def is_valid_ssh_key(ssh_key):
ssh = SSHKey(ssh_key)
try:
ssh.parse()
except (InvalidKeyException, NotImplementedError):
return False
return True
def get_agent_pubkeys() -> List[Tuple[Text, SSHKey, bool, Text]]:
pubkeyfile_path = None
keys_parsed: List[Tuple[Text, SSHKey, bool, Text]] = []
if self.session.agent is None:
return keys_parsed
keys = self.session.agent.get_keys()
for k in keys:
ssh_pub_key = SSHKey(f"{k.get_name()} {k.get_base64()}")
ssh_pub_key.parse()
keys_parsed.append(
(k.get_name(), ssh_pub_key, k.can_sign(), k.get_base64()))
if self.session.session_log_dir:
os.makedirs(self.session.session_log_dir, exist_ok=True)
pubkeyfile_path = os.path.join(self.session.session_log_dir,
'publickeys')
with open(pubkeyfile_path, 'a+') as pubkeyfile:
pubkeyfile.write("".join([
f"{k[0]} {k[3]} saved-from-agent\n"
for k in keys_parsed
]))
return keys_parsed
async def validate_ssh(ssh_pub: str):
ssh = SSHKey(ssh_pub)
try:
ssh.parse()
return True
except:
return False
def validate_key(self, key):
try:
ssh = SSHKey(key)
ssh.parse()
return ssh
except:
return False
def ssh_key(key_string):
import sshpubkeys
from sshpubkeys import SSHKey
key = SSHKey(key_string, strict_mode=True)
try:
key.parse()
except sshpubkeys.exceptions.InvalidTypeException as err:
print("Invalid/unrecognised key type:", err)
exit(1)
except sshpubkeys.exceptions.TooShortKeyException as err:
print("Key too short:", err)
exit(1)
except sshpubkeys.exceptions.InvalidKeyLengthException as err:
print("Key length too short or too long:", err)
exit(1)
except sshpubkeys.exceptions.TooLongKeyException as err:
print("Key too long:", err)
exit(1)
except sshpubkeys.exceptions.MalformedDataException as err:
print(
"Malformed data - key may be corrupted, truncated or include extra content:",
err)
exit(1)
except sshpubkeys.exceptions.InvalidKeyException as err:
print("Invalid key:", err)
exit(1)
except NotImplementedError as err:
print("Invalid/unsupported key type:", err)
exit(1)
def get_node_data():
count = db.session.query(func.count(Vm.id)) \
.filter_by(state='running').scalar()
n = (5 - count)
user = User.query.filter_by(username=g.user.username).first()
if request.method == "POST":
counts = request.form['counts']
name = request.form['node_name']
hours_ = request.form['hours']
key = request.form['pubkey']
# Validating the hours and node counts
if int(counts) > 5 or int(hours_) > 4 or int(counts) > n:
flash('Please enter the valid data')
logging.exception('User entered the invalid hours or counts value')
return render_template('form.html', n=n, pubkey=user.pubkey)
# checking if key is changed by user or not
if key != user.pubkey:
public_key = key
# Validating the new SSH public key
ssh = SSHKey(public_key, strict=True)
try:
ssh.parse()
except (exceptions.InvalidKeyError, exceptions.MalformedDataError):
logging.exception('Invalid or no key is passed')
flash('Please upload a valid SSH key')
return render_template('form.html', n=n, pubkey=user.pubkey)
else:
public_key = user.pubkey
# Validating the machine label
label = Vm.query.filter(Vm.state == 'running',
NodeRequest.node_name == name). \
join(NodeRequest).first()
if label is None:
if re.match("^[a-zA-Z0-9_]+$", str(name)):
node_request = NodeRequest(user_id=g.user.id,
node_name=name,
node_counts=counts,
hours=hours_)
db.session.add(node_request)
db.session.commit()
create_node.delay(counts, name, node_request.id, public_key)
flash('Creating your machine. Please wait for a moment.')
return redirect('/dashboard')
else:
flash('Invalid label entry.')
else:
flash('Machine label already exists.'
