CasperSecurity

Current Path : /lib/python3/dist-packages/cloudinit/__pycache__/
Current File : //lib/python3/dist-packages/cloudinit/__pycache__/ssh_util.cpython-310.pyc
o

쑛h�Y�@snddlZddlZddlZddlmZddlmZmZmZddl	m
Z
mZmZe�
e�ZdZdZdZdee�d	ZGd
d�d�ZGdd
�d
�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zefdd�Zd7dd�ZGdd�d�Zd eefd!d"�Z d eefd#d$�Z!d%d&�Z"d'ed e#fd(d)�Z$d*d+�Z%efd,d-�Z&d.d/�Z'efd0eeeeffd1d2�Z(d3d4�Z)d5d6�Z*dS)8�N)�suppress)�List�Sequence�Tuple)�	lifecycle�subp�utilz/etc/ssh/sshd_config)�rsa�ecdsa�ed25519z(ecdsa-sha2-nistp256-cert-v01@openssh.comzecdsa-sha2-nistp256z(ecdsa-sha2-nistp384-cert-v01@openssh.comzecdsa-sha2-nistp384z(ecdsa-sha2-nistp521-cert-v01@openssh.comzecdsa-sha2-nistp521z+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz"sk-ecdsa-sha2-nistp256@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comzsk-ssh-ed25519@openssh.comz ssh-ed25519-cert-v01@openssh.comzssh-ed25519zssh-rsa-cert-v01@openssh.comzssh-rsazssh-xmss-cert-v01@openssh.comzssh-xmss@openssh.com�z�no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit �"c@s(eZdZ	ddd�Zdd�Zdd�ZdS)	�AuthKeyLineNcCs"||_||_||_||_||_dS�N)�base64�comment�options�keytype�source)�selfrrrrr�r�4/usr/lib/python3/dist-packages/cloudinit/ssh_util.py�__init__Es

zAuthKeyLine.__init__cCs|jo|jSr)rr�rrrr�validNszAuthKeyLine.validcCs`g}|jr|�|j�|jr|�|j�|jr|�|j�|jr&|�|j�|s+|jSd�|�S�N� )r�appendrrrr�join)r�toksrrr�__str__Qs
zAuthKeyLine.__str__)NNNN)�__name__�
__module__�__qualname__rrr rrrrrDs

�	rc@s"eZdZdZdd�Zddd�ZdS)�AuthKeyLineParserau
    AUTHORIZED_KEYS FILE FORMAT
     AuthorizedKeysFile specifies the file containing public keys for public
     key authentication; if none is specified, the default is
     ~/.ssh/authorized_keys.  Each line of the file contains one key (empty
     (because of the size of the public key encoding) up to a limit of 8 kilo-
     bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
     kilobits.  You don't want to type them in; instead, copy the
     identity.pub or the id_rsa.pub file and edit it.

     sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
     2 keys of 768 bits.

     The options (if present) consist of comma-separated option specifica-
     tions.  No spaces are permitted, except within double quotes.  The fol-
     lowing option specifications are supported (note that option keywords are
     case-insensitive):
    cCs�d}d}|t|�krO|s||dvrO||}|dt|�kr#|d}n,||d}|dkr6|dkr6|d}n|dkr=|}|d}|t|�krO|s||dvs|d|�}||d���}||fS)z�
        The options (if present) consist of comma-separated option specifica-
         tions.  No spaces are permitted, except within double quotes.
         Note that option keywords are case-insensitive.
        Fr)r�	��\r
N)�len�lstrip)r�ent�quoted�i�curc�nextcr�remainrrr�_extract_optionsus"
�z"AuthKeyLineParser._extract_optionsNcCs�|�d�}|�d�s|��dkrt|�Sdd�}|��}z	||�\}}}Wn/tyT|�|�\}	}
|dur9|	}z	||
�\}}}WntyQt|�YYSwYnwt|||||d�S)Nz
�#�cSs^|�dd�}t|�dkrtdt|���|dtvr"td|d��t|�dkr-|�d�|S)N�zTo few fields: %srzInvalid keytype %sr2)�splitr(�	TypeError�VALID_KEY_TYPESr)r*rrrr�
parse_ssh_key�s
z.AuthKeyLineParser.parse.<locals>.parse_ssh_key)rrrr)�rstrip�
startswith�striprr5r0)r�src_liner�liner7r*rrr�keyoptsr/rrr�parse�s2
���
�zAuthKeyLineParser.parser)r!r"r#�__doc__r0r>rrrrr$asr$c
Csxg}t�}g}|D]0}ztj�|�r&t�|���}|D]
}|�|�|��qWq	t	t
fy9t�td|�Yq	w|S)NzError reading lines from %s)
r$�os�path�isfiler�load_text_file�
splitlinesrr>�IOError�OSError�logexc�LOG)�fnames�lines�parser�contents�fnamer<rrr�parse_authorized_keys�s��rNcCs�tdd�|D��}tt|��D]%}||}|��sq|D]}|j|jkr/|}||vr/|�|�q|||<q|D]}|�|�q7dd�|D�}|�d�d�|�S)NcSsg|]}|��r|�qSr)r��.0�krrr�
<listcomp>��z*update_authorized_keys.<locals>.<listcomp>cS�g|]}t|��qSr��str)rP�brrrrR��r2�
)�list�ranger(rr�removerr)�old_entries�keys�to_addr,r*rQ�keyrJrrr�update_authorized_keys�s"
�


