def test_7_compare_dss(self):
# verify that the private & public keys compare equal
key = DSSKey.from_private_key_file('tests/test_dss.key')
self.assertEquals(key, key)
pub = DSSKey(data=str(key))
self.assert_(key.can_sign())
self.assert_(not pub.can_sign())
self.assertEquals(key, pub)
def test_7_compare_dss(self):
# verify that the private & public keys compare equal
key = DSSKey.from_private_key_file('tests/test_dss.key')
self.assertEquals(key, key)
pub = DSSKey(data=str(key))
self.assert_(key.can_sign())
self.assert_(not pub.can_sign())
self.assertEquals(key, pub)
def test_7_compare_dss(self):
# verify that the private & public keys compare equal
key = DSSKey.from_private_key_file(test_path('test_dss.key'))
self.assertEqual(key, key)
pub = DSSKey(data=key.asbytes())
self.assertTrue(key.can_sign())
self.assertTrue(not pub.can_sign())
self.assertEqual(key, pub)
def test_7_compare_dss(self):
# verify that the private & public keys compare equal
key = DSSKey.from_private_key_file(_support("test_dss.key"))
self.assertEqual(key, key)
pub = DSSKey(data=key.asbytes())
self.assertTrue(key.can_sign())
self.assertTrue(not pub.can_sign())
self.assertEqual(key, pub)
def test_load_dss(self):
key = DSSKey.from_private_key_file(_support('test_dss.key'))
self.assert_key_values(key, 'ssh-dss', 1024, PUB_DSS,
FINGER_DSS.split()[1], FINGER_SHA256_DSS)
s = StringIO()
key.write_private_key(s)
self.assertEqual(DSS_PRIVATE_OUT, s.getvalue())
s.seek(0)
key2 = DSSKey.from_private_key(s)
self.assertEqual(key, key2)
def test_load_dss(self):
key = DSSKey.from_private_key_file(_support("test_dss.key"))
self.assertEqual("ssh-dss", key.get_name())
self.assert_key_fingerprints(key, FINGER_DSS)
self.assertEqual(PUB_DSS.split()[1], key.get_base64())
self.assertEqual(1024, key.get_bits())
s = StringIO()
key.write_private_key(s)
self.assertEqual(DSS_PRIVATE_OUT, s.getvalue())
s.seek(0)
key2 = DSSKey.from_private_key(s)
self.assertEqual(key, key2)
def test_9_sign_dss(self):
# verify that the dss private key can sign and verify
key = DSSKey.from_private_key_file('tests/test_dss.key')
msg = key.sign_ssh_data(randpool, 'ice weasels')
self.assert_(type(msg) is Message)
msg.rewind()
self.assertEquals('ssh-dss', msg.get_string())
# can't do the same test as we do for RSA, because DSS signatures
# are usually different each time. but we can test verification
# anyway so it's ok.
self.assertEquals(40, len(msg.get_string()))
msg.rewind()
pub = DSSKey(data=str(key))
self.assert_(pub.verify_ssh_sig('ice weasels', msg))
def test_9_sign_dss(self):
# verify that the dss private key can sign and verify
key = DSSKey.from_private_key_file('tests/test_dss.key')
msg = key.sign_ssh_data(rng, 'ice weasels')
self.assert_(type(msg) is Message)
msg.rewind()
self.assertEquals('ssh-dss', msg.get_string())
# can't do the same test as we do for RSA, because DSS signatures
# are usually different each time. but we can test verification
# anyway so it's ok.
self.assertEquals(40, len(msg.get_string()))
msg.rewind()
pub = DSSKey(data=str(key))
self.assert_(pub.verify_ssh_sig('ice weasels', msg))
def _check_keypair_from_file(self, ref_fingerprint, private_key_path):
"""Function to check if a certain keypair from a file matches the fingerprint
from a reference one
:param str ref_fingerprint: fingerprint to be compared
:raises: KeypairError: if the keypair is not valid, or if the fingerprint to check
and the one computed from the private key is not the same
:raises: KeyNotAccessible: if the private key is password protected
and the password provided is not correct
"""
pkey=None
# This block avoid repetition of checks after it is done for the first instance
if self._SSH_KEY_CHECKED==True:
if self._SSH_KEY_ACCESS_ERROR==True: # This avoid user entering the code right the second time
raise KeyNotAccessible#("Unable to access key file `"+private_key_path+": Invalid password")
else:
return
try:
pkey=DSSKey.from_private_key_file(private_key_path)
except PasswordRequiredException:
try:
asked_password = getpass.getpass('Enter passphrase for '+private_key_path+ ':')
pkey=DSSKey.from_private_key_file(private_key_path,asked_password)
except SSHException:
self._SSH_KEY_CHECKED=True
self._SSH_KEY_ACCESS_ERROR=True # This avoid user entering the code right the second time
raise KeyNotAccessible#("Unable to access key file `"+private_key_path+": Invalid password")
except SSHException:
try:
pkey=RSAKey.from_private_key_file(private_key_path)
except PasswordRequiredException:
try:
asked_password = getpass.getpass('Enter passphrase for '+private_key_path+ ':')
pkey=RSAKey.from_private_key_file(private_key_path,asked_password)
except SSHException:
self._SSH_KEY_CHECKED=True
self._SSH_KEY_ACCESS_ERROR=True # This avoid user entering the code right the second time
raise KeyNotAccessible#("Unable to access key file `"+private_key_path+": Invalid password")
except SSHException:
raise KeypairError('File `%s` is neither a valid DSA key '
'or RSA key' % private_key_path)
fingerprint = str.join(
':', (i.encode('hex') for i in pkey.get_fingerprint()))
if ref_fingerprint!=fingerprint:
raise KeypairError(
"Keypair from "+private_key_path+" is present but has "
"different fingerprint. Aborting!")
self._SSH_KEY_CHECKED=True
return
def test_9_sign_dss(self):
# verify that the dss private key can sign and verify
key = DSSKey.from_private_key_file(test_path('test_dss.key'))
msg = key.sign_ssh_data(b'ice weasels')
self.assertTrue(type(msg) is Message)
msg.rewind()
self.assertEqual('ssh-dss', msg.get_text())
# can't do the same test as we do for RSA, because DSS signatures
# are usually different each time. but we can test verification
# anyway so it's ok.
self.assertEqual(40, len(msg.get_binary()))
msg.rewind()
pub = DSSKey(data=key.asbytes())
self.assertTrue(pub.verify_ssh_sig(b'ice weasels', msg))
def test_9_sign_dss(self):
# verify that the dss private key can sign and verify
key = DSSKey.from_private_key_file(_support("test_dss.key"))
msg = key.sign_ssh_data(b"ice weasels")
self.assertTrue(type(msg) is Message)
msg.rewind()
self.assertEqual("ssh-dss", msg.get_text())
