Ejemplo n.º 1
0
def restrict_ssh(rollback=False):
    """
    Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and restart sshd
    UseDNS no #prevents dns spoofing sshd defaults to yes
    X11Forwarding no # defaults to no
    AuthorizedKeysFile  %h/.ssh/authorized_keys

    uncomments PasswordAuthentication no and restarts sshd
    """

    if not rollback:
        if server_state('ssh_restricted'):
            print env.host, 'Warning: sshd_config has already been modified. Skipping..'
            return False

        sshd_config = '/etc/ssh/sshd_config'
        if env.verbosity:
            print env.host, "RESTRICTING SSH with "+sshd_config
        filename = 'sshd_config'
        if not exists('/home/%s/.ssh/authorized_keys'% env.user): #do not pass go do not collect $200
            print env.host, 'You need to upload_ssh_key first.'
            return False
        _backup_file(sshd_config)
        context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
        
        upload_template('woven/ssh/sshd_config','/etc/ssh/sshd_config',context=context,use_sudo=True)
        # Restart sshd
        sudo('/etc/init.d/ssh restart')
        
        # The user can modify the sshd_config file directly but we save
        if env.INTERACTIVE and contains('#PasswordAuthentication no','/etc/ssh/sshd_config',use_sudo=True):
            c_text = 'Woven will now remove password login from ssh, and use only your ssh key. \n'
            c_text = c_text + 'CAUTION: please confirm that you can ssh %s@%s -p%s from a terminal without requiring a password before continuing.\n'% (env.user, env.host, env.port)
            c_text += 'If you cannot login, press enter to rollback your sshd_config file'
            proceed = confirm(c_text,default=False)
    
        if not env.INTERACTIVE or proceed:
            #uncomments PasswordAuthentication no and restarts
            uncomment(sshd_config,'#(\s?)PasswordAuthentication(\s*)no',use_sudo=True)
            sudo('/etc/init.d/ssh restart')
        else: #rollback
            print env.host, 'Rolling back sshd_config to default and proceeding without passwordless login'
            _restore_file('/etc/ssh/sshd_config', delete_backup=False)
            sed('/etc/ssh/sshd_config','Port '+ str(env.DEFAULT_SSH_PORT),'Port '+str(env.HOST_SSH_PORT),use_sudo=True)
            
            sudo('/etc/init.d/ssh restart')
            return False
        set_server_state('ssh_restricted')
        return True
    else: #Full rollback
        _restore_file('/etc/ssh/sshd_config')
        if server_state('ssh_port_changed'):
            sed('/etc/ssh/sshd_config','Port '+ str(env.DEFAULT_SSH_PORT),'Port '+str(env.HOST_SSH_PORT),use_sudo=True)
            sudo('/etc/init.d/ssh restart')
        sudo('/etc/init.d/ssh restart')
        set_server_state('ssh_restricted', delete=True)
        return True
Ejemplo n.º 2
0
def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins
    """
    user_ssh_dir = os.path.join(deployment_user_home(), '.ssh')
    auth_keys = os.path.join(user_ssh_dir, 'authorized_keys')
    if not rollback:
        local_user = getpass.getuser()
        host = socket.gethostname()
        u = '@'.join([local_user,host])
        u = 'ssh-key-uploaded-%s'% u
        if not env.overwrite and server_state(u): return
        if not exists('.ssh'):
            run('mkdir .ssh')
           
        #determine local .ssh dir
        home = os.path.expanduser('~')
    
        ssh_dsa = os.path.join(home,'.ssh/id_dsa.pub')
        ssh_rsa =  os.path.join(home,'.ssh/id_rsa.pub')
        if env.KEY_FILENAME:
            if not os.path.exists(env.KEY_FILENAME):
                print "ERROR: The specified KEY_FILENAME (or SSH_KEY_FILENAME) %s does not exist"% env.KEY_FILENAME
                sys.exit(1)
            else:
                ssh_key = env.KEY_FILENAME
        elif os.path.exists(ssh_dsa):
            ssh_key = ssh_dsa
        elif os.path.exists(ssh_rsa):
            ssh_key = ssh_rsa
        else:
            ssh_key = ''
    
