[X2Go-Commits] [x2gobroker] 06/06: sbin/x2gobroker-pubkeyauthorizer: Improve key integrity checker and move it further up. Plus one more Python2 -> Python3 issue fixed.
git-admin at x2go.org
git-admin at x2go.org
Mon Apr 16 13:43:01 CEST 2018
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch master
in repository x2gobroker.
commit a8610199904a6411a77f1086a4af8ba71a747f1a
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Mon Apr 16 13:42:46 2018 +0200
sbin/x2gobroker-pubkeyauthorizer: Improve key integrity checker and move it further up. Plus one more Python2 -> Python3 issue fixed.
---
sbin/x2gobroker-pubkeyauthorizer | 90 ++++++++++++++++++++++++----------------
1 file changed, 54 insertions(+), 36 deletions(-)
diff --git a/sbin/x2gobroker-pubkeyauthorizer b/sbin/x2gobroker-pubkeyauthorizer
index 0948f1e..e171c79 100755
--- a/sbin/x2gobroker-pubkeyauthorizer
+++ b/sbin/x2gobroker-pubkeyauthorizer
@@ -138,11 +138,44 @@ if __name__ == '__main__':
tmpfile_name, httpmsg = urllib.request.urlretrieve(cmdline_args.broker_url)
tmpfile = open(tmpfile_name, 'rb')
- new_pubkeys = [ k for k in tmpfile.read().decode().split('\n') if k ]
- if len(new_pubkeys) == 1:
- logger_broker.info(' Found {i} public key at URL {url}'.format(i=len(new_pubkeys), url=cmdline_args.broker_url))
+ new_pubkeys_raw = [ k for k in tmpfile.read().decode().split('\n') if k ]
+
+ i = 0
+ new_pubkeys = []
+ for new_pubkey in new_pubkeys_raw:
+
+ if not new_pubkey:
+ # fully ignore empty lines
+ continue
+
+ if re.match(r'^#.*', new_pubkey):
+ # fully ignore commented out lines
+ continue
+
+ # check key integrity!
+ is_key = False
+ if re.match(r'.*ssh-dss AAAAB3NzaC1kc3MA.*', new_pubkey):
+ is_key = True
+ elif re.match(r'.*ssh-rsa AAAAB3NzaC1yc2EA.*', new_pubkey):
+ is_key = True
+
+ if not is_key:
+ logger_broker.error('The broker returned something that does not look like SSH RSA/DSA keys.')
+ logger_broker.error('Check the URL {url}'.format(url=cmdline_args.broker_url))
+ logger_broker.error('manually from a webbrowser.')
+ sys.exit(-1)
+
+ i += 1
+ new_pubkeys.append(new_pubkey)
+
+ if i == 1:
+ logger_broker.info(' Found {n} public key at URL {url}'.format(n=len(new_pubkeys), url=cmdline_args.broker_url))
+ elif i > 1:
+ logger_broker.info(' Found {n} public keys at URL {url}'.format(n=len(new_pubkeys), url=cmdline_args.broker_url))
else:
- logger_broker.info(' Found {i} public keys at URL {url}'.format(i=len(new_pubkeys), url=cmdline_args.broker_url))
+ logger_broker.info(' No public keys found at URL {url}'.format(url=cmdline_args.broker_url))
+ sys.exit(0)
+
tmpfile.close()
append_newline = ""
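Review bot: The integrity check at `re.match(r'.*ssh-rsa AAAAB3NzaC1yc2EA.*', new_pubkey)` (and the ssh-dss line above it) is a substring test, not a key parse: a line that merely contains that text anywhere passes, a malformed base64 blob passes, and a blob whose embedded type string does not match the declared key type passes, yet every accepted line is later written verbatim into authorized_keys as an options/key/comment record. It also recognises only ssh-rsa and ssh-dss, so a feed containing an ssh-ed25519 or ecdsa key aborts the whole run via `sys.exit(-1)` (exit status 255 on POSIX) with `tmpfile` left open on that path. A stricter check anchors the line to `[options] keytype blob [comment]`, validates the blob as base64 and compares the length-prefixed type inside the blob with the declared type, as sketched below; it needs `base64` and `binascii` in the file's import block, which is outside this hunk, as is the enclosing `if __name__ == '__main__':` block. Minor: the `if not new_pubkey` guard is redundant because `new_pubkeys_raw` already drops empty strings, and `i` only duplicates `len(new_pubkeys)`.
```python
            # check key integrity: accept only "[options] keytype base64blob [comment]"
            # and require the blob's embedded type string to equal the declared keytype
            key_line = re.match(r'^(?:(?P<opts>.*?) )?(?P<type>ssh-(?:rsa|dss)) (?P<blob>AAAA[0-9A-Za-z+/]+=*)(?: (?P<comment>.*))?$', new_pubkey)
            is_key = False
            if key_line:
                try:
                    blob = base64.b64decode(key_line.group('blob'), validate=True)
                    type_len = int.from_bytes(blob[:4], 'big')
                    is_key = blob[4:4 + type_len] == key_line.group('type').encode()
                except (ValueError, binascii.Error):
                    is_key = False
            # … unchanged: error logging and sys.exit when not is_key …
```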
@@ -156,48 +189,33 @@ if __name__ == '__main__':
except IOError:
already_authorized_keys = []
+ already_authorized_keys = [ k for k in already_authorized_keys if k ]
+
append_authorized_keys = open('{home}/.ssh/authorized_keys'.format(home=broker_home), 'ab')
if append_newline:
logger_broker.warning(' The file {authorized_keys} does not end with a newline character. Adding it.'.format(authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
append_authorized_keys.write(append_newline)
- i = 0
to_be_removed = []
for new_pubkey in new_pubkeys:
- # ignore empty lines
- if not new_pubkey:
- continue
-
- # check key integrity!
- is_key = False
- if re.match(r'.*ssh-dss AAAAB3NzaC1kc3MA.*', new_pubkey):
- is_key = True
- elif re.match(r'.*ssh-rsa AAAAB3NzaC1yc2EA.*', new_pubkey):
- is_key = True
-
- if is_key is False:
- continue
+ # legacy support for authorized_keys files containing SSH keys without options...
+ # if the remote server provides an already present pubkey with options, replace the
+ # non-option key in the authorized_keys file...
+ keytype, pubkey, owner = new_pubkey.rsplit(" ", 2)
+ keyopts = ""
+ if " " in keytype:
+ keyopts, keytype = keytype.rsplit(" ", 1)
+ for authorized_key in already_authorized_keys:
+ if authorized_key.endswith(" ".join([keytype, pubkey, owner])) and not authorized_key.startswith(keyopts):
+ to_be_removed.append(authorized_key)
+
+ if new_pubkey not in already_authorized_keys:
+ append_authorized_keys.write('{k}\n'.format(k=new_pubkey).encode())
+ logger_broker.info(' Adding new public key (counter={i}) to {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
else:
- i += 1
-
- # legacy support for authorized_keys files containing SSH keys without options...
- # if the remote server provides an already present pubkey with options, replace the
- # non-option key in the authorized_keys file...
- keytype, pubkey, owner = new_pubkey.rsplit(" ", 2)
- keyopts = ""
- if " " in keytype:
- keyopts, keytype = keytype.rsplit(" ", 1)
- for authorized_key in [ k for k in already_authorized_keys if k ]:
- if authorized_key.endswith(" ".join([keytype, pubkey, owner])) and not authorized_key.startswith(keyopts):
- to_be_removed.append(authorized_key)
-
- if new_pubkey not in already_authorized_keys:
- append_authorized_keys.write('{k}\n'.format(k=new_pubkey))
- logger_broker.info(' Adding new public key (counter={i}) to {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
- else:
- logger_broker.warning(' Skipping new public key (counter={i}), already in {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
+ logger_broker.warning(' Skipping new public key (counter={i}), already in {authorized_keys}.'.format(i=i, authorized_keys='{home}/.ssh/authorized_keys'.format(home=broker_home)))
append_authorized_keys.close()
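Review bot: `counter={i}` in the two log messages around `if new_pubkey not in already_authorized_keys:` no longer identifies the key being processed: this hunk removes `i = 0` and `i += 1` from the loop, so `i` keeps the total from the earlier integrity pass and every "Adding"/"Skipping" message reports the same number. Restoring the per-key index is one line: `for i, new_pubkey in enumerate(new_pubkeys, 1):`. The unpack `keytype, pubkey, owner = new_pubkey.rsplit(" ", 2)` also raises ValueError for a key line without a trailing comment (two fields only), which the integrity check earlier in the commit does not rule out; `parts = new_pubkey.rsplit(" ", 2)` followed by a `len(parts)` guard would keep such a key from aborting the run mid-write with authorized_keys already open for append. The read of `already_authorized_keys` and the consumer of `to_be_removed` lie outside the hunk; if that read yields bytes rather than str, the `not in already_authorized_keys` test would never match and the same key would be appended on every run — worth confirming.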
--