def test_users_dict_extract(self):
distro = self._make_distro('ubuntu', bcfg)
ug_cfg = {
'users': [
'default',
],
}
(users, _groups) = self._norm(ug_cfg, distro)
self.assertIn('bob', users)
(name, config) = ug_util.extract_default(users)
self.assertEqual(name, 'bob')
expected_config = {}
def_config = None
try:
def_config = distro.get_default_user()
except NotImplementedError:
pass
if not def_config:
def_config = {}
expected_config.update(def_config)
# Ignore these for now
expected_config.pop('name', None)
expected_config.pop('groups', None)
config.pop('groups', None)
self.assertEqual(config, expected_config)
def handle(name, cfg, cloud, _log, _args):
(users, groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(default_user, _user_config) = ug_util.extract_default(users)
cloud_keys = cloud.get_public_ssh_keys() or []
for (name, members) in groups.items():
cloud.distro.create_group(name, members)
for (user, config) in users.items():
ssh_redirect_user = config.pop("ssh_redirect_user", False)
if ssh_redirect_user:
if 'ssh_authorized_keys' in config or 'ssh_import_id' in config:
raise ValueError(
'Not creating user %s. ssh_redirect_user cannot be'
' provided with ssh_import_id or ssh_authorized_keys' %
user)
if ssh_redirect_user not in (True, 'default'):
raise ValueError(
'Not creating user %s. Invalid value of'
' ssh_redirect_user: %s. Expected values: true, default'
' or false.' % (user, ssh_redirect_user))
if default_user is None:
LOG.warning(
'Ignoring ssh_redirect_user: %s for %s.'
' No default_user defined.'
' Perhaps missing cloud configuration users: '
' [default, ..].',
ssh_redirect_user, user)
else:
config['ssh_redirect_user'] = default_user
config['cloud_public_ssh_keys'] = cloud_keys
cloud.distro.create_user(user, **config)
def handle(name, cfg, cloud, _log, _args):
(users, groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(default_user, _user_config) = ug_util.extract_default(users)
cloud_keys = cloud.get_public_ssh_keys() or []
for (name, members) in groups.items():
cloud.distro.create_group(name, members)
for (user, config) in users.items():
ssh_redirect_user = config.pop("ssh_redirect_user", False)
if ssh_redirect_user:
if "ssh_authorized_keys" in config or "ssh_import_id" in config:
raise ValueError(
"Not creating user %s. ssh_redirect_user cannot be"
" provided with ssh_import_id or ssh_authorized_keys"
% user
)
if ssh_redirect_user not in (True, "default"):
raise ValueError(
"Not creating user %s. Invalid value of"
" ssh_redirect_user: %s. Expected values: true, default"
" or false." % (user, ssh_redirect_user)
)
if default_user is None:
LOG.warning(
"Ignoring ssh_redirect_user: %s for %s."
" No default_user defined."
" Perhaps missing cloud configuration users: "
" [default, ..].",
ssh_redirect_user,
user,
)
else:
config["ssh_redirect_user"] = default_user
config["cloud_public_ssh_keys"] = cloud_keys
cloud.distro.create_user(user, **config)
def test_users_dict_extract(self):
distro = self._make_distro('ubuntu', bcfg)
ug_cfg = {
'users': [
'default',
],
}
(users, _groups) = self._norm(ug_cfg, distro)
self.assertIn('bob', users)
(name, config) = ug_util.extract_default(users)
self.assertEqual(name, 'bob')
expected_config = {}
def_config = None
try:
def_config = distro.get_default_user()
except NotImplementedError:
pass
if not def_config:
def_config = {}
expected_config.update(def_config)
# Ignore these for now
expected_config.pop('name', None)
expected_config.pop('groups', None)
config.pop('groups', None)
self.assertEqual(config, expected_config)
def test_users_dict_extract(self):
distro = self._make_distro("ubuntu", bcfg)
ug_cfg = {
"users": [
"default",
],
}
(users, _groups) = self._norm(ug_cfg, distro)
self.assertIn("bob", users)
(name, config) = ug_util.extract_default(users)
self.assertEqual(name, "bob")
expected_config = {}
def_config = None
try:
def_config = distro.get_default_user()
except NotImplementedError:
pass
if not def_config:
def_config = {}
expected_config.update(def_config)
# Ignore these for now
expected_config.pop("name", None)
expected_config.pop("groups", None)
config.pop("groups", None)
self.assertEqual(config, expected_config)
def handle(name, cfg, cloud, log, args):
if len(args) != 0:
value = args[0]
else:
value = util.get_cfg_option_str(cfg, "byobu_by_default", "")
if not value:
log.debug("Skipping module named %s, no 'byobu' values found", name)
return
if value == "user" or value == "system":
value = "enable-%s" % value
valid = (
"enable-user",
"enable-system",
"enable",
"disable-user",
"disable-system",
"disable",
)
if value not in valid:
log.warning("Unknown value %s for byobu_by_default", value)
mod_user = value.endswith("-user")
mod_sys = value.endswith("-system")
if value.startswith("enable"):
bl_inst = "install"
dc_val = "byobu byobu/launch-by-default boolean true"
mod_sys = True
else:
if value == "disable":
mod_user = True
mod_sys = True
bl_inst = "uninstall"
dc_val = "byobu byobu/launch-by-default boolean false"