'Please choose different name.')
else:
if count >= 5:
flash('All our available machines are in use.'
'Please wait until we have a slot available')
return redirect('/dashboard')
else:
flash('You can request upto {} machines'.format(n))
return render_template('form.html', n=n, pubkey=user.pubkey)
def ssh_key(key_string):
import sshpubkeys
from sshpubkeys import SSHKey
key = SSHKey(key_string, strict_mode=True)
try:
key.parse()
except sshpubkeys.exceptions.InvalidTypeException as err:
print("Invalid/unrecognised key type:", err)
exit(1)
except sshpubkeys.exceptions.TooShortKeyException as err:
print("Key too short:", err)
exit(1)
except sshpubkeys.exceptions.InvalidKeyLengthException as err:
print("Key length too short or too long:", err)
exit(1)
except sshpubkeys.exceptions.TooLongKeyException as err:
print("Key too long:", err)
exit(1)
except sshpubkeys.exceptions.MalformedDataException as err:
print("Malformed data - key may be corrupted, truncated or include extra content:", err)
exit(1)
except sshpubkeys.exceptions.InvalidKeyException as err:
print("Invalid key:", err)
exit(1)
except NotImplementedError as err:
print("Invalid/unsupported key type:", err)
exit(1)
def get_agent_pubkeys():
keys = self.session.agent.get_keys()
keys_parsed = []
for k in keys:
ssh_pub_key = SSHKey("{} {}".format(k.get_name(), k.get_base64()))
ssh_pub_key.parse()
keys_parsed.append((k.get_name(), ssh_pub_key, k.can_sign()))
return keys_parsed
def check_auth_publickey(self, username, key):
ssh_pub_key = SSHKey("{} {}".format(key.get_name(), key.get_base64()))
ssh_pub_key.parse()
logging.info("check_auth_publickey: username=%s, key=%s %s %sbits", username, key.get_name(), ssh_pub_key.hash_sha256(), ssh_pub_key.bits)
if self.args.disable_pubkey_auth:
logging.debug("Publickey login attempt, but publickey auth was disabled!")
return paramiko.AUTH_FAILED
return self.session.authenticator.authenticate(username, key=key)
def valid_sshkey(public_key):
ssh = SSHKey(public_key, strict=True)
try:
ssh.parse()
except InvalidKeyError:
return False
except NotImplementedError:
return False
return True
def _validate_public_key(value):
"""
Validates that the given key is a valid SSH public key.
"""
ssh_key = SSHKey(value, parse_options=False, strict_mode=True)
try:
ssh_key.parse()
except MalformedDataException as exc:
raise ValidationError(exc.message, code='invalid-key')
def _get_fingerprint(self, signing_key):
ssh_key = SSHKey("ssh-ed25519 {0}"
.format(signing_key.get_base64()))
try:
ssh_key.parse()
except:
self._raise_error("INVALID signing key type. ABORTING.")
return ssh_key.hash_sha256() # SHA256:xyz
def parse_ssh_key(key_string: str) -> SSHKey:
try:
key = SSHKey(key_string)
key.parse()
if not key.comment:
raise ValueError("No name set. Please add a name to your key.")
