-1)
+
+        i += 1
+        new_pubkeys.append(new_pubkey)
+
+    if i == 1:
+        logger_broker.info('  Found {n} public key at URL {url}'.format(n=len(new_pubkeys), url=cmdline_args.broker_url))
+    elif i > 1:
+        logger_broker.info('  Found {n} public keys at URL {url}'.format(n=len(new_pubkeys), url=cmdline_args.broker_url))
     else:
-        logger_broker.info('  Found {i} public keys at URL {url}'.format(i=len(new_pubkeys), url=cmdline_args.broker_url))
+        logger_broker.info('  No public keys found at URL {url}'.format(url=cmdline_args.broker_url))
+        sys.exit(0)
+
     tmpfile.close()
 
     append_newline = ""
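Review bot: The "integrity" check in the new `is_key` block is an unanchored substring test — `re.match(r'.*ssh-rsa AAAAB3NzaC1yc2EA.*', …)` accepts any line that merely contains that token, with nothing else on it or with arbitrary text in front of the key, and that raw line is what the second hunk later writes verbatim into `authorized_keys`. It also rejects ssh-ed25519 and ecdsa-sha2-* keys while still accepting ssh-dss, which OpenSSH has disabled by default since 7.0, so the accepted set looks accidental rather than chosen. A structural check is cheap: locate the type token, base64-decode the blob (`base64` is stdlib; the import block is outside this hunk, add it if missing) and verify that its first length-prefixed field repeats the type name as RFC 4253 requires. Separately, the body of `if not is_key:` is indented three spaces where the file uses four, `if not new_pubkey: continue` is dead because the comprehension over `new_pubkeys_raw` already drops empty strings, and the `urlretrieve` temp file `tmpfile_name` is never removed. The enclosing `if __name__ == '__main__':` block starts before this hunk.
```python
        # check key integrity: the blob is an RFC 4253 string whose first
        # length-prefixed field must repeat the key type written in front of it
        m = re.search(r'(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) ([A-Za-z0-9+/]+=*)(?=\s|$)', new_pubkey)
        is_key = False
        if m:
            keytype = m.group(1).encode()
            try:
                blob = base64.b64decode(m.group(2), validate=True)
            except ValueError:
                blob = b''
            is_key = int.from_bytes(blob[:4], 'big') == len(keytype) and blob[4:4 + len(keytype)] == keytype
        # … unchanged: error messages and sys.exit(-1) when not is_key, counter, append …
```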
@@ -156,48 +189,33 @@ if __name__ == '__main__':
     except IOError:
         already_authorized_keys = []
 
+    already_authorized_keys = [ k for k in already_authorized_keys if k ]
+
     append_authorized_keys = open('{home}/.ssh/authorized_keys'.format(home=broker_home), 'ab')
 
     if append_newline:
         logger_broker.warning('  The file {authorized_keys} does not end with a newline character. Adding it.'.format(authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
         append_authorized_keys.write(append_newline)
 
-    i = 0
     to_be_removed = []
     for new_pubkey in new_pubkeys:
 
-        # ignore empty lines
-        if not new_pubkey:
-            continue
-
-        # check key integrity!
-        is_key = False
-        if re.match(r'.*ssh-dss AAAAB3NzaC1kc3MA.*', new_pubkey):
-            is_key = True
-        elif re.match(r'.*ssh-rsa AAAAB3NzaC1yc2EA.*', new_pubkey):
-            is_key = True
-
-        if is_key is False:
-            continue
+        # legacy support for authorized_keys files containing SSH keys without options...
+        # if the remote server provides an already present pubkey with options, replace the
+        # non-option key in the authorized_keys file...
+        keytype, pubkey, owner = new_pubkey.rsplit(" ", 2)
+        keyopts = ""
+        if " " in keytype:
+            keyopts, keytype = keytype.rsplit(" ", 1)
+        for authorized_key in already_authorized_keys:
+            if authorized_key.endswith(" ".join([keytype, pubkey, owner])) and not authorized_key.startswith(keyopts):
+                to_be_removed.append(authorized_key)
+
+        if new_pubkey not in already_authorized_keys:
+            append_authorized_keys.write('{k}\n'.format(k=new_pubkey).encode())
+            logger_broker.info('  Adding new public key (counter={i}) to {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
         else:
-            i += 1
-
-            # legacy support for authorized_keys files containing SSH keys without options...
-            # if the remote server provides an already present pubkey with options, replace the
-            # non-option key in the authorized_keys file...
-            keytype, pubkey, owner = new_pubkey.rsplit(" ", 2)
-            keyopts = ""
-            if " " in keytype:
-                keyopts, keytype = keytype.rsplit(" ", 1)
-            for authorized_key in [ k for k in already_authorized_keys if k ]:
-                if authorized_key.endswith(" ".join([keytype, pubkey, owner])) and not authorized_key.startswith(keyopts):
-                    to_be_removed.append(authorized_key)
-
-            if new_pubkey not in already_authorized_keys:
-                append_authorized_keys.write('{k}\n'.format(k=new_pubkey))
-                logger_broker.info('  Adding new public key (counter={i}) to {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
-            else:
-                logger_broker.warning('  Skipping new public key (counter={i}), already in {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
+            logger_broker.warning('  Skipping new public key (counter={i}), already in {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
 
     append_authorized_keys.close()
 
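Review bot: The unpack `keytype, pubkey, owner = new_pubkey.rsplit(" ", 2)` on the new side raises ValueError for a key line without a trailing comment (two fields, `ssh-rsa AAAA…`), which the integrity check in the first hunk accepts, so one such line from the broker aborts the run with a traceback after `authorized_keys` has already been opened for append. A comment containing spaces shifts the fields the other way, so `pubkey` ends up holding part of the comment and the legacy-replacement `endswith` match never fires. Parsing the line around the key-type token (`re` is already in scope) handles both cases and keeps the existing `endswith`/`startswith` comparison intact. Also, `counter={i}` in the two log lines now always prints the total from the first hunk because the per-key `i += 1` was removed from this loop; `for i, new_pubkey in enumerate(new_pubkeys, 1):` restores the per-key counter. The enclosing `if __name__ == '__main__':` block starts before this hunk, and whatever consumes `to_be_removed` lies outside it as well.
```python
        # legacy support for authorized_keys files containing SSH keys without options...
        m = re.search(r'(?:^|\s)(ssh-rsa|ssh-dss) (\S+)(?: (.*))?$', new_pubkey)
        if m is None:
            logger_broker.warning('  Skipping unparsable key line (counter={i}).'.format(i=i))
            continue
        keyopts = new_pubkey[:m.start(1)].rstrip()
        keytype, pubkey, owner = m.group(1), m.group(2), m.group(3) or ""
        bare_key = " ".join(p for p in (keytype, pubkey, owner) if p)
        for authorized_key in already_authorized_keys:
            if authorized_key.endswith(bare_key) and not authorized_key.startswith(keyopts):
                to_be_removed.append(authorized_key)
        # … unchanged: append-or-skip logic …
```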


