def restrict_ssh(rollback=False):
"""
Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and restart sshd
UseDNS no #prevents dns spoofing sshd defaults to yes
X11Forwarding no # defaults to no
AuthorizedKeysFile %h/.ssh/authorized_keys
uncomments PasswordAuthentication no and restarts sshd
"""
if not rollback:
if server_state('ssh_restricted'):
print env.host, 'Warning: sshd_config has already been modified. Skipping..'
return False
sshd_config = '/etc/ssh/sshd_config'
if env.verbosity:
print env.host, "RESTRICTING SSH with "+sshd_config
filename = 'sshd_config'
if not exists('/home/%s/.ssh/authorized_keys'% env.user): #do not pass go do not collect $200
print env.host, 'You need to upload_ssh_key first.'
return False
_backup_file(sshd_config)
context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
upload_template('woven/ssh/sshd_config','/etc/ssh/sshd_config',context=context,use_sudo=True)
# Restart sshd
sudo('/etc/init.d/ssh restart')
# The user can modify the sshd_config file directly but we save
if env.INTERACTIVE and contains('#PasswordAuthentication no','/etc/ssh/sshd_config',use_sudo=True):
c_text = 'Woven will now remove password login from ssh, and use only your ssh key. \n'
c_text = c_text + 'CAUTION: please confirm that you can ssh %s@%s -p%s from a terminal without requiring a password before continuing.\n'% (env.user, env.host, env.port)
c_text += 'If you cannot login, press enter to rollback your sshd_config file'
proceed = confirm(c_text,default=False)
if not env.INTERACTIVE or proceed:
#uncomments PasswordAuthentication no and restarts
uncomment(sshd_config,'#(\s?)PasswordAuthentication(\s*)no',use_sudo=True)
sudo('/etc/init.d/ssh restart')
else: #rollback
print env.host, 'Rolling back sshd_config to default and proceeding without passwordless login'
_restore_file('/etc/ssh/sshd_config', delete_backup=False)
sed('/etc/ssh/sshd_config','Port '+ str(env.DEFAULT_SSH_PORT),'Port '+str(env.HOST_SSH_PORT),use_sudo=True)
sudo('/etc/init.d/ssh restart')
return False
set_server_state('ssh_restricted')
return True
else: #Full rollback
_restore_file('/etc/ssh/sshd_config')
if server_state('ssh_port_changed'):
sed('/etc/ssh/sshd_config','Port '+ str(env.DEFAULT_SSH_PORT),'Port '+str(env.HOST_SSH_PORT),use_sudo=True)
sudo('/etc/init.d/ssh restart')
sudo('/etc/init.d/ssh restart')
set_server_state('ssh_restricted', delete=True)
return True
def upload_ssh_key(rollback=False):
"""
Upload your ssh key for passwordless logins
"""
user_ssh_dir = os.path.join(deployment_user_home(), '.ssh')
auth_keys = os.path.join(user_ssh_dir, 'authorized_keys')
if not rollback:
local_user = getpass.getuser()
host = socket.gethostname()
u = '@'.join([local_user,host])
u = 'ssh-key-uploaded-%s'% u
if not env.overwrite and server_state(u): return
if not exists('.ssh'):
run('mkdir .ssh')
#determine local .ssh dir
home = os.path.expanduser('~')
ssh_dsa = os.path.join(home,'.ssh/id_dsa.pub')
ssh_rsa = os.path.join(home,'.ssh/id_rsa.pub')
if env.KEY_FILENAME:
if not os.path.exists(env.KEY_FILENAME):
print "ERROR: The specified KEY_FILENAME (or SSH_KEY_FILENAME) %s does not exist"% env.KEY_FILENAME
sys.exit(1)
else:
ssh_key = env.KEY_FILENAME
elif os.path.exists(ssh_dsa):
ssh_key = ssh_dsa
elif os.path.exists(ssh_rsa):
ssh_key = ssh_rsa
else:
ssh_key = ''
if ssh_key:
ssh_file = open(ssh_key,'r').read()
