From ddfd8a2fd3f51072faa5bd1fb6c45b6e178f838a Mon Sep 17 00:00:00 2001 From: Anders Ingemann Date: Wed, 10 Feb 2016 21:56:52 +0100 Subject: [PATCH] admin_user: Allow pubkey & password to be used together Also change README a little, add some comments and get the code a little more in line with the style of bootstrap-vz --- bootstrapvz/plugins/admin_user/README.rst | 37 +++++++--- bootstrapvz/plugins/admin_user/__init__.py | 19 ++--- bootstrapvz/plugins/admin_user/tasks.py | 86 +++++++++------------- 3 files changed, 66 insertions(+), 76 deletions(-) diff --git a/bootstrapvz/plugins/admin_user/README.rst b/bootstrapvz/plugins/admin_user/README.rst index 3e5d0f8..dcf891e 100644 --- a/bootstrapvz/plugins/admin_user/README.rst +++ b/bootstrapvz/plugins/admin_user/README.rst @@ -4,27 +4,40 @@ Admin user This plugin creates a user with passwordless sudo privileges. It also disables the SSH root login. There are three ways to grant access to the admin user: -- Set a password for the user, or -- Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) +- Set a password for the user +- Provide a SSH public key to allow remote SSH login -If a password is provided, this plugin sets the admin password. This -also re-enables password login (off by default in Jessie). +If the EC2 init scripts are installed, the script for fetching the +SSH authorized keys will be adjusted to match the username +specified in ``username``. -If the optional argument pubkey is present (it should be a full path -to a ssh public key), it will ensure that the ssh public key is used -to set up password less remote login for the admin user. +If a password is provided (the ``password`` setting), +this plugin sets the admin password, which also re-enables +SSH password login (off by default in Jessie or newer). -Only one of these options (password, or pubkey) may be specified. +If the optional setting ``pubkey`` is present (it should be a full path +to a SSH public key), you will be able to log in to the admin user account +using the corresponding private key +(this disables the EC2 public key injection mechanism). -If neither the password not a ssh public key location are specified, -and if the EC2 init scripts are installed, the script for fetching the -SSH authorized keys will be adjust to match the username specified. +The ``password`` and ``pubkey`` settings can be used at the same time. Settings ~~~~~~~~ - ``username``: The username of the account to create. ``required`` - ``password``: An optional password for the account to create. ``optional`` -- ``pubkey``: The full path to an ssh public key to allow +- ``pubkey``: The full path to an SSH public key to allow remote access into the admin account. ``optional`` + +Example: + +.. code:: yaml + + --- + plugins: + admin_user: + username: admin + password: s3cr3t + pubkey: /home/bootstrap-vz/.ssh/id_rsa diff --git a/bootstrapvz/plugins/admin_user/__init__.py b/bootstrapvz/plugins/admin_user/__init__.py index b7e8696..051aa9c 100644 --- a/bootstrapvz/plugins/admin_user/__init__.py +++ b/bootstrapvz/plugins/admin_user/__init__.py @@ -4,14 +4,10 @@ def validate_manifest(data, validator, error): import os.path schema_path = os.path.normpath(os.path.join(os.path.dirname(__file__), 'manifest-schema.yml')) validator(data, schema_path) - if ('password' in data['plugins']['admin_user'] and 'pubkey' in data['plugins']['admin_user']): - msg = 'passwd and pubkey are mutually exclusive.' - error(msg, ['plugins', 'admin_user']) - if 'pubkey' in data['plugins']['admin_user']: - full_path = data['plugins']['admin_user']['pubkey'] - if not os.path.exists(full_path): - msg = 'Could not find public key at %s' % full_path - error(msg, ['plugins', 'admin_user']) + pubkey = data['plugins']['admin_user'].get('pubkey', None) + if pubkey is not None and not os.path.exists(pubkey): + msg = 'Could not find public key at %s' % pubkey + error(msg, ['plugins', 'admin_user', 'pubkey']) def resolve_tasks(taskset, manifest): @@ -25,11 +21,10 @@ def resolve_tasks(taskset, manifest): if 'password' in manifest.plugins['admin_user']: taskset.discard(ssh.DisableSSHPasswordAuthentication) taskset.add(tasks.AdminUserCredentialsPassword) + if 'pubkey' in manifest.plugins['admin_user']: + taskset.add(tasks.AdminUserCredentialsPublicKey) else: - if 'pubkey' in manifest.plugins['admin_user']: - taskset.add(tasks.AdminUserCredentialsPublicKey) - else: - taskset.add(tasks.AdminUserCredentialsEc2) + taskset.add(tasks.AdminUserCredentialsEc2) taskset.update([tasks.AddSudoPackage, tasks.CreateAdminUser, diff --git a/bootstrapvz/plugins/admin_user/tasks.py b/bootstrapvz/plugins/admin_user/tasks.py index 4293ee9..38a4cbf 100644 --- a/bootstrapvz/plugins/admin_user/tasks.py +++ b/bootstrapvz/plugins/admin_user/tasks.py @@ -3,8 +3,9 @@ from bootstrapvz.common import phases from