subiquity/subiquitycore/ssh.py

# Copyright 2020 Canonical, Ltd.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging
import os
import pwd
from pathlib import Path

from subiquitycore.utils import run_command

log = logging.getLogger("subiquitycore.ssh")


def host_key_fingerprints():
    """Query sshd to find the host keys and then fingerprint them.

    Returns a sequence of (key-type, fingerprint) pairs.
    """
    try:
        config = run_command(["sshd", "-T"])
    except FileNotFoundError:
        log.debug("sshd not found")
        return []
    if config.returncode != 0:
        log.debug("sshd -T failed %r", config.stderr)
        return []
    keyfiles = []
    for line in config.stdout.splitlines():
        if line.startswith("hostkey "):
            keyfiles.append(line.split(None, 1)[1])
    info = []
    for keyfile in keyfiles:
        info.extend(fingerprints(keyfile))
    return info


def fingerprints(keyfile):
    info = []
    cp = run_command(["ssh-keygen", "-lf", keyfile])
    if cp.returncode != 0:
        log.debug("ssh-keygen -lf %s failed %r", keyfile, cp.stderr)
        return info
    for line in cp.stdout.splitlines():
        parts = line.strip().replace("\r", "").split()
        fingerprint = parts[1]
        keytype = parts[-1].strip("()")
        info.append((keytype, fingerprint))
    return info


host_keys_intro = _(
    """\
The host key fingerprints are:
"""
)

host_key_tmpl = """
    {keytype:{width}} {fingerprint}"""

single_host_key_tmpl = _(
    """\
The {keytype} host key fingerprint is:
    {fingerprint}
"""
)


def host_key_info(runtime_state_dir=None):
    if runtime_state_dir:
        # host fingerprints information may have already been prepared by the
        # platform glue
        host_fingerprints = Path(runtime_state_dir) / "host-fingerprints.txt"
        log.debug(
            "pre-made host finterprints %s present: %s",
            host_fingerprints,
            host_fingerprints.is_file(),
        )
        if host_fingerprints.is_file():
            with open(host_fingerprints, "r") as fp:
                return fp.read()

    return summarize_host_keys(host_key_fingerprints())


def summarize_host_keys(fingerprints):
    if len(fingerprints) == 0:
        return ""
    if len(fingerprints) == 1:
        [(keytype, fingerprint)] = fingerprints
        return _(single_host_key_tmpl).format(keytype=keytype, fingerprint=fingerprint)
    lines = [_(host_keys_intro)]
    longest_type = max([len(keytype) for keytype, _ in fingerprints])
    for keytype, fingerprint in fingerprints:
        lines.append(
            host_key_tmpl.format(
                keytype=keytype, fingerprint=fingerprint, width=longest_type
            )
        )
    return "".join(lines)


def user_key_fingerprints(username):
    try:
        user_info = pwd.getpwnam(username)
    except KeyError:
        log.exception("getpwnam(%s) failed", username)
        return []
    user_key_file = "{}/.ssh/authorized_keys".format(user_info.pw_dir)
    if os.path.exists(user_key_file):
        return fingerprints(user_key_file)
    else:
        return []


def get_ips_standalone():
    from probert.prober import Prober

    from subiquitycore.models.network import NETDEV_IGNORED_IFACE_TYPES

    prober = Prober()
    prober.probe_network()
    links = prober.get_results()["network"]["links"]
    ips = []
    for link in sorted(links, key=lambda link: link["netlink_data"]["name"]):
        if link["type"] in NETDEV_IGNORED_IFACE_TYPES:
            continue
        for addr in link["addresses"]:
            if addr["scope"] == "global":
                ips.append(addr["address"].split("/")[0])
    return ips
include ssh host key details in ssh help 2020-04-06 02:10:26 +00:00			`# Copyright 2020 Canonical, Ltd.`
			`#`
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Affero General Public License as`
			`# published by the Free Software Foundation, either version 3 of the`
			`# License, or (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Affero General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU Affero General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`import logging`
do not set installer user password if it has password or authorized keys dearie me making a nice UI can involve a lot of typing. 2021-03-25 00:54:58 +00:00			`import os`
			`import pwd`
console_conf: identity: move strict confinement handling to ssh Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com> 2024-01-05 18:15:57 +00:00			`from pathlib import Path`
include ssh host key details in ssh help 2020-04-06 02:10:26 +00:00
			`from subiquitycore.utils import run_command`

			`log = logging.getLogger("subiquitycore.ssh")`


			`def host_key_fingerprints():`
			`"""Query sshd to find the host keys and then fingerprint them.`

			`Returns a sequence of (key-type, fingerprint) pairs.`
			`"""`
fix getting ssh info when sshd is not installed 2022-11-27 23:40:49 +00:00			`try:`
			`config = run_command(["sshd", "-T"])`
			`except FileNotFoundError:`
			`log.debug("sshd not found")`
			`return []`
include ssh host key details in ssh help 2020-04-06 02:10:26 +00:00			`if config.returncode != 0:`
			`log.debug("sshd -T failed %r", config.stderr)`
			`return []`
			`keyfiles = []`
			`for line in config.stdout.splitlines():`
			`if line.startswith("hostkey "):`
			`keyfiles.append(line.split(None, 1)[1])`
			`info = []`
			`for keyfile in keyfiles:`
do not set installer user password if it has password or authorized keys dearie me making a nice UI can involve a lot of typing. 2021-03-25 00:54:58 +00:00			`info.extend(fingerprints(keyfile))`
			`return info`


