nh: remove hardcoded .ssh/authorized_keys2 everywhere
This commit is contained in:
parent
19d523c8c4
commit
4cb09a9570
10 changed files with 29 additions and 20 deletions
|
@ -645,14 +645,14 @@ if [ "$nothing" = 0 ]; then
|
|||
fi
|
||||
|
||||
# fix bad authorized_keys2 contents created in some cases before v2.30.00
|
||||
action_doing "Fixing potential buggy keys in authorized_keys2 contents"
|
||||
action_doing "Fixing potential buggy keys in $AK_FILE contents"
|
||||
at_least_one_changed=0
|
||||
for account in $(getent passwd | grep ":$basedir/bin/shell/osh.pl$" | cut -d: -f1); do
|
||||
test -f "/home/$account/.ssh/authorized_keys2" || continue
|
||||
grep -Eq '^from="[^ ]+"(ssh-|ecdsa-)' "/home/$account/.ssh/authorized_keys2" || continue
|
||||
test -f "/home/$account/$AK_FILE" || continue
|
||||
grep -Eq '^from="[^ ]+"(ssh-|ecdsa-)' "/home/$account/$AK_FILE" || continue
|
||||
at_least_one_changed=1
|
||||
action_detail "... $account"
|
||||
sed_compat 's/^(from="[^ ]+")(ssh-|ecdsa-)/\1 \2/g' "/home/$account/.ssh/authorized_keys2"
|
||||
sed_compat 's/^(from="[^ ]+")(ssh-|ecdsa-)/\1 \2/g' "/home/$account/$AK_FILE"
|
||||
done
|
||||
if [ "$at_least_one_changed" = 1 ]; then
|
||||
action_done
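Review bot: The loop still hardcodes the home directory as `/home/$account` on the `test`, `grep -Eq` and `sed_compat` lines, while the watcher hunk (`@ -84,8 +84,8`) now takes the home from the passwd entry with `cut -d: -f6`; an account whose home is elsewhere is skipped silently by the `|| continue`. Reading the home field here too, e.g. `while IFS=: read -r account _ _ _ _ home _; do` with `"$home/$AK_FILE"` in place of `"/home/$account/$AK_FILE"`, and feeding the loop with `done < <(getent passwd | grep ":$basedir/bin/shell/osh.pl$")` so that `at_least_one_changed=1` is not lost in a pipeline subshell, would align the two. Since `$AK_FILE` is defined in lib/shell/functions.inc, an empty value (file not sourced, or sourced after this point) turns the path into the `.ssh` directory itself and the repair is silently skipped for every account; a `: "${AK_FILE:?AK_FILE is not set}"` guard before the loop makes that loud. The trailing `if [ "$at_least_one_changed" = 1 ]` block ends outside the hunk.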
|
||||
|
|
|
@ -84,8 +84,8 @@ do
|
|||
test -e "$grouphome/allowed.ip" && echo "$grouphome/allowed.ip"
|
||||
done
|
||||
# all authorized_keys files of bastion accounts:
|
||||
for accountssh in $(getent passwd | grep ":$basedir/bin/shell/osh.pl\$" | cut -d: -f1 | sed 's=^=/home/=;s=$=/.ssh/='); do
|
||||
find "$accountssh" -mindepth 1 -maxdepth 1 -name 'authorized_keys*' ! -name "*.backup*" -type f -print
|
||||
for accounthome in $(getent passwd | grep ":$basedir/bin/shell/osh.pl\$" | cut -d: -f6); do
|
||||
test -f "$accounthome/$AK_FILE" && echo "$accounthome/$AK_FILE"
|
||||
done
|
||||
} | head -"$maxfiles" | timeout "$timeout" inotifywait -e close_write -e moved_to -e create -e delete -e delete_self --quiet --recursive --csv --fromfile - ; ret=$?
|
||||
if [ "$ret" = 124 ] ; then
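Review bot: The comment `# all authorized_keys files of bastion accounts:` no longer matches the code below it: the old `find -name 'authorized_keys*'` watched every `authorized_keys*` variant in each `.ssh`, whereas the new line watches only `$accounthome/$AK_FILE`, and only when it already exists at watcher start. If narrowing the watch set is intended, change the comment to `# the $AK_FILE of each bastion account (only files existing at startup are watched):`; if a legacy `.ssh/authorized_keys` can still be honoured by sshd on an installed bastion, changes to it now go unobserved, which is worth confirming. `$accounthome` is also unquoted in the `for` list, so a home directory containing whitespace would be split; that was equally true of the old loop. The enclosing `{ ... }` group starts outside the hunk.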
|
||||
|
|
|
@ -217,11 +217,12 @@ mkdir $homedir . "/.ssh" if (!-d "$homedir/.ssh");
|
|||
chmod 0750, $homedir . "/.ssh";
|
||||
chown $uid, $uid, "$homedir/.ssh";
|
||||
|
||||
if (!OVH::Bastion::touch_file("$homedir/.ssh/authorized_keys2")) {
|
||||
my $akfile = $homedir . '/' . OVH::Bastion::AK_FILE;
|
||||
if (!OVH::Bastion::touch_file($akfile)) {
|
||||
HEXIT('ERR_CANNOT_CREATE_FILE', msg => "Failed to create authorized_keys file");
|
||||
}
|
||||
chmod 0640, $homedir . "/.ssh/authorized_keys2";
|
||||
chown $uid, $uid, "$homedir/.ssh/authorized_keys2";
|
||||
chmod 0640, $akfile;
|
||||
chown $uid, $uid, $akfile;
|
||||
|
||||
osh_info "Creating tty group of account...";
|
||||
$fnret = OVH::Bastion::sys_groupadd(noisy_stderr => 1, group => $ttygroup, gid => $ttygid);
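Review bot: The new `chmod 0640, $akfile;` and `chown $uid, $uid, $akfile;` lines discard their return values, so a failure leaves the freshly created authorized_keys file with whatever mode and owner `touch_file` produced while account creation carries on as if it succeeded; the old hardcoded lines had the same gap, but since they are being rewritten it is the moment to write `chmod 0640, $akfile or HEXIT('ERR_CANNOT_CREATE_FILE', msg => "Failed to chmod $akfile: $!");` and the equivalent `or HEXIT(...)` for the `chown`. Note that `$akfile` embeds `.ssh/` from the constant while the `mkdir`, `chmod 0750` and `chown` of `$homedir/.ssh` just above stay hardcoded, so the constant cannot in practice be pointed outside `.ssh/` without touching this code; a one-line comment next to `my $akfile` saying so would stop the next reader from assuming otherwise. The same `$home . '/' . OVH::Bastion::AK_FILE` concatenation is repeated in the later hunks (`@ -42,7`, `@ -38,7`, `@ -24,7`, `@ -765,7`, `@ -808,7`), sometimes as `AK_FILE()` and sometimes bare; a single helper such as `OVH::Bastion::ak_file_path($home)` would keep the path logic in one place. The surrounding script body continues outside the hunk.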
|
||||
|
@ -349,16 +350,15 @@ osh_debug('user keyreader added to group');
|
|||
my $finalPrefix = $realmFrom ? sprintf('from="%s"', $realmFrom) : $from;
|
||||
$finalPrefix .= ' ' if $finalPrefix;
|
||||
|
||||
osh_info "Adding provided public key in authorized_keys...";
|
||||
my $allowedKeyFile = $homedir . '/.ssh/authorized_keys2';
|
||||
if (open(my $fh_keys, '>>', $allowedKeyFile)) {
|
||||
osh_info "Adding provided public key in authorized_keys file...";
|
||||
if (open(my $fh_keys, '>>', $akfile)) {
|
||||
foreach my $key (@vettedKeys) {
|
||||
print $fh_keys $finalPrefix . $key . "\n";
|
||||
}
|
||||
close($fh_keys);
|
||||
}
|
||||
else {
|
||||
HEXIT("ERR_CANNOT_ADD_KEY", msg => "Couldn't open $allowedKeyFile when trying to add provided public key");
|
||||
HEXIT("ERR_CANNOT_ADD_KEY", msg => "Couldn't open $akfile when trying to add provided public key");
|
||||
}
|
||||
|
||||
# push this flag to prevent ssh/telnet usage
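Review bot: `close($fh_keys);` ignores its return value, so a buffered write that fails at close (full disk, quota) leaves a truncated or missing key in `$akfile` while the script reports success and goes on; `close($fh_keys) or HEXIT("ERR_CANNOT_ADD_KEY", msg => "Couldn't write $akfile: $!");` closes that gap, and the `print $fh_keys ...` inside the loop deserves the same check. This was already true with `$allowedKeyFile`, but the open/HEXIT branch is being rewritten anyway. `$akfile` is declared with `my` in the earlier hunk (`@ -217,11 +217,12`), roughly 130 lines up, presumably at file scope; a reader of this hunk alone cannot see that, so a short comment such as `# $akfile: the account's authorized_keys path, created earlier in this script` helps. The surrounding script continues outside the hunk.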
|
||||
|
@ -369,7 +369,7 @@ if ($oshOnly) {
|
|||
|
||||
# chown to root so user can no longer touch it
|
||||
if ($immutableKey) {
|
||||
chown 0, -1, $allowedKeyFile;
|
||||
chown 0, -1, $akfile;
|
||||
}
|
||||
|
||||
osh_info "Generating account personal bastion key...";
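Review bot: `chown 0, -1, $akfile;` is the whole enforcement of `$immutableKey`, yet its return value is ignored, so if the chown fails the account keeps a file it can edit and nothing reports it; `chown 0, -1, $akfile or HEXIT('ERR_<code per script conventions>', msg => "Couldn't chown $akfile to root: $!");` makes the failure visible. It is also worth stating in the `# chown to root ...` comment that the parent `$homedir/.ssh` is created owned by `$uid` with mode 0750 in the earlier hunk, so root ownership of the file alone does not by itself prevent the account from replacing the file; if that is meant to be covered by `immutableKey`, the directory needs the same treatment, otherwise documenting the limitation next to the comment is enough. The `if ($oshOnly)` region named in the hunk header starts outside the hunk.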
|
||||
|
|
|
@ -80,7 +80,7 @@ else {
|
|||
#<PARAMS:ACCOUNT
|
||||
|
||||
my @keys;
|
||||
foreach my $file ("$accounthome/.ssh/authorized_keys2", "$accounthome/.ssh/authorized_keys") {
|
||||
foreach my $file ($accounthome . '/' . OVH::Bastion::AK_FILE) {
|
||||
$fnret = OVH::Bastion::get_authorized_keys_from_file(file => $file);
|
||||
push @keys, @{$fnret->value} if ($fnret && $fnret->value);
|
||||
}
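Review bot: The new `foreach my $file (...)` iterates over exactly one element, which reads as a leftover of the two-file loop; either collapse it to `my $file = $accounthome . '/' . OVH::Bastion::AK_FILE;` followed by the two statements, or keep the loop with a comment such as `# single file today; kept as a loop so further key files can be added`. More importantly, the legacy `$accounthome/.ssh/authorized_keys` that the old loop also read is no longer listed, so if sshd on the bastion still consults that default path, keys stored there become invisible to this listing, an audit gap rather than a lockout; confirm that no such file can exist on an installed bastion, or keep reading it here. The surrounding script continues outside the hunk.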
|
||||
|
|
|
@ -42,7 +42,7 @@ if ($fnret && $fnret->value eq 'yes') {
|
|||
osh_exit R('ERR_ACCESS_DENIED', msg => "PIV-only policy is enabled for your account, you can't add new keys this way");
|
||||
}
|
||||
|
||||
my $allowedKeyFile = $HOME . '/.ssh/authorized_keys2';
|
||||
my $allowedKeyFile = $HOME . '/' . OVH::Bastion::AK_FILE;
|
||||
|
||||
if (not defined $pubKey) {
|
||||
$fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
|
||||
|
|
|
@ -38,7 +38,7 @@ if ($fingerprintToDelete and defined $lineNumberToDelete) {
|
|||
osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "You can't specify a line to delete AND a fingerprint to delete at the same time";
|
||||
}
|
||||
|
||||
my $allowedKeyFile = "$HOME/.ssh/authorized_keys2";
|
||||
my $allowedKeyFile = $HOME . '/' . OVH::Bastion::AK_FILE;
|
||||
$fnret = OVH::Bastion::get_authorized_keys_from_file(file => $allowedKeyFile, includeInvalid => 1);
|
||||
$fnret or osh_exit $fnret;
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ EOF
|
|||
|
||||
my $fnret;
|
||||
|
||||
$fnret = OVH::Bastion::get_authorized_keys_from_file(file => "$HOME/.ssh/authorized_keys2", includeInvalid => 1);
|
||||
$fnret = OVH::Bastion::get_authorized_keys_from_file(file => $HOME . '/' . OVH::Bastion::AK_FILE, includeInvalid => 1);
|
||||
$fnret or osh_exit $fnret;
|
||||
|
||||
my @result;
|
||||
|
|
|
@ -106,6 +106,10 @@ use constant {
|
|||
TOTP_FILENAME => '.otp',
|
||||
TOTP_BASEDIR => '/var/otp',
|
||||
|
||||
# authorized_keys file, relative to the user's HOME directory.
|
||||
# if you change this, also change it in lib/shell/functions.inc
|
||||
AK_FILE => '.ssh/authorized_keys2',
|
||||
|
||||
OPT_ACCOUNT_INGRESS_PIV_POLICY => 'ingress_piv_policy',
|
||||
OPT_ACCOUNT_INGRESS_PIV_GRACE => 'ingress_piv_grace',
|
||||
OPT_ACCOUNT_ALWAYS_ACTIVE => 'always_active',
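Review bot: The comment on `AK_FILE` asks for changes to be mirrored by hand in lib/shell/functions.inc, but nothing detects drift between the two definitions; a test that compares `perl -MOVH::Bastion -e 'print OVH::Bastion::AK_FILE'` (constructed example) with the value sourced from functions.inc would turn a forgotten edit into a failing test instead of two subsystems managing different files. The comment could also name what else is coupled to the value: the directory part must stay `.ssh/` because account creation creates and chowns `$homedir/.ssh` by name (hunk `@ -217,11`), and sshd's `AuthorizedKeysFile` presumably has to point at the same path for the keys to be honoured, so `# the sshd AuthorizedKeysFile setting must match this path` is worth adding if that holds. Calling the constant as `OVH::Bastion::AK_FILE()` inside the module while the scripts use the bare form is a minor style inconsistency as well. The `use constant { ... }` block starts and ends outside the hunk.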
|
||||
|
|
|
@ -765,7 +765,7 @@ sub ssh_ingress_keys_piv_apply {
|
|||
$account = $fnret->value->{'account'};
|
||||
my $dir = $fnret->value->{'dir'};
|
||||
|
||||
$fnret = OVH::Bastion::get_authorized_keys_from_file(account => $account, file => "$dir/.ssh/authorized_keys2", includePivDisabled => 1);
|
||||
$fnret = OVH::Bastion::get_authorized_keys_from_file(account => $account, file => $dir . '/' . OVH::Bastion::AK_FILE(), includePivDisabled => 1);
|
||||
$fnret or return $fnret;
|
||||
|
||||
my $keys = $fnret->value();
|
||||
|
@ -808,7 +808,7 @@ sub ssh_ingress_keys_piv_apply {
|
|||
return R('ERR_INVALID_PARAMETER', msg => "Argument 'action' must be either 'enable' or 'disable'");
|
||||
}
|
||||
|
||||
$fnret = OVH::Bastion::put_authorized_keys_to_file(account => $account, file => "$dir/.ssh/authorized_keys2", data => \@keysToWrite);
|
||||
$fnret = OVH::Bastion::put_authorized_keys_to_file(account => $account, file => $dir . '/' . OVH::Bastion::AK_FILE(), data => \@keysToWrite);
|
||||
$fnret or return $fnret;
|
||||
|
||||
OVH::Bastion::syslogFormatted(
|
||||
|
|
|
@ -4,6 +4,11 @@
|
|||
# shellcheck source=lib/shell/colors.inc disable=SC2128
|
||||
. "$(dirname "$BASH_SOURCE")"/colors.inc
|
||||
|
||||
# authorized_keys file, relative to the user's HOME directory.
|
||||
# if you change this, also change it in lib/perl/OVH/Bastion.pm
|
||||
# shellcheck disable=SC2034
|
||||
AK_FILE=".ssh/authorized_keys2"
|
||||
|
||||
OS_FAMILY=$(uname -s)
|
||||
LINUX_DISTRO=unknown
|
||||
DISTRO_VERSION=''
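Review bot: `AK_FILE=".ssh/authorized_keys2"` is a plain assignment, so any script that sources functions.inc can later overwrite it and with it every `"$home/$AK_FILE"` path derived from it; `readonly AK_FILE=".ssh/authorized_keys2"` prevents that, provided functions.inc is never sourced twice in one shell (a second `readonly` assignment errors under bash), which should be checked before switching. The `# shellcheck disable=SC2034` is needed only because the variable is consumed by other files; a comment such as `# consumed by the install script and the inotify watcher` next to it records why the warning is suppressed. As on the Perl side, a test comparing this value with `OVH::Bastion::AK_FILE` would catch the two definitions drifting apart.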
|
||||
|
|