return key
except InvalidKeyError as err:
raise DatabaseError(f"Invalid SSH key: {err}")
def validate_public_key(path: str) -> Union[str, None]:
"""
:param str path: path to the public key
:return: str or None
"""
pub_key = helpers.read_path(path)
ssh = SSHPubKey(pub_key, strict=True)
if ssh.parse() is None:
return pub_key
def check_key(self, pubkey, bits, fingerprint_md5, fingerprint_sha256, options, comment, **kwargs): # pylint:disable=too-many-arguments
""" Checks valid key """
ssh = SSHKey(pubkey, **kwargs)
ssh.parse()
self.assertEqual(ssh.bits, bits)
self.assertEqual(ssh.hash_md5(), fingerprint_md5)
self.assertEqual(ssh.options_raw, options)
self.assertEqual(ssh.comment, comment)
if fingerprint_sha256 is not None:
self.assertEqual(ssh.hash_sha256(), fingerprint_sha256)
def parse_key(data):
key = {}
ssh_key = SSHKey(data.decode())
if ssh_key.bits is not None:
name = ssh_key.key_type.decode()
key[name + ":size"] = ssh_key.bits
key[name + ":sha256"] = ssh_key.hash_sha256()
return key
def sshkey_good_format(key):
"""Return False if the key hasn't a known format, else return a hash"""
sshkey = SSHKey(key, strict = True)
try:
sshkey.parse()
except:
return False
# We remove the "SHA256:" header and we add "=" at the end
return sshkey.hash_sha256()[7:] + "="
def pubkey_to_fingerprint(pubkey): # done
# converts pubkey in ssh-rsa BASE64SHIT to fingerprint
try:
msg_debug("Creating SSH key fingerprint")
ssh = SSHKey(pubkey)
fingerprint = ssh.hash()
return fingerprint
except Exception, e:
msg_debug(e)
msg_fail("ssh fingerprint generation failed.")
def pubkey_to_fingerprint(pubkey): # done
# converts pubkey in ssh-rsa BASE64SHIT to fingerprint
try:
msg_debug("Creating SSH key fingerprint")
ssh = SSHKey(pubkey)
fingerprint = ssh.hash()
return fingerprint
except Exception, e:
msg_debug(e)
msg_fail("ssh fingerprint generation failed.")
def clean_publish_ssh_key_for_authentication(self):
public_key = self.cleaned_data['publish_ssh_key_for_authentication']
if public_key:
ssh_key = SSHKey(public_key)
try:
ssh_key.parse()
except InvalidKeyError as err:
raise forms.ValidationError("Invalid key: {}".format(err))
except NotImplementedError as err:
raise forms.ValidationError("Invalid key type: {}".format(err))
return public_key
def hash(sshkey):
""" Return hash of sshkey """
key = SSHKey(sshkey, strict=True)
try:
key.parse()
except:
app.logger.error("ERROR: wrong sshkey format: " + sshkey,
file=sys.stderr)
return ("Wrong ssh key format - " + str(uuid.uuid4()))
# We remove the "SHA256:" header and we add "=" at the end
return key.hash_sha256()[7:] + "="
def check_ssh_key(key_name: str) -> bool:
client = boto3.client("ec2")
response = client.describe_key_pairs(KeyNames=[key_name])
fingerprint = dpath.util.get(response, "KeyPairs/0/KeyFingerprint")
path = str(Path.home() / ".ssh" / f"{key_name}.pub")
# try:
with open(path, "r") as file:
ssh = SSHKey(file.read(), strict=True)
ssh.parse()
assert (ssh.hash_md5() == fingerprint
), f"Local key {ssh.hash_md5()} does not match {fingerprint}"
return True
def generate_host_key(self) -> None:
key_algorithm_class: Optional[Type[PKey]] = None
key_algorithm_bits = None
if self.key_algorithm == 'dss':
key_algorithm_class = DSSKey
key_algorithm_bits = self.key_length
elif self.key_algorithm == 'rsa':
key_algorithm_class = RSAKey
key_algorithm_bits = self.key_length
elif self.key_algorithm == 'ecdsa':
key_algorithm_class = ECDSAKey
elif self.key_algorithm == 'ed25519':
key_algorithm_class = Ed25519Key
if not self.key_file:
logging.error(
"ed25519 requires a key file, please use also use --host-key parameter"
)
sys.exit(1)
else:
raise ValueError(
f"host key algorithm '{self.key_algorithm}' not supported!")
if not self.key_file:
try:
self._hostkey = key_algorithm_class.generate(
bits=key_algorithm_bits) # type: ignore
except ValueError as err:
logging.error(str(err))
raise KeyGenerationError()
else:
if not os.path.isfile(self.key_file):
raise FileNotFoundError(
f"host key '{self.key_file}' file does not exist")
for pkey_class in (RSAKey, DSSKey, ECDSAKey, Ed25519Key):
try:
key = self._key_from_filepath(self.key_file, pkey_class,
None)
self._hostkey = key
break
except SSHException:
pass
else:
logging.error('host key format not supported!')