        if ssh_key:
            ssh_file = open(ssh_key,'r').read()
            ssh_file = ssh_file.strip() # remove any trailing \n's
            
            if exists(auth_keys):
                _backup_file(auth_keys)
            if env.verbosity:
                print env.host, "UPLOADING SSH KEY"
            append(ssh_file,auth_keys) #append prevents uploading twice
            set_server_state(u)
        return
    else:
        if exists(auth_keys+'.wovenbak'):
            _restore_file(auth_keys)
        else: #no pre-existing keys remove the .ssh directory
            sudo('rm -rf ' + user_ssh_dir)
        return    
Ejemplo n.º 3
0
def restrict_ssh(rollback=False):
    """
    Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and restart sshd
    UseDNS no #prevents dns spoofing sshd defaults to yes
    X11Forwarding no # defaults to no
    AuthorizedKeysFile  %h/.ssh/authorized_keys

    uncomments PasswordAuthentication no and restarts sshd
    """

    if not rollback:
        if server_state('ssh_restricted'):
            return False

        sshd_config = '/etc/ssh/sshd_config'
        if env.verbosity:
            print env.host, "RESTRICTING SSH with "+sshd_config
        filename = 'sshd_config'
        if not exists('/home/%s/.ssh/authorized_keys'% env.user): #do not pass go do not collect $200
            print env.host, 'You need to upload_ssh_key first.'
            return False
        _backup_file(sshd_config)
        context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
        
        upload_template('woven/ssh/sshd_config','/etc/ssh/sshd_config',context=context,use_sudo=True)
        # Restart sshd
        sudo('/etc/init.d/ssh restart')
        
        # The user can modify the sshd_config file directly but we save
        proceed = True
        if not env.key_filename and (env.DISABLE_SSH_PASSWORD or env.INTERACTIVE) and contains('/etc/ssh/sshd_config','#PasswordAuthentication no',use_sudo=True):
            print "WARNING: You may want to test your node ssh login at this point ssh %s@%s -p%s"% (env.user, env.host, env.port)
            c_text = 'Would you like to disable password login and use only ssh key authentication'
            proceed = confirm(c_text,default=False)
    
        if not env.INTERACTIVE or proceed or env.DISABLE_SSH_PASSWORD:
            #uncomments PasswordAuthentication no and restarts
            uncomment(sshd_config,'#(\s?)PasswordAuthentication(\s*)no',use_sudo=True)
            sudo('/etc/init.d/ssh restart')
        set_server_state('ssh_restricted')
        return True
    else: #Full rollback
        _restore_file('/etc/ssh/sshd_config')
        if server_state('ssh_port_changed'):
            sed('/etc/ssh/sshd_config','Port '+ str(env.DEFAULT_SSH_PORT),'Port '+str(env.HOST_SSH_PORT),use_sudo=True)
            sudo('/etc/init.d/ssh restart')
        sudo('/etc/init.d/ssh restart')
        set_server_state('ssh_restricted', delete=True)
        return True
Ejemplo n.º 4
0
def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins
    """
    auth_keys = "/home/%s/.ssh/authorized_keys" % env.user
    if not rollback:
        local_user = getpass.getuser()
        host = socket.gethostname()
        u = "@".join([local_user, host])
        u = "ssh-key-uploaded-%s" % u
        if not env.overwrite and server_state(u):
            return
        if not exists(".ssh"):
            run("mkdir .ssh")

        # Determine local .ssh dir.
        home = os.path.expanduser("~")
        ssh_key = None
        upload_key = True
        ssh_dsa = os.path.join(home, ".ssh/id_dsa.pub")
        ssh_rsa = os.path.join(home, ".ssh/id_rsa.pub")
        if env.key_filename and env.INTERACTIVE:
            upload_key = confirm(
                "Would you like to upload your personal key " "in addition to %s" % str(env.key_filename), default=True
            )
        if upload_key:
            if os.path.exists(ssh_dsa):
                ssh_key = ssh_dsa
            elif os.path.exists(ssh_rsa):
                ssh_key = ssh_rsa

        if ssh_key:
            ssh_file = open(ssh_key, "r").read()

