o

�Ad�R�@sN
dd
lZdd
l
Z
ddlmZmZmZ
ddlmZ
ddlm	Z	
e�
e�
ZdZ
dZdZdee�
d	ZGd
d�d�ZGdd
�d
�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Ze
f
dd�
Zd3dd�
ZGdd�d�Zd eefd!d"�Zd eefd#d$�Zd%d&�Zd'ed e fd(d)�Z!d*d+�Z"e
f
d,d-�
Z#d.d/�Z$e
f
d0eeeeffd1d2�Z%d
S)4�N)�List�Sequence�Tuple)
�log)
�utilz/etc/ssh/sshd_config)�dsa�rsa�ecdsa�ed25519z(ecdsa-sha2-nistp256-cert-v01@openssh.comzecdsa-sha2-nistp256z(ecdsa-sha2-nistp384-cert-v01@openssh.comzecdsa-sha2-nistp384z(ecdsa-sha2-nistp521-cert-v01@openssh.comzecdsa-sha2-nistp521z+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz"sk-ecdsa-sha2-nistp256@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comzsk-ssh-ed25519@openssh.comzssh-dss-cert-v01@openssh.comzssh-dssz ssh-ed25519-cert-v01@openssh.comzssh-ed25519zssh-rsa-cert-v01@openssh.comzssh-rsazssh-xmss-cert-v01@openssh.comzssh-xmss@openssh.com�z�no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit �
"c@s(eZ
dZ	
ddd�
Zdd�Zdd�Zd
S)	�AuthKeyLineNcCs"||_||_
||_||_|
|_dS�
N)�base64�comment�options�keytype�source)�selfrrrrr�r�4/usr/lib/python3/dist-packages/cloudinit/ssh_util.py�__init__Gs





zAuthKeyLine.__init__c


Cs|jo|j
Sr)rr�
rrrr�validPs
zAuthKeyLine.validc
Cs`g}
|jr|
�
|j�

|jr|
�
|j�

|jr|
�
|j�

|jr&|
�
|j�

|
s+|jSd
�|
�
S�N�
 )r�appendrrrr�join)r�toksrrr�__str__Ss











zAuthKeyLine.__str__)NNNN)�__name__�
__module__�__qualname__rrrrrrrr
Fs

�	r
c@s"eZ
dZd
Zdd�Zddd�
ZdS)�AuthKeyLineParsera�
    AUTHORIZED_KEYS FILE FORMAT
     AuthorizedKeysFile specifies the file containing public keys for public
     key authentication; if none is specified, the default is
     ~/.ssh/authorized_keys.  Each line of the file contains one key (empty
     (because of the size of the public key encoding) up to a limit of 8 kilo-
     bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
     kilobits.  You don't want to type them in; instead, copy the
     identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it.

     sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
     2 keys of 768 bits.

     The options (if present) consist of comma-separated option specifica-
     tions.  No spaces are permitted, except within double quotes.  The fol-
     lowing option specifications are supported (note that option keywords are
     case-insensitive):
    cCs�d
}d}|t|
�
krO|s|
|dv
rO|
|}|dt|
�
kr#|d}n,|
|d}|dkr6|dkr6|d}n|dkr=|}|d}|t|
�
krO|s|
|dv
s|
d|�}|
|d��
�}||fS)z�
        The options (if present) consist of comma-separated option specifica-
         tions.  No spaces are permitted, except within double quotes.
         Note that option keywords are case-insensitive.
        Fr
)r�
	�
�
\rN)�len�lstrip)r�ent�quoted�
i�curc�nextcr�remainrrr�_extract_optionsws"












�
z"AuthKeyLineParser._extract_optionsNcCs�|
�d
�
}|�
d�
s|��dkrt|
�
Sdd�}|��}z	||�
\}}}Wn/tyT


|�|�
\}	}
|dur9|	}z	||
�
\}}}WntyQ


t|
�
YYSwYn
wt|
||||d�S)Nz
�
#�c
Ss^|�dd
�}
t
|
�
d
krtdt
|
�
�
�
|
dtv
r"td|
d�
�
t
|
�
d
kr-|
�d�

|
S)N�zTo few fields: %sr
zInvalid keytype %sr1)�splitr'�	TypeError�VALID_KEY_TYPESr)r)rrrr�
parse_ssh_key�s




z.AuthKeyLineParser.parse.<locals>.parse_ssh_key)rrrr)�rstrip�
startswith�stripr
r4r/)r�src_liner�liner6r)rrr�keyoptsr.rrr�parse�s2











���





�zAuthKeyLineParser.parser)r r!r"�__doc__r/r=rrrrr#cs
r#c

Csxg}
t�}g}|D]0}zt
j�|�
r&t�|�
��}
|
D]
}|�|�|�
�

qWq	t	t
fy9


t�td
|�
Yq	w|S)NzError reading lines from %s)
r#�os�path�isfiler�	load_file�
splitlinesrr=�IOError�OSError�logexc�LOG)�fnames�lines�parser�contents�fnamer;rrr�parse_authorized_keys�s