# can't do the same test as we do for RSA, because DSS signatures
# are usually different each time. but we can test verification
# anyway so it's ok.
self.assertEqual(40, len(msg.get_binary()))
msg.rewind()
pub = DSSKey(data=key.asbytes())
self.assertTrue(pub.verify_ssh_sig(b"ice weasels", msg))
def test_4_load_dss(self):
key = DSSKey.from_private_key_file(_support("test_dss.key"))
self.assertEqual("ssh-dss", key.get_name())
exp_dss = b(FINGER_DSS.split()[1].replace(":", ""))
my_dss = hexlify(key.get_fingerprint())
self.assertEqual(exp_dss, my_dss)
self.assertEqual(PUB_DSS.split()[1], key.get_base64())
self.assertEqual(1024, key.get_bits())
s = StringIO()
key.write_private_key(s)
self.assertEqual(DSS_PRIVATE_OUT, s.getvalue())
s.seek(0)
key2 = DSSKey.from_private_key(s)
self.assertEqual(key, key2)
def test_4_load_dss(self):
key = DSSKey.from_private_key_file(_support("test_dss.key"))
self.assertEqual("ssh-dss", key.get_name())
exp_dss = b(FINGER_DSS.split()[1].replace(":", ""))
my_dss = hexlify(key.get_fingerprint())
self.assertEqual(exp_dss, my_dss)
self.assertEqual(PUB_DSS.split()[1], key.get_base64())
self.assertEqual(1024, key.get_bits())
s = StringIO()
key.write_private_key(s)
self.assertEqual(DSS_PRIVATE_OUT, s.getvalue())
s.seek(0)
key2 = DSSKey.from_private_key(s)
self.assertEqual(key, key2)
def test_4_load_dss(self):
key = DSSKey.from_private_key_file('tests/test_dss.key')
self.assertEquals('ssh-dss', key.get_name())
exp_dss = FINGER_DSS.split()[1].replace(':', '')
my_dss = hexlify(key.get_fingerprint())
self.assertEquals(exp_dss, my_dss)
self.assertEquals(PUB_DSS.split()[1], key.get_base64())
self.assertEquals(1024, key.get_bits())
s = StringIO.StringIO()
key.write_private_key(s)
self.assertEquals(DSS_PRIVATE_OUT, s.getvalue())
s.seek(0)
key2 = DSSKey.from_private_key(s)
self.assertEquals(key, key2)
def test_4_load_dss(self):
key = DSSKey.from_private_key_file('tests/test_dss.key')
self.assertEquals('ssh-dss', key.get_name())
exp_dss = FINGER_DSS.split()[1].replace(':', '')
my_dss = hexlify(key.get_fingerprint())
self.assertEquals(exp_dss, my_dss)
self.assertEquals(PUB_DSS.split()[1], key.get_base64())
self.assertEquals(1024, key.get_bits())
s = StringIO()
key.write_private_key(s)
self.assertEquals(DSS_PRIVATE_OUT, s.getvalue())
s.seek(0)
key2 = DSSKey.from_private_key(s)
self.assertEquals(key, key2)
def from_file(filename, password = '', keytype = None):
"""
Returns a new PrivateKey instance with the given attributes.
If keytype is None, we attempt to automatically detect the type.
@type filename: string
@param filename: The key file name.
@type password: string
@param password: The key password.
@type keytype: string
@param keytype: The key type.
@rtype: PrivateKey
@return: The new key.
"""
if keytype is None:
try:
key = RSAKey.from_private_key_file(filename)
keytype = 'rsa'
except SSHException, e:
try:
key = DSSKey.from_private_key_file(filename)
keytype = 'dss'
except SSHException, e:
msg = 'not a recognized private key: ' + repr(filename)
raise ValueError(msg)
def _set_authentication(self, password, private_key, private_key_pass):
'''Authenticate the transport. prefer password if given'''
if password is None:
# Use Private Key.
if not private_key:
# Try to use default key.
if os.path.exists(os.path.expanduser('~/.ssh/id_rsa')):
private_key = '~/.ssh/id_rsa'
elif os.path.exists(os.path.expanduser('~/.ssh/id_dsa')):
private_key = '~/.ssh/id_dsa'
else:
raise CredentialException("No password or key specified.")
if isinstance(private_key, (AgentKey, RSAKey)):
# use the paramiko agent or rsa key
self._tconnect['pkey'] = private_key
else:
# isn't a paramiko AgentKey or RSAKey, try to build a
# key from what we assume is a path to a key
private_key_file = os.path.expanduser(private_key)
try: # try rsa
self._tconnect['pkey'] = RSAKey.from_private_key_file(
private_key_file, private_key_pass)
except paramiko.SSHException: # if it fails, try dss
# pylint:disable=r0204
self._tconnect['pkey'] = DSSKey.from_private_key_file(
private_key_file, private_key_pass)
def __init__(self,
host,
user,
private_key_file,
private_key_passwd,
known_hosts_file,
port=22,
key_type="RSA"):
"""
Creates a new sftp connection. Currently only with auth over key-file
:param str host: host-name (dns/ip)
:param str user: user-name
:param str private_key_file: path to private key file
:param str private_key_passwd: password which protects your private key file
:param str known_hosts_file: path to known_hosts file
:param int port: port to server, default: 22
:param str key_type: RSA/DSA type of your private key file
"""
if key_type == "RSA":
p_key = RSAKey.from_private_key_file(private_key_file,
private_key_passwd)
elif key_type == "DSA":
p_key = DSSKey.from_private_key_file(private_key_file,
private_key_passwd)
self._ssh = SSHClient()
self._ssh.load_host_keys(known_hosts_file)
self._ssh.connect(hostname=host, username=user, port=port, pkey=p_key)
self._sftp = self._ssh.open_sftp()
def _set_authentication(self, password, private_key, private_key_pass):
'''Authenticate the transport. prefer password if given'''
if password is None:
# Use Private Key.
if not private_key:
# Try to use default key.
if os.path.exists(os.path.expanduser('~/.ssh/id_rsa')):
private_key = '~/.ssh/id_rsa'
elif os.path.exists(os.path.expanduser('~/.ssh/id_dsa')):
private_key = '~/.ssh/id_dsa'
else:
raise CredentialException("No password or key specified.")
if isinstance(private_key, (AgentKey, RSAKey)):
# use the paramiko agent or rsa key
self._tconnect['pkey'] = private_key
else:
# isn't a paramiko AgentKey or RSAKey, try to build a
# key from what we assume is a path to a key
private_key_file = os.path.expanduser(private_key)
try: # try rsa
self._tconnect['pkey'] = RSAKey.from_private_key_file(
private_key_file, private_key_pass)
except paramiko.SSHException: # if it fails, try dss
# pylint:disable=r0204
self._tconnect['pkey'] = DSSKey.from_private_key_file(
private_key_file, private_key_pass)
def test_load_dss_password(self):
key = DSSKey.from_private_key_file(_support("test_dss_password.key"),
"television")
self.assertEqual("ssh-dss", key.get_name())
self.assert_key_fingerprints(key, FINGER_DSS)
self.assertEqual(PUB_DSS.split()[1], key.get_base64())
self.assertEqual(1024, key.get_bits())
def key(self):
"""
:return: a subclass of PKey of the appropriate key type
"""
