Files
@ b27e515df83c
Branch filter:
Location: kallithea/kallithea/lib/ssh.py
b27e515df83c
4.9 KiB
text/x-python
ssh: introduce 'kallithea-cli ssh-update-authorized-keys' command for updating authorized_keys file
Based on work by Ilya Beda <ir4y.ix@gmail.com> on
https://bitbucket.org/ir4y/rhodecode/commits/branch/ssh_server_support ,
incorporating gearbox support by Anton Schur <tonich.sh@gmail.com> and also
heavily modified by Mads Kiilerich.
This commit also incorporates a fix for Windows by Dominik Ruf,
and better handling of the case where the parent dir of 'authorized_keys'
does not exist or is not writable, by Bradley M. Kuhn <bkuhn@ebb.org>.
Based on work by Ilya Beda <ir4y.ix@gmail.com> on
https://bitbucket.org/ir4y/rhodecode/commits/branch/ssh_server_support ,
incorporating gearbox support by Anton Schur <tonich.sh@gmail.com> and also
heavily modified by Mads Kiilerich.
This commit also incorporates a fix for Windows by Dominik Ruf,
and better handling of the case where the parent dir of 'authorized_keys'
does not exist or is not writable, by Bradley M. Kuhn <bkuhn@ebb.org>.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 | # -*- coding: utf-8 -*-
"""
kallithea.lib.ssh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:created_on: Dec 10, 2012
:author: ir4y
:copyright: (C) 2012 Ilya Beda <ir4y.ix@gmail.com>
:license: GPLv3, see COPYING for more details.
"""
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import logging
import binascii
import re
from tg.i18n import ugettext as _
log = logging.getLogger(__name__)
class SshKeyParseError(Exception):
"""Exception raised by parse_pub_key"""
def parse_pub_key(ssh_key):
r"""Parse SSH public key string, raise SshKeyParseError or return decoded keytype, data and comment
>>> getfixture('doctest_mock_ugettext')
>>> parse_pub_key('')
Traceback (most recent call last):
...
SshKeyParseError: SSH key is missing
>>> parse_pub_key('''AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ''')
Traceback (most recent call last):
...
SshKeyParseError: Incorrect SSH key - it must have both a key type and a base64 part
>>> parse_pub_key('''abc AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ''')
Traceback (most recent call last):
...
SshKeyParseError: Incorrect SSH key - it must start with 'ssh-(rsa|dss|ed25519)'
>>> parse_pub_key('''ssh-rsa AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ''')
Traceback (most recent call last):
...
SshKeyParseError: Incorrect SSH key - failed to decode base64 part 'AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ'
>>> parse_pub_key('''ssh-rsa AAAAB2NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ==''')
Traceback (most recent call last):
...
SshKeyParseError: Incorrect SSH key - base64 part is not 'ssh-rsa' as claimed but 'csh-rsa'
>>> parse_pub_key('''ssh-rsa AAAAB3NzaC1yc2EAAAA'LVGhpcyBpcyBmYWtlIQ''')
Traceback (most recent call last):
...
SshKeyParseError: Incorrect SSH key - unexpected characters in base64 part "AAAAB3NzaC1yc2EAAAA'LVGhpcyBpcyBmYWtlIQ"
>>> parse_pub_key(''' ssh-rsa AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ== and a comment
... ''')
('ssh-rsa', '\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x0bThis is fake!', 'and a comment\n')
"""
if not ssh_key:
raise SshKeyParseError(_("SSH key is missing"))
parts = ssh_key.split(None, 2)
if len(parts) < 2:
raise SshKeyParseError(_("Incorrect SSH key - it must have both a key type and a base64 part"))
keytype, keyvalue, comment = (parts + [''])[:3]
if keytype not in ('ssh-rsa', 'ssh-dss', 'ssh-ed25519'):
raise SshKeyParseError(_("Incorrect SSH key - it must start with 'ssh-(rsa|dss|ed25519)'"))
if re.search(r'[^a-zA-Z0-9+/=]', keyvalue):
raise SshKeyParseError(_("Incorrect SSH key - unexpected characters in base64 part %r") % keyvalue)
try:
decoded = keyvalue.decode('base64')
except binascii.Error:
raise SshKeyParseError(_("Incorrect SSH key - failed to decode base64 part %r") % keyvalue)
if not decoded.startswith('\x00\x00\x00\x07' + str(keytype) + '\x00'):
raise SshKeyParseError(_("Incorrect SSH key - base64 part is not %r as claimed but %r") % (str(keytype), str(decoded[4:].split('\0', 1)[0])))
return keytype, decoded, comment
SSH_OPTIONS = 'no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
def authorized_keys_line(kallithea_cli_path, config_file, key):
"""
Return a line as it would appear in .authorized_keys
>>> from kallithea.model.db import UserSshKeys, User
>>> user = User(user_id=7, username='uu')
>>> key = UserSshKeys(user_ssh_key_id=17, user=user, description='test key')
>>> key.public_key='''ssh-rsa AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ== and a comment'''
>>> authorized_keys_line('/srv/kallithea/venv/bin/kallithea-cli', '/srv/kallithea/my.ini', key)
'no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/srv/kallithea/venv/bin/kallithea-cli ssh-serve -c /srv/kallithea/my.ini 7 17" ssh-rsa AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ==\\n'
"""
try:
keytype, decoded, comment = parse_pub_key(key.public_key)
except SshKeyParseError:
return '# Invalid Kallithea SSH key: %s %s\n' % (key.user.user_id, key.user_ssh_key_id)
mimekey = decoded.encode('base64').replace('\n', '')
return '%s,command="%s ssh-serve -c %s %s %s" %s %s\n' % (
SSH_OPTIONS, kallithea_cli_path, config_file,
key.user.user_id, key.user_ssh_key_id,
keytype, mimekey)
|