shcmd = ""
if mod_user:
(users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(user, _user_config) = ug_util.extract_default(users)
if not user:
log.warning(
"No default byobu user provided, "
"can not launch %s for the default user",
bl_inst,
)
else:
shcmd += ' sudo -Hu "%s" byobu-launcher-%s' % (user, bl_inst)
shcmd += " || X=$(($X+1)); "
if mod_sys:
shcmd += 'echo "%s" | debconf-set-selections' % dc_val
shcmd += " && dpkg-reconfigure byobu --frontend=noninteractive"
shcmd += " || X=$(($X+1)); "
if len(shcmd):
cmd = ["/bin/sh", "-c", "%s %s %s" % ("X=0;", shcmd, "exit $X")]
log.debug("Setting byobu to %s", value)
subp.subp(cmd, capture=False)
def __init__(self, sys_cfg, distro, paths):
sources.DataSource.__init__(self, sys_cfg, distro, paths)
self.default_user = None
if distro:
(users, _groups) = ug_util.normalize_users_groups(sys_cfg, distro)
(self.default_user, _user_config) = ug_util.extract_default(users)
self.metadata = dict()
self.ds_cfg = util.mergemanydict([
util.get_cfg_by_path(sys_cfg, ["datasource", "GCE"], {}),
BUILTIN_DS_CONFIG])
self.metadata_address = self.ds_cfg['metadata_url']
def handle(name, cfg, cloud, log, args):
if len(args) != 0:
value = args[0]
else:
value = util.get_cfg_option_str(cfg, "byobu_by_default", "")
if not value:
log.debug("Skipping module named %s, no 'byobu' values found", name)
return
if value == "user" or value == "system":
value = "enable-%s" % value
valid = ("enable-user", "enable-system", "enable",
"disable-user", "disable-system", "disable")
if value not in valid:
log.warn("Unknown value %s for byobu_by_default", value)
mod_user = value.endswith("-user")
mod_sys = value.endswith("-system")
if value.startswith("enable"):
bl_inst = "install"
dc_val = "byobu byobu/launch-by-default boolean true"
mod_sys = True
else:
if value == "disable":
mod_user = True
mod_sys = True
bl_inst = "uninstall"
dc_val = "byobu byobu/launch-by-default boolean false"
shcmd = ""
if mod_user:
(users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(user, _user_config) = ug_util.extract_default(users)
if not user:
log.warn(("No default byobu user provided, "
"can not launch %s for the default user"), bl_inst)
else:
shcmd += " sudo -Hu \"%s\" byobu-launcher-%s" % (user, bl_inst)
shcmd += " || X=$(($X+1)); "
if mod_sys:
shcmd += "echo \"%s\" | debconf-set-selections" % dc_val
shcmd += " && dpkg-reconfigure byobu --frontend=noninteractive"
shcmd += " || X=$(($X+1)); "
if len(shcmd):
cmd = ["/bin/sh", "-c", "%s %s %s" % ("X=0;", shcmd, "exit $X")]
log.debug("Setting byobu to %s", value)
util.subp(cmd, capture=False)
def set_installer_password(self):
if self.cloud is None:
return
passfile = self.state_path("installer-user-passwd")
if os.path.exists(passfile):
with open(passfile) as fp:
contents = fp.read()
self.installer_user_passwd_kind = PasswordKind.KNOWN
self.installer_user_name, self.installer_user_passwd = \
contents.split(':', 1)
return
def use_passwd(passwd):
self.installer_user_passwd = passwd
self.installer_user_passwd_kind = PasswordKind.KNOWN
with open(passfile, 'w') as fp:
fp.write(self.installer_user_name + ':' + passwd)
if self.opts.dry_run:
self.installer_user_name = os.environ['USER']
use_passwd(rand_user_password())
return
(users, _groups) = ug_util.normalize_users_groups(
self.cloud.cfg, self.cloud.distro)
(username, _user_config) = ug_util.extract_default(users)
self.installer_user_name = username
if self._user_has_password(username):
# Was the password set to a random password by a version of
# cloud-init that records the username in the log? (This is the
# case we hit on upgrading the subiquity snap)
passwd = get_installer_password_from_cloudinit_log()
if passwd:
use_passwd(passwd)
else:
self.installer_user_passwd_kind = PasswordKind.UNKNOWN
elif not user_key_fingerprints(username):
passwd = rand_user_password()
cp = run_command('chpasswd', input=username + ':'+passwd+'\n')
if cp.returncode == 0:
use_passwd(passwd)
else:
log.info("setting installer password failed %s", cp)
self.installer_user_passwd_kind = PasswordKind.NONE
else:
self.installer_user_passwd_kind = PasswordKind.NONE
def handle(name, cfg, cloud, log, _args):
logger.debug("Cloud-init config: {}".format(cfg))
# fetch all required data from Cloud-init
# Datasource name
dsname = cloud.datasource.dsname
logger.debug("Datasource: {}".format(dsname))
# Metadata (datasource specific)
metadata_ds = cloud.datasource.metadata
logger.debug("Meta-Data ds: {}".format(metadata_ds))
# Metadata in stable v1 format (the same structure for all datasources)
instance_data_json = load_json(load_file("{}/{}".format(cloud.datasource.paths.run_dir, INSTANCE_JSON_FILE)))
metadata_v1 = instance_data_json.get('v1')
logger.debug("Meta-Data v1: {}".format(metadata_v1))
# User-Data
userdata = cloud.datasource.userdata
logger.debug("User-Data: {}".format(userdata))
# Vendor-Data
vendordata = cloud.datasource.vendordata
logger.debug("Vendor-Data: {}".format(vendordata))