�

�rMcCs�td
d�|
D�
�
}t
dt|�
�D]%}||}|��sq|
D]}|j|jkr0|}||vr0|�|�

q|||<q|D]}|�|�

q8dd�|D�
}|�d�

d�|�
S)Nc
Ssg|]}
|
��r|
�qSr)
r��.0�
krrr�
<listcomp>��z*update_authorized_keys.<locals>.<listcomp>r
c
S�g|]}
t|
�
�qSr�
�str)rO�
brrrrQ��r1�

)�list�ranger'rr�removerr)�old_entries�keys�to_addr+r)rP�keyrIrrr�update_authorized_keys�s"







�





r`c
Cs4t�
|�
}
|
r
|
jstd
|�
�
tj�|
jd�|
fS)Nz"Unable to get SSH info for user %rz.ssh)�pwd�getpwnam�pw_dir�RuntimeErrorr?r@r)�username�pw_entrrr�users_ssh_info�s





rgc	Cspd
|
fd|fdf}|s
d}|��}g}|D] }|D]
\}}|�
||�}q|�d�
s0tj�|
|�}|�|�

q|S)N�%h�%u)z%%�
%�%h/.ssh/authorized_keys�
/)r3�replacer8r?r@rr)	�value�homedirre�macros�paths�renderedr@�macro�fieldrrr�render_authorizedkeysfile_paths�s











ruc
Cs�d
}|rd}t�
|
�
}|r ||kr |dkr t�d|
|||�
dSt�|
�
}||kr.|dM}nt�|
�
}t�|�
}	||	vrA|dM}n|dM}||@d	krUt�d
|
||�
dS|rf|d@d	krft�d|
|�
dSd
S)aV
Check if the file/folder in @current_path has the right permissions.

    We need to check that:
    1. If StrictMode is enabled, the owner is either root or the user
    2. the user can access the file/folder, otherwise ssh won't use it
    3. If StrictMode is enabled, no write permission is given to group
       and world users (022)
    i�
i�
�rootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.F�
�8�r
zBPath %s in %s must be accessible by user %s, check its permissions�zRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)r�	get_ownerrG�debug�get_permissions�	get_group�get_user_groups)
re�current_path�	full_path�is_file�strictmodes�minimal_permissions�owner�parent_permission�group_owner�user_groupsrrr�check_permissions
sJ







�









�


�r�c
Cs�
t|�
d
}td�
d
}z�|
�
d�
d
d�}d}tj�|j�
}|D]�}|d|7}tj�|�
r9t�d|�

WdStj�	|�
rIt�d|�

WdS|�
|�
sS||jkrTq!tj�|�
s�t�
|�
�-
d	}	|j}
|j}|�
|j�
rvd
}	|j}
|j}tj||	dd�
t�||
|�
Wd�
n1s�w



Y
t|||
d|�}|s�
WdSq!tj�|
�
s�tj�|
�
r�t�d
|
�
WdStj�|
�
s�tj|
dddd�
t�|
|j|j�
t||
|
d|�}|s�WdSWdSttfy�
}

zt�tt|
�
�
WYd}
~
dSd}
~
w
w)Nr%rvrl���r1z-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %s��
rwT)�mode�exist_okz%s is not a file!�
)r��ensure_dir_exists)rgr3r?r@�dirnamerc�islinkrGr|rAr8�existsr�SeLinuxGuard�pw_uid�pw_gid�makedirs�	chownbyidr��isdir�
write_filerDrErFrU)re�filenamer��
user_pwent�
root_pwent�directories�
parent_folder�home_folder�	directoryr��uid�gid�permissions�
errr�check_create_pathI
sx







�

���








�

�
�




�
��

��r�c
Cs0
t|�
\}}t
j�|d
�}|}g}tj|dd��;
zt|
�
}|�dd�}|�dd�}	t||j	|�}Wnt
tfyK


||d<t�t
d	t|d�
Yn
wWd�
n1sVw



Y
t|��|�D]$\}
}td
|
vd|
v|�d�|j	�
�
g�
r�t|||	dk�}|r�|}
n
qb||kr�t
�d
|�
|t|g
�
fS)N�authorized_keysT�
�	recursive�authorizedkeysfilerkr��yesr
zhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadrirhz{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)rgr?r@rrr��parse_ssh_config_map�getrurcrDrErFrG�DEF_SSHD_CFG�zipr3�anyr8�formatr�r|rM)
re�
sshd_cfg_file�ssh_dirrf�default_authorizedkeys_file�user_authorizedkeys_file�auth_key_fns�ssh_cfg�	key_pathsr��key_path�auth_key_fn�permissions_okrrr�extract_authorized_keys�
s^