ssh_file = ssh_file.strip() # remove any trailing \n's
if exists(auth_keys):
_backup_file(auth_keys)
if env.verbosity:
print env.host, "UPLOADING SSH KEY"
append(ssh_file,auth_keys) #append prevents uploading twice
set_server_state(u)
return
else:
if exists(auth_keys+'.wovenbak'):
_restore_file(auth_keys)
else: #no pre-existing keys remove the .ssh directory
sudo('rm -rf ' + user_ssh_dir)
return
def restrict_ssh(rollback=False):
"""
Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and restart sshd
UseDNS no #prevents dns spoofing sshd defaults to yes
X11Forwarding no # defaults to no
AuthorizedKeysFile %h/.ssh/authorized_keys
uncomments PasswordAuthentication no and restarts sshd
"""
if not rollback:
if server_state('ssh_restricted'):
return False
sshd_config = '/etc/ssh/sshd_config'
if env.verbosity:
print env.host, "RESTRICTING SSH with "+sshd_config
filename = 'sshd_config'
if not exists('/home/%s/.ssh/authorized_keys'% env.user): #do not pass go do not collect $200
print env.host, 'You need to upload_ssh_key first.'
return False
_backup_file(sshd_config)
context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
upload_template('woven/ssh/sshd_config','/etc/ssh/sshd_config',context=context,use_sudo=True)
# Restart sshd
sudo('/etc/init.d/ssh restart')
# The user can modify the sshd_config file directly but we save
proceed = True
if not env.key_filename and (env.DISABLE_SSH_PASSWORD or env.INTERACTIVE) and contains('/etc/ssh/sshd_config','#PasswordAuthentication no',use_sudo=True):
print "WARNING: You may want to test your node ssh login at this point ssh %s@%s -p%s"% (env.user, env.host, env.port)
c_text = 'Would you like to disable password login and use only ssh key authentication'
proceed = confirm(c_text,default=False)
if not env.INTERACTIVE or proceed or env.DISABLE_SSH_PASSWORD:
#uncomments PasswordAuthentication no and restarts
uncomment(sshd_config,'#(\s?)PasswordAuthentication(\s*)no',use_sudo=True)
sudo('/etc/init.d/ssh restart')
set_server_state('ssh_restricted')
return True
else: #Full rollback
_restore_file('/etc/ssh/sshd_config')
if server_state('ssh_port_changed'):
sed('/etc/ssh/sshd_config','Port '+ str(env.DEFAULT_SSH_PORT),'Port '+str(env.HOST_SSH_PORT),use_sudo=True)
sudo('/etc/init.d/ssh restart')
sudo('/etc/init.d/ssh restart')
set_server_state('ssh_restricted', delete=True)
return True
def upload_ssh_key(rollback=False):
"""
Upload your ssh key for passwordless logins
"""
auth_keys = "/home/%s/.ssh/authorized_keys" % env.user
if not rollback:
local_user = getpass.getuser()
host = socket.gethostname()
u = "@".join([local_user, host])
u = "ssh-key-uploaded-%s" % u
if not env.overwrite and server_state(u):
return
if not exists(".ssh"):
run("mkdir .ssh")
# Determine local .ssh dir.
home = os.path.expanduser("~")
ssh_key = None
upload_key = True
ssh_dsa = os.path.join(home, ".ssh/id_dsa.pub")
ssh_rsa = os.path.join(home, ".ssh/id_rsa.pub")
if env.key_filename and env.INTERACTIVE:
upload_key = confirm(
"Would you like to upload your personal key " "in addition to %s" % str(env.key_filename), default=True
)
if upload_key:
if os.path.exists(ssh_dsa):
ssh_key = ssh_dsa
elif os.path.exists(ssh_rsa):
ssh_key = ssh_rsa
if ssh_key:
ssh_file = open(ssh_key, "r").read()
if exists(auth_keys):
_backup_file(auth_keys)
if env.verbosity:
print env.host, "UPLOADING SSH KEY"