# Network-config
init_stage = Init()
(netcfg, netcfg_src) = init_stage._find_networking_config()
logger.debug("Network-config: {}".format(netcfg))
logger.debug("Network-config source: {}".format(netcfg_src))
# Hostname with FQDN (if exist)
(hostname, fqdn) = get_hostname_fqdn(cfg, cloud, metadata_only=True)
logger.debug("Hostname: {}, FQDN: {}".format(hostname, fqdn))
# Get users list
(users, _) = ug_util.normalize_users_groups(cfg, cloud.distro)
logger.debug("Users: {}".format(users))
(default_user, default_user_config) = ug_util.extract_default(users)
logger.debug("Default user: {}".format(default_user))
# Get OVF properties
if 'OVF' in dsname:
ovf_environment = ovf_get_properties(cloud.datasource.environment)
logger.debug("OVF environment: {}".format(ovf_environment))
# VyOS configuration file selection
cfg_file_name = '/opt/vyatta/etc/config/config.boot'
bak_file_name = '/opt/vyatta/etc/config.boot.default'
# open configuration file
if not path.exists(cfg_file_name):
file_name = bak_file_name
else:
file_name = cfg_file_name
logger.debug("Using configuration file: {}".format(file_name))
with open(file_name, 'r') as f:
config_file = f.read()
config = ConfigTree(config_file)
# Initialization of variables
DEFAULT_VYOS_USER = '******'
DEFAULT_VYOS_PASSWORD = '******'
logins_configured = False
network_configured = False
# configure system logins
# Prepare SSH public keys for default user, to be sure that global keys applied to the default account (if it exist)
ssh_keys = metadata_v1['public_ssh_keys']
# append SSH keys from cloud-config
ssh_keys.extend(cfg.get('ssh_authorized_keys', []))
# Configure authentication for default user account
if default_user:
# key-based
for ssh_key in ssh_keys:
if set_ssh_login(config, default_user, ssh_key):
logins_configured = True
# password-based
password = cfg.get('password')
if password:
if set_pass_login(config, default_user, password):
logins_configured = True
# Configure all users accounts
for user, user_cfg in users.items():
# Configure password-based authentication
password = user_cfg.get('passwd')
if password and password != '':
if set_pass_login(config, user, password):
logins_configured = True
# Configure key-based authentication
for ssh_key in user_cfg.get('ssh_authorized_keys', []):
if set_ssh_login(config, user, ssh_key):
logins_configured = True
# Create a fallback user if there was no others
if not logins_configured:
logger.debug("Adding fallback user: {}".format(DEFAULT_VYOS_USER))
set_pass_login(config, DEFAULT_VYOS_USER, DEFAULT_VYOS_PASSWORD)
# apply settings from OVF template
if 'OVF' in dsname:
set_config_ovf(config, ovf_environment)
# Empty hostname option may be interpreted as 'null' string by some hypervisors
# we need to replace it to the empty value to process it later properly
if hostname and hostname == 'null':
hostname = None
network_configured = True
# process networking configuration data
if netcfg and network_configured is False:
# check which one version of config we have
# version 1
if netcfg['version'] == 1:
for interface_config in netcfg['config']:
set_config_interfaces_v1(config, interface_config)
network_configured = True
# version 2
if netcfg['version'] == 2:
if 'ethernets' in netcfg:
for interface_name, interface_config in netcfg['ethernets'].items():
set_config_interfaces_v2(config, interface_name, interface_config)
network_configured = True
# enable DHCPv4 on eth0 if network still not configured
if network_configured is False:
set_config_dhcp(config)
# enable SSH service
set_config_ssh(config)
# configure hostname and domain
if hostname:
set_config_hostname(config, hostname, fqdn)
else:
set_config_hostname(config, 'vyos', None)
# save a new configuration file
try:
with open(cfg_file_name, 'w') as f:
f.write(config.to_string())
logger.debug("Configuration file saved: {}".format(cfg_file_name))
except Exception as e:
logger.error("Failed to write configs into file {}: {}".format(cfg_file_name, e))
def handle(_name, cfg, cloud, log, _args):
# remove the static keys from the pristine image
if cfg.get("ssh_deletekeys", True):
key_pth = os.path.join("/etc/ssh/", "ssh_host_*key*")
for f in glob.glob(key_pth):
try:
util.del_file(f)
except Exception:
util.logexc(log, "Failed deleting key file %s", f)
if "ssh_keys" in cfg:
# if there are keys and/or certificates in cloud-config, use them
for (key, val) in cfg["ssh_keys"].items():
# skip entry if unrecognized
if key not in CONFIG_KEY_TO_FILE:
continue
tgt_fn = CONFIG_KEY_TO_FILE[key][0]
tgt_perms = CONFIG_KEY_TO_FILE[key][1]
util.write_file(tgt_fn, val, tgt_perms)
# set server to present the most recently identified certificate
if "_certificate" in key:
cert_config = {"HostCertificate": tgt_fn}
ssh_util.update_ssh_config(cert_config)
for (priv, pub) in PRIV_TO_PUB.items():
if pub in cfg["ssh_keys"] or priv not in cfg["ssh_keys"]:
continue
pair = (CONFIG_KEY_TO_FILE[priv][0], CONFIG_KEY_TO_FILE[pub][0])
cmd = ["sh", "-xc", KEY_GEN_TPL % pair]
try:
