HEX

File: //proc/self/root/lib/python3/dist-packages/cloudinit/__pycache__/ssh_util.cpython-38.pyc
U

Ӈg�X�@slddlZddlZddlZddlmZddlmZmZmZddl	m
Z
mZmZe�
e�ZdZdZdZdee�d	ZGd
d�d�ZGdd
�d
�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zefdd�Zd7dd�ZGdd�d�Zeed �d!d"�Z eed �d#d$�Z!d%d&�Z"ee#d'�d(d)�Z$d*d+�Z%efd,d-�Z&d.d/�Z'efeeeefd0�d1d2�Z(d3d4�Z)d5d6�Z*dS)8�N)�suppress)�List�Sequence�Tuple)�	lifecycle�subp�utilz/etc/ssh/sshd_config)ZrsaZecdsaZed25519z(ecdsa-sha2-nistp256-cert-v01@openssh.comzecdsa-sha2-nistp256z(ecdsa-sha2-nistp384-cert-v01@openssh.comzecdsa-sha2-nistp384z(ecdsa-sha2-nistp521-cert-v01@openssh.comzecdsa-sha2-nistp521z+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz"sk-ecdsa-sha2-nistp256@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comzsk-ssh-ed25519@openssh.comz ssh-ed25519-cert-v01@openssh.comzssh-ed25519zssh-rsa-cert-v01@openssh.comzssh-rsazssh-xmss-cert-v01@openssh.comzssh-xmss@openssh.com�z�no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit �"c@s&eZdZddd�Zdd�Zdd�ZdS)	�AuthKeyLineNcCs"||_||_||_||_||_dS�N)�base64�comment�options�keytype�source)�selfrrr
rr�r�4/usr/lib/python3/dist-packages/cloudinit/ssh_util.py�__init__Es
zAuthKeyLine.__init__cCs|jo
|jSr)r
r�rrrr�validNszAuthKeyLine.validcCsdg}|jr|�|j�|jr(|�|j�|jr:|�|j�|jrL|�|j�|sV|jSd�|�SdS�N� )r�appendrr
rr�join)r�toksrrr�__str__QszAuthKeyLine.__str__)NNNN)�__name__�
__module__�__qualname__rrrrrrrrDs�
	rc@s"eZdZdZdd�Zddd�ZdS)�AuthKeyLineParserau
    AUTHORIZED_KEYS FILE FORMAT
     AuthorizedKeysFile specifies the file containing public keys for public
     key authentication; if none is specified, the default is
     ~/.ssh/authorized_keys.  Each line of the file contains one key (empty
     (because of the size of the public key encoding) up to a limit of 8 kilo-
     bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
     kilobits.  You don't want to type them in; instead, copy the
     identity.pub or the id_rsa.pub file and edit it.

     sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
     2 keys of 768 bits.

     The options (if present) consist of comma-separated option specifica-
     tions.  No spaces are permitted, except within double quotes.  The fol-
     lowing option specifications are supported (note that option keywords are
     case-insensitive):
    cCs�d}d}|t|�kr�|s$||dkr�||}|dt|�krF|d}q�||d}|dkrl|dkrl|d}n|dkrz|}|d}q|d|�}||d���}||fS)z�
        The options (if present) consist of comma-separated option specifica-
         tions.  No spaces are permitted, except within double quotes.
         Note that option keywords are case-insensitive.
        Fr)r�	��\r
N)�len�lstrip)r�entZquoted�iZcurcZnextcr�remainrrr�_extract_optionsus 

z"AuthKeyLineParser._extract_optionsNcCs�|�d�}|�d�s |��dkr(t|�Sdd�}|��}z||�\}}}Wnbtk
r�|�|�\}	}
|dkrt|	}z||
�\}}}Wn tk
r�t|�YYSXYnXt|||||d�S)Nz
�#�cSs^|�dd�}t|�dkr(tdt|���|dtkrDtd|d��t|�dkrZ|�d�|S)N�zTo few fields: %srzInvalid keytype %sr,)�splitr%�	TypeError�VALID_KEY_TYPESr)r'rrrr�
parse_ssh_key�s
z.AuthKeyLineParser.parse.<locals>.parse_ssh_key)rr
rr)�rstrip�
startswith�striprr/r*)rZsrc_liner�liner1r'rr
rZkeyoptsr)rrr�parse�s,
�zAuthKeyLineParser.parse)N)rrr �__doc__r*r6rrrrr!asr!c
Cs|g}t�}g}|D]d}z8tj�|�rLt�|���}|D]}|�|�|��q6Wqt	t
fk
rtt�td|�YqXq|S)NzError reading lines from %s)
r!�os�path�isfiler�load_text_file�
splitlinesrr6�IOError�OSError�logexc�LOG)�fnames�lines�parser�contents�fnamer5rrr�parse_authorized_keys�srFcCs�tdd�|D��}tt|��D]J}||}|��s4q|D]&}|j|jkr8|}||kr8|�|�q8|||<q|D]}|�|�qndd�|D�}|�d�d�|�S)NcSsg|]}|��r|�qSr)r��.0�krrr�
<listcomp>�sz*update_authorized_keys.<locals>.<listcomp>cSsg|]}t|��qSr��str)rH�brrrrJ�sr,�
)�list�ranger%rr
�removerr)Zold_entries�keysZto_addr(r'rI�keyrBrrr�update_authorized_keys�s 