# Check if the key pair exists: at least a public or private part of
# the key is required, as well as the key type.
if not self.key_type:
return None
if not self.public_key and not self.private_key:
return None
public_key = None
private_key = None
if self.public_key:
public_key = base64.b64decode(self.public_key)
if self.private_key:
private_key = StringIO(self.private_key)
if self.key_type == 'ssh-dss':
pkey = DSSKey(data=public_key, file_obj=private_key)
elif self.key_type == 'ssh-rsa':
pkey = RSAKey(data=public_key, file_obj=private_key)
elif self.key_type.startswith('ecdsa'):
pkey = ECDSAKey(data=public_key, file_obj=private_key)
elif self.key_type == '*****@*****.**':
pkey = RSACert(data=public_key, privkey_file_obj=private_key)
else:
raise ValidationError('Unsupported key type: ' + self.key_type)
return pkey
class NullServer (ServerInterface):
paranoid_did_password = False
paranoid_did_public_key = False
paranoid_key = DSSKey.from_private_key_file(test_path('test_dss.key'))
def get_allowed_auths(self, username):
if username == 'slowdive':
return 'publickey,password'
if username == 'paranoid':
if not self.paranoid_did_password and not self.paranoid_did_public_key:
return 'publickey,password'
elif self.paranoid_did_password:
return 'publickey'
else:
return 'password'
if username == 'commie':
return 'keyboard-interactive'
if username == 'utf8':
return 'password'
if username == 'non-utf8':
return 'password'
return 'publickey'
def check_auth_password(self, username, password):
if (username == 'slowdive') and (password == 'pygmalion'):
return AUTH_SUCCESSFUL
if (username == 'paranoid') and (password == 'paranoid'):
# 2-part auth (even openssh doesn't support this)
self.paranoid_did_password = True
if self.paranoid_did_public_key:
return AUTH_SUCCESSFUL
return AUTH_PARTIALLY_SUCCESSFUL
if (username == 'utf8') and (password == _pwd):
return AUTH_SUCCESSFUL
if (username == 'non-utf8') and (password == '\xff'):
return AUTH_SUCCESSFUL
if username == 'bad-server':
raise Exception("Ack!")
return AUTH_FAILED
def check_auth_publickey(self, username, key):
if (username == 'paranoid') and (key == self.paranoid_key):
# 2-part auth
self.paranoid_did_public_key = True
if self.paranoid_did_password:
return AUTH_SUCCESSFUL
return AUTH_PARTIALLY_SUCCESSFUL
return AUTH_FAILED
def check_auth_interactive(self, username, submethods):
if username == 'commie':
self.username = username
return InteractiveQuery('password', 'Please enter a password.', ('Password', False))
return AUTH_FAILED
def check_auth_interactive_response(self, responses):
if self.username == 'commie':
if (len(responses) == 1) and (responses[0] == 'cat'):
return AUTH_SUCCESSFUL
return AUTH_FAILED
def from_file(filename, password='', keytype=None):
"""
Returns a new PrivateKey instance with the given attributes.
If keytype is None, we attempt to automatically detect the type.
:type filename: string
:param filename: The key file name.
:type password: string
:param password: The key password.
:type keytype: string
:param keytype: The key type.
:rtype: PrivateKey
:return: The new key.
"""
if keytype is None:
try:
key = RSAKey.from_private_key_file(filename)
keytype = 'rsa'
except SSHException as e:
try:
key = DSSKey.from_private_key_file(filename)
keytype = 'dss'
except SSHException as e:
msg = 'not a recognized private key: ' + repr(filename)
raise ValueError(msg)
key = PrivateKey(keytype)
key.filename = filename
key.password = password
return key
def test_5_load_dss_password(self):
key = DSSKey.from_private_key_file(test_path("test_dss_password.key"), "television")
self.assertEqual("ssh-dss", key.get_name())
exp_dss = b(FINGER_DSS.split()[1].replace(":", ""))
my_dss = hexlify(key.get_fingerprint())
self.assertEqual(exp_dss, my_dss)
self.assertEqual(PUB_DSS.split()[1], key.get_base64())
self.assertEqual(1024, key.get_bits())
def test_5_load_dss_password(self):
key = DSSKey.from_private_key_file('tests/test_dss_password.key', 'television')
self.assertEquals('ssh-dss', key.get_name())
exp_dss = FINGER_DSS.split()[1].replace(':', '')
my_dss = hexlify(key.get_fingerprint())
self.assertEquals(exp_dss, my_dss)
self.assertEquals(PUB_DSS.split()[1], key.get_base64())
self.assertEquals(1024, key.get_bits())
def test_5_load_dss_password(self):
key = DSSKey.from_private_key_file(test_path('test_dss_password.key'), 'television')
self.assertEqual('ssh-dss', key.get_name())
exp_dss = b(FINGER_DSS.split()[1].replace(':', ''))
my_dss = hexlify(key.get_fingerprint())
self.assertEqual(exp_dss, my_dss)
self.assertEqual(PUB_DSS.split()[1], key.get_base64())
self.assertEqual(1024, key.get_bits())
def compute_fingerprint(self):
data = base64.b64decode(self.key)
if self.key_type == "ssh-rsa":
pkey = RSAKey(data=data)
elif self.key_type == "ssh-dss":
pkey = DSSKey(data=data)
return ":".join(re.findall(r"..", hexlify(pkey.get_fingerprint())))
def test_load_openssh_format_DSS_key(self):
key = DSSKey.from_private_key_file(_support("test_dss_openssh.key"),
b"television")
self.assertEqual("ssh-dss", key.get_name())
self.assertEqual(PUB_DSS_1K_OPENSSH.split()[1], key.get_base64())
self.assertEqual(1024, key.get_bits())
exp_rsa = b(FINGER_DSS_1K_OPENSSH.split()[1].replace(":", ""))
my_rsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_rsa, my_rsa)
def test_load_DSS_key_new_format(self):
key = DSSKey.from_private_key_file(_support('test_dss_1k_o.key'),
b'television')
self.assertEqual('ssh-dss', key.get_name())
self.assertEqual(PUB_DSS_1K_OPENSSH.split()[1], key.get_base64())
self.assertEqual(1024, key.get_bits())
exp_rsa = b(FINGER_DSS_1K_OPENSSH.split()[1].replace(':', ''))
my_rsa = hexlify(key.get_fingerprint())
self.assertEqual(exp_rsa, my_rsa)
class NullServer(ServerInterface):
paranoid_did_password = False
paranoid_did_public_key = False
paranoid_key = DSSKey.from_private_key_file(_support('test_dss.key'))
def get_allowed_auths(self, username):
if username == 'slowdive':
return 'publickey,password'
return 'publickey'
def check_auth_password(self, username, password):
if (username == 'slowdive') and (password == 'pygmalion'):
return AUTH_SUCCESSFUL
return AUTH_FAILED
def check_channel_request(self, kind, chanid):
if kind == 'bogus':
return OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
return OPEN_SUCCEEDED
def check_channel_exec_request(self, channel, command):
if command != b'yes':
return False
return True
def check_channel_shell_request(self, channel):
return True
def check_global_request(self, kind, msg):
self._global_request = kind
# NOTE: for w/e reason, older impl of this returned False always, even
# tho that's only supposed to occur if the request cannot be served.
# For now, leaving that the default unless test supplies specific
# 'acceptable' request kind
return kind == 'acceptable'
def check_channel_x11_request(self, channel, single_connection,
auth_protocol, auth_cookie, screen_number):
self._x11_single_connection = single_connection
self._x11_auth_protocol = auth_protocol
self._x11_auth_cookie = auth_cookie
self._x11_screen_number = screen_number
return True
def check_port_forward_request(self, addr, port):
self._listen = socket.socket()
self._listen.bind(('127.0.0.1', 0))
self._listen.listen(1)
return self._listen.getsockname()[1]
def cancel_port_forward_request(self, addr, port):
self._listen.close()
self._listen = None
def check_channel_direct_tcpip_request(self, chanid, origin, destination):
self._tcpip_dest = destination
return OPEN_SUCCEEDED
def test_load_dss_password(self):
key = DSSKey.from_private_key_file(_support("test_dss_password.key"),
"television")
self.assertEqual("ssh-dss", key.get_name())
exp_dss = b(FINGER_DSS.split()[1].replace(":", ""))
my_dss = hexlify(key.get_fingerprint())
self.assertEqual(exp_dss, my_dss)
self.assertEqual(PUB_DSS.split()[1], key.get_base64())
self.assertEqual(1024, key.get_bits())
def keygen(keyname, keytype, bits, passphrase):
""" Generates a private/public keypair and returns it.