# TODO(harlowja): Is this guard needed?
with util.SeLinuxGuard("/etc/ssh", recursive=True):
subp.subp(cmd, capture=False)
log.debug("Generated a key for %s from %s", pair[0], pair[1])
except Exception:
util.logexc(
log,
"Failed generated a key for %s from %s",
pair[0],
pair[1],
)
else:
# if not, generate them
genkeys = util.get_cfg_option_list(cfg, "ssh_genkeytypes",
GENERATE_KEY_NAMES)
lang_c = os.environ.copy()
lang_c["LANG"] = "C"
for keytype in genkeys:
keyfile = KEY_FILE_TPL % (keytype)
if os.path.exists(keyfile):
continue
util.ensure_dir(os.path.dirname(keyfile))
cmd = ["ssh-keygen", "-t", keytype, "-N", "", "-f", keyfile]
# TODO(harlowja): Is this guard needed?
with util.SeLinuxGuard("/etc/ssh", recursive=True):
try:
out, err = subp.subp(cmd, capture=True, env=lang_c)
if not util.get_cfg_option_bool(cfg, "ssh_quiet_keygen",
False):
sys.stdout.write(util.decode_binary(out))
gid = util.get_group_id("ssh_keys")
if gid != -1:
# perform same "sanitize permissions" as sshd-keygen
os.chown(keyfile, -1, gid)
os.chmod(keyfile, 0o640)
os.chmod(keyfile + ".pub", 0o644)
except subp.ProcessExecutionError as e:
err = util.decode_binary(e.stderr).lower()
if e.exit_code == 1 and err.lower().startswith(
"unknown key"):
log.debug("ssh-keygen: unknown key type '%s'", keytype)
else:
util.logexc(
log,
"Failed generating key type %s to file %s",
keytype,
keyfile,
)
if "ssh_publish_hostkeys" in cfg:
host_key_blacklist = util.get_cfg_option_list(
cfg["ssh_publish_hostkeys"],
"blacklist",
HOST_KEY_PUBLISH_BLACKLIST,
)
publish_hostkeys = util.get_cfg_option_bool(
cfg["ssh_publish_hostkeys"], "enabled", PUBLISH_HOST_KEYS)
else:
host_key_blacklist = HOST_KEY_PUBLISH_BLACKLIST
publish_hostkeys = PUBLISH_HOST_KEYS
if publish_hostkeys:
hostkeys = get_public_host_keys(blacklist=host_key_blacklist)
try:
cloud.datasource.publish_host_keys(hostkeys)
except Exception:
util.logexc(log, "Publishing host keys failed!")
try:
(users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(user, _user_config) = ug_util.extract_default(users)
disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
disable_root_opts = util.get_cfg_option_str(cfg, "disable_root_opts",
ssh_util.DISABLE_USER_OPTS)
keys = []
if util.get_cfg_option_bool(cfg, "allow_public_ssh_keys", True):
keys = cloud.get_public_ssh_keys() or []
else:
log.debug("Skipping import of publish SSH keys per "
"config setting: allow_public_ssh_keys=False")
if "ssh_authorized_keys" in cfg:
cfgkeys = cfg["ssh_authorized_keys"]
keys.extend(cfgkeys)
apply_credentials(keys, user, disable_root, disable_root_opts)
except Exception:
util.logexc(log, "Applying SSH credentials failed!")
def handle(_name, cfg, cloud, log, args):
if len(args) != 0:
# if run from command line, and give args, wipe the chpasswd['list']
password = args[0]
if 'chpasswd' in cfg and 'list' in cfg['chpasswd']:
del cfg['chpasswd']['list']
else:
password = util.get_cfg_option_str(cfg, "password", None)
expire = True
plist = None
if 'chpasswd' in cfg:
chfg = cfg['chpasswd']
if 'list' in chfg and chfg['list']:
if isinstance(chfg['list'], list):
log.debug("Handling input for chpasswd as list.")