rTcCs4t�|�}|r|js td|��tj�|jd�|fS)Nz"Unable to get SSH info for user %rz.ssh)�pwd�getpwnam�pw_dir�RuntimeErrorr8r9r)�username�pw_entrrr�users_ssh_info�s

r[c	Cspd|fd|fdf}|sd}|��}g}|D]@}|D]\}}|�||�}q2|�d�s`tj�||�}|�|�q*|S)N�%h�%u)z%%�%�%h/.ssh/authorized_keys�/)r.�replacer3r8r9rr)	�valueZhomedirrYZmacros�pathsZrenderedr9ZmacroZfieldrrr�render_authorizedkeysfile_paths�s
rdc
Cs�d}|rd}t�|�}|r@||kr@|dkr@t�d||||�dSt�|�}||kr\|dM}n.t�|�}t�|�}	||	kr�|dM}n|dM}||@d	kr�t�d
|||�dS|r�|d@d	kr�t�d||�dSd
S)aVCheck if the file/folder in @current_path has the right permissions.

    We need to check that:
    1. If StrictMode is enabled, the owner is either root or the user
    2. the user can access the file/folder, otherwise ssh won't use it
    3. If StrictMode is enabled, no write permission is given to group
       and world users (022)
    i�i��rootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.F��8�rzBPath %s in %s must be accessible by user %s, check its permissions�zRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)rZ	get_ownerr@�debugZget_permissionsZ	get_groupZget_user_groups)
rYZcurrent_path�	full_path�is_file�strictmodesZminimal_permissions�ownerZparent_permissionZgroup_ownerZuser_groupsrrr�check_permissionssJ
�




��roc
Cs�t|�d}td�d}�z�|�d�dd�}d}tj�|j�}|D]�}|d|7}tj�|�rtt�d|�WdStj�	|�r�t�d|�WdS|�
|�sD||jkr�qDtj�|��st�
|��Pd	}	|j}
|j}|�
|j�r�d
}	|j}
|j}tj||	dd�t�||
|�W5QRXt|||d|�}|sDWdSqDtj�|��sRtj�|��rdt�d
|�WdStj�|��s�tj|dddd�t�||j|j�t|||d|�}|�s�WdSWn>ttfk
�r�}
zt�tt|
��WY�dSd}
~
XYnXdS)Nr#rer`���r,z-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %s��rfT)�mode�exist_okz%s is not a file!�)rrZensure_dir_exists)r[r.r8r9�dirnamerW�islinkr@rjr:r3�existsr�SeLinuxGuardZpw_uidZpw_gid�makedirsZ	chownbyidro�isdir�
write_filer=r>r?rL)rY�filenamermZ
user_pwentZ
root_pwentZdirectoriesZ
parent_folderZhome_folderZ	directoryrrZuid�gidZpermissions�errr�check_create_pathGs������
�
rc
Cs t|�\}}tj�|d�}|}g}tj|dd��nz2t|�}|�dd�}|�dd�}	t||j	|�}Wn4t
tfk
r�||d<t�t
d	t|d�YnXW5QRXt|��|�D]H\}
}td
|
kd|
k|�d�|j	��g�r�t|||	dk�}|r�|}q�q�||k�rt
�d
|�|t|g�fS)NZauthorized_keysT��	recursiveZauthorizedkeysfiler_rmZyesrzhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadr]r\z{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)r[r8r9rrrx�parse_ssh_config_map�getrdrWr=r>r?r@�DEF_SSHD_CFG�zipr.�anyr3�formatrrjrF)
rYZ
sshd_cfg_file�ssh_dirrZZdefault_authorizedkeys_fileZuser_authorizedkeys_fileZauth_key_fnsZssh_cfgZ	key_pathsrmZkey_path�auth_key_fnZpermissions_okrrr�extract_authorized_keys�s`���
���
��r�c
	Cs|t�}g}|D]}|�|jt|�|d��qt|�\}}tj�|�}tj	|dd�� t
||�}	tj||	dd�W5QRXdS)N)rTr���
preserve_mode)r!rr6rLr�r8r9rurrxrTr{)
rRrYrrCZkey_entriesrIr�Zauth_key_entriesr��contentrrr�setup_user_keys�s
r�c@s*eZdZddd�Zedd��Zdd�ZdS)	�SshdConfigLineNcCs||_||_||_dSr)r5�_keyrb)rr5rI�vrrrr�szSshdConfigLine.__init__cCs|jdkrdS|j��Sr)r��lowerrrrrrS�s
zSshdConfigLine.keycCs>|jdkrt|j�St|j�}|jr6|dt|j�7}|SdSr)r�rLr5rb)rr�rrrr�s