# Append prevents uploading twice.
append(auth_keys, ssh_file)
set_server_state(u)
return
else:
if exists(auth_keys + ".wovenbak"):
_restore_file("/home/%s/.ssh/authorized_keys" % env.user)
else:
# No pre-existing keys, so remove the .ssh directory.
sudo("rm -rf /home/%s/.ssh")
return
def upload_ssh_key(rollback=False):
"""
Upload your ssh key for passwordless logins
"""
auth_keys = '/home/%s/.ssh/authorized_keys'% env.user
if not rollback:
local_user = getpass.getuser()
host = socket.gethostname()
u = '@'.join([local_user,host])
u = 'ssh-key-uploaded-%s'% u
if not env.overwrite and server_state(u): return
if not exists('.ssh'):
run('mkdir .ssh')
#determine local .ssh dir
home = os.path.expanduser('~')
ssh_dsa = os.path.join(home,'.ssh/id_dsa.pub')
ssh_rsa = os.path.join(home,'.ssh/id_rsa.pub')
if env.KEY_FILENAME:
if not os.path.exists(env.KEY_FILENAME):
print "ERROR: The specified KEY_FILENAME (or SSH_KEY_FILENAME) %s does not exist"% env.KEY_FILENAME
sys.exit(1)
else:
ssh_key = env.KEY_FILENAME
elif os.path.exists(ssh_dsa):
ssh_key = ssh_dsa
elif os.path.exists(ssh_rsa):
ssh_key = ssh_rsa
else:
ssh_key = ''
if ssh_key:
ssh_file = open(ssh_key,'r').read()
if exists(auth_keys):
_backup_file(auth_keys)
if env.verbosity:
print env.host, "UPLOADING SSH KEY"
append(ssh_file,auth_keys) #append prevents uploading twice
set_server_state(u)
return
else:
if exists(auth_keys+'.wovenbak'):
_restore_file('/home/%s/.ssh/authorized_keys'% env.user)
else: #no pre-existing keys remove the .ssh directory
sudo('rm -rf /home/%s/.ssh')
return
def set_timezone(rollback=False):
"""
Set the time zone on the server using Django settings.TIME_ZONE
"""
if not rollback:
if contains(filename="/etc/timezone", text=env.TIME_ZONE, use_sudo=True):
return False
if env.verbosity:
print env.host, "CHANGING TIMEZONE /etc/timezone to " + env.TIME_ZONE
_backup_file("/etc/timezone")
sudo("echo %s > /tmp/timezone" % env.TIME_ZONE)
sudo("cp -f /tmp/timezone /etc/timezone")
sudo("dpkg-reconfigure --frontend noninteractive tzdata")
else:
_restore_file("/etc/timezone")
sudo("dpkg-reconfigure --frontend noninteractive tzdata")
return True
def upload_ssh_key(rollback=False):
"""
Upload your ssh key for passwordless logins
"""
auth_keys = '/home/%s/.ssh/authorized_keys'% env.user
if not rollback:
local_user = getpass.getuser()
host = socket.gethostname()
u = '@'.join([local_user,host])
u = 'ssh-key-uploaded-%s'% u
if not env.overwrite and server_state(u): return
if not exists('.ssh'):
run('mkdir .ssh')
#determine local .ssh dir
home = os.path.expanduser('~')
ssh_key = None
upload_key = True
ssh_dsa = os.path.join(home,'.ssh/id_dsa.pub')
ssh_rsa = os.path.join(home,'.ssh/id_rsa.pub')
if env.key_filename and env.INTERACTIVE:
upload_key = confirm('Would you like to upload your personal key in addition to %s'% str(env.key_filename), default=True)
if upload_key:
if os.path.exists(ssh_dsa):
ssh_key = ssh_dsa
elif os.path.exists(ssh_rsa):
ssh_key = ssh_rsa
if ssh_key:
ssh_file = open(ssh_key,'r').read()
if exists(auth_keys):
_backup_file(auth_keys)
if env.verbosity:
print env.host, "UPLOADING SSH KEY"