plist = util.get_cfg_option_list(chfg, 'list', plist)
else:
log.debug("Handling input for chpasswd as multiline string.")
plist = util.get_cfg_option_str(chfg, 'list', plist)
if plist:
plist = plist.splitlines()
expire = util.get_cfg_option_bool(chfg, 'expire', expire)
if not plist and password:
(users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(user, _user_config) = ug_util.extract_default(users)
if user:
plist = ["%s:%s" % (user, password)]
else:
log.warn("No default or defined user to change password for.")
errors = []
if plist:
plist_in = []
hashed_plist_in = []
hashed_users = []
randlist = []
users = []
prog = re.compile(r'\$(1|2a|2y|5|6)(\$.+){2}')
for line in plist:
u, p = line.split(':', 1)
if prog.match(p) is not None and ":" not in p:
hashed_plist_in.append("%s:%s" % (u, p))
hashed_users.append(u)
else:
if p == "R" or p == "RANDOM":
p = rand_user_password()
randlist.append("%s:%s" % (u, p))
plist_in.append("%s:%s" % (u, p))
users.append(u)
ch_in = '\n'.join(plist_in) + '\n'
if users:
try:
log.debug("Changing password for %s:", users)
util.subp(['chpasswd'], ch_in)
except Exception as e:
errors.append(e)
util.logexc(log,
"Failed to set passwords with chpasswd for %s",
users)
hashed_ch_in = '\n'.join(hashed_plist_in) + '\n'
if hashed_users:
try:
log.debug("Setting hashed password for %s:", hashed_users)
util.subp(['chpasswd', '-e'], hashed_ch_in)
except Exception as e:
errors.append(e)
util.logexc(
log, "Failed to set hashed passwords with chpasswd for %s",
hashed_users)
if len(randlist):
blurb = ("Set the following 'random' passwords\n",
'\n'.join(randlist))
sys.stderr.write("%s\n%s\n" % blurb)
if expire:
expired_users = []
for u in users:
try:
util.subp(['passwd', '--expire', u])
expired_users.append(u)
except Exception as e:
errors.append(e)
util.logexc(log, "Failed to set 'expire' for %s", u)
if expired_users:
log.debug("Expired passwords for: %s users", expired_users)
handle_ssh_pwauth(cfg.get('ssh_pwauth'),
service_cmd=cloud.distro.init_cmd,
service_name=cloud.distro.get_option(
'ssh_svcname', 'ssh'))
if len(errors):
log.debug("%s errors occured, re-raising the last one", len(errors))
raise errors[-1]
def handle(_name, cfg, cloud, log, args):
if args:
# if run from command line, and give args, wipe the chpasswd['list']
password = args[0]
if "chpasswd" in cfg and "list" in cfg["chpasswd"]:
del cfg["chpasswd"]["list"]
else:
password = util.get_cfg_option_str(cfg, "password", None)
expire = True
plist = None
if "chpasswd" in cfg:
chfg = cfg["chpasswd"]
if "list" in chfg and chfg["list"]:
if isinstance(chfg["list"], list):
log.debug("Handling input for chpasswd as list.")
plist = util.get_cfg_option_list(chfg, "list", plist)
else:
log.debug("Handling input for chpasswd as multiline string.")
plist = util.get_cfg_option_str(chfg, "list", plist)
if plist:
plist = plist.splitlines()
expire = util.get_cfg_option_bool(chfg, "expire", expire)
if not plist and password:
(users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(user, _user_config) = ug_util.extract_default(users)
if user:
plist = ["%s:%s" % (user, password)]
else:
log.warning("No default or defined user to change password for.")
errors = []
if plist:
plist_in = []
hashed_plist_in = []
hashed_users = []
randlist = []
users = []