            if exists(auth_keys):
                _backup_file(auth_keys)
            if env.verbosity:
                print env.host, "UPLOADING SSH KEY"
            # Append prevents uploading twice.
            append(auth_keys, ssh_file)
            set_server_state(u)
        return
    else:
        if exists(auth_keys + ".wovenbak"):
            _restore_file("/home/%s/.ssh/authorized_keys" % env.user)
        else:
            # No pre-existing keys, so remove the .ssh directory.
            sudo("rm -rf /home/%s/.ssh")
        return
Ejemplo n.º 5
0
def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins
    """
    auth_keys = '/home/%s/.ssh/authorized_keys'% env.user
    if not rollback:
        local_user = getpass.getuser()
        host = socket.gethostname()
        u = '@'.join([local_user,host])
        u = 'ssh-key-uploaded-%s'% u
        if not env.overwrite and server_state(u): return
        if not exists('.ssh'):
            run('mkdir .ssh')
           
        #determine local .ssh dir
        home = os.path.expanduser('~')
    
        ssh_dsa = os.path.join(home,'.ssh/id_dsa.pub')
        ssh_rsa =  os.path.join(home,'.ssh/id_rsa.pub')
        if env.KEY_FILENAME:
            if not os.path.exists(env.KEY_FILENAME):
                print "ERROR: The specified KEY_FILENAME (or SSH_KEY_FILENAME) %s does not exist"% env.KEY_FILENAME
                sys.exit(1)
            else:
                ssh_key = env.KEY_FILENAME
        elif os.path.exists(ssh_dsa):
            ssh_key = ssh_dsa
        elif os.path.exists(ssh_rsa):
            ssh_key = ssh_rsa
        else:
            ssh_key = ''
    
        if ssh_key:
            ssh_file = open(ssh_key,'r').read()
            
            if exists(auth_keys):
                _backup_file(auth_keys)
            if env.verbosity:
                print env.host, "UPLOADING SSH KEY"
            append(ssh_file,auth_keys) #append prevents uploading twice
            set_server_state(u)
        return
    else:
        if exists(auth_keys+'.wovenbak'):
            _restore_file('/home/%s/.ssh/authorized_keys'% env.user)
        else: #no pre-existing keys remove the .ssh directory
            sudo('rm -rf /home/%s/.ssh')
        return    
Ejemplo n.º 6
0
def set_timezone(rollback=False):
    """
    Set the time zone on the server using Django settings.TIME_ZONE
    """
    if not rollback:
        if contains(filename="/etc/timezone", text=env.TIME_ZONE, use_sudo=True):
            return False
        if env.verbosity:
            print env.host, "CHANGING TIMEZONE /etc/timezone to " + env.TIME_ZONE
        _backup_file("/etc/timezone")
        sudo("echo %s > /tmp/timezone" % env.TIME_ZONE)
        sudo("cp -f /tmp/timezone /etc/timezone")
        sudo("dpkg-reconfigure --frontend noninteractive tzdata")
    else:
        _restore_file("/etc/timezone")
        sudo("dpkg-reconfigure --frontend noninteractive tzdata")
    return True
Ejemplo n.º 7
0
def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins
    """
    auth_keys = '/home/%s/.ssh/authorized_keys'% env.user
    if not rollback:
        local_user = getpass.getuser()
        host = socket.gethostname()
        u = '@'.join([local_user,host])
        u = 'ssh-key-uploaded-%s'% u
        if not env.overwrite and server_state(u): return
        if not exists('.ssh'):
            run('mkdir .ssh')
           
        #determine local .ssh dir
        home = os.path.expanduser('~')
        ssh_key = None
        upload_key = True
        ssh_dsa = os.path.join(home,'.ssh/id_dsa.pub')
        ssh_rsa =  os.path.join(home,'.ssh/id_rsa.pub')
        if env.key_filename and env.INTERACTIVE:
                upload_key = confirm('Would you like to upload your personal key in addition to %s'% str(env.key_filename), default=True)
        if upload_key:  
            if os.path.exists(ssh_dsa):
                ssh_key = ssh_dsa
            elif os.path.exists(ssh_rsa):
                ssh_key = ssh_rsa
    
        if ssh_key:
            ssh_file = open(ssh_key,'r').read()
            