"""
# Initialisations and sanity checks
retval = {"generation_messages": "", "generation_status": "success"}
if keytype not in ['rsa', 'dsa']:
retval["generation_messages"] = _("Invalid keytype: %s" % keytype)
retval["generation_status"] = "error"
if bits not in [1024, 2048, 3072, 4096]:
retval["generation_messages"] = \
_("Invalid number of bits: %s" % bits)
retval["generation_status"] = "error"
if keytype == "dsa" and bits != 1024:
retval["generation_messages"] = _("DSA only supports 1024 bits.")
retval["generation_status"] = "error"
if retval["generation_status"] == "success":
# Generate private key
if keytype == "rsa":
key = RSAKey.generate(bits=bits)
typestring = "ssh-rss "
else:
key = DSSKey.generate(bits=bits)
typestring = "ssh-dss "
# Format public key
keystring = "%s %s %s" % (
typestring,
key.get_base64(),
keyname
)
retval["public_key"] = keystring
tmp = StringIO.StringIO()
if passphrase == "":
passphrase = None
key.write_private_key(tmp, passphrase)
retval["private_key"] = tmp.getvalue()
return retval
def connect(self):
try:
# Build a public key object from the server (agent) key file
if self.publicKeyType == 'rsa':
agent_public_key = RSAKey(
data=base64.decodestring(self.publicKey))
elif self.publicKeyType == 'dss':
agent_public_key = DSSKey(
data=base64.decodestring(self.publicKey))
# Build a private key object from the manager key file, and connect to the agent:
if self.privateKeyFile != None:
# Using client (manager) private key to authenticate
if self.privateKeyType == "rsa":
user_private_key = RSAKey.from_private_key_file(
self.privateKeyFile)
elif self.privateKeyType == "dss":
user_private_key = DSSKey.from_private_key_file(
self.privateKeyFile)
self.ssh.connect(hostkey=agent_public_key,
username=self.username,
pkey=user_private_key)
else:
# Using client (manager) password to authenticate
self.ssh.connect(hostkey=agent_public_key,
username=self.username,
password=self.password)
# Request a new channel to the server, of type "session".
self.chan = self.ssh.open_session()
# Request a "netconf" subsystem on the server:
self.chan.invoke_subsystem(C.NETCONF_SSH_SUBSYSTEM)
except Exception, exp:
syslog.openlog("YencaP Manager")
syslog.syslog(syslog.LOG_ERR, str(exp))
syslog.closelog()
return C.FAILED
class NullServer(ServerInterface):
paranoid_did_password = False
paranoid_did_public_key = False
paranoid_key = DSSKey.from_private_key_file(test_path('test_dss.key'))
def get_allowed_auths(self, username):
if username == 'slowdive':
return 'publickey,password'
return 'publickey'
def check_auth_password(self, username, password):
if (username == 'slowdive') and (password == 'pygmalion'):
return AUTH_SUCCESSFUL
return AUTH_FAILED
def check_channel_request(self, kind, chanid):
if kind == 'bogus':
return OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
return OPEN_SUCCEEDED
def check_channel_exec_request(self, channel, command):
if command != 'yes':
return False
return True
def check_channel_shell_request(self, channel):
return True
def check_global_request(self, kind, msg):
self._global_request = kind
return False
def check_channel_x11_request(self, channel, single_connection,
auth_protocol, auth_cookie, screen_number):
self._x11_single_connection = single_connection
self._x11_auth_protocol = auth_protocol
self._x11_auth_cookie = auth_cookie
self._x11_screen_number = screen_number
return True
def check_port_forward_request(self, addr, port):
self._listen = socket.socket()
self._listen.bind(('127.0.0.1', 0))
self._listen.listen(1)
return self._listen.getsockname()[1]
def cancel_port_forward_request(self, addr, port):
self._listen.close()
self._listen = None
def check_channel_direct_tcpip_request(self, chanid, origin, destination):
self._tcpip_dest = destination
return OPEN_SUCCEEDED
def test_3_multipart_auth(self):
"""
verify that multipart auth works.
"""
self.start_server()
self.tc.connect(hostkey=self.public_host_key)
remain = self.tc.auth_password(username='******', password='******')
self.assertEqual(['publickey'], remain)
key = DSSKey.from_private_key_file(test_path('test_dss.key'))
remain = self.tc.auth_publickey(username='******', key=key)
self.assertEqual([], remain)
self.verify_finished()
def test_multipart_auth(self):
"""
verify that multipart auth works.
"""
self.start_server()
self.tc.connect(hostkey=self.public_host_key)
remain = self.tc.auth_password(username='******', password='******')
self.assertEqual(['publickey'], remain)
key = DSSKey.from_private_key_file(_support('test_dss.key'))
remain = self.tc.auth_publickey(username='******', key=key)
self.assertEqual([], remain)
self.verify_finished()
def key(self):
"""
:return: a subclass of PKey of the appropriate key type
:rtype: PKey
:raises ValidationError:
"""
# Check if the key pair exists: at least a public or private part of
# the key is required, as well as the key type.
if not self.key_type:
return None
if not self.public_key and not self.private_key:
return None
public_key = None
private_key = None
if self.public_key:
public_key = base64.b64decode(self.public_key)
if self.private_key:
private_key = StringIO(self.private_key)
if self.key_type == 'ssh-dss':
pkey = DSSKey(data=public_key, file_obj=private_key)
elif self.key_type == 'ssh-rsa':
pkey = RSAKey(data=public_key, file_obj=private_key)
elif self.key_type.startswith('ecdsa'):
pkey = ECDSAKey(data=public_key, file_obj=private_key)
elif self.key_type == '*****@*****.**':
pkey = RSAKey(data=public_key, file_obj=private_key)
pkey.load_certificate(Message(public_key))
else:
raise ValidationError('Unsupported key type: ' + self.key_type)
return pkey
def _check_keypair(self, name, public_key_path, private_key_path):
connection = self._connect()
keypairs = connection.get_all_key_pairs()
keypairs = dict((k.name, k) for k in keypairs)
# decide if dsa or rsa key is provided
pkey = None
is_dsa_key = False
try:
pkey = DSSKey.from_private_key_file(private_key_path)
is_dsa_key = True
except PasswordRequiredException:
log.warning(
"Unable to check key file `%s` because it is encrypted with a "
"password. Please, ensure that you added it to the SSH agent "
"with `ssh-add %s`", private_key_path, private_key_path)
except SSHException:
try:
pkey = RSAKey.from_private_key_file(private_key_path)
except PasswordRequiredException:
log.warning(
"Unable to check key file `%s` because it is encrypted with a "
"password. Please, ensure that you added it to the SSH agent "
"with `ssh-add %s`", private_key_path, private_key_path)
except SSHException:
raise KeypairError('File `%s` is neither a valid DSA key '
'or RSA key.' % private_key_path)
# create keys that don't exist yet
if name not in keypairs:
log.warning(
"Keypair `%s` not found on resource `%s`, Creating a new one",
name, self._url)
with open(os.path.expanduser(public_key_path)) as f:
key_material = f.read()
try:
# check for DSA on amazon
if "amazon" in self._ec2host and is_dsa_key:
log.error(
"Apparently, amazon does not support DSA keys. "
"Please specify a valid RSA key.")
raise KeypairError(
"Apparently, amazon does not support DSA keys."