# N.B. This regex is included in the documentation (i.e. the module
# docstring), so any changes to it should be reflected there.
prog = re.compile(r"\$(1|2a|2y|5|6)(\$.+){2}")
for line in plist:
u, p = line.split(":", 1)
if prog.match(p) is not None and ":" not in p:
hashed_plist_in.append(line)
hashed_users.append(u)
else:
# in this else branch, we potentially change the password
# hence, a deviation from .append(line)
if p == "R" or p == "RANDOM":
p = rand_user_password()
randlist.append("%s:%s" % (u, p))
plist_in.append("%s:%s" % (u, p))
users.append(u)
ch_in = "\n".join(plist_in) + "\n"
if users:
try:
log.debug("Changing password for %s:", users)
chpasswd(cloud.distro, ch_in)
except Exception as e:
errors.append(e)
util.logexc(
log, "Failed to set passwords with chpasswd for %s", users
)
hashed_ch_in = "\n".join(hashed_plist_in) + "\n"
if hashed_users:
try:
log.debug("Setting hashed password for %s:", hashed_users)
chpasswd(cloud.distro, hashed_ch_in, hashed=True)
except Exception as e:
errors.append(e)
util.logexc(
log,
"Failed to set hashed passwords with chpasswd for %s",
hashed_users,
)
if len(randlist):
blurb = (
"Set the following 'random' passwords\n",
"\n".join(randlist),
)
util.multi_log(
"%s\n%s\n" % blurb, stderr=False, fallback_to_stdout=False
)
if expire:
expired_users = []
for u in users:
try:
cloud.distro.expire_passwd(u)
expired_users.append(u)
except Exception as e:
errors.append(e)
util.logexc(log, "Failed to set 'expire' for %s", u)
if expired_users:
log.debug("Expired passwords for: %s users", expired_users)
handle_ssh_pwauth(cfg.get("ssh_pwauth"), cloud.distro)
if len(errors):
log.debug("%s errors occured, re-raising the last one", len(errors))
raise errors[-1]
def handle(_name, cfg, cloud, log, _args):
# remove the static keys from the pristine image
if cfg.get("ssh_deletekeys", True):
key_pth = os.path.join("/etc/ssh/", "ssh_host_*key*")
for f in glob.glob(key_pth):
try:
util.del_file(f)
except Exception:
util.logexc(log, "Failed deleting key file %s", f)
if "ssh_keys" in cfg:
# if there are keys in cloud-config, use them
for (key, val) in cfg["ssh_keys"].items():
if key in CONFIG_KEY_TO_FILE:
tgt_fn = CONFIG_KEY_TO_FILE[key][0]
tgt_perms = CONFIG_KEY_TO_FILE[key][1]
util.write_file(tgt_fn, val, tgt_perms)
for (priv, pub) in PRIV_TO_PUB.items():
if pub in cfg['ssh_keys'] or priv not in cfg['ssh_keys']:
continue
pair = (CONFIG_KEY_TO_FILE[priv][0], CONFIG_KEY_TO_FILE[pub][0])
cmd = ['sh', '-xc', KEY_GEN_TPL % pair]
try:
# TODO(harlowja): Is this guard needed?
with util.SeLinuxGuard("/etc/ssh", recursive=True):
util.subp(cmd, capture=False)
log.debug("Generated a key for %s from %s", pair[0], pair[1])
except Exception:
util.logexc(log, "Failed generated a key for %s from %s",
pair[0], pair[1])
else:
# if not, generate them
genkeys = util.get_cfg_option_list(cfg,
'ssh_genkeytypes',
GENERATE_KEY_NAMES)
lang_c = os.environ.copy()
lang_c['LANG'] = 'C'
for keytype in genkeys:
keyfile = KEY_FILE_TPL % (keytype)
if os.path.exists(keyfile):
continue
util.ensure_dir(os.path.dirname(keyfile))
cmd = ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile]
# TODO(harlowja): Is this guard needed?
with util.SeLinuxGuard("/etc/ssh", recursive=True):
try:
out, err = util.subp(cmd, capture=True, env=lang_c)
sys.stdout.write(util.decode_binary(out))
except util.ProcessExecutionError as e:
err = util.decode_binary(e.stderr).lower()
if (e.exit_code == 1 and
err.lower().startswith("unknown key")):
log.debug("ssh-keygen: unknown key type '%s'", keytype)
else:
util.logexc(log, "Failed generating key type %s to "
"file %s", keytype, keyfile)
try:
(users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(user, _user_config) = ug_util.extract_default(users)
disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
disable_root_opts = util.get_cfg_option_str(cfg, "disable_root_opts",
DISABLE_ROOT_OPTS)
keys = cloud.get_public_ssh_keys() or []
if "ssh_authorized_keys" in cfg:
cfgkeys = cfg["ssh_authorized_keys"]
keys.extend(cfgkeys)
apply_credentials(keys, user, disable_root, disable_root_opts)
except Exception:
util.logexc(log, "Applying ssh credentials failed!")
def handle(_name, cfg, cloud, log, args):
if len(args) != 0:
# if run from command line, and give args, wipe the chpasswd['list']
password = args[0]
if 'chpasswd' in cfg and 'list' in cfg['chpasswd']:
del cfg['chpasswd']['list']
else:
password = util.get_cfg_option_str(cfg, "password", None)
expire = True
plist = None
if 'chpasswd' in cfg:
chfg = cfg['chpasswd']
if 'list' in chfg and chfg['list']:
if isinstance(chfg['list'], list):
log.debug("Handling input for chpasswd as list.")
plist = util.get_cfg_option_list(chfg, 'list', plist)
else:
log.debug("Handling input for chpasswd as multiline string.")
plist = util.get_cfg_option_str(chfg, 'list', plist)
if plist:
plist = plist.splitlines()
expire = util.get_cfg_option_bool(chfg, 'expire', expire)
if not plist and password:
(users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(user, _user_config) = ug_util.extract_default(users)
if user:
plist = ["%s:%s" % (user, password)]
else:
log.warn("No default or defined user to change password for.")