			`def fingerprints(keyfile):`
			`info = []`
			`cp = run_command(["ssh-keygen", "-lf", keyfile])`
			`if cp.returncode != 0:`
			`log.debug("ssh-keygen -lf %s failed %r", keyfile, cp.stderr)`
			`return info`
			`for line in cp.stdout.splitlines():`
			`parts = line.strip().replace("\r", "").split()`
			`fingerprint = parts[1]`
			`keytype = parts[-1].strip("()")`
include ssh host key details in ssh help 2020-04-06 02:10:26 +00:00			`info.append((keytype, fingerprint))`
			`return info`


			`host_keys_intro = _(`
			`"""\`
			`The host key fingerprints are:`
			`"""`
			`)`

			`host_key_tmpl = """`
			`{keytype:{width}} {fingerprint}"""`

			`single_host_key_tmpl = _(`
			`"""\`
do not set installer user password if it has password or authorized keys dearie me making a nice UI can involve a lot of typing. 2021-03-25 00:54:58 +00:00			`The {keytype} host key fingerprint is:`
include ssh host key details in ssh help 2020-04-06 02:10:26 +00:00			`{fingerprint}`
			`"""`
			`)`


subiquitycore: use a premade host key fingerprints info if present It is possible that the platform integration glue may have already prepared a summary of host key fingerprints at the state directory. If so, use it otherwise, try to build the summary directly. Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com> 2024-02-06 13:55:04 +00:00			`def host_key_info(runtime_state_dir=None):`
			`if runtime_state_dir:`
			`# host fingerprints information may have already been prepared by the`
			`# platform glue`
			`host_fingerprints = Path(runtime_state_dir) / "host-fingerprints.txt"`
			`log.debug(`
			`"pre-made host finterprints %s present: %s",`
			`host_fingerprints,`
			`host_fingerprints.is_file(),`
			`)`
console_conf: identity: move strict confinement handling to ssh Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com> 2024-01-05 18:15:57 +00:00			`if host_fingerprints.is_file():`
ssh: fix unclosed file 2024-02-08 05:45:06 +00:00			`with open(host_fingerprints, "r") as fp:`
			`return fp.read()`
subiquitycore: use a premade host key fingerprints info if present It is possible that the platform integration glue may have already prepared a summary of host key fingerprints at the state directory. If so, use it otherwise, try to build the summary directly. Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com> 2024-02-06 13:55:04 +00:00
			`return summarize_host_keys(host_key_fingerprints())`
do not set installer user password if it has password or authorized keys dearie me making a nice UI can involve a lot of typing. 2021-03-25 00:54:58 +00:00

			`def summarize_host_keys(fingerprints):`
include ssh host key details in ssh help 2020-04-06 02:10:26 +00:00			`if len(fingerprints) == 0:`
			`return ""`
			`if len(fingerprints) == 1:`
			`[(keytype, fingerprint)] = fingerprints`
			`return _(single_host_key_tmpl).format(keytype=keytype, fingerprint=fingerprint)`
			`lines = [_(host_keys_intro)]`
			`longest_type = max([len(keytype) for keytype, _ in fingerprints])`
			`for keytype, fingerprint in fingerprints:`
			`lines.append(`
			`host_key_tmpl.format(`
			`keytype=keytype, fingerprint=fingerprint, width=longest_type`
			`)`
format with black + isort 2023-07-25 21:26:25 +00:00			`)`
include ssh host key details in ssh help 2020-04-06 02:10:26 +00:00			`return "".join(lines)`
Review comments 2020-04-15 23:22:52 +00:00

do not set installer user password if it has password or authorized keys dearie me making a nice UI can involve a lot of typing. 2021-03-25 00:54:58 +00:00			`def user_key_fingerprints(username):`
			`try:`
			`user_info = pwd.getpwnam(username)`
			`except KeyError:`
			`log.exception("getpwnam(%s) failed", username)`
			`return []`
			`user_key_file = "{}/.ssh/authorized_keys".format(user_info.pw_dir)`
			`if os.path.exists(user_key_file):`
			`return fingerprints(user_key_file)`
			`else:`
			`return []`


Review comments 2020-04-15 23:22:52 +00:00			`def get_ips_standalone():`
			`from probert.prober import Prober`
format with black + isort 2023-07-25 21:26:25 +00:00
Review comments 2020-04-15 23:22:52 +00:00			`from subiquitycore.models.network import NETDEV_IGNORED_IFACE_TYPES`
format with black + isort 2023-07-25 21:26:25 +00:00
Review comments 2020-04-15 23:22:52 +00:00			`prober = Prober()`
			`prober.probe_network()`
			`links = prober.get_results()["network"]["links"]`
			`ips = []`
fix some lint found by new version of flake8 2020-05-11 22:41:54 +00:00			`for link in sorted(links, key=lambda link: link["netlink_data"]["name"]):`
			`if link["type"] in NETDEV_IGNORED_IFACE_TYPES:`
Review comments 2020-04-15 23:22:52 +00:00			`continue`
fix some lint found by new version of flake8 2020-05-11 22:41:54 +00:00			`for addr in link["addresses"]:`
Review comments 2020-04-15 23:22:52 +00:00			`if addr["scope"] == "global":`
			`ips.append(addr["address"].split("/")[0])`
			`return ips`