bootstrapvz.common.tasks.initd import InstallInitScripts from bootstrapvz.providers.ec2.tasks.initd import AddEC2InitScripts -import logging import os +import logging +log = logging.getLogger(__name__) class AddSudoPackage(Task): @@ -44,85 +45,66 @@ class PasswordlessSudo(Task): os.chmod(sudo_admin_path, ug_read_only) -class AdminUserCredentialsPassword(Task): - description = 'Set up access credentials for the admin user with a given password' +class AdminUserPassword(Task): + description = 'Setting the admin user password' phase = phases.system_modification predecessors = [InstallInitScripts, CreateAdminUser] @classmethod def run(cls, info): from bootstrapvz.common.tools import log_check_call - log = logging.getLogger(__name__) - - log.debug('Setting the password for the admin user.') - log_check_call( - ['chroot', info.root, 'chpasswd'], - info.manifest.plugins['admin_user']['username'] + - ':' + info.manifest.plugins['admin_user']['password'] - ) - return + log_check_call(['chroot', info.root, 'chpasswd'], + info.manifest.plugins['admin_user']['username'] + + ':' + info.manifest.plugins['admin_user']['password']) -class AdminUserCredentialsPublicKey(Task): - description = 'Set up access credentials for the admin user with a given public key' +class AdminUserPublicKey(Task): + description = 'Installing the public key for the admin user' phase = phases.system_modification predecessors = [AddEC2InitScripts, CreateAdminUser] successors = [InstallInitScripts] @classmethod def run(cls, info): - from bootstrapvz.common.tools import log_check_call - - log = logging.getLogger(__name__) - - import stat - from shutil import copy - full_path = info.manifest.plugins['admin_user']['pubkey'] - log.debug('Copying public key from {path}'.format(path=full_path)) - if 'ec2-get-credentials' in info.initd['install']: - log.warn( - 'You are using a static public key for the admin account.' - ' This will conflict with the ec2 public key injection mechanisn.' - ' The ec2-get-credentials startup script has therefore been disabled.') + log.warn('You are using a static public key for the admin account.' + 'This will conflict with the ec2 public key injection mechanism.' + 'The ec2-get-credentials startup script will therefore not be enabled.') del info.initd['install']['ec2-get-credentials'] + # Get the stuff we need (username & public key) username = info.manifest.plugins['admin_user']['username'] + with open(info.manifest.plugins['admin_user']['pubkey']) as pubkey_handle: + pubkey = pubkey_handle.read() - ssh_file = os.path.join('/home', username, '.ssh/authorized_keys') - rel_ssh_file = os.path.join(info.root, 'home', username, '.ssh/authorized_keys') + # Create the ssh dir if nobody has created it yet + ssh_dir = os.path.join('/home', username, '.ssh') + if not os.path.exists(ssh_dir): + os.mkdir(ssh_dir, 0700) - ssh_dir = os.path.dirname(ssh_file) - rel_ssh_dir = os.path.dirname(rel_ssh_file) - if not os.path.exists(rel_ssh_dir): - log.debug('Creating %s.' % rel_ssh_dir) - os.mkdir(rel_ssh_dir) + # Create (or append to) the authorized keys file (and chmod u=rw,go=) + import stat + auth_keys_abs = os.path.join(info.root, 'home', username, '.ssh/authorized_keys') + with open(auth_keys_abs, 'a') as auth_keys_handle: + auth_keys_handle.write(pubkey + '\n') + os.chmod(auth_keys_abs, (stat.S_IRUSR | stat.S_IWUSR)) - log.debug('setting %s mode 700' % rel_ssh_dir) - mode = (stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR) - os.chmod(rel_ssh_dir, mode) - - copy(full_path, rel_ssh_file) - - mode = (stat.S_IRUSR | stat.S_IWUSR) - os.chmod(rel_ssh_file, mode) - - log_check_call(['chroot', info.root, 'chown', '-R', username, ssh_dir]) - return + # Set the owner of the authorized keys file + # (must be through chroot, the host system doesn't know about the user) + from bootstrapvz.common.tools import log_check_call + auth_keys_rel = os.path.join(ssh_dir, 'authorized_keys') + log_check_call(['chroot', info.root, + 'chown', '-R', username, auth_keys_rel]) -class AdminUserCredentialsEC2(Task): - description = 'Set up access credentials for the admin user using the EC2 credentials' +class AdminUserPublicKeyEC2(Task): + description = 'Modifying ec2-get-credentials to copy the ssh public key to the admin user' phase = phases.system_modification predecessors = [InstallInitScripts, CreateAdminUser] @classmethod def run(cls, info): from bootstrapvz.common.tools import sed_i - log = logging.getLogger(__name__) - getcreds_path = os.path.join(info.root, 'etc/init.d/ec2-get-credentials') - log.debug('Updating EC2 get credentials script.') username = info.manifest.plugins['admin_user']['username'] - sed_i(getcreds_path, "username='root'", - "username='{username}'".format(username=username)) + sed_i(getcreds_path, "username='root'", "username='{username}'".format(username=username))