# Copyright (C) 2011 Canonical Ltd.
# Copyright (C) 2012 Hewlett-Packard Development Company, L.P.
#
# Author: Scott Moser <scott.moser@canonical.com>
# Author: Juerg Haefliger <juerg.haefliger@hp.com>
#
# This file is part of cloud-init. See LICENSE file for license information.

"""Keys to Console: Control which SSH host keys may be written to console"""

import logging
import os
from textwrap import dedent

from cloudinit import subp, util
from cloudinit.cloud import Cloud
from cloudinit.config import Config
from cloudinit.config.schema import MetaSchema, get_meta_doc
from cloudinit.settings import PER_INSTANCE

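# Path template of the fingerprint helper that cloud-init itself ships.
# ``%s`` is filled with the distro's ``usr_lib_exec`` base directory
# (see ``_get_helper_tool_path``).
HELPER_TOOL_TPL = "%s/cloud-init/write-ssh-key-fingerprints"

distros = ["all"]

# Module metadata; ``get_meta_doc`` renders it into the module docstring, so
# the adjacent string fragments below must be separated by spaces.
meta: MetaSchema = {
    "id": "cc_keys_to_console",
    "name": "Keys to Console",
    "title": "Control which SSH host keys may be written to console",
    "description": (
        "For security reasons it may be desirable not to write SSH host keys"
        " and their fingerprints to the console. To avoid either being written"
        " to the console the ``emit_keys_to_console`` config key under the"
        " main ``ssh`` config key can be used. To avoid the fingerprint of"
        " types of SSH host keys being written to console the"
        " ``ssh_fp_console_blacklist`` config key can be used. By default,"
        " all types of keys will have their fingerprints written to console."
        " To avoid host keys of a key type being written to console the"
        " ``ssh_key_console_blacklist`` config key can be used. By default,"
        " ``ssh-dss`` host keys are not written to console."
    ),
    "distros": distros,
    "examples": [
        dedent(
            """\
            # Do not print any SSH keys to system console
            ssh:
              emit_keys_to_console: false
            """
        ),
        dedent(
            """\
            # Do not print certain ssh key types to console
            ssh_key_console_blacklist: [dsa, ssh-dss]
            """
        ),
        dedent(
            """\
            # Do not print specific ssh key fingerprints to console
            ssh_fp_console_blacklist:
            - E25451E0221B5773DEBFF178ECDACB160995AA89
            - FE76292D55E8B28EE6DB2B34B2D8A784F8C0AAB0
            """
        ),
    ],
    "frequency": PER_INSTANCE,
    "activate_by_schema_keys": [],
}
__doc__ = get_meta_doc(meta)

LOG = logging.getLogger(__name__)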


def _get_helper_tool_path(distro):
    """Return the path of the ``write-ssh-key-fingerprints`` helper.

    The helper is looked up under ``distro.usr_lib_exec``; a distro object
    without that attribute falls back to ``/usr/lib``.
    """
    lib_exec_dir = getattr(distro, "usr_lib_exec", "/usr/lib")
    return HELPER_TOOL_TPL % lib_exec_dir


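def handle(name: str, cfg: Config, cloud: Cloud, args: list) -> None:
    """Write SSH host key fingerprints to the system console.

    Runs the ``write-ssh-key-fingerprints`` helper shipped with cloud-init
    and echoes its stdout to the console through ``util.multi_log``.

    Args:
        name: Module name; only used in log messages.
        cfg: Merged cloud-config. Honours ``ssh.emit_keys_to_console``
            (skip the module when false), ``ssh_fp_console_blacklist``
            (fingerprints never printed, default none) and
            ``ssh_key_console_blacklist`` (key types never printed,
            default ``["ssh-dss"]``).
        cloud: Supplies ``cloud.distro``, whose ``usr_lib_exec`` locates
            the helper.
        args: Unused; kept for the module handler signature.

    Raises:
        Whatever ``subp.subp`` raises when the helper fails; a warning is
        logged before re-raising.
    """
    # ``ssh:`` written with an empty value parses to None; treat that like
    # "no ssh settings" instead of failing on ``None.get``.
    ssh_cfg = cfg.get("ssh") or {}
    if util.is_false(ssh_cfg.get("emit_keys_to_console", True)):
        LOG.debug(
            "Skipping module named %s, logging of SSH host keys disabled", name
        )
        return

    helper_path = _get_helper_tool_path(cloud.distro)
    if not os.path.exists(helper_path):
        LOG.warning(
            "Unable to activate module %s, helper tool not found at %s",
            name,
            helper_path,
        )
        return

    fp_blacklist = util.get_cfg_option_list(
        cfg, "ssh_fp_console_blacklist", []
    )
    key_blacklist = util.get_cfg_option_list(
        cfg, "ssh_key_console_blacklist", ["ssh-dss"]
    )

    try:
        # The blacklists are user-supplied config, so they are passed to the
        # helper as separate argv entries (an argument list, no shell) rather
        # than interpolated into a command string.
        cmd = [helper_path, ",".join(fp_blacklist), ",".join(key_blacklist)]
        (stdout, _stderr) = subp.subp(cmd)
        util.multi_log("%s\n" % (stdout.strip()), stderr=False, console=True)
    except Exception:
        LOG.warning("Writing keys to the system console failed!")
        raise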


# vi: ts=4 expandtab