raise KeyGenerationError()
ssh_pub_key = SSHKey(
f"{self._hostkey.get_name()} {self._hostkey.get_base64()}")
ssh_pub_key.parse()
logging.info((
f"{'loaded' if self.key_file else 'generated temporary'} {key_algorithm_class.__name__} key with {self._hostkey.get_bits()} bit length and fingerprints:\n"
f" {stylize(ssh_pub_key.hash_md5(), fg('light_blue') + attr('bold'))}\n"
f" {stylize(ssh_pub_key.hash_sha256(),fg('light_blue') + attr('bold'))}"
))
def auth_publickey(self, username, host, port, key):
if key.can_sign():
ssh_pub_key = SSHKey("{} {}".format(key.get_name(), key.get_base64()))
ssh_pub_key.parse()
logging.info("AuthenticatorPassThrough.auth_publickey: username=%s, key=%s %s %sbits", username, key.get_name(), ssh_pub_key.hash_sha256(), ssh_pub_key.bits)
return self.connect(username, host, port, AuthenticationMethod.publickey, key=key)
if self.REQUEST_AGENT:
# Ein Publickey wird nur direkt von check_auth_publickey
# übergeben. In dem Fall müssen wir den Client authentifizieren,
# damit wir auf den Agent warten können!
logging.debug("authentication failed. accept connection and wait for agent.")
return paramiko.AUTH_SUCCESSFUL
return paramiko.AUTH_FAILED
def majora_clean_ssh_key(ssh_key):
if ssh_key:
ssh_key = "".join(ssh_key.splitlines()).strip()
key = SSHKey(ssh_key)
try:
key.parse()
except Exception as e:
raise forms.ValidationError("Unable to decode your key. Please ensure this is your public key and has been entered correctly.")
if key.key_type != b'ssh-ed25519':
raise forms.ValidationError("This system accepts ed25519 keys only.")
return ssh_key
def validate_public_key(value):
"""Raise a ValidationError if the value is not a valid SSH public key, of type RSA"""
try:
key = SSHKey(value, strict=True)
key.parse()
key_type = key.key_type.decode()
if key_type != "ssh-rsa":
raise ValidationError(
f"{key_type} keys are not supported. Please use RSA.")
except (InvalidKeyError, NotImplementedError):
raise ValidationError("Invalid SSH key")
return value
def add_key():
user = login_user
payload = request.get_json()
if not payload:
return jsonify({
'message': 'illegal params',
'code': 104000,
}), 400
public_key = payload.get('public_key')
name = payload.get('name')
if not public_key:
return jsonify({'message': 'invalid public key', 'code': 104000}), 400
ssh = SSHKey(public_key)
try:
ssh.parse()
except Exception as err:
return jsonify({
'message': 'invalid ssh key: {}'.format(str(err)),
'code': 104001,
}), 400
fingerprint = ssh.hash_md5()
existed = db.collection('public_keys').find_one(
{'fingerprint': fingerprint})
if existed:
return jsonify({
'message': 'ssh public key existed',
'code': 104003
}), 400
options = {'vault_pass': config.vault.get('secret')}
encode = Vault(options).encrypt_string(public_key)
data = {
'fingerprint': fingerprint,
'user_id': user.get('user_id'),
'content': encode,
'name': name,
'created_at': time.time()
}
result = db.collection('public_keys').insert_one(data)
data['_id'] = result.inserted_id
logger.info('add public_keys', extra={'record': data})
return jsonify({
'message': 'ok',
'code': 0,
})
def get(self, request, *args, **kwargs):
context = super(UpdateProfileView,
self).get_context_data(**kwargs) # get context data
# Add new record
new_key = request.GET.get('new_key')
if (new_key != None):
if (len(new_key) > 0):
try:
ssh = SSHKey(new_key)
ssh.parse() # make sure the key is ok
key = SSHPublicKey(user=get_current_user(),
comment=ssh.comment,
key=new_key)
key.save()
self.key_status = 'Added new key with ID: ' + ssh.comment
except:
self.key_status = 'Could not add key'
# Updating existing record
key_id = request.GET.get('key_id')
update_key = request.GET.get('update_key')
if ((update_key != None) and (key_id != None)):
try:
ssh = SSHKey(update_key)
ssh.parse() # make sure the key is ok
key = SSHPublicKey.objects.get(id=key_id)
key.key = update_key
key.comment = ssh.comment
key.save()
self.key_status = 'Updated key with ID: ' + ssh.comment
except:
self.key_status = 'Could not update key'
return super(UpdateProfileView, self).get(request, *args, **kwargs)
def validate_pks(key_list):
err = 0
msg = ""
for k in key_list:
if k == None:
return 1, "No Key was passed in."