"Please specify a valid RSA key.")
connection.import_key_pair(name, key_material)
except Exception, ex:
log.error(
"Could not import key `%s` with name `%s` to `%s`",
name, public_key_path, self._url)
raise KeypairError(
"could not create keypair `%s`: %s" % (name, ex))
def _check_keypair(self, name, public_key_path, private_key_path):
connection = self._connect()
keypairs = connection.get_all_key_pairs()
keypairs = dict((k.name, k) for k in keypairs)
# decide if dsa or rsa key is provided
pkey = None
is_dsa_key = False
try:
pkey = DSSKey.from_private_key_file(private_key_path)
is_dsa_key = True
except PasswordRequiredException:
raise KeypairError(
"Key `%s` is encrypted with a password. Please, use"
"an unencrypted key or use ssh-agent" %
private_key_path)
except SSHException:
try:
pkey = RSAKey.from_private_key_file(private_key_path)
except PasswordRequiredException:
raise KeypairError(
"Key `%s` is encrypted with a password. Please, use"
"an unencrypted key or use ssh-agent" %
private_key_path)
except SSHException:
raise KeypairError('File `%s` is neither a valid DSA key '
'or RSA key.' % private_key_path)
# create keys that don't exist yet
if name not in keypairs:
log.warning(
"Keypair `%s` not found on resource `%s`, Creating a new one",
name, self._url)
with open(os.path.expanduser(public_key_path)) as f:
key_material = f.read()
try:
# check for DSA on amazon
if "amazon" in self._ec2host and is_dsa_key:
log.error(
"Apparently, amazon does not support DSA keys. "
"Please specify a valid RSA key.")
raise KeypairError(
"Apparently, amazon does not support DSA keys."
"Please specify a valid RSA key.")
connection.import_key_pair(name, key_material)
except Exception, ex:
log.error(
"Could not import key `%s` with name `%s` to `%s`",
name, public_key_path, self._url)
raise KeypairError(
"could not create keypair `%s`: %s" % (name, ex))
def test_multipart_auth(self, trans):
"""
verify that multipart auth works.
"""
trans.connect()
remains = trans.auth_password(
username='******',
password='******',
)
assert remains == ['publickey']
key = DSSKey.from_private_key_file(_support('test_dss.key'))
remains = trans.auth_publickey(username='******', key=key)
assert remains == []
def test_9_pubkey_probe(self):
"""
verify whether publickey would be accepted.
"""
self.start_server()
self.tc.connect(hostkey=self.public_host_key)
key = DSSKey.from_private_key_file(test_path('test_dss.key'))
self.tc.auth_publickey(username='******', key=key, probe=True)
self.assertEqual(True, self.tc.is_publickey_probe_ok())
self.assertEqual(False, self.tc.is_authenticated())
self.tc.auth_publickey(username='******', key=key)
self.assertEqual(False, self.tc.is_publickey_probe_ok())
self.assertEqual(False, self.tc.is_authenticated())
self.verify_finished()
def test_3_multipart_auth(self):
"""
verify that multipart auth works.
"""
self.start_server()
self.tc.connect(hostkey=self.public_host_key)
remain = self.tc.auth_password(
username="******", password="******"
)
self.assertEqual(["publickey"], remain)
key = DSSKey.from_private_key_file(_support("test_dss.key"))
remain = self.tc.auth_publickey(username="******", key=key)
self.assertEqual([], remain)
self.verify_finished()
def dehydrate(self, bundle):
if bundle.obj.key_type == "ssh-rsa":
key = RSAKey(data=base64.b64decode(bundle.obj.public_key))
elif bundle.obj.key_type == "ssh-dss":
key = DSSKey(data=base64.b64decode(bundle.obj.public_key))
elif bundle.obj.key_type.startswith("ecdsa"):
key = ECDSAKey(data=base64.b64decode(bundle.obj.public_key))
else:
raise HydrationError("Unknown key type: %s" %
bundle.object.key_type)
bundle.data['fingerprint'] = u(hexlify(key.get_fingerprint()))
return bundle
def clean_ssh_pubkey(self):
keydata = self.cleaned_data["ssh_pubkey"].strip()
keys = keydata.splitlines()
if not keys:
return keys
pubkeys = []
for pubkey in keys:
if not pubkey:
continue
fields = pubkey.split(None, 2)
if len(fields) < 2:
raise forms.ValidationError(
_("Malformed SSH key, must be in"
" OpenSSH format, RSA or DSA"))
key_type = fields[0].strip().lower()
key = fields[1].strip()
try:
comment = fields[2].strip()
except IndexError:
comment = None
try:
data = base64.b64decode(key)
except TypeError:
raise forms.ValidationError(_("Malformed SSH key"))
if key_type == "ssh-rsa":
try:
pkey = RSAKey(data=data)
except SSHException:
raise forms.ValidationError(_("Invalid RSA SSH key"))
elif key_type == "ssh-dss":
try:
pkey = DSSKey(data=data)
except SSHException:
raise forms.ValidationError(_("Invalid DSS SSH key"))
else:
raise forms.ValidationError(
_("Unknown key type '%s'") % fields[0])
pubkeys.append((key_type, key, comment))
return pubkeys
def test_8_multipart_auth(self):
"""
verify that multipart auth works.
