import os
import yaml

HOST_ID_CONF = "host_id.conf"  # drop-in under CONFIG_D listing the hostkey / hostcertificate lines written below
USER_CA_CONF = "user_id.conf"  # drop-in under CONFIG_D pointing trustedusercakeys at USER_CA_KEYS
USER_CA_KEYS = "user-ca-keys"  # file under ETC that receives the user_ca_pubkey text from user-data
AUTH_KEYS_CONF = "authorized_keys.conf"  # drop-in under CONFIG_D meant to carry "authorizedkeysfile none"

ETC = "/etc/ssh"  # sshd configuration root; swapped for a scratch dir when VMADM_TESTING is set
CONFIG = "sshd_config"  # main sshd configuration file, relative to ETC
CONFIG_D = "sshd_config.d"  # drop-in directory, relative to ETC
LOGFILE = "/tmp/vmadm.script"  # script log; NOTE(review): fixed name in world-writable /tmp, opened by a root-run script
USER_DATA = "/var/lib/cloud/instance/user-data.txt"  # cloud-init user-data, parsed as YAML below


def etc_join(*paths):
    """Return *paths* joined beneath the module-level ``etc`` directory.

    ``etc`` is looked up at call time, not definition time, so the testing
    override assigned later in the script is honoured.
    """
    components = (etc,) + paths
    return os.path.join(*components)


def log(msg):
    """Write *msg* followed by a newline to the global ``logfile`` and flush at once."""
    print(msg, file=logfile, flush=True)


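# The log has a fixed name in /tmp, so create it 0600 (umask permitting) and
# refuse to write through a symlink planted at that path.  A plain
# open(LOGFILE, "w") would have followed the link and created the file with
# the default, typically world-readable, mode.
# NOTE(review): a root-written log in world-writable /tmp is still a weak
# choice; a per-boot directory under /run would be safer.
_log_flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
logfile = os.fdopen(os.open(LOGFILE, _log_flags, 0o600), "w")
log("vmadm cloud-init script starting")

# VMADM_TESTING redirects the input and the ssh directory to relative paths
# so the script can be exercised without touching the real /etc/ssh.
if os.environ.get("VMADM_TESTING"):
    filename = "smoke/user-data"
    etc = "x"
else:
    filename = USER_DATA
    etc = ETC

# Host key algorithms handled below.
# NOTE(review): ssh-dss has been disabled by default in OpenSSH since 7.0 and
# dropped in recent releases, so a "dsa" entry may simply be ignored by sshd.
key_types = ("rsa", "dsa", "ecdsa", "ed25519")

log(f"loading user-data from {filename}")
# Close the handle instead of leaving it to the GC.  An empty or comment-only
# document parses to None, which is treated as "no settings".
with open(filename) as f:
    obj = yaml.safe_load(f) or {}

# Mapping "<type>_private" / "<type>_certificate" -> text to write verbatim.
ssh_keys = obj.get("ssh_keys") or {}
# Public key(s) of the CA that signs user certificates; empty when absent.
user_ca_pubkey = obj.get("user_ca_pubkey") or ""
# False turns off the per-user authorized_keys lookup in sshd.
allow_authorized_keys = obj.get("allow_authorized_keys", True)

keys = []   # host private key files written below
certs = []  # host certificate files written below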

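# Delete any existing public halves of the host keys.
# NOTE(review): presumably so a stale .pub cannot mismatch the private key
# written below — confirm.  Removing first and handling the missing case
# avoids the exists/remove race of the previous version and logs the real
# file name instead of a placeholder.
for key_type in key_types:
    filename = etc_join(f"ssh_host_{key_type}_key.pub")
    try:
        os.remove(filename)
    except FileNotFoundError:
        log(f"file {filename} does not exist")
    else:
        log(f"removing {filename}")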

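def _write_private(path, text):
    """Write *text* to *path* as a private (0600) file.

    Host private keys must not be readable by other users.  ``open(path, "w")``
    would honour the default umask and normally create them 0644, and would
    leave an already existing 0644 file as it is; create with mode 0600 and
    fchmod the open descriptor so both cases end up private.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)
        f.write(text)


for key_type in key_types:
    key = ssh_keys.get(f"{key_type}_private")
    cert = ssh_keys.get(f"{key_type}_certificate")
    # Log presence only: the previous version wrote the private key material
    # itself into LOGFILE.  Certificates are public, so they may be logged.
    log(f"key {key_type} {'present' if key else 'absent'}")
    log(f"cert {key_type} {cert}")

    if key:
        filename = etc_join(f"ssh_host_{key_type}_key")
        log(f"writing key {filename}")
        keys.append(filename)
        _write_private(filename, key)

    if cert:
        filename = etc_join(f"ssh_host_{key_type}_key-cert.pub")
        log(f"writing cert {filename}")
        certs.append(filename)
        with open(filename, "w") as f:
            f.write(cert)

# The CA public key is not secret; default permissions are fine here.
user_ca_filename = etc_join(USER_CA_KEYS)
if user_ca_pubkey:
    with open(user_ca_filename, "w") as f:
        f.write(user_ca_pubkey)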

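# Make sure the main sshd_config exists.  The previous version read the file
# (leaking the handle) and wrote the same text back, which only ever served
# to create a missing file but left a window in which a crash would have
# truncated the live config.  Opening for append creates it when absent and
# leaves existing content untouched.
# NOTE(review): the drop-ins written below are only read if this file has an
# "Include" line for CONFIG_D (OpenSSH 8.2+); nothing here adds one, so the
# base image must already provide it — confirm.
config = etc_join(CONFIG)
with open(config, "a"):
    pass

log(f"configuring sshd {config}")
log(f"keys {keys}")
log(f"certs {certs}")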

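config_d = etc_join(CONFIG_D)
log(f"config.d {CONFIG_D}")
if not os.path.exists(config_d):
    log(f"mkdir {config_d}")
    os.mkdir(config_d)

# One hostkey / hostcertificate line per file written above.  The previous
# version wrote a literal placeholder instead of the path, producing a
# drop-in sshd could not use.  sshd_config keywords are case-insensitive.
host_id_conf = etc_join(CONFIG_D, HOST_ID_CONF)
log(f"write {host_id_conf}")
with open(host_id_conf, "w") as f:
    for filename in keys:
        log(f"hostkey {filename}")
        f.write(f"hostkey {filename}\n")
    for filename in certs:
        log(f"hostcert {filename}")
        f.write(f"hostcertificate {filename}\n")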

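def _remove_stale(path):
    """Delete a drop-in left by an earlier run whose feature is now disabled.

    Without this, a previous run's user_id.conf or authorized_keys.conf
    would keep taking effect after user-data changed.
    """
    try:
        os.remove(path)
    except FileNotFoundError:
        return
    log(f"removed stale {path}")


# trustedusercakeys: accept user certificates signed by the CA written above.
user_ca_conf = etc_join(CONFIG_D, USER_CA_CONF)
if user_ca_pubkey:
    log(f"write {user_ca_conf}")
    with open(user_ca_conf, "w") as f:
        log(f"trustedusercakeys {user_ca_filename}")
        f.write(f"trustedusercakeys {user_ca_filename}\n")
else:
    _remove_stale(user_ca_conf)

# "authorizedkeysfile none" disables the per-user authorized_keys lookup;
# whatever other methods sshd has enabled (e.g. certificates via the CA
# above) remain available.
# The previous version referenced AUTHZ_KEYS_CONF and auth_keys_conf, neither
# of which existed, so this branch always failed with NameError.
auth_keys_conf = etc_join(CONFIG_D, AUTH_KEYS_CONF)
if not allow_authorized_keys:
    log(f"write {auth_keys_conf}")
    with open(auth_keys_conf, "w") as f:
        f.write("authorizedkeysfile none\n")
else:
    _remove_stale(auth_keys_conf)

log("vmadm cloud-init script ending")
logfile.close()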