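def restrict_ssh(rollback=False):
    """
    Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and restart sshd

    Uploads the woven/ssh/sshd_config template over /etc/ssh/sshd_config
    (UseDNS no, X11Forwarding no, AuthorizedKeysFile %h/.ssh/authorized_keys),
    restarts sshd, then uncomments ``PasswordAuthentication no`` and restarts
    again.  upload_ssh_key must have run first, otherwise disabling password
    login would lock us out of the host.

    rollback=True restores the backed-up sshd_config (re-applying the host
    port if the ssh_port_changed state is set) and restarts sshd.

    Returns True when sshd_config was changed or rolled back, False when the
    step was skipped or the interactive user chose to roll back.
    """
    sshd_config = '/etc/ssh/sshd_config'
    restart_cmd = '/etc/init.d/ssh restart'
    port_default = 'Port ' + str(env.DEFAULT_SSH_PORT)
    port_host = 'Port ' + str(env.HOST_SSH_PORT)

    if rollback:
        # Full rollback: put the original file back and, if another step moved
        # the port, re-apply the host port so the connection stays reachable.
        restore_file(sshd_config)
        if server_state('ssh_port_changed'):
            sed(sshd_config, port_default, port_host, use_sudo=True)
        # A single restart after all edits is enough.
        sudo(restart_cmd)
        set_server_state('ssh_restricted', delete=True)
        return True

    if server_state('ssh_restricted'):
        print env.host, 'Warning: sshd_config has already been modified. Skipping..'
        return False
    if env.verbosity:
        print env.host, "RESTRICTING SSH with " + sshd_config
    if not exists('/home/%s/.ssh/authorized_keys' % env.user):
        # do not pass go do not collect $200
        print env.host, 'You need to upload_ssh_key first.'
        return False

    backup_file(sshd_config)
    context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
    upload_template('woven/ssh/sshd_config', sshd_config, context=context, use_sudo=True)
    sudo(restart_cmd)

    # Confirmation is only asked for while the template still carries the
    # commented-out directive; if the user has already edited the file there
    # is nothing left to uncomment.  ``proceed`` is initialised up front so
    # the check below never reads an unbound name (previously it was only
    # assigned inside the interactive branch).
    proceed = True
    if env.INTERACTIVE and contains('#PasswordAuthentication no', sshd_config, use_sudo=True):
        c_text = 'Woven will now remove password login from ssh, and use only your ssh key. \n'
        c_text += 'CAUTION: please confirm that you can ssh %s@%s -p%s from a terminal without requiring a password before continuing.\n' % (env.user, env.host, env.port)
        c_text += 'If you cannot login, press enter to rollback your sshd_config file'
        proceed = confirm(c_text, default=False)

    if not proceed:
        # Keep the backup around: the user may retry after fixing key login.
        print env.host, 'Rolling back sshd_config to default and proceeding without passwordless login'
        restore_file(sshd_config, delete_backup=False)
        sed(sshd_config, port_default, port_host, use_sudo=True)
        sudo(restart_cmd)
        return False

    # uncomments PasswordAuthentication no and restarts
    uncomment(sshd_config, r'#(\s?)PasswordAuthentication(\s*)no', use_sudo=True)
    sudo(restart_cmd)
    set_server_state('ssh_restricted')
    return True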
def uncomment_sources(rollback=False):
    """
    Uncomments universe sources in /etc/apt/sources.list if necessary

    Lines matching ``#(.?)deb(.*)http:(.*)universe`` are uncommented in place
    after the file has been backed up.  rollback=True restores the backup.
    """
    sources = '/etc/apt/sources.list'
    universe_pattern = '#(.?)deb(.*)http:(.*)universe'

    if rollback:
        restore_file(sources)
        return

    if not contains(filename=sources, text=universe_pattern):
        # nothing commented out, nothing to do
        return

    if env.verbosity:
        print env.host, "UNCOMMENTING universe SOURCES in /etc/apt/sources.list"
    backup_file(sources)
    uncomment(sources, universe_pattern, use_sudo=True)
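def set_timezone(rollback=False):
    """
    Set the time zone on the server using Django settings.TIME_ZONE

    Writes env.TIME_ZONE to /etc/timezone (after backing the file up) and runs
    ``dpkg-reconfigure tzdata`` so the system picks it up.  rollback=True
    restores the backup and reconfigures again.

    Returns False when /etc/timezone already contains env.TIME_ZONE, True
    otherwise.
    """
    timezone_file = '/etc/timezone'
    reconfigure = 'dpkg-reconfigure --frontend noninteractive tzdata'

    if rollback:
        restore_file(timezone_file)
        sudo(reconfigure)
        return True

    if contains(text=env.TIME_ZONE, filename=timezone_file, use_sudo=True):
        if env.verbosity:
            print env.host, 'Time Zone already set to ' + env.TIME_ZONE
        return False

    if env.verbosity:
        print env.host, "CHANGING TIMEZONE /etc/timezone to " + env.TIME_ZONE
    backup_file(timezone_file)
    # Write the file directly under root instead of staging it through a
    # fixed, predictable path in world-writable /tmp, where another local
    # user could pre-create or swap the file between the echo and the cp.
    # The explicit ``sh -c`` keeps the redirection inside the privileged
    # command.  env.TIME_ZONE comes from the local Django settings and is
    # interpolated as-is.
    sudo("sh -c 'echo %s > %s'" % (env.TIME_ZONE, timezone_file))
    sudo(reconfigure)
    return True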
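def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins

    Picks the first public key found in the local ~/.ssh (ed25519, ecdsa,
    rsa, then dsa -- dsa last because current sshd releases reject it) and
    appends it to the remote user's authorized_keys, backing that file up
    first when it already exists.  rollback=True restores the backup, or
    removes the authorized_keys file this step created.

    Returns None.
    """
    auth_keys = '/home/%s/.ssh/authorized_keys' % env.user

    if rollback:
        if exists(auth_keys + '.wovenbak'):
            restore_file(auth_keys)
        else:
            # No backup means authorized_keys did not exist before this step,
            # so only that file is ours to remove.  Deleting the whole .ssh
            # directory (as before, and with an unfilled '%s' in the path)
            # would also discard any known_hosts or keys the user already had.
            sudo('rm -f %s' % auth_keys)
        return

    if not exists('.ssh'):
        # keep the directory private; sshd's StrictModes rejects a
        # group/world-writable .ssh
        run('mkdir -m 700 .ssh')

    # determine local .ssh dir and the first available public key
    local_ssh_dir = os.path.join(os.path.expanduser('~'), '.ssh')
    ssh_key = ''
    for key_name in ('id_ed25519.pub', 'id_ecdsa.pub', 'id_rsa.pub', 'id_dsa.pub'):
        candidate = os.path.join(local_ssh_dir, key_name)
        if os.path.exists(candidate):
            ssh_key = candidate
            break
    if not ssh_key:
        return

    with open(ssh_key, 'r') as key_fh:
        key_text = key_fh.read()
    if exists(auth_keys):
        backup_file(auth_keys)
    if env.verbosity:
        print env.host, "UPLOADING SSH KEY if it doesn't already exist on host"
    # append prevents uploading twice
    # NOTE(review): key_text keeps the file's trailing newline, as before;
    # confirm append()'s duplicate check copes with it.
    append(key_text, auth_keys)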