errors = []
if plist:
plist_in = []
hashed_plist_in = []
hashed_users = []
randlist = []
users = []
prog = re.compile(r'\$(1|2a|2y|5|6)(\$.+){2}')
for line in plist:
u, p = line.split(':', 1)
if prog.match(p) is not None and ":" not in p:
hashed_plist_in.append("%s:%s" % (u, p))
hashed_users.append(u)
else:
if p == "R" or p == "RANDOM":
p = rand_user_password()
randlist.append("%s:%s" % (u, p))
plist_in.append("%s:%s" % (u, p))
users.append(u)
ch_in = '\n'.join(plist_in) + '\n'
if users:
try:
log.debug("Changing password for %s:", users)
util.subp(['chpasswd'], ch_in)
except Exception as e:
errors.append(e)
util.logexc(
log, "Failed to set passwords with chpasswd for %s", users)
hashed_ch_in = '\n'.join(hashed_plist_in) + '\n'
if hashed_users:
try:
log.debug("Setting hashed password for %s:", hashed_users)
util.subp(['chpasswd', '-e'], hashed_ch_in)
except Exception as e:
errors.append(e)
util.logexc(
log, "Failed to set hashed passwords with chpasswd for %s",
hashed_users)
if len(randlist):
blurb = ("Set the following 'random' passwords\n",
'\n'.join(randlist))
sys.stderr.write("%s\n%s\n" % blurb)
if expire:
expired_users = []
for u in users:
try:
util.subp(['passwd', '--expire', u])
expired_users.append(u)
except Exception as e:
errors.append(e)
util.logexc(log, "Failed to set 'expire' for %s", u)
if expired_users:
log.debug("Expired passwords for: %s users", expired_users)
handle_ssh_pwauth(
cfg.get('ssh_pwauth'), service_cmd=cloud.distro.init_cmd,
service_name=cloud.distro.get_option('ssh_svcname', 'ssh'))
if len(errors):
log.debug("%s errors occured, re-raising the last one", len(errors))
raise errors[-1]
def handle(_name, cfg, cloud, log, _args):
# remove the static keys from the pristine image
if cfg.get("ssh_deletekeys", True):
key_pth = os.path.join("/etc/ssh/", "ssh_host_*key*")
for f in glob.glob(key_pth):
try:
util.del_file(f)
except Exception:
util.logexc(log, "Failed deleting key file %s", f)
if "ssh_keys" in cfg:
# if there are keys in cloud-config, use them
for (key, val) in cfg["ssh_keys"].items():
if key in CONFIG_KEY_TO_FILE:
tgt_fn = CONFIG_KEY_TO_FILE[key][0]
tgt_perms = CONFIG_KEY_TO_FILE[key][1]
util.write_file(tgt_fn, val, tgt_perms)
for (priv, pub) in PRIV_TO_PUB.items():
if pub in cfg['ssh_keys'] or priv not in cfg['ssh_keys']:
continue
pair = (CONFIG_KEY_TO_FILE[priv][0], CONFIG_KEY_TO_FILE[pub][0])
cmd = ['sh', '-xc', KEY_GEN_TPL % pair]
try:
# TODO(harlowja): Is this guard needed?
with util.SeLinuxGuard("/etc/ssh", recursive=True):
subp.subp(cmd, capture=False)
log.debug("Generated a key for %s from %s", pair[0], pair[1])
except Exception:
util.logexc(log, "Failed generated a key for %s from %s",
pair[0], pair[1])
else:
# if not, generate them
genkeys = util.get_cfg_option_list(cfg, 'ssh_genkeytypes',
GENERATE_KEY_NAMES)
lang_c = os.environ.copy()
lang_c['LANG'] = 'C'
for keytype in genkeys:
keyfile = KEY_FILE_TPL % (keytype)
if os.path.exists(keyfile):
continue
util.ensure_dir(os.path.dirname(keyfile))
cmd = ['ssh-keygen', '-t', keytype, '-N', '', '-f', keyfile]
# TODO(harlowja): Is this guard needed?
with util.SeLinuxGuard("/etc/ssh", recursive=True):
try:
out, err = subp.subp(cmd, capture=True, env=lang_c)
sys.stdout.write(util.decode_binary(out))
except subp.ProcessExecutionError as e:
err = util.decode_binary(e.stderr).lower()
if (e.exit_code == 1
and err.lower().startswith("unknown key")):
log.debug("ssh-keygen: unknown key type '%s'", keytype)
else:
util.logexc(
log, "Failed generating key type %s to "
"file %s", keytype, keyfile)
if "ssh_publish_hostkeys" in cfg:
host_key_blacklist = util.get_cfg_option_list(
cfg["ssh_publish_hostkeys"], "blacklist",
HOST_KEY_PUBLISH_BLACKLIST)
publish_hostkeys = util.get_cfg_option_bool(
cfg["ssh_publish_hostkeys"], "enabled", PUBLISH_HOST_KEYS)
else:
host_key_blacklist = HOST_KEY_PUBLISH_BLACKLIST
publish_hostkeys = PUBLISH_HOST_KEYS
if publish_hostkeys:
hostkeys = get_public_host_keys(blacklist=host_key_blacklist)
try:
cloud.datasource.publish_host_keys(hostkeys)
except Exception:
util.logexc(log, "Publishing host keys failed!")