            if exists(auth_keys):
                _backup_file(auth_keys)
            if env.verbosity:
                print env.host, "UPLOADING SSH KEY"
            append(auth_keys,ssh_file) #append prevents uploading twice
            set_server_state(u)
        return
    else:
        if exists(auth_keys+'.wovenbak'):
            _restore_file('/home/%s/.ssh/authorized_keys'% env.user)
        else: #no pre-existing keys remove the .ssh directory
            sudo('rm -rf /home/%s/.ssh')
        return    
Ejemplo n.º 8
0
def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins
    """
    auth_keys = '/home/%s/.ssh/authorized_keys'% env.user
    if not rollback:    
        if not exists('.ssh'):
            run('mkdir .ssh')
           
        #determine local .ssh dir
        home = os.path.expanduser('~')
    
        ssh_dsa = os.path.join(home,'.ssh/id_dsa.pub')
        ssh_rsa =  os.path.join(home,'.ssh/id_rsa.pub')
        if os.path.exists(ssh_dsa):
            ssh_key = ssh_dsa
        elif os.path.exists(ssh_rsa):
            ssh_key = ssh_rsa
        else:
            ssh_key = ''
    
        if ssh_key:
            ssh_file = open(ssh_key,'r').read()
            
            if exists(auth_keys):
                _backup_file(auth_keys)
            if env.verbosity:
                print env.host, "UPLOADING SSH KEY if it doesn't already exist on host"
            append(ssh_file,auth_keys) #append prevents uploading twice
        return
    else:
        if exists(auth_keys+'.wovenbak'):
            _restore_file('/home/%s/.ssh/authorized_keys'% env.user)
        else: #no pre-existing keys remove the .ssh directory
            sudo('rm -rf /home/%s/.ssh')
        return
Ejemplo n.º 9
0
def restrict_ssh(rollback=False):
    """
    Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and
    restart sshd.

        UseDNS no           # Prevents dns spoofing sshd defaults to yes
        X11Forwarding no    # Defaults to no
        AuthorizedKeysFile  %h/.ssh/authorized_keys

    Also uncomment PasswordAuthentication no and restart sshd.
    """

    if not rollback:
        if server_state("ssh_restricted"):
            return False

        sshd_config = "/etc/ssh/sshd_config"
        if env.verbosity:
            print env.host, "RESTRICTING SSH with " + sshd_config
        if not exists("/home/%s/.ssh/authorized_keys" % env.user):
            # Do not pass go, do not collect $200.
            print env.host, "You need to upload_ssh_key first."
            return False
        _backup_file(sshd_config)
        context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}

        upload_template("woven/ssh/sshd_config", "/etc/ssh/sshd_config", context=context, use_sudo=True)
        # Restart sshd.
        sudo("/etc/init.d/ssh restart")

        # The user can modify the sshd_config file directly but we save.
        proceed = True
        if (
            not env.key_filename
            and (env.DISABLE_SSH_PASSWORD or env.INTERACTIVE)
            and contains("/etc/ssh/sshd_config", "#PasswordAuthentication no", use_sudo=True)
        ):
            print "WARNING: You may want to test your node ssh login " "at this point ssh %s@%s -p%s" % (
                env.user,
                env.host,
                env.port,
            )
            c_text = "Would you like to disable password login and use " "only ssh key authentication"
            proceed = confirm(c_text, default=False)

        if not env.INTERACTIVE or proceed or env.DISABLE_SSH_PASSWORD:
            # Uncomments PasswordAuthentication no and restarts.
            uncomment(sshd_config, "#(\s?)PasswordAuthentication(\s*)no", use_sudo=True)
            sudo("/etc/init.d/ssh restart")
        set_server_state("ssh_restricted")
        return True
    else:
        # Full rollback.
        _restore_file("/etc/ssh/sshd_config")
        if server_state("ssh_port_changed"):
            sed(
                "/etc/ssh/sshd_config",
                "Port " + str(env.DEFAULT_SSH_PORT),
                "Port " + str(env.HOST_SSH_PORT),
                use_sudo=True,
            )
            sudo("/etc/init.d/ssh restart")
        sudo("/etc/init.d/ssh restart")
        set_server_state("ssh_restricted", delete=True)
        return True