racCs4t�|�}|r
|jstd|��tj�|jd�|fS)Nz"Unable to get SSH info for user %rz.ssh)�pwd�getpwnam�pw_dir�RuntimeErrorr@rAr)�username�pw_entrrr�users_ssh_info�s

rhc	Cspd|fd|fdf}|s
d}|��}g}|D] }|D]
\}}|�||�}q|�d�s0tj�||�}|�|�q|S)N�%h�%u)z%%�%�%h/.ssh/authorized_keys�/)r4�replacer9r@rArr)	�value�homedirrf�macros�paths�renderedrA�macro�fieldrrr�render_authorizedkeysfile_paths�s
rvc
Cs�d}|rd}t�|�}|r ||kr |dkr t�d||||�dSt�|�}||kr.|dM}nt�|�}t�|�}	||	vrA|dM}n|dM}||@d	krUt�d
|||�dS|rd|d@rdt�d||�dSd
S)aVCheck if the file/folder in @current_path has the right permissions.

    We need to check that:
    1. If StrictMode is enabled, the owner is either root or the user
    2. the user can access the file/folder, otherwise ssh won't use it
    3. If StrictMode is enabled, no write permission is given to group
       and world users (022)
    i�i��rootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.F��8�rzBPath %s in %s must be accessible by user %s, check its permissions�zRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)r�	get_ownerrH�debug�get_permissions�	get_group�get_user_groups)
rf�current_path�	full_path�is_file�strictmodes�minimal_permissions�owner�parent_permission�group_owner�user_groupsrrr�check_permissionssJ
�




��r�c
Cs�t|�d}td�d}z�|�d�dd�}d}tj�|j�}|D]�}|d|7}tj�|�r9t�d|�WdStj�	|�rIt�d|�WdS|�
|�sS||jkrTq!tj�|�s�t�
|��-d	}	|j}
|j}|�
|j�rvd
}	|j}
|j}tj||	dd�t�||
|�Wd�n1s�wYt|||d|�}|s�WdSq!tj�|�s�tj�|�r�t�d
|�WdStj�|�s�tj|dddd�t�||j|j�t|||d|�}|s�WdSWdSttfy�}
zt�tt|
��WYd}
~
dSd}
~
ww)Nr&rwrm���r2z-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %s��rxT)�mode�exist_okz%s is not a file!�)r��ensure_dir_exists)rhr4r@rA�dirnamerd�islinkrHr}rBr9�existsr�SeLinuxGuard�pw_uid�pw_gid�makedirs�	chownbyidr��isdir�
write_filerErFrGrV)rf�filenamer��
user_pwent�
root_pwent�directories�
parent_folder�home_folder�	directoryr��uid�gid�permissions�errr�check_create_pathGsv���
�
��
�����r�c
Cs0t|�\}}tj�|d�}|}g}tj|dd��;zt|�}|�dd�}|�dd�}	t||j	|�}Wnt
tfyK||d<t�t
d	t|d�YnwWd�n1sVwYt|��|�D]$\}
}td
|
vd|
v|�d�|j	��g�r�t|||	dk�}|r�|}nqb||kr�t
�d
|�|t|g�fS)N�authorized_keysT��	recursive�authorizedkeysfilerlr��yesrzhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadrjriz{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)rhr@rArrr��parse_ssh_config_map�getrvrdrErFrGrH�DEF_SSHD_CFG�zipr4�anyr9�formatr�r}rN)
rf�
sshd_cfg_file�ssh_dirrg�default_authorizedkeys_file�user_authorizedkeys_file�auth_key_fns�ssh_cfg�	key_pathsr��key_path�auth_key_fn�permissions_okrrr�extract_authorized_keys�s^��������
����r�c
Cs�t�}g}|D]}|�|jt|�|d��qt|�\}}tj�|�}tj	|dd��t
||�}	tj||	dd�Wd�dS1sBwYdS)N)rTr���
preserve_mode)r$rr>rVr�r@rAr�rr�rar�)
r^rfrrK�key_entriesrQr��auth_key_entriesr��contentrrr�setup_user_keys�s
"�r�c@s*eZdZddd�Zedd��Zdd�ZdS)	�SshdConfigLineNcCs||_||_||_dSr)r<�_keyro)rr<rQ�vrrrr�s
zSshdConfigLine.__init__cCs|jdurdS|j��Sr)r��lowerrrrrr`�s