�

�



����


��

�

�

�
�r�c
Cs�t�}g}|D]}|�
|jt|�
|d
��

qt|
�
\}}tj�|�
}tj	|dd��
t
||�}	tj||	dd�
Wd�
dS1sBw



Y
dS)N)
rTr��
�
preserve_mode)r#rr=rUr�r?r@r�rr�r`r�)
r]rerrJ�key_entriesrPr��auth_key_entriesr��contentrrr�setup_user_keys�
s







"�r�c@s*eZ
dZddd�
Zedd��
Zdd�Zd
S)	�SshdConfigLineNcCs|
|_||_
||_dSr)r;�_keyrn)rr;rP�
vrrrr�
s



zSshdConfigLine.__init__c

Cs|jdurdS|j�
�Sr)r��lowerrrrrr_�
s


zSshdConfigLine.keyc
Cs:|jdur
t
|j�
St
|j�
}
|jr|
d
t
|j�
7}
|
Sr)r�rUr;rn)rr�rrrr�
s







zSshdConfigLine.__str__)NN)r r!r"r�propertyr_rrrrrr��
s




r��returnc

Cs"tj
�|�
sgStt�|�
���
Sr)r?r@rA�parse_ssh_config_linesrrBrC�
rLrrr�parse_ssh_config�
s


r�c
Cs�g}
|D]M}|��}|r|�
d
�
r|
�t|�
�

qz
|�dd�\}}Wn$tyG


z
|�dd�\}}WntyD


t�d|�
YYqwYn
w|
�t|||��

q|
S)Nr0r%�
=z;sshd_config: option "%s" has no key/value pair, skipping it)r9r8rr�r3�
ValueErrorrGr|)rI�retr;r_�valrrrr��
s,












����

r�c
Cs6t|�
}
|
siSi}|
D]}|j
sq|j||j
<q|Sr)r�r_rn)rLrIr�r;rrrr�s








r�rLc
Csntj
�|�
sd
St|d�� }
|
D]}|�d|�d��
r$
Wd�
dSqWd�
d
S1s0w



Y
d
S)NF�
rzInclude z	.d/*.confT)r?r@rA�openr8)rL�
fr;rrr�_includes_dconf$s





��
��r�c

Cs^t|�
r-t
j�|�d
��
stj|�d
�dd�
t
j�|�d
�d�}t
j�|�
s-t�|d�
|S)Nz.dr�)
r�z50-cloud-init.confr�)	r�r?r@r�r�
ensure_dirrrA�ensure_filer�rrr�"_ensure_cloud_init_ssh_config_file.s





r�cCsPt|
�
}
t
|
�
}t||d
�}|r"tj|
d�dd�|D�
�
ddd�
t|�
dkS)z�Read fname, and update if changes are necessary.

    @param updates: dictionary of desired values {Option: value}
    @return: boolean indicating if an update was done.)rI�updatesrXc
SrSrrT)rOr;rrrrQDrWz%update_ssh_config.<locals>.<listcomp>Tr�r
)r�r��update_ssh_config_linesrr�rr')r�rLrI�changedrrr�update_ssh_config9s






�r�c	Cs
t�}g}t
d
d�|
��D�
�
}t|dd�D];\}}|jsq|j|vrQ||j}|
|}|�|�

|j|kr?t�d|||�
q|�	|�

t�d|||j|�
||_qt
|�
t
|
�
kr�|
��D]!\}}||vrgq^|�	|�

|�	td||��

t�dt
|�
||�
q^|S)	z�Update the SSH config lines per updates.

    @param lines: array of SshdConfigLine.  This array is updated in place.
    @param updates: dictionary of desired values {Option: value}
    @return: A list of keys in updates that were changed.c
Ssg|]}
|
��|
f�qSr)
r�rNrrrrQTrRz+update_ssh_config_lines.<locals>.<listcomp>r%)
�startz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %sr1z line %d: option %s added with %s)
�set�dictr]�	enumerater_�addrnrGr|rr'�itemsr�)	rIr��foundr��casemapr+r;r_rnrrrr�JsD













�






��







�r�rIcCs>|sdSt|
�
}
d
d�|D�
}t
j|
d�|�
dddd�
dS)Nc
ss"�|]\}
}|
�d|��V
qd
S)rNr)rOrPr�rrr�	<genexpr>|s� z$append_ssh_config.<locals>.<genexpr>rX�abT)�omoder�)r�rr�r)rIrLr�rrr�append_ssh_configxs









�r�r)&r?ra�typingrrr�	cloudinitr�loggingr�	getLoggerr rGr�r5�_DISABLE_USER_SSH_EXITrU�DISABLE_USER_OPTSr
r#rMr`rgrur�r�r�r�r�r�r�r��boolr�r�r�r�r�rrrr�<module>
sD



���YEO
9
".