"""
host_key = RSAKey.from_private_key_file('tests/test_rsa.key')
public_host_key = RSAKey(data=str(host_key))
self.ts.add_server_key(host_key)
event = threading.Event()
server = NullServer()
self.assert_(not event.isSet())
self.ts.start_server(event, server)
self.tc.ultra_debug = True
self.tc.connect(hostkey=public_host_key)
remain = self.tc.auth_password(username='******', password='******')
self.assertEquals(['publickey'], remain)
key = DSSKey.from_private_key_file('tests/test_dss.key')
remain = self.tc.auth_publickey(username='******', key=key)
self.assertEquals([], remain)
event.wait(1.0)
self.assert_(event.isSet())
self.assert_(self.ts.is_active())
def testRSAKey(self):
with self.get_session() as session:
rpkey = pRSAKey.generate(256)
rkey = Key.build_from_paramiko_key('rsa', rpkey)
nrkey = rkey.get_paramiko_key()
self.assertEqual(rpkey.e, nrkey.e)
self.assertEqual(rpkey.n, nrkey.n)
self.assertEqual(nrkey, rpkey)
dpkey = DSSKey.generate(1024)
dkey = Key.build_from_paramiko_key('dsa', dpkey)
self.assertEqual(dpkey, dkey.get_paramiko_key())
session.add(rkey)
session.add(dkey)
session.commit()
qrkey = session.query(Key).filter(Key.name=='rsa')[0]
self.assertTrue(isinstance(qrkey,RSAKey))
pepe = session.query(Computer).filter_by(name='test_computer')[0]
pepe.key = qrkey
session.commit()
pepe = session.query(Computer).filter_by(name='test_computer')[0]
self.assertEqual(pepe.key.get_paramiko_key(), rpkey)
def generate_fingerprint(key):
fingerprint = None
_type, _key, _name = split_ssh_key(key)
try:
if _type == 'ssh-rsa':
_key = RSAKey(data=decodestring(_key))
elif _type == 'ssh-dss':
_key = DSSKey(data=decodestring(_key))
else:
return fingerprint
hash = hexlify(_key.get_fingerprint())
fingerprint = ":".join([hash[i:2 + i] for i in range(0, len(hash), 2)])
except SSHException as e:
# Invalid key
# raise ValueError(str(e))
return None
except Error:
# Incorrect padding
# report "Invalid key" error to user
# raise ValueError("Invalid key")
return None
return fingerprint
def test_8_multipart_auth(self):
"""
verify that multipart auth works.
"""
host_key = RSAKey.from_private_key_file('tests/test_rsa.key')
public_host_key = RSAKey(data=str(host_key))
self.ts.add_server_key(host_key)
event = threading.Event()
server = NullServer()
self.assert_(not event.isSet())
self.ts.start_server(event, server)
self.tc.ultra_debug = True
self.tc.connect(hostkey=public_host_key)
remain = self.tc.auth_password(username='******',
password='******')
self.assertEquals(['publickey'], remain)
key = DSSKey.from_private_key_file('tests/test_dss.key')
remain = self.tc.auth_publickey(username='******', key=key)
self.assertEquals([], remain)
event.wait(1.0)
self.assert_(event.isSet())
self.assert_(self.ts.is_active())
def __init__(self, \
timeout, \
remoteMachine, \
port, \
username, \
password, \
loggerName, \
pk, \
bufsize = 8192):
import logging
self.logger = logging.getLogger(loggerName)
self.timeout = timeout
self.remoteMachine = remoteMachine
self.port = port
self.username = username
self.password = password
self.bufsize = bufsize
self.pk = DSSKey.from_private_key_file(expanduser(pk))
self.logger.info('Object succesfully created')
self.logger.debug ('timeout = %s, remoteMachine = %s, port = %s, username = %s'%(self.timeout, self.remoteMachine, self.port, self.username))
def submitJobToFramework(self, **kwargs):
jobCommand = 'job'
daemonArgs = DaemonArgs(self.config)
daemonArgs.command = jobCommand
unScheduledJob = kwargs['unScheduledJob']
is_fileFeeder = False
fileFeederUploadedFile = None
del daemonArgs.param[:]
# go through all parameters
for parameter in unScheduledJob.parameters.all():
# add parameter to daemonArgs.param
if parameter.service and parameter.param_key and parameter.param_value:
# check if a file feeder is used
if parameter.service == settings.FILE_FEEDER_ID:
is_fileFeeder = True
fileFeederUploadedFile = parameter.param_value
remoteFeederFile = os.path.join(self.sftpRemotePath, parameter.param_value)
parameterString = '%s.%s=%s' % ( parameter.service, parameter.param_key, remoteFeederFile )
else:
parameterString = '%s.%s=%s' % ( parameter.service, parameter.param_key, parameter.param_value )
self.logger.debug("add parameter string: %s" % parameterString)
daemonArgs.param.append([parameterString])
# in case of a filefeeder upload file to framework server
if is_fileFeeder:
self.logger.debug("is file feeder")
sftp = None
transport = None
try:
transport = Transport((self.sftpHost, self.sftpPort))
if self.sftpPassword:
transport.connect(username=self.sftpUsername, password=self.sftpPassword)
else:
privateKey = None
if self.sftpPrivateKeyType and self.sftpPrivateKeyType.lower() == 'rsa':
privateKey = RSAKey.from_private_key_file(self.sftpPrivateKey, password=self.sftpPrivateKeyPassword )
if self.sftpPrivateKeyType and self.sftpPrivateKeyType.lower() == 'dss':
privateKey = DSSKey.from_private_key_file(self.sftpPrivateKey, password=self.sftpPrivateKeyPassword )
transport.connect(username=self.sftpUsername, pkey=privateKey)
sftp = SFTPClient.from_transport(transport)
filePath = os.path.join( settings.MEDIA_ROOT, fileFeederUploadedFile )
remotePath = os.path.join( self.sftpRemotePath, fileFeederUploadedFile )
self.logger.debug("uploading file from %s to %s on remote machine" % (filePath, remotePath))
sftp.put(filePath, remotePath)
# sftp.put(filePath, remotePath, confirm=False)
sftp.chmod( remotePath, 0644 )
self.logger.debug("put OK")
except IOError as e:
self.logger.error("IOError: %s. Will continue with next scheduled job." % e)
self.saveJob(Job.FAILED_STATUS, None, unScheduledJob)
except PasswordRequiredException as e:
self.logger.error("PasswordRequiredException: %s. Will continue with next scheduled job." % e)
self.saveJob(Job.FAILED_STATUS, None, unScheduledJob)
except SSHException as e:
self.logger.error("SSH Exception: %s. Will continue with next scheduled job." % e)
self.saveJob(Job.FAILED_STATUS, None, unScheduledJob)
except Exception as e:
self.logger.error("Unkown SFTP problem. Will continue with next scheduled job. %s" % e)
self.saveJob(Job.FAILED_STATUS, None, unScheduledJob)
finally:
if sftp is not None:
sftp.close()
if transport is not None:
transport.close()
# set job workflow
daemonArgs.jd_workflow = unScheduledJob.workflow.name
frameworkJobId = None
try:
setattr(daemonArgs, jobCommand, 'submit')
frameworkJobId = self.sendFrameworkCommand(jobCommand, daemonArgs)
self.saveJob(Job.PROCESSING_STATUS, frameworkJobId, unScheduledJob)
except WorkflowNotDeployedException:
# The workflow is not deployed in the framework. To prevent the scheduler retrying continuously
# we disable this job
unScheduledJob.status = Schedule.DEACTIVATE_STATUS
unScheduledJob.save()
except:
self.saveJob(Job.FAILED_STATUS, None, unScheduledJob)
finally:
daemonArgs.clean(jobCommand)
if unScheduledJob.scheduled_start is not None:
unScheduledJob.status = Schedule.DEACTIVATED_STATUS
unScheduledJob.save()
def _check_keypair(self, name, public_key_path, private_key_path):
"""First checks if the keypair is valid, then checks if the keypair
is registered with on the cloud. If not the keypair is added to the
users ssh keys.
:param str name: name of the ssh key
:param str public_key_path: path to the ssh public key file
:param str private_key_path: path to the ssh private key file
:raises: `KeypairError` if key is not a valid RSA or DSA key,
the key could not be uploaded or the fingerprint does not
match to the one uploaded to the cloud.