try:
(users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(user, _user_config) = ug_util.extract_default(users)
disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
disable_root_opts = util.get_cfg_option_str(cfg, "disable_root_opts",
ssh_util.DISABLE_USER_OPTS)
keys = []
if util.get_cfg_option_bool(cfg, 'allow_public_ssh_keys', True):
keys = cloud.get_public_ssh_keys() or []
else:
log.debug('Skipping import of publish SSH keys per '
'config setting: allow_public_ssh_keys=False')
if "ssh_authorized_keys" in cfg:
cfgkeys = cfg["ssh_authorized_keys"]
keys.extend(cfgkeys)
apply_credentials(keys, user, disable_root, disable_root_opts)
except Exception:
util.logexc(log, "Applying SSH credentials failed!")
def handle(_name, cfg, cloud, log, args):
if len(args) != 0:
# if run from command line, and give args, wipe the chpasswd['list']
password = args[0]
if 'chpasswd' in cfg and 'list' in cfg['chpasswd']:
del cfg['chpasswd']['list']
else:
password = util.get_cfg_option_str(cfg, "password", None)
expire = True
plist = None
if 'chpasswd' in cfg:
chfg = cfg['chpasswd']
plist = util.get_cfg_option_str(chfg, 'list', plist)
expire = util.get_cfg_option_bool(chfg, 'expire', expire)
if not plist and password:
(users, _groups) = ug_util.normalize_users_groups(cfg, cloud.distro)
(user, _user_config) = ug_util.extract_default(users)
if user:
plist = "%s:%s" % (user, password)
else:
log.warn("No default or defined user to change password for.")
errors = []
if plist:
plist_in = []
randlist = []
users = []
for line in plist.splitlines():
u, p = line.split(':', 1)
if p == "R" or p == "RANDOM":
p = rand_user_password()
randlist.append("%s:%s" % (u, p))
plist_in.append("%s:%s" % (u, p))
users.append(u)
ch_in = '\n'.join(plist_in) + '\n'
try:
log.debug("Changing password for %s:", users)
util.subp(['chpasswd'], ch_in)
except Exception as e:
errors.append(e)
util.logexc(log, "Failed to set passwords with chpasswd for %s",
users)
if len(randlist):
blurb = ("Set the following 'random' passwords\n",
'\n'.join(randlist))
sys.stderr.write("%s\n%s\n" % blurb)
if expire:
expired_users = []
for u in users:
try:
util.subp(['passwd', '--expire', u])
expired_users.append(u)
except Exception as e:
errors.append(e)
util.logexc(log, "Failed to set 'expire' for %s", u)
if expired_users:
log.debug("Expired passwords for: %s users", expired_users)
change_pwauth = False
pw_auth = None
if 'ssh_pwauth' in cfg:
if util.is_true(cfg['ssh_pwauth']):
change_pwauth = True
pw_auth = 'yes'
elif util.is_false(cfg['ssh_pwauth']):
change_pwauth = True
pw_auth = 'no'
elif str(cfg['ssh_pwauth']).lower() == 'unchanged':
log.debug('Leaving auth line unchanged')
change_pwauth = False
elif not str(cfg['ssh_pwauth']).strip():
log.debug('Leaving auth line unchanged')
change_pwauth = False
elif not cfg['ssh_pwauth']:
log.debug('Leaving auth line unchanged')
change_pwauth = False
else:
msg = 'Unrecognized value %s for ssh_pwauth' % cfg['ssh_pwauth']
util.logexc(log, msg)
if change_pwauth:
replaced_auth = False
# See: man sshd_config
old_lines = ssh_util.parse_ssh_config(ssh_util.DEF_SSHD_CFG)
new_lines = []
i = 0
for (i, line) in enumerate(old_lines):
# Keywords are case-insensitive and arguments are case-sensitive
if line.key == 'passwordauthentication':
log.debug("Replacing auth line %s with %s", i + 1, pw_auth)
replaced_auth = True
line.value = pw_auth
new_lines.append(line)
if not replaced_auth:
log.debug("Adding new auth line %s", i + 1)
replaced_auth = True
new_lines.append(ssh_util.SshdConfigLine('',
'PasswordAuthentication',
pw_auth))
lines = [str(l) for l in new_lines]
util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
try:
cmd = cloud.distro.init_cmd # Default service
cmd.append(cloud.distro.get_option('ssh_svcname', 'ssh'))
cmd.append('restart')
if 'systemctl' in cmd: # Switch action ordering
cmd[1], cmd[2] = cmd[2], cmd[1]
cmd = filter(None, cmd) # Remove empty arguments
util.subp(cmd)
log.debug("Restarted the ssh daemon")
except Exception:
util.logexc(log, "Restarting of the ssh daemon failed")
if len(errors):
log.debug("%s errors occured, re-raising the last one", len(errors))
raise errors[-1]
