a 'Dg, @sUdZddlZddlZddlZddlZddlZddlmZmZm Z ddl m Z m Z m Z mZddlmZddlmZddlmZddlmZmZdd lmZd egegd Zeed <eeZgd ZdgZ e!dZ"dZ#dZ$gZ%ee&ed<iZ'iZ(eD]dZ)e'*e)de#e)dfe)de#e)ddfe)de#e)ddfie)de(e)d<qdZ+e&ddddZ,e&eee-dddd Z.d!d"Z/d&ee e&d#d$d%Z0dS)'zSSH: Configure SSH and SSH keysN)ListOptionalSequence) lifecyclessh_utilsubputil)Cloud)Config) MetaSchema) ALL_DISTROSug_util) PER_INSTANCEZcc_ssh)idZdistrosZ frequencyZactivate_by_schema_keysmeta)ZrsaZecdsaed25519rz4^(ecdsa-sk|ed25519-sk)_(private|public|certificate)$z/etc/ssh/ssh_host_%s_keyTHOST_KEY_PUBLISH_BLACKLISTZ_privateZ_public.pub _certificatez -cert.pubz;o=$(ssh-keygen -yf "%s") && echo "$o" root@localhost > "%s")keyfilereturncCsld}t}|r&|tddkr&d}nd}td}|dkrJt|d|t||t|d|d S) a For fedora 37, centos 9 stream and below: - sshd version is earlier than version 9. - 'ssh_keys' group is present and owns the private keys. - private keys have permission 0o640. For fedora 38, centos 10 stream and above: - ssh version is atleast version 9. - 'ssh_keys' group is absent. 'root' group owns the keys. - private keys have permission 0o600, same as upstream. Public keys in all cases have permission 0o644. r rirssh_keysrN) rZget_opensshd_upstream_versionrZVersionrZ get_group_idoschownchmod)rZpermissions_publicZ ssh_versionZpermissions_privategidr ;/usr/lib/python3.9/site-packages/cloudinit/config/cc_ssh.pyset_redhat_keyfile_perms@s   r")namecfgcloudargsrc$ Cs|ddrZtjdd}t|D]4}zt|Wq$tyVtt d|Yq$0q$d|vrg}|d D]t\}}|t vrt |rd} nd} t d | |qtt |d } t |d } t| || d |vrt|d t| fqt|rt|t D]\} } | |dvs| |dvr(qt | d t | d }}ddt||fg}zPtjdddtj|ddWdn1s0Yt d||Wn,tytt d|d|Yn0qnt|dt}ts|n dd|D}t||}|r*t dd||D]<}t|}tj|rNq.t tj!|dd|ddd |g}tjdddzTtj|dd!d"id#\}}t"|d$dst#j$%t&||j'j(d%krt)|Wnrtj*yH}zVt&|j+,}|j-d kr$|,.d&r$t d'|ntt d(||WYd}~n d}~00Wdn1s`0Yq.d)|vrt|d)d*t/}t"|d)d+t0}nt/}t0}|rt1|d,}z|j23|Wn tytt d-Yn0zt45||j'\}}t46|\}}t"|d.d} t7|d/tj8}!g}"t"|d0drL|9pHg}"n t d1d2|vrr|d2}#|":|#t;|"|| |!Wn tytt d3Yn0dS)4NZssh_deletekeysTz /etc/ssh/zssh_host_*key*zFailed deleting key file %srZ unsupportedZ unrecognizedz Skipping %s ssh_keys entry: "%s"rrZHostCertificateshz-xcz/etc/ssh) recursiveF)capturezGenerated a key for %s from %szFailed generating a key for z from Zssh_genkeytypescSsg|]}|tvr|qSr )FIPS_UNSUPPORTED_KEY_NAMES).0namesr r r! szhandle..z5skipping keys that are not supported in fips mode: %s,z ssh-keygenz-tz-Nz-fLANGC)r*Z update_envZssh_quiet_keygenZredhatz unknown keyz!ssh-keygen: unknown key type '%s'z(Failed generating key type %s to file %sZssh_publish_hostkeys blacklistZenabledr3zPublishing host keys failed! disable_rootdisable_root_optsZallow_public_ssh_keyszSSkipping import of publish SSH keys per config setting: allow_public_ssh_keys=FalseZssh_authorized_keysz Applying SSH credentials failed!)<getrpathjoinglobrZdel_file ExceptionZlogexcLOGitemsCONFIG_KEY_TO_FILEpattern_unsupported_config_keysmatchZwarningZ write_fileappendstrrZappend_ssh_config PRIV_TO_PUB KEY_GEN_TPLZ SeLinuxGuardrdebugZget_cfg_option_listGENERATE_KEY_NAMESZ fips_enabledset difference KEY_FILE_TPLexistsZ ensure_dirdirnameZget_cfg_option_boolsysstdoutwriteZ decode_binaryZdistroZosfamilyr"ZProcessExecutionErrorstderrlowerZ exit_code startswithrPUBLISH_HOST_KEYSget_public_host_keysZ datasourceZpublish_host_keysr Znormalize_users_groupsZextract_defaultZget_cfg_option_strZDISABLE_USER_OPTSZget_public_ssh_keysextendapply_credentials)$r#r$r%r&Zkey_pthfZ cert_configkeyvalreasonZtgt_fnZ tgt_permsZ private_typeZ public_typeZ private_fileZ public_filecmdZgenkeysZ key_namesZ skipped_keysZkeytyperouterreZhost_key_blacklistZpublish_hostkeysZhostkeysZusersZ_groupsuserZ _user_configr5r6keysZcfgkeysr r r!handleds           .    >     r`cCsVt|}|rt|||r>|s$d}|d|}|dd}nd}tj|d|ddS)NZNONEz$USERz $DISABLE_USERrootr0)options)rGrZsetup_user_keysreplace)r_r^r5r6Z key_prefixr r r!rUs  rUr4csdtfg}g|r(fdd|DfddtdD}|D]<}t|}|}|rHt|dkrH|t|ddqH|S) aRead host keys from /etc/ssh/*.pub files and return them as a list. @param blacklist: List of key types to ignore. e.g. ['rsa'] @returns: List of keys, each formatted as a two-element tuple. e.g. [('ssh-rsa', 'AAAAB3Nz...'), ('ssh-ed25519', 'AAAAC3Nx...')] z%s.pubcsg|]}|fqSr r )r,Zkey_type)public_key_file_tmplr r!r. sz(get_public_host_keys..csg|]}|vr|qSr r )r,Zhostfile)blacklist_filesr r!r.$s)*r'N)rIr:rZload_text_filesplitlenrAtuple)r3Zkey_listZ file_list file_nameZ file_contentsZkey_datar )rerdr!rSs      rS)N)1__doc__r:ZloggingrrerLtypingrrrZ cloudinitrrrrZcloudinit.cloudr Zcloudinit.configr Zcloudinit.config.schemar Zcloudinit.distrosr r Zcloudinit.settingsrr__annotations__Z getLogger__name__r<rFr+compiler?rIrRrrBr>rCkupdaterDr"listr`rUrSr r r r!sT     $