zSshdConfigLine.__str__)NN)rrr r�propertyrSrrrrrr��s

r�)�returncCs"tj�|�sgStt�|����Sr)r8r9r:�parse_ssh_config_linesrr;r<�rErrr�parse_ssh_config�sr�cCs�g}|D]�}|��}|r"|�d�r2|�t|��qz|�dd�\}}WnPtk
r�z|�dd�\}}Wn&tk
r�t�d|�YYqYnXYnX|�t|||��q|S)Nr+r#�=z;sshd_config: option "%s" has no key/value pair, skipping it)r4r3rr�r.�
ValueErrorr@rj)rB�retr5rS�valrrrr��s&�r�cCs6t|�}|siSi}|D]}|js$q|j||j<q|Sr)r�rSrb)rErBr�r5rrrr�sr�)rEr�cCs@tj�|�sdSt�|���D]}|�d|�d��rdSqdS)NFzInclude z	.d/*.confT)r8r9r:rr;r<r3)rEr5rrr�_includes_dconf"sr�cCs^t|�rZtj�|�d��s.tj|�d�dd�tj�|�d�d�}tj�|�sZt�|d�|S)Nz.drq)rrz50-cloud-init.confrt)	r�r8r9rzrZ
ensure_dirrr:Zensure_filer�rrr�"_ensure_cloud_init_ssh_config_file+sr�cCsPt|�}t|�}t||d�}|rDtj|d�dd�|D��ddd�t|�dkS)z�Read fname, and update if changes are necessary.

    @param updates: dictionary of desired values {Option: value}
    @return: boolean indicating if an update was done.)rB�updatesrNcSsg|]}t|��qSrrK)rHr5rrrrJAsz%update_ssh_config.<locals>.<listcomp>Tr�r)r�r��update_ssh_config_linesrr{rr%)r�rErB�changedrrr�update_ssh_config6s�r�c	Cst�}g}tdd�|��D��}t|dd�D]v\}}|js<q,|j|kr,||j}||}|�|�|j|kr~t�d|||�q,|�	|�t�d|||j|�||_q,t
|�t
|�k�r|��D]B\}}||kr�q�|�	|�|�	td||��t�dt
|�||�q�|S)	z�Update the SSH config lines per updates.

    @param lines: array of SshdConfigLine.  This array is updated in place.
    @param updates: dictionary of desired values {Option: value}
    @return: A list of keys in updates that were changed.cSsg|]}|��|f�qSr)r�rGrrrrJQsz+update_ssh_config_lines.<locals>.<listcomp>r#)�startz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %sr,z line %d: option %s added with %s)
�set�dictrR�	enumeraterS�addrbr@rjrr%�itemsr�)	rBr��foundr�Zcasemapr(r5rSrbrrrr�GsN



�
�
�r�)rBcCs>|sdSt|�}dd�|D�}tj|d�|�dddd�dS)Ncss |]\}}|�d|��VqdS)rNr)rHrIr�rrr�	<genexpr>ysz$append_ssh_config.<locals>.<genexpr>rNZabT)Zomoder�)r�rr{r)rBrEr�rrr�append_ssh_configus�r�c	Cspd}ttj�� tjddgddgd�\}}W5QRXd}|�d�D](}|�|�rB|t|�|�d	��SqBd
S)z�Get the full version of the OpenSSH sshd daemon on the system.

    On an ubuntu system, this would look something like:
    1.2p1 Ubuntu-1ubuntu0.1

    If we can't find `sshd` or parse the version number, return None.
    r,Zsshdz-Vrr#)ZrcsZOpenSSH_rN�,N)rrZProcessExecutionErrorr.r3r%�find)�err�_�prefixr5rrr�get_opensshd_version�s
$
r�c	Cs�d}t�}|dkrtj�|�Sd|kr:|d|�d��}n d|krV|d|�d��}n|}ztj�|�}|WSttfk
r�t�d|�YnXdS)z�Get the upstream version of the OpenSSH sshd daemon on the system.

    This will NOT include the portable number, so if the Ubuntu version looks
    like `1.2p1 Ubuntu-1ubuntu0.1`, then this function would return
    `1.2`
    z9.0N�prz Could not parse sshd version: %s)	r�rZVersionZfrom_strr�r�r/r@Zwarning)Zupstream_versionZfull_versionrrr�get_opensshd_upstream_version�sr�)N)+Zloggingr8rU�
contextlibr�typingrrrZ	cloudinitrrrZ	getLoggerrr@r�r0Z_DISABLE_USER_SSH_EXITrLZDISABLE_USER_OPTSrr!rFrTr[rdrorr�r�r�r�r�r��boolr�r�r�r�r�r�r�rrrr�<module>	sH
���YEO9
	.