zSshdConfigLine.keycCs:|jdur
t|j�St|j�}|jr|dt|j�7}|Sr)r�rVr<ro)rr�rrrr �s


zSshdConfigLine.__str__)NN)r!r"r#r�propertyr`r rrrrr��s


r��returncCs"tj�|�sgStt�|����Sr)r@rArB�parse_ssh_config_linesrrCrD�rMrrr�parse_ssh_config�sr�cCs�g}|D]M}|��}|r|�d�r|�t|��qz
|�dd�\}}Wn$tyGz
|�dd�\}}WntyDt�d|�YYqwYnw|�t|||��q|S)Nr1r&�=z;sshd_config: option "%s" has no key/value pair, skipping it)r:r9rr�r4�
ValueErrorrHr})rJ�retr<r`�valrrrr��s,����
r�cCs6t|�}|siSi}|D]}|jsq|j||j<q|Sr)r�r`ro)rMrJr�r<rrrr�sr�rMcCsbtj�|�stj�|�d��rdStj�|�sdSt�|���D]}|�d|�d��r.dSq dS)N�.dTFzInclude z	.d/*.conf)r@rAr�rBrrCrDr9)rMr<rrr�_includes_dconf"s�r�cCs^t|�r-tj�|�d��stj|�d�dd�tj�|�d�d�}tj�|�s-t�|d�|S)Nr�r�)r�z50-cloud-init.confr�)	r�r@rAr�r�
ensure_dirrrB�ensure_filer�rrr�"_ensure_cloud_init_ssh_config_file/sr�cCsPt|�}t|�}t||d�}|r"tj|d�dd�|D��ddd�t|�dkS)z�Read fname, and update if changes are necessary.

    @param updates: dictionary of desired values {Option: value}
    @return: boolean indicating if an update was done.)rJ�updatesrYcSrTrrU)rPr<rrrrRErXz%update_ssh_config.<locals>.<listcomp>Tr�r)r�r��update_ssh_config_linesrr�rr()r�rMrJ�changedrrr�update_ssh_config:s�r�c	Cst�}g}tdd�|��D��}t|dd�D];\}}|jsq|j|vrQ||j}||}|�|�|j|kr?t�d|||�q|�	|�t�d|||j|�||_qt
|�t
|�kr�|��D]!\}}||vrgq^|�	|�|�	td||��t�dt
|�||�q^|S)	z�Update the SSH config lines per updates.

    @param lines: array of SshdConfigLine.  This array is updated in place.
    @param updates: dictionary of desired values {Option: value}
    @return: A list of keys in updates that were changed.cSsg|]}|��|f�qSr)r�rOrrrrRUrSz+update_ssh_config_lines.<locals>.<listcomp>r&)�startz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %sr2z line %d: option %s added with %s)
�set�dictr^�	enumerater`�addrorHr}rr(�itemsr�)	rJr��foundr��casemapr,r<r`rorrrr�KsD



�
��
�r�rJcCs>|sdSt|�}dd�|D�}tj|d�|�dddd�dS)Ncss"�|]\}}|�d|��VqdS)rNr)rPrQr�rrr�	<genexpr>}s� z$append_ssh_config.<locals>.<genexpr>rY�abT)�omoder�)r�rr�r)rJrMr�rrr�append_ssh_configys
�r�cCs�d}ttj��tjddgddgd�\}}Wd�n1swYd}|�d	�D]}|�|�r?|t|�|�d
��Sq+dS)z�Get the full version of the OpenSSH sshd daemon on the system.

    On an ubuntu system, this would look something like:
    1.2p1 Ubuntu-1ubuntu0.1

    If we can't find `sshd` or parse the version number, return None.
    r2�sshdz-Vrr&)�rcsN�OpenSSH_rY�,)rr�ProcessExecutionErrorr4r9r(�find)�err�_�prefixr<rrr�get_opensshd_version�s
�
�r�c	Cs�d}t�}|durtj�|�Sd|vr|d|�d��}nd|vr+|d|�d��}n|}z	tj�|�}|WSttfyHt�d|�YdSw)z�Get the upstream version of the OpenSSH sshd daemon on the system.

    This will NOT include the portable number, so if the Ubuntu version looks
    like `1.2p1 Ubuntu-1ubuntu0.1`, then this function would return
    `1.2`
    z9.0N�prz Could not parse sshd version: %s)	r�r�Version�from_strr�r�r5rH�warning)�upstream_version�full_versionrrr�get_opensshd_upstream_version�s�r�r)+�loggingr@rb�
contextlibr�typingrrr�	cloudinitrrr�	getLoggerr!rHr�r6�_DISABLE_USER_SSH_EXITrV�DISABLE_USER_OPTSrr$rNrarhrvr�r�r�r�r�r�r�r��boolr�r�r�r�r�r�r�rrrr�<module>sJ
���YEO
9
.
CasperSecurity

Telegram @BIBIL_0DAY