"""
connection = self._connect()
keypairs = connection.get_all_key_pairs()
keypairs = dict((k.name, k) for k in keypairs)
# decide if dsa or rsa key is provided
pkey = None
is_dsa_key = False
try:
pkey = DSSKey.from_private_key_file(private_key_path)
is_dsa_key = True
except PasswordRequiredException:
log.warning(
"Unable to check key file `%s` because it is encrypted with a "
"password. Please, ensure that you added it to the SSH agent "
"with `ssh-add %s`", private_key_path, private_key_path)
except SSHException:
try:
pkey = RSAKey.from_private_key_file(private_key_path)
except PasswordRequiredException:
log.warning(
"Unable to check key file `%s` because it is encrypted with a "
"password. Please, ensure that you added it to the SSH agent "
"with `ssh-add %s`", private_key_path, private_key_path)
except SSHException:
raise KeypairError('File `%s` is neither a valid DSA key '
'or RSA key.' % private_key_path)
# create keys that don't exist yet
if name not in keypairs:
log.warning(
"Keypair `%s` not found on resource `%s`, Creating a new one",
name, self._url)
with open(os.path.expanduser(public_key_path)) as f:
key_material = f.read()
try:
# check for DSA on amazon
if "amazon" in self._ec2host and is_dsa_key:
log.error(
"Apparently, amazon does not support DSA keys. "
"Please specify a valid RSA key.")
raise KeypairError(
"Apparently, amazon does not support DSA keys."
"Please specify a valid RSA key.")
connection.import_key_pair(name, key_material)
except Exception, ex:
log.error(
"Could not import key `%s` with name `%s` to `%s`",
name, public_key_path, self._url)
raise KeypairError(
"could not create keypair `%s`: %s" % (name, ex))
def __init__(self, args):
self.knownfile = ''
self.keytype = ''
self.pubfile = ''
self.privfile = ''
self.signfile = ''
self.blob = ''
self.host = ''
self.hhost = ''
self.privkey = ''
self.pubkey = ''
self.signkey = ''
self.knownkey = ''
if 'known' in args:
self.knownfile = args['known']
if 'pub' in args:
self.pubfile = args['pub']
if 'priv' in args:
self.privfile = args['priv']
if 'sign' in args:
self.signfile = args['sign']
if 'host' in args:
self.host = args['host']
if 'blob' in args:
self.blob = args['blob']
# for decryption
if self.privfile != '':
rsakey = ''
try:
f = open(self.privfile, 'r')
for line in f:
rsakey += line
except:
error('No private key file found.')
f.close()
try:
self.privkey = RSA.importKey(rsakey)
except:
error('No valid private RSA key found.')
# to sign files
if self.signfile != '':
try:
f = open(self.signfile, 'r')
line = f.readline()
f.close()
if line.find('RSA') != -1 or line.find('rsa') != -1:
self.signkey = RSAKey.from_private_key_file(self.signfile)
else:
self.signkey = DSSKey.from_private_key_file(self.signfile)
except:
error('No valid signature key found.')
# to encrypt files
if self.pubfile != '':
try:
s = subprocess.check_output(['ssh-keygen', '-e', '-m', 'PKCS8', '-f',
self.pubfile], shell = False)
self.pubkey = RSA.importKey(s)
except:
error('No valid public RSA key found.')
def test_B_generate_dss(self):
key = DSSKey.generate(1024)
msg = key.sign_ssh_data(b"jerri blank")
msg.rewind()
self.assertTrue(key.verify_ssh_sig(b"jerri blank", msg))
def _check_keypair(self, name, public_key_path, private_key_path):
"""First checks if the keypair is valid, then checks if the keypair
is registered with on the cloud. If not the keypair is added to the
users ssh keys.
:param str name: name of the ssh key
:param str public_key_path: path to the ssh public key file
:param str private_key_path: path to the ssh private key file
:raises: `KeypairError` if key is not a valid RSA or DSA key,
the key could not be uploaded or the fingerprint does not
match to the one uploaded to the cloud.
"""
connection = self._connect()
keypairs = connection.get_all_key_pairs()
keypairs = dict((k.name, k) for k in keypairs)
# decide if dsa or rsa key is provided
pkey = None
is_dsa_key = False
try:
pkey = DSSKey.from_private_key_file(private_key_path)
is_dsa_key = True
except PasswordRequiredException:
warn("Unable to check key file `{0}` because it is encrypted with a "
"password. Please, ensure that you added it to the SSH agent "
"with `ssh-add {1}`"
.format(private_key_path, private_key_path))
except SSHException:
try:
pkey = RSAKey.from_private_key_file(private_key_path)
except PasswordRequiredException:
warn("Unable to check key file `{0}` because it is encrypted with a "
"password. Please, ensure that you added it to the SSH agent "
"with `ssh-add {1}`"
.format(private_key_path, private_key_path))
except SSHException:
raise KeypairError('File `%s` is neither a valid DSA key '
'or RSA key.' % private_key_path)
# create keys that don't exist yet
if name not in keypairs:
log.warning(
"Keypair `%s` not found on resource `%s`, Creating a new one",
name, self._url)
with open(os.path.expanduser(public_key_path)) as f:
key_material = f.read()
try:
# check for DSA on amazon
if "amazon" in self._ec2host and is_dsa_key:
log.error(
"Apparently, amazon does not support DSA keys. "
"Please specify a valid RSA key.")
raise KeypairError(
"Apparently, amazon does not support DSA keys."
"Please specify a valid RSA key.")
connection.import_key_pair(name, key_material)
except Exception as ex:
log.error(
"Could not import key `%s` with name `%s` to `%s`",
name, public_key_path, self._url)
raise KeypairError(
"could not create keypair `%s`: %s" % (name, ex))
else:
# check fingerprint
cloud_keypair = keypairs[name]
if pkey:
if "amazon" in self._ec2host:
# AWS takes the MD5 hash of the key's DER representation.
key = RSA.importKey(open(private_key_path).read())
der = key.publickey().exportKey('DER')
m = hashlib.md5()
m.update(der)
digest = m.hexdigest()
fingerprint = ':'.join(digest[i:(i + 2)]
for i in range(0, len(digest), 2))
else:
fingerprint = ':'.join(byte_to_hex(byte)
for byte in pkey.get_fingerprint())
if fingerprint != cloud_keypair.fingerprint:
if "amazon" in self._ec2host:
log.error(
"Apparently, Amazon does not compute the RSA key "
"fingerprint as we do! We cannot check if the "
"uploaded keypair is correct!")
else:
raise KeypairError(
"Keypair `%s` is present but has "
"different fingerprint. Aborting!" % name)
def test_B_generate_dss(self):
key = DSSKey.generate(1024)
msg = key.sign_ssh_data(rng, 'jerri blank')
msg.rewind()
self.assert_(key.verify_ssh_sig('jerri blank', msg))
def _check_keypair(self, name, public_key_path, private_key_path):
"""First checks if the keypair is valid, then checks if the keypair
is registered with on the cloud. If not the keypair is added to the
users ssh keys.
:param str name: name of the ssh key
:param str public_key_path: path to the ssh public key file
:param str private_key_path: path to the ssh private key file
:raises: `KeypairError` if key is not a valid RSA or DSA key,
the key could not be uploaded or the fingerprint does not
match to the one uploaded to the cloud.