append(auth_keys,ssh_file) #append prevents uploading twice
set_server_state(u)
return
else:
if exists(auth_keys+'.wovenbak'):
_restore_file('/home/%s/.ssh/authorized_keys'% env.user)
else: #no pre-existing keys remove the .ssh directory
sudo('rm -rf /home/%s/.ssh')
return
def upload_ssh_key(rollback=False):
"""
Upload your ssh key for passwordless logins
"""
auth_keys = '/home/%s/.ssh/authorized_keys'% env.user
if not rollback:
if not exists('.ssh'):
run('mkdir .ssh')
#determine local .ssh dir
home = os.path.expanduser('~')
ssh_dsa = os.path.join(home,'.ssh/id_dsa.pub')
ssh_rsa = os.path.join(home,'.ssh/id_rsa.pub')
if os.path.exists(ssh_dsa):
ssh_key = ssh_dsa
elif os.path.exists(ssh_rsa):
ssh_key = ssh_rsa
else:
ssh_key = ''
if ssh_key:
ssh_file = open(ssh_key,'r').read()
if exists(auth_keys):
_backup_file(auth_keys)
if env.verbosity:
print env.host, "UPLOADING SSH KEY if it doesn't already exist on host"
append(ssh_file,auth_keys) #append prevents uploading twice
return
else:
if exists(auth_keys+'.wovenbak'):
_restore_file('/home/%s/.ssh/authorized_keys'% env.user)
else: #no pre-existing keys remove the .ssh directory
sudo('rm -rf /home/%s/.ssh')
return
def restrict_ssh(rollback=False):
"""
Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and
restart sshd.
UseDNS no # Prevents dns spoofing sshd defaults to yes
X11Forwarding no # Defaults to no
AuthorizedKeysFile %h/.ssh/authorized_keys
Also uncomment PasswordAuthentication no and restart sshd.
"""
if not rollback:
if server_state("ssh_restricted"):
return False
sshd_config = "/etc/ssh/sshd_config"
if env.verbosity:
print env.host, "RESTRICTING SSH with " + sshd_config
if not exists("/home/%s/.ssh/authorized_keys" % env.user):
# Do not pass go, do not collect $200.
print env.host, "You need to upload_ssh_key first."
return False
_backup_file(sshd_config)
context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
upload_template("woven/ssh/sshd_config", "/etc/ssh/sshd_config", context=context, use_sudo=True)
# Restart sshd.
sudo("/etc/init.d/ssh restart")
# The user can modify the sshd_config file directly but we save.
proceed = True
if (
not env.key_filename
and (env.DISABLE_SSH_PASSWORD or env.INTERACTIVE)
and contains("/etc/ssh/sshd_config", "#PasswordAuthentication no", use_sudo=True)
):
print "WARNING: You may want to test your node ssh login " "at this point ssh %s@%s -p%s" % (
env.user,
env.host,
env.port,
)
c_text = "Would you like to disable password login and use " "only ssh key authentication"
proceed = confirm(c_text, default=False)
if not env.INTERACTIVE or proceed or env.DISABLE_SSH_PASSWORD:
# Uncomments PasswordAuthentication no and restarts.
uncomment(sshd_config, "#(\s?)PasswordAuthentication(\s*)no", use_sudo=True)
sudo("/etc/init.d/ssh restart")
set_server_state("ssh_restricted")
return True
else:
# Full rollback.
_restore_file("/etc/ssh/sshd_config")
if server_state("ssh_port_changed"):
sed(
"/etc/ssh/sshd_config",
"Port " + str(env.DEFAULT_SSH_PORT),
"Port " + str(env.HOST_SSH_PORT),
use_sudo=True,
)
sudo("/etc/init.d/ssh restart")
sudo("/etc/init.d/ssh restart")
set_server_state("ssh_restricted", delete=True)
return True