[Extraction residue: compiled Python bytecode (.pyc) of /usr/lib/python3/dist-packages/cloudinit/config/cc_ssh.py. Only the module and function docstrings are recoverable; they are reproduced below.]

Module docstring: "SSH: Configure SSH and SSH keys"

set_redhat_keyfile_perms(keyfile) docstring:
For fedora 37, centos 9 stream and below:
- sshd version is earlier than version 9.
- 'ssh_keys' group is present and owns the private keys.
- private keys have permission 0o640.
For fedora 38, centos 10 stream and above:
- ssh version is at least version 9.
- 'ssh_keys' group is absent. 'root' group owns the keys.
- private keys have permission 0o600, same as upstream.
Public keys in all cases have permission 0o644.

get_public_host_keys(blacklist=None) docstring:
Read host keys from /etc/ssh/*.pub files and return them as a list.
@param blacklist: List of key types to ignore. e.g. ['rsa']
@returns: List of keys, each formatted as a two-element tuple. e.g.
[('ssh-rsa', 'AAAAB3Nz...'), ('ssh-ed25519', 'AAAAC3Nx...')]