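def restrict_ssh(rollback=False):
    """
    Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and restart sshd.

    The uploaded ``woven/ssh/sshd_config`` template is expected to carry:

        UseDNS no            # prevents dns spoofing; sshd defaults to yes
        X11Forwarding no     # defaults to no
        AuthorizedKeysFile %h/.ssh/authorized_keys

    ``PasswordAuthentication no`` is then uncommented (after an interactive
    confirmation when ``env.INTERACTIVE`` is set) and sshd is restarted.

    Lock-out safeguards:
      * refuses to run until ``/home/<env.user>/.ssh/authorized_keys`` exists
        (run ``upload_ssh_key`` first);
      * the on-disk config is syntax-checked with ``sshd -t`` before every
        restart, so a broken template never takes the daemon down;
      * in interactive mode, declining the confirmation restores the original
        config (keeping the backup and the configured port).

    Parameters:
        rollback: when True, restore the backed-up sshd_config, re-apply the
            changed port when the ``ssh_port_changed`` state is set, restart
            sshd and clear the ``ssh_restricted`` state.

    Returns:
        True when the host was restricted (or rolled back); False when the step
        was skipped or the operator declined to disable password login.
    """
    sshd_config = '/etc/ssh/sshd_config'

    def _restart_sshd():
        # Validate the config first. Fabric's sudo() aborts the run on a
        # non-zero exit (unless warn_only is set), so a bad config stops us
        # before sshd is restarted with it; the .wovenbak backup stays in
        # place and can be restored with restrict_ssh(rollback=True).
        sudo('/usr/sbin/sshd -t')
        sudo('/etc/init.d/ssh restart')

    if rollback:
        # Full rollback: restore the original file but keep a changed port.
        _restore_file(sshd_config)
        if server_state('ssh_port_changed'):
            sed(sshd_config, 'Port ' + str(env.DEFAULT_SSH_PORT),
                'Port ' + str(env.HOST_SSH_PORT), use_sudo=True)
        _restart_sshd()
        set_server_state('ssh_restricted', delete=True)
        return True

    if server_state('ssh_restricted'):
        print env.host, 'Warning: sshd_config has already been modified. Skipping..'
        return False
    if env.verbosity:
        print env.host, "RESTRICTING SSH with " + sshd_config
    # Do not pass go, do not collect $200: without a key in place, disabling
    # password login would lock us out of the host.
    if not exists('/home/%s/.ssh/authorized_keys' % env.user):
        print env.host, 'You need to upload_ssh_key first.'
        return False

    _backup_file(sshd_config)
    context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
    upload_template('woven/ssh/sshd_config', sshd_config, context=context, use_sudo=True)
    _restart_sshd()

    # The user can modify the sshd_config file directly, so only prompt when
    # password login is still commented out. Default to proceeding: previously
    # ``proceed`` was only bound inside the prompt branch, so an interactive run
    # against an already-edited config raised NameError below.
    proceed = True
    if env.INTERACTIVE and contains('#PasswordAuthentication no', sshd_config, use_sudo=True):
        c_text = 'Woven will now remove password login from ssh, and use only your ssh key. \n'
        c_text = c_text + 'CAUTION: please confirm that you can ssh %s@%s -p%s from a terminal without requiring a password before continuing.\n' % (env.user, env.host, env.port)
        c_text += 'If you cannot login, press enter to rollback your sshd_config file'
        proceed = confirm(c_text, default=False)

    if not env.INTERACTIVE or proceed:
        # Uncomment PasswordAuthentication no and restart.
        uncomment(sshd_config, r'#(\s?)PasswordAuthentication(\s*)no', use_sudo=True)
        _restart_sshd()
        set_server_state('ssh_restricted')
        return True

    # Operator could not confirm passwordless login: restore the default config,
    # keep the backup around and re-apply the configured port.
    print env.host, 'Rolling back sshd_config to default and proceeding without passwordless login'
    _restore_file(sshd_config, delete_backup=False)
    sed(sshd_config, 'Port ' + str(env.DEFAULT_SSH_PORT),
        'Port ' + str(env.HOST_SSH_PORT), use_sudo=True)
    _restart_sshd()
    return False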
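def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins.

    The local public key is chosen in this order: ``env.KEY_FILENAME``
    (``SSH_KEY_FILENAME`` in settings; the run exits with status 1 if that file
    does not exist), ``~/.ssh/id_dsa.pub``, ``~/.ssh/id_rsa.pub``. If none is
    found nothing is uploaded. The key is appended to the deployment user's
    ``.ssh/authorized_keys`` (``append`` skips it when already present),
    backing that file up first when it exists, and the host is marked with an
    ``ssh-key-uploaded-<localuser>@<localhost>`` state so later runs skip the
    upload unless ``env.overwrite`` is set.

    NOTE(review): ``id_dsa.pub`` is preferred over ``id_rsa.pub``. OpenSSH 7.0+
    disables ssh-dss keys by default, so on a modern host a DSA key is uploaded
    but rejected at login; use an RSA (or Ed25519) key, or set KEY_FILENAME.

    Parameters:
        rollback: when True, restore ``authorized_keys`` from its ``.wovenbak``
            backup, or — when there was no backup, i.e. no pre-existing keys —
            remove the deployment user's whole ``.ssh`` directory. Be aware that
            the latter deletes everything under ``.ssh``, not only
            ``authorized_keys``.
    """
    user_ssh_dir = os.path.join(deployment_user_home(), '.ssh')
    auth_keys = os.path.join(user_ssh_dir, 'authorized_keys')

    if rollback:
        if exists(auth_keys + '.wovenbak'):
            _restore_file(auth_keys)
        else:
            # No pre-existing keys: remove the .ssh directory we created.
            sudo('rm -rf ' + user_ssh_dir)
        return

    # One state flag per (local user, local host), so each operator's key is
    # uploaded at most once.
    state_name = 'ssh-key-uploaded-%s' % '@'.join([getpass.getuser(), socket.gethostname()])
    if not env.overwrite and server_state(state_name):
        return

    if not exists('.ssh'):
        # 0700 keeps the directory private and satisfies sshd's StrictModes.
        run('mkdir -m 700 .ssh')

    # Determine the local public key to upload.
    home = os.path.expanduser('~')
    ssh_dsa = os.path.join(home, '.ssh/id_dsa.pub')
    ssh_rsa = os.path.join(home, '.ssh/id_rsa.pub')
    if env.KEY_FILENAME:
        if not os.path.exists(env.KEY_FILENAME):
            print "ERROR: The specified KEY_FILENAME (or SSH_KEY_FILENAME) %s does not exist" % env.KEY_FILENAME
            sys.exit(1)
        ssh_key = env.KEY_FILENAME
    elif os.path.exists(ssh_dsa):
        ssh_key = ssh_dsa
    elif os.path.exists(ssh_rsa):
        ssh_key = ssh_rsa
    else:
        ssh_key = ''
    if not ssh_key:
        return

    # Close the handle promptly; strip trailing newlines so append()'s
    # "already present" check matches on later runs.
    with open(ssh_key, 'r') as key_file:
        ssh_file = key_file.read().strip()
    if exists(auth_keys):
        _backup_file(auth_keys)
    if env.verbosity:
        print env.host, "UPLOADING SSH KEY"
    append(ssh_file, auth_keys)  # append prevents uploading twice
    set_server_state(state_name)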
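def restrict_ssh(rollback=False):
    """
    Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and restart sshd.

    The uploaded ``woven/ssh/sshd_config`` template is expected to carry:

        UseDNS no            # prevents dns spoofing; sshd defaults to yes
        X11Forwarding no     # defaults to no
        AuthorizedKeysFile %h/.ssh/authorized_keys

    ``PasswordAuthentication no`` is then uncommented and sshd restarted. When
    Fabric is not already connecting with a key (``env.key_filename`` unset)
    and either ``env.DISABLE_SSH_PASSWORD`` or ``env.INTERACTIVE`` is set, the
    operator is asked first; note that ``DISABLE_SSH_PASSWORD`` overrides a
    declined prompt.

    Lock-out safeguards:
      * refuses to run until ``/home/<env.user>/.ssh/authorized_keys`` exists
        (run ``upload_ssh_key`` first);
      * the on-disk config is syntax-checked with ``sshd -t`` before every
        restart, so a broken template never takes the daemon down.

    Parameters:
        rollback: when True, restore the backed-up sshd_config, re-apply the
            changed port when the ``ssh_port_changed`` state is set, restart
            sshd and clear the ``ssh_restricted`` state.

    Returns:
        False when the host is already restricted or no authorized_keys file
        exists; True otherwise (the ``ssh_restricted`` state is set even when
        password login was left enabled).
    """
    sshd_config = '/etc/ssh/sshd_config'

    def _restart_sshd():
        # Validate the config first. Fabric's sudo() aborts the run on a
        # non-zero exit (unless warn_only is set), so a bad config stops us
        # before sshd is restarted with it; the .wovenbak backup stays in
        # place and can be restored with restrict_ssh(rollback=True).
        sudo('/usr/sbin/sshd -t')
        sudo('/etc/init.d/ssh restart')

    if rollback:
        # Full rollback: restore the original file but keep a changed port.
        _restore_file(sshd_config)
        if server_state('ssh_port_changed'):
            sed(sshd_config, 'Port ' + str(env.DEFAULT_SSH_PORT),
                'Port ' + str(env.HOST_SSH_PORT), use_sudo=True)
        _restart_sshd()
        set_server_state('ssh_restricted', delete=True)
        return True

    if server_state('ssh_restricted'):
        return False
    if env.verbosity:
        print env.host, "RESTRICTING SSH with " + sshd_config
    # Do not pass go, do not collect $200: without a key in place, disabling
    # password login would lock us out of the host.
    if not exists('/home/%s/.ssh/authorized_keys' % env.user):
        print env.host, 'You need to upload_ssh_key first.'
        return False

    _backup_file(sshd_config)
    context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
    upload_template('woven/ssh/sshd_config', sshd_config, context=context, use_sudo=True)
    _restart_sshd()

    # The user can modify the sshd_config file directly; only prompt while
    # password login is still commented out in the uploaded template.
    proceed = True
    if (not env.key_filename and (env.DISABLE_SSH_PASSWORD or env.INTERACTIVE)
            and contains(sshd_config, '#PasswordAuthentication no', use_sudo=True)):
        print "WARNING: You may want to test your node ssh login at this point ssh %s@%s -p%s" % (env.user, env.host, env.port)
        c_text = 'Would you like to disable password login and use only ssh key authentication'
        proceed = confirm(c_text, default=False)
    if not env.INTERACTIVE or proceed or env.DISABLE_SSH_PASSWORD:
        # Uncomment PasswordAuthentication no and restart.
        uncomment(sshd_config, r'#(\s?)PasswordAuthentication(\s*)no', use_sudo=True)
        _restart_sshd()
    set_server_state('ssh_restricted')
    return True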
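def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins.

    Uploads the local ``~/.ssh/id_dsa.pub`` (preferred) or ``~/.ssh/id_rsa.pub``
    to ``/home/<env.user>/.ssh/authorized_keys`` (``append`` skips it when
    already present), backing that file up first when it exists. When Fabric is
    already connecting with ``env.key_filename`` and ``env.INTERACTIVE`` is set,
    the operator is asked whether the personal key should be uploaded as well.
    The host is marked with an ``ssh-key-uploaded-<localuser>@<localhost>``
    state so later runs skip the upload unless ``env.overwrite`` is set.

    NOTE(review): DSA keys are disabled by default in OpenSSH 7.0+, so on a
    modern host an uploaded ``id_dsa.pub`` will be rejected at login; prefer
    an RSA (or Ed25519) key.

    Parameters:
        rollback: when True, restore ``authorized_keys`` from its ``.wovenbak``
            backup, or — when there was no backup, i.e. no pre-existing keys —
            remove the user's whole ``.ssh`` directory (everything under it,
            not only ``authorized_keys``).
    """
    user_ssh_dir = "/home/%s/.ssh" % env.user
    auth_keys = os.path.join(user_ssh_dir, "authorized_keys")

    if rollback:
        if exists(auth_keys + ".wovenbak"):
            _restore_file(auth_keys)
        else:
            # No pre-existing keys, so remove the .ssh directory we created.
            # Bug fix: the path was previously never interpolated with
            # env.user, so the literal "/home/%s/.ssh" was removed instead.
            sudo("rm -rf " + user_ssh_dir)
        return

    # One state flag per (local user, local host).
    state_name = "ssh-key-uploaded-%s" % "@".join([getpass.getuser(), socket.gethostname()])
    if not env.overwrite and server_state(state_name):
        return

    if not exists(".ssh"):
        # 0700 keeps the directory private and satisfies sshd's StrictModes.
        run("mkdir -m 700 .ssh")

    # Determine the local public key to upload.
    home = os.path.expanduser("~")
    ssh_dsa = os.path.join(home, ".ssh/id_dsa.pub")
    ssh_rsa = os.path.join(home, ".ssh/id_rsa.pub")
    upload_key = True
    if env.key_filename and env.INTERACTIVE:
        upload_key = confirm(
            "Would you like to upload your personal key "
            "in addition to %s" % str(env.key_filename),
            default=True
        )
    ssh_key = None
    if upload_key:
        if os.path.exists(ssh_dsa):
            ssh_key = ssh_dsa
        elif os.path.exists(ssh_rsa):
            ssh_key = ssh_rsa
    if not ssh_key:
        return

    # Close the handle promptly; strip trailing newlines so append()'s
    # "already present" check matches on later runs.
    with open(ssh_key, "r") as key_file:
        ssh_file = key_file.read().strip()
    if exists(auth_keys):
        _backup_file(auth_keys)
    if env.verbosity:
        print env.host, "UPLOADING SSH KEY"
    # Append prevents uploading twice.
    append(auth_keys, ssh_file)
    set_server_state(state_name)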
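def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins.

    The local public key is chosen in this order: ``env.KEY_FILENAME``
    (``SSH_KEY_FILENAME`` in settings; the run exits with status 1 if that file
    does not exist), ``~/.ssh/id_dsa.pub``, ``~/.ssh/id_rsa.pub``. If none is
    found nothing is uploaded. The key is appended to
    ``/home/<env.user>/.ssh/authorized_keys`` (``append`` skips it when already
    present), backing that file up first when it exists, and the host is marked
    with an ``ssh-key-uploaded-<localuser>@<localhost>`` state so later runs
    skip the upload unless ``env.overwrite`` is set.

    NOTE(review): ``id_dsa.pub`` is preferred over ``id_rsa.pub``. OpenSSH 7.0+
    disables ssh-dss keys by default, so on a modern host a DSA key is uploaded
    but rejected at login; use an RSA (or Ed25519) key, or set KEY_FILENAME.

    Parameters:
        rollback: when True, restore ``authorized_keys`` from its ``.wovenbak``
            backup, or — when there was no backup, i.e. no pre-existing keys —
            remove the user's whole ``.ssh`` directory (everything under it,
            not only ``authorized_keys``).
    """
    user_ssh_dir = '/home/%s/.ssh' % env.user
    auth_keys = os.path.join(user_ssh_dir, 'authorized_keys')

    if rollback:
        if exists(auth_keys + '.wovenbak'):
            _restore_file(auth_keys)
        else:
            # No pre-existing keys: remove the .ssh directory we created.
            # Bug fix: the path was previously never interpolated with
            # env.user, so the literal '/home/%s/.ssh' was removed instead.
            sudo('rm -rf ' + user_ssh_dir)
        return

    # One state flag per (local user, local host).
    state_name = 'ssh-key-uploaded-%s' % '@'.join([getpass.getuser(), socket.gethostname()])
    if not env.overwrite and server_state(state_name):
        return

    if not exists('.ssh'):
        # 0700 keeps the directory private and satisfies sshd's StrictModes.
        run('mkdir -m 700 .ssh')

    # Determine the local public key to upload.
    home = os.path.expanduser('~')
    ssh_dsa = os.path.join(home, '.ssh/id_dsa.pub')
    ssh_rsa = os.path.join(home, '.ssh/id_rsa.pub')
    if env.KEY_FILENAME:
        if not os.path.exists(env.KEY_FILENAME):
            print "ERROR: The specified KEY_FILENAME (or SSH_KEY_FILENAME) %s does not exist" % env.KEY_FILENAME
            sys.exit(1)
        ssh_key = env.KEY_FILENAME
    elif os.path.exists(ssh_dsa):
        ssh_key = ssh_dsa
    elif os.path.exists(ssh_rsa):
        ssh_key = ssh_rsa
    else:
        ssh_key = ''
    if not ssh_key:
        return

    # Close the handle promptly; strip trailing newlines so append()'s
    # "already present" check matches on later runs.
    with open(ssh_key, 'r') as key_file:
        ssh_file = key_file.read().strip()
    if exists(auth_keys):
        _backup_file(auth_keys)
    if env.verbosity:
        print env.host, "UPLOADING SSH KEY"
    append(ssh_file, auth_keys)  # append prevents uploading twice
    set_server_state(state_name)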
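def set_timezone(rollback=False):
    """
    Set the time zone on the server using Django settings.TIME_ZONE.

    Writes ``env.TIME_ZONE`` to ``/etc/timezone`` (staged through
    ``/tmp/timezone``) and runs ``dpkg-reconfigure tzdata`` so the system
    zone follows. Nothing is changed when ``/etc/timezone`` already contains
    the value.

    ``env.TIME_ZONE`` is interpolated into a remote shell command, so it is
    checked against the characters a tz database name is made of (letters,
    digits, ``/``, ``_``, ``+``, ``-``) and refused otherwise, rather than
    being handed to the shell verbatim.

    Parameters:
        rollback: when True, restore the backed-up ``/etc/timezone`` and
            re-run ``dpkg-reconfigure tzdata``.

    Returns:
        False when the zone was already set or the value was rejected; True
        otherwise.
    """
    import re

    if rollback:
        _restore_file("/etc/timezone")
        sudo("dpkg-reconfigure --frontend noninteractive tzdata")
        return True

    if contains(filename="/etc/timezone", text=env.TIME_ZONE, use_sudo=True):
        return False
    # \Z (not $) so a trailing newline is rejected as well.
    if not re.match(r'[A-Za-z0-9_+/-]+\Z', env.TIME_ZONE):
        print env.host, "ERROR: TIME_ZONE %s is not a valid tz database name; leaving /etc/timezone unchanged" % env.TIME_ZONE
        return False
    if env.verbosity:
        print env.host, "CHANGING TIMEZONE /etc/timezone to " + env.TIME_ZONE
    _backup_file("/etc/timezone")
    # NOTE(review): /tmp/timezone is a fixed path in a world-writable
    # directory, so another local user could replace its contents between
    # these two commands. Low impact for a time zone, but worth knowing.
    sudo("echo %s > /tmp/timezone" % env.TIME_ZONE)
    sudo("cp -f /tmp/timezone /etc/timezone")
    sudo("dpkg-reconfigure --frontend noninteractive tzdata")
    return True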
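def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins.

    Uploads the local ``~/.ssh/id_dsa.pub`` (preferred) or ``~/.ssh/id_rsa.pub``
    to ``/home/<env.user>/.ssh/authorized_keys`` (``append`` skips it when
    already present), backing that file up first when it exists. When Fabric is
    already connecting with ``env.key_filename`` and ``env.INTERACTIVE`` is set,
    the operator is asked whether the personal key should be uploaded as well.
    The host is marked with an ``ssh-key-uploaded-<localuser>@<localhost>``
    state so later runs skip the upload unless ``env.overwrite`` is set.

    NOTE(review): DSA keys are disabled by default in OpenSSH 7.0+, so on a
    modern host an uploaded ``id_dsa.pub`` will be rejected at login; prefer
    an RSA (or Ed25519) key.

    Parameters:
        rollback: when True, restore ``authorized_keys`` from its ``.wovenbak``
            backup, or — when there was no backup, i.e. no pre-existing keys —
            remove the user's whole ``.ssh`` directory (everything under it,
            not only ``authorized_keys``).
    """
    user_ssh_dir = '/home/%s/.ssh' % env.user
    auth_keys = os.path.join(user_ssh_dir, 'authorized_keys')

    if rollback:
        if exists(auth_keys + '.wovenbak'):
            _restore_file(auth_keys)
        else:
            # No pre-existing keys: remove the .ssh directory we created.
            # Bug fix: the path was previously never interpolated with
            # env.user, so the literal '/home/%s/.ssh' was removed instead.
            sudo('rm -rf ' + user_ssh_dir)
        return

    # One state flag per (local user, local host).
    state_name = 'ssh-key-uploaded-%s' % '@'.join([getpass.getuser(), socket.gethostname()])
    if not env.overwrite and server_state(state_name):
        return

    if not exists('.ssh'):
        # 0700 keeps the directory private and satisfies sshd's StrictModes.
        run('mkdir -m 700 .ssh')

    # Determine the local public key to upload.
    home = os.path.expanduser('~')
    ssh_dsa = os.path.join(home, '.ssh/id_dsa.pub')
    ssh_rsa = os.path.join(home, '.ssh/id_rsa.pub')
    upload_key = True
    if env.key_filename and env.INTERACTIVE:
        upload_key = confirm('Would you like to upload your personal key in addition to %s' % str(env.key_filename), default=True)
    ssh_key = None
    if upload_key:
        if os.path.exists(ssh_dsa):
            ssh_key = ssh_dsa
        elif os.path.exists(ssh_rsa):
            ssh_key = ssh_rsa
    if not ssh_key:
        return

    # Close the handle promptly; strip trailing newlines so append()'s
    # "already present" check matches on later runs.
    with open(ssh_key, 'r') as key_file:
        ssh_file = key_file.read().strip()
    if exists(auth_keys):
        _backup_file(auth_keys)
    if env.verbosity:
        print env.host, "UPLOADING SSH KEY"
    append(auth_keys, ssh_file)  # append prevents uploading twice
    set_server_state(state_name)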
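def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins.

    Uploads the local ``~/.ssh/id_dsa.pub`` (preferred) or ``~/.ssh/id_rsa.pub``
    to ``/home/<env.user>/.ssh/authorized_keys``, backing that file up first
    when it exists. ``append`` only adds the key when it is not already in
    the file, so the task is safe to re-run. If no local public key is found
    nothing is uploaded.

    NOTE(review): DSA keys are disabled by default in OpenSSH 7.0+, so on a
    modern host an uploaded ``id_dsa.pub`` will be rejected at login; prefer
    an RSA (or Ed25519) key.

    Parameters:
        rollback: when True, restore ``authorized_keys`` from its ``.wovenbak``
            backup, or — when there was no backup, i.e. no pre-existing keys —
            remove the user's whole ``.ssh`` directory (everything under it,
            not only ``authorized_keys``).
    """
    user_ssh_dir = '/home/%s/.ssh' % env.user
    auth_keys = os.path.join(user_ssh_dir, 'authorized_keys')

    if rollback:
        if exists(auth_keys + '.wovenbak'):
            _restore_file(auth_keys)
        else:
            # No pre-existing keys: remove the .ssh directory we created.
            # Bug fix: the path was previously never interpolated with
            # env.user, so the literal '/home/%s/.ssh' was removed instead.
            sudo('rm -rf ' + user_ssh_dir)
        return

    if not exists('.ssh'):
        # 0700 keeps the directory private and satisfies sshd's StrictModes.
        run('mkdir -m 700 .ssh')

    # Determine the local public key to upload.
    home = os.path.expanduser('~')
    ssh_dsa = os.path.join(home, '.ssh/id_dsa.pub')
    ssh_rsa = os.path.join(home, '.ssh/id_rsa.pub')
    if os.path.exists(ssh_dsa):
        ssh_key = ssh_dsa
    elif os.path.exists(ssh_rsa):
        ssh_key = ssh_rsa
    else:
        ssh_key = ''
    if not ssh_key:
        return

    # Close the handle promptly; strip trailing newlines so append()'s
    # "already present" check matches on later runs.
    with open(ssh_key, 'r') as key_file:
        ssh_file = key_file.read().strip()
    if exists(auth_keys):
        _backup_file(auth_keys)
    if env.verbosity:
        print env.host, "UPLOADING SSH KEY if it doesn't already exist on host"
    append(ssh_file, auth_keys)  # append prevents uploading twice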
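def restrict_ssh(rollback=False):
    """
    Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and restart sshd.

    The uploaded ``woven/ssh/sshd_config`` template is expected to carry:

        UseDNS no            # Prevents dns spoofing; sshd defaults to yes
        X11Forwarding no     # Defaults to no
        AuthorizedKeysFile %h/.ssh/authorized_keys

    ``PasswordAuthentication no`` is then uncommented and sshd restarted. When
    Fabric is not already connecting with a key (``env.key_filename`` unset)
    and either ``env.DISABLE_SSH_PASSWORD`` or ``env.INTERACTIVE`` is set, the
    operator is asked first; note that ``DISABLE_SSH_PASSWORD`` overrides a
    declined prompt.

    Lock-out safeguards:
      * refuses to run until ``/home/<env.user>/.ssh/authorized_keys`` exists
        (run ``upload_ssh_key`` first);
      * the on-disk config is syntax-checked with ``sshd -t`` before every
        restart, so a broken template never takes the daemon down.

    Parameters:
        rollback: when True, restore the backed-up sshd_config, re-apply the
            changed port when the ``ssh_port_changed`` state is set, restart
            sshd and clear the ``ssh_restricted`` state.

    Returns:
        False when the host is already restricted or no authorized_keys file
        exists; True otherwise (the ``ssh_restricted`` state is set even when
        password login was left enabled).
    """
    sshd_config = "/etc/ssh/sshd_config"

    def _restart_sshd():
        # Validate the config first. Fabric's sudo() aborts the run on a
        # non-zero exit (unless warn_only is set), so a bad config stops us
        # before sshd is restarted with it; the .wovenbak backup stays in
        # place and can be restored with restrict_ssh(rollback=True).
        sudo("/usr/sbin/sshd -t")
        sudo("/etc/init.d/ssh restart")

    if rollback:
        # Full rollback: restore the original file but keep a changed port.
        _restore_file(sshd_config)
        if server_state("ssh_port_changed"):
            sed(
                sshd_config,
                "Port " + str(env.DEFAULT_SSH_PORT),
                "Port " + str(env.HOST_SSH_PORT),
                use_sudo=True,
            )
        _restart_sshd()
        set_server_state("ssh_restricted", delete=True)
        return True

    if server_state("ssh_restricted"):
        return False
    if env.verbosity:
        print env.host, "RESTRICTING SSH with " + sshd_config
    # Do not pass go, do not collect $200: without a key in place, disabling
    # password login would lock us out of the host.
    if not exists("/home/%s/.ssh/authorized_keys" % env.user):
        print env.host, "You need to upload_ssh_key first."
        return False

    _backup_file(sshd_config)
    context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
    upload_template("woven/ssh/sshd_config", sshd_config, context=context, use_sudo=True)
    _restart_sshd()

    # The user can modify the sshd_config file directly; only prompt while
    # password login is still commented out in the uploaded template.
    proceed = True
    if (
        not env.key_filename
        and (env.DISABLE_SSH_PASSWORD or env.INTERACTIVE)
        and contains(sshd_config, "#PasswordAuthentication no", use_sudo=True)
    ):
        print "WARNING: You may want to test your node ssh login at this point ssh %s@%s -p%s" % (
            env.user,
            env.host,
            env.port,
        )
        c_text = "Would you like to disable password login and use only ssh key authentication"
        proceed = confirm(c_text, default=False)
    if not env.INTERACTIVE or proceed or env.DISABLE_SSH_PASSWORD:
        # Uncomment PasswordAuthentication no and restart.
        uncomment(sshd_config, r"#(\s?)PasswordAuthentication(\s*)no", use_sudo=True)
        _restart_sshd()
    set_server_state("ssh_restricted")
    return True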