From 7b9c89305506824ef5919370f87f9c8e53f41462 Mon Sep 17 00:00:00 2001
From: lissav
Date: Mon, 3 Mar 2014 13:29:02 -0500
Subject: [PATCH] support getting zone ssh keys

---
 xCAT/postscripts/remoteshell | 101 +++++++++++++++++++++++++++++++----
 1 file changed, 91 insertions(+), 10 deletions(-)

diff --git a/xCAT/postscripts/remoteshell b/xCAT/postscripts/remoteshell
index ea7492a16..928e7bcf5 100755
--- a/xCAT/postscripts/remoteshell
+++ b/xCAT/postscripts/remoteshell
@@ -100,7 +100,7 @@ getcredentials.awk ssh_dsa_hostkey | grep -E -v '|' /tmp/ssh_dsa_hostkey
 if [ $? -ne 0 ]; then
 #the message received is the data
- cat /tmp/ssh_dsa_hostkey | grep -E -v '||' >/etc/ssh/ssh_host_dsa_key
+ cat /tmp/ssh_dsa_hostkey | grep -E -v '|/{0,1}data>||' >/etc/ssh/ssh_host_dsa_key
 logger -t xCAT -p local4.info "remoteshell: getting ssh_host_dsa_key"
 MAX_RETRIES=10
 RETRY=0
@@ -164,7 +164,7 @@ getcredentials.awk ssh_rsa_hostkey | grep -E -v '|' /tmp/ssh_rsa_hostkey
 if [ $? -ne 0 ]; then
 #the message received is the data we request
- cat /tmp/ssh_rsa_hostkey | grep -E -v '||' >/etc/ssh/ssh_host_rsa_key
+ cat /tmp/ssh_rsa_hostkey | grep -E -v '|/{0,1}data>||' >/etc/ssh/ssh_host_rsa_key
 logger -t xCAT -p local4.info ssh_rsa_hostkey
 MYCONT=`cat /etc/ssh/ssh_host_rsa_key`
 MAX_RETRIES=10
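Review bot: The widened `cat … | grep -E -v '…/{0,1}data>…'` filter writes whatever survives the tag stripping straight into /etc/ssh/ssh_host_dsa_key, and the same applies to the ssh_host_rsa_key hunk below; nothing confirms the surviving bytes are a key before the retry loop treats a non-empty file as success. The private-key path later in this patch already does a `grep "PRIVATE KEY"` sanity check, and applying the same check here, e.g. `grep -q "PRIVATE KEY" /etc/ssh/ssh_host_dsa_key || : > /etc/ssh/ssh_host_dsa_key`, would force a retry instead of leaving an unparsable host key in place. The mode of the written key file depends on whatever umask is in effect at this point in the script, which is not visible here and is only set to 0077 further down, so it is worth confirming sshd's permission checks are met. The enclosing if blocks of both hunks start and end outside them.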
@@ -216,12 +216,88 @@ if [[ $NTYPE = service ]]; then
 cp /etc/ssh/ssh* /etc/xcat/hostkeys/.
 fi
-
-umask 0077
-
+umask 0077
+# This is where we start getting root ssh keys
+# This tells credentials.pm where to get the root .ssh keys. If no zone then old path of ~.ssh
+#rootsshpvtkey=ssh_root_key:$zonename
 mkdir -p /root/.ssh/
+# this is for obtaining non-zone keys
+rootsshpvtkey=ssh_root_key
+rootsshpubkey=ssh_root_pub_key
+if [ $ZONENAME ];
+then
+# This tells credentials.pm where to get the root .ssh keys. If no zone then old path of ~/.ssh
+ zonename=$ZONENAME
+ rootsshpvtkey=ssh_root_key:$zonename
+ rootsshpubkey=ssh_root_pub_key:$zonename
+ logger -t xCAT -p local4.info "remoteshell: gathering root ssh keys for $zonename"
+
+fi
+
+# always get the id_rsa.pub key for the node and put in authorized_keys
+if [ $useflowcontrol = "1" ]; then
+ #first contact daemon xcatflowrequest 3001
+ logger -t xCAT -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
+ /$xcatpost/xcatflowrequest $master 3001
+ rc=$?
+ logger -t xCAT -p local4.info "remoteshell:xcatflowrequest return=$rc"
+ if [ $rc -ne 0 ]; then
+ logger -t xCAT -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
+ useflowcontrol=0
+ fi
+fi
+
+ getcredentials.awk $rootsshpubkey | grep -E -v '|'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /tmp/ssh_root_pub_key
+
+ logger -t xCAT -p local4.info "remoteshell: gathering $rootsshpubkey "
+ #check whether the message is an error or not
+ grep -E '' /tmp/ssh_root_pub_key
+if [ $? -ne 0 ]; then
+ #The message contains the data we request
+ cat /tmp/ssh_root_pub_key | grep -E -v '|||' > /root/.ssh/id_rsa.pub
+ # no add to authorized_keys, so the node can ssh to itself
+ cat /tmp/ssh_root_pub_key | grep -E -v '|||' >> /root/.ssh/authorized_keys
+ logger -t xCAT -p local4.info ssh_root_pub_key
+ MYCONT=`cat /root/.ssh/id_rsa.pub`
+ MAX_RETRIES=10
+ RETRY=0
+ while [ -z "$MYCONT" ]; do
+ if [ $useflowcontrol = "0" ]; then
+ let SLI=$RANDOM%10
+ let SLI=SLI+10
+ sleep $SLI
+ fi
+ RETRY=$(($RETRY+1))
+ if [ $RETRY -eq $MAX_RETRIES ]
+ then
+ break
+ fi
+ if [ $useflowcontrol = "1" ]; then
+ #first contact daemon xcatflowrequest 3001
+ logger -t xCAT -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
+ /$xcatpost/xcatflowrequest $master 3001
+ rc=$?
+ logger -t xCAT -p local4.info "remoteshell:xcatflowrequest return=$rc"
+ if [ $rc -ne 0 ]; then
+ logger -t xCAT -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
+ useflowcontrol=0
+ fi
+ fi
+ getcredentials.awk $rootsshpubkey | grep -v '<'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /root/.ssh/id_rsa.pub
+ getcredentials.awk $rootsshpubkey | grep -v '<'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" >> /root/.ssh/authorized_keys
+ MYCONT=`cat /root/.ssh/id_rsa.pub`
+ done
+else
+ #This is an error message
+ ERR_MSG=`sed -n 's%.*\(.*\).*%\1%p' /tmp/ssh_root_pub_key`
+ logger -t xCAT -p local4.err $rootsshpubkey Error: $ERR_MSG
+fi
+rm /tmp/ssh_root_pub_key
+
+# if sshbetweennodes is enabled then we get id_rsa ( private key)
 if [ $ENABLESSHBETWEENNODES = "YES" ]; # want nodes to be able to ssh to each other without password
 then
+ logger -t xCAT -p local4.info "remoteshell:sshbetweennodes is yes"
 if [ $useflowcontrol = "1" ]; then
 #first contact daemon xcatflowrequest 3001
 logger -t xCAT -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
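Review bot: `if [ $ZONENAME ];` on the new zone branch is an unquoted single-argument test that becomes a syntax error if ZONENAME ever contains whitespace; write it as `if [ -n "$ZONENAME" ]; then`, and quote `"$rootsshpubkey"` / `"$rootsshpvtkey"` where they are handed to getcredentials.awk now that they carry the externally supplied zone name. The `cat /tmp/ssh_root_pub_key … >> /root/.ssh/authorized_keys` append, repeated again inside the retry loop, is not idempotent, so each run of the postscript adds another copy of the key; doing it once after the loop as `grep -qxF -- "$(cat /root/.ssh/id_rsa.pub)" /root/.ssh/authorized_keys 2>/dev/null || cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys` keeps authorized_keys from growing on every boot. The first fetch filters with `grep -E -v` on the response tags while the retries use `grep -v '<'`, so the two paths can admit different stray lines into id_rsa.pub; the retries should use the same filter as the first attempt. The comment `# no add to authorized_keys, so the node can ssh to itself` reads as intended with `# now add`. The hunk ends inside the `ENABLESSHBETWEENNODES` if block, which continues past it.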
@@ -233,13 +309,14 @@ then
 useflowcontrol=0
 fi
 fi
- getcredentials.awk ssh_root_key | grep -E -v '|'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /tmp/ssh_root_key
+ getcredentials.awk $rootsshpvtkey | grep -E -v '|'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /tmp/ssh_root_key
+ logger -t xCAT -p local4.info "remoteshell: gathering $rootsshpvtkey "
 #check whether the message is an error or not
 grep -E '' /tmp/ssh_root_key
 if [ $? -ne 0 ]; then
 #The message contains the data we request
- cat /tmp/ssh_root_key | grep -E -v '||' > /root/.ssh/id_rsa
+ cat /tmp/ssh_root_key | grep -E -v '|/{0,1}data>||' > /root/.ssh/id_rsa
 logger -t xCAT -p local4.info ssh_root_key
 MYCONT=`cat /root/.ssh/id_rsa`
 MAX_RETRIES=10
@@ -266,21 +343,25 @@ then
 useflowcontrol=0
 fi
 fi
- getcredentials.awk ssh_root_key | grep -v '<'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /root/.ssh/id_rsa
+ getcredentials.awk $rootsshpvtkey | grep -v '<'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /root/.ssh/id_rsa
 MYCONT=`cat /root/.ssh/id_rsa`
 done
 else
 #This is an error message
 ERR_MSG=`sed -n 's%.*\(.*\).*%\1%p' /tmp/ssh_root_key`
- logger -t xCAT -p local4.err ssh_root_key Error: $ERR_MSG
+ logger -t xCAT -p local4.err $rootsshpvtkey Error: $ERR_MSG
 fi
 rm /tmp/ssh_root_key
 if ! grep "PRIVATE KEY" /root/.ssh/id_rsa > /dev/null 2>&1 ; then
 rm /root/.ssh/id_rsa
 fi
- if [ -r /root/.ssh/id_rsa ]; then
+ # if public key does not exist then generate one from the private key
+ if [ ! -f /root/.ssh/id_rsa.pub ]; then
+ if [ -r /root/.ssh/id_rsa ]; then
 ssh-keygen -y -f /root/.ssh/id_rsa > /root/.ssh/id_rsa.pub
+ logger -t xCAT -p local4.err remoteshell:transfer of the id_rsa.pub key failed. Had to generate a public key.
+ fi
 fi
 fi
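Review bot: In the last hunk, `ssh-keygen -y -f /root/.ssh/id_rsa > /root/.ssh/id_rsa.pub` opens the output file before ssh-keygen runs, so if derivation fails (e.g. an unparsable id_rsa) an empty id_rsa.pub is left behind and the new `[ ! -f /root/.ssh/id_rsa.pub ]` guard will skip regeneration on every later run; use `ssh-keygen -y -f /root/.ssh/id_rsa > /root/.ssh/id_rsa.pub || rm -f /root/.ssh/id_rsa.pub`. Now that the public key is fetched separately earlier in this patch, nothing checks that an already present id_rsa.pub belongs to the id_rsa delivered here, so a mismatched pair (for instance after a zone change) would fail silently at ssh time; comparing `ssh-keygen -y -f /root/.ssh/id_rsa` against the existing id_rsa.pub, and regenerating on mismatch, would catch it. The new logger call passes its message as a dozen unquoted words; wrap it in one quoted string like the other logger lines in the hunk. The enclosing `ENABLESSHBETWEENNODES` if block begins before the hunk.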