"""
# Read key. We do it as first thing because we need it either
# way, to check the fingerprint of the remote keypair if it
# exists already, or to create a new keypair.
pkey = None
try:
pkey = DSSKey.from_private_key_file(private_key_path)
except PasswordRequiredException:
warn("Unable to check key file `{0}` because it is encrypted with a "
"password. Please, ensure that you added it to the SSH agent "
"with `ssh-add {1}`"
.format(private_key_path, private_key_path))
except SSHException:
try:
pkey = RSAKey.from_private_key_file(private_key_path)
except PasswordRequiredException:
warn("Unable to check key file `{0}` because it is encrypted with a "
"password. Please, ensure that you added it to the SSH agent "
"with `ssh-add {1}`"
.format(private_key_path, private_key_path))
except SSHException:
raise KeypairError('File `%s` is neither a valid DSA key '
'or RSA key.' % private_key_path)
try:
# Check if a keypair `name` exists on the cloud.
keypair = self.nova_client.keypairs.get(name)
# Check if it has the correct keypair, but only if we can read the local key
if pkey:
fingerprint = str.join(
':', (i.encode('hex') for i in pkey.get_fingerprint()))
if fingerprint != keypair.fingerprint:
raise KeypairError(
"Keypair `%s` is present but has "
"different fingerprint. Aborting!" % name)
else:
warn("Unable to check if the keypair is using the correct key.")
except NotFound:
log.warning(
"Keypair `%s` not found on resource `%s`, Creating a new one",
name, self._os_auth_url)
# Create a new keypair
with open(os.path.expanduser(public_key_path)) as f:
key_material = f.read()
try:
self.nova_client.keypairs.create(name, key_material)
except Exception as ex:
log.error(
"Could not import key `%s` with name `%s` to `%s`",
name, public_key_path, self._os_auth_url)
raise KeypairError(
"could not create keypair `%s`: %s" % (name, ex))
def apply_config(self, user, timestamp, passphrase):
""" Apply the configuration
This will check the Affectedlog and generates proper authorized_keys
file for each host affected.
"""
retval = {
"status": "success",
"ssh_messages": []
}
# Add note about that.
ActionLog(
timestamp=timestamp,
user=user,
action="APPLY"
).save()
# Do some initialisation
affected_hosts = self.all()
public_key = Configuration.objects.get(
key="sshkey_public"
)
private_key_config = Configuration.objects.get(
key="sshkey_private"
)
keytype = Configuration.objects.get(
key="sshkey_type"
)
if not public_key or not private_key_config or not keytype:
raise _("Invalid configuration. Did you run setup already?")
if passphrase == "":
passphrase = None
private_key = None
try:
# Generate private key to use
private_key_file = StringIO.StringIO(
str(private_key_config.value)
)
if keytype.value == "dsa":
# noinspection PyTypeChecker
private_key = DSSKey.from_private_key(
private_key_file, passphrase
)
else:
# noinspection PyTypeChecker
private_key = RSAKey.from_private_key(
private_key_file, passphrase
)
private_key_file.close()
except SSHException:
retval['ssh_messages'].append(_(
"Cannot open skd private key. Perhaps you specified the "
"wrong passphrase?"
))
retval['status'] = "error"
hosts_applied = []
if private_key:
client = SSHClient()
client.load_system_host_keys()
client.set_missing_host_key_policy(AutoAddPolicy)
for apply_line in affected_hosts:
host = apply_line.host
if host in hosts_applied:
continue
workload = []
# Find all users, that have access to this host.
user_keys = UserKey.objects.filter(
**{
"user__useringroup__group__"
"usergroupinhostgroup__hostgroup__"
"hostingroup__host__id": host.id
}
)
if not user_keys:
# This seems to be an old entry. Obviously, no one
# has access to the host anymore. Skip it.
hosts_applied.append(host)
retval['ssh_messages'].append(
_(
"Removing seemingly orphaned host %(host)s "
"from workload" %
{
'host': host.name
}
)
)
continue
if host.user == '*':
# This host is a wildcard host.
# Build up workload using the usernames of the
# assigned users and include optional username mappings
assigned_users = User.objects.filter(
**{
"useringroup__group__usergroupinhostgroup__"
"hostgroup__hostingroup__host__id": host.id
}
)
for assigned_user in assigned_users:
namemaps = UserMap.objects.filter(
user=assigned_user,
host=host
)
assigned_username = assigned_user.name
if namemaps:
assigned_username = namemaps[0].username
# Find all users, that also share this username,
# either inside their user data or via a username
# mapping.
# Namemaps
all_users = []
same_namemap = UserMap.objects.filter(
host=host,
username=assigned_username
)
for mapping in same_namemap:
all_users.append(mapping.user)
# User data
same_users = User.objects.filter(
**{
"name": assigned_username,
"useringroup__group__"
"usergroupinhostgroup__hostgroup__"
"hostingroup__host__id": host.id
}
)
for found_user in same_users:
all_users.append(found_user)
user_keys = UserKey.objects.filter(
user__in=all_users
)
workload.append(
{
'host': host,
'user': assigned_username,
'user_keys': user_keys
}
)
else:
# No wildcard host, just us.
workload = [
{
'host': host,
'user': host.user,
'user_keys': user_keys
}
]
error_in_workload = False
for step in workload:
# Build up authorized_keys-filecontent
authorized_keys = []
for key in user_keys:
authorized_keys.append("# %s (%s)" % (
key.user.fullname,
key.name
))
authorized_keys.append(key.key)
# Add our own public key to the keys
authorized_keys.append("# Generated by skd")
authorized_keys.append(
public_key.value
)
# Connect to the server
is_connected = False
try:
client.connect(
hostname=str(step['host'].fqdn),
username=str(step['user']),
pkey=private_key
)
is_connected = True
except AuthenticationException:
retval['ssh_messages'].append(_(
"Cannot connect to host %(name)s as user "
"%(user)s. Perhaps the skd-key hasn't been "
"added to it's authorized_keys-file" %
{
"name": step['host'].name,
"user": step['user']
}
))
retval['status'] = "error"
except (SSHException, socket.error, socket.gaierror):
retval['ssh_messages'].append(_(
"System failure connecting to SSH host "
"%(host)s as user %(user)s: %(error)s" %
{
"error": sys.exc_info()[1],
"host": step['host'].name,
"user": step['user']
}
))
retval['status'] = "error"
if is_connected:
try:
# Deploy the authorized_keys file onto the
# server.
def noAscii(k):
return ''.join(
[x for x in k if ord(x) < 128]
)
command = 'echo -e "%s" > ~/' \
'.ssh/authorized_keys' % \
(
noAscii(
"\n".join(authorized_keys)
)
)
client.exec_command(command=command)
retval['ssh_messages'].append(_(
"Host %(host)s with user %(user)s "
"completed." %
{
"host": step['host'].name,
"user": step['user']
}
))
except SSHException:
retval['ssh_messages'].append(_(
"Error deploying the authorized_keys-file "
"of host %(host)s / user %(user)s: "
"%(error)s" %
{
"error": sys.exc_info()[1],
"host": host.name,
"user": host.user
}
))
retval['status'] = "error"
error_in_workload = True
if not error_in_workload:
# All went well, delete host from apply-Log.
hosts_applied.append(host)
client.close()
# Remove succesful hosts from applylog
self.filter(host__in=hosts_applied).delete()
return retval