ssh = SSHKey(k, strict_mode=True)
try:
ssh.parse()
except InvalidKeyException as err:
err += 1
msg = msg + "\nInvalid SSH Public Key:" % k
return err, msg
def _get_fingerprint(self, signing_key):
# This is hard-coded for now, until we figure out
# a way to do this properly:
encoding = self._add_encoding(b'ssh-ed25519') +\
self._add_encoding(signing_key)
ssh_key_text: str = base64.b64encode(encoding).decode("utf-8")
ssh_key = SSHKey("ssh-ed25519 {0}".format(ssh_key_text))
try:
ssh_key.parse()
except Exception:
self._raise_error("INVALID signing key type. ABORTING.")
return ssh_key.hash_sha256() # SHA256:xyz
def get_pub_key_from_string(key: str) -> Optional[str]:
if key is None or key == '':
return None
ssh_key = SSHKey(key, strict=True)
try:
ssh_key.parse()
except InvalidKeyError as err:
print(f'Invalid key: {err}')
return None
except NotImplementedError as err:
print(f'Invalid key type: {err}')
return None
# Library can return some hash functions of the key
# I'm just using it for checking - if valid key, return it
return key
def add_ssh_key(self, ssh_key, user_email):
""" Adds ssh key to group """
try:
ssh_key = SSHKey(ssh_key.replace("\r\n", "\n"))
except:
return "Not a valid SSH key! Please ensure that everything from the .pub file has been copied."
with open(self._ssh_file, "a+") as ssh_file:
if ssh_key.key_comment is not None:
commented_key = "{0} {1} {2} {3}\n".format(
ssh_key.key_type, ssh_key.key_content, ssh_key.key_comment, user_email
)
else:
commented_key = "{0} {1} {2}\n".format(ssh_key.key_type, ssh_key.key_content, user_email)
ssh_file.write(commented_key)
def add(self, username, user_api, filename=None):
"""
Add SSH public key to a user's profile.
Args:
username: Username to attach SSH public key to
filename: Filename containing keys to add (optional)
Raises:
ldap3.core.exceptions.LDAPNoSuchAttributeResult:
ldapPublicKey isn't attached to objectClass
"""
keys = API.__get_keys(filename)
user = user_api.find(username)[0]
distinguished_name = user.entry_dn
if 'ldapPublicKey' not in user.objectClass:
raise ldap3.core.exceptions.LDAPNoSuchAttributeResult(
'LDAP Public Key Object Class not found. ' +
'Please ensure user was created correctly.')
else:
for key in list(set(keys)): # prevents duplicate insertion
print(key)
try:
SSHKey(key).parse()
except Exception as err:
raise err from None
else:
operation = {'sshPublicKey': [(ldap3.MODIFY_ADD, [key])]}
self.client.modify(distinguished_name, operation)
def is_valid_ssh(ssh_key):
try:
SSHKey(ssh_key)
return True
except (InvalidKeyException, TooShortKeyException, TooLongKeyException,
InvalidTypeException, MalformedDataException):
return False
def check_valid_option(self, option, parsed_option):
ssh = SSHKey()
parsed = ssh.parse_options(option)
self.assertEqual(parsed, parsed_option)
def verify_openssh_public_key(s):
try:
ssh = SSHKey(s)
return (ssh.bits >= SECURE_KEY_BITS and ssh.hash())
except:
return False
