arif/xcat-core
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

first installment of code to support ssh key setup for non-root users

Browse Source 
git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@3078 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
This commit is contained in:
lissav
2009-04-03 15:42:59 +00:00
parent 1b92a5c4a2
commit eaeb3d611f
2 changed files with 267 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
perl-xCAT/xCAT/DSHCLI.pm
View File

@@ -42,7 +42,7 @@ our @dsh_valid_env = (
'DSH_PATH', 'DSH_SYNTAX',
'DSH_TIMEOUT', 'DSH_REMOTE_PASSWORD',
'DSH_TO_USERID', 'DSH_FROM_USERID',
'DEVICETYPE',
'DEVICETYPE',
);
select(STDERR);
$| = 1;
@@ -1044,7 +1044,7 @@ sub fork_fanout_dsh
if (my $specified_usr =
($$target_properties{'user'} || $$options{'user'}))
{
my $current_usr = getlogin();
my $current_usr = getpwuid($>);
if ($specified_usr ne $current_usr)
{
delete $$target_properties{'localhost'};
@@ -3707,6 +3707,21 @@ sub parse_and_run_dsh
xCAT::DSHCLI->ignoreEnv($options{'ignore_env'});
}
# this was determined in the xdsh client code, because non-root user
# actions must be taken there.
# either -l option or current user
if (!($ENV{'DSH_TO_USERID'}))
{
my $rsp = ();
$rsp->{data}->[0] = "DSH_TO_USERID not setup./n";
xCAT::MsgUtils->message("E", $rsp, $::CALLBACK, 1);
return;
}
else
{
$options{'user'} = $ENV{'DSH_TO_USERID'};
}
#
# build list of nodes
my @nodelist;
@@ -3754,7 +3769,10 @@ sub parse_and_run_dsh
$options{'command'} = join ' ', @ARGV;
#
# -K option just sets up the ssh keys on the nodes and exits
#
if (defined $options{'ssh-setup'})
{
@@ -3770,8 +3788,6 @@ sub parse_and_run_dsh
# Rules: if (current userid running command) not eq touserid,
# the current running userid must be root
#
# if not set then the touserid will be defaulted to
# the current running userid.
# DSH_REMOTE_PASSWORD env variable must be set to the correct
# password for the key update. This was setup in xdsh client
# frontend. remoteshell.expect depends on this
@@ -3796,8 +3812,8 @@ sub parse_and_run_dsh
}
if (!($ENV{'DSH_TO_USERID'})) # id to logon to the node and update the
# keys
if (!($ENV{'DSH_TO_USERID'})) # id to logon to the node and update the
# keys
{
my $rsp = ();
$rsp->{data}->[0] =
@@ -3807,24 +3823,21 @@ sub parse_and_run_dsh
}
my $current_userid = $ENV{'DSH_FROM_USERID'};
my $to_userid = $ENV{'DSH_TO_USERID'};
my $to_userid = $ENV{'DSH_TO_USERID'};
# if current_userid ne touserid then current_userid
# must be root
if ( ($current_userid ne $to_userid)
&& ($current_userid ne "root"))
&& ($current_userid ne "root"))
{
my $rsp = ();
$rsp->{data}->[0] =
"When touserid:$to_userid is not the same as the current user:$current_userid. The the command must be run by root id.";
xCAT::MsgUtils->message("E", $rsp, $::CALLBACK, 1);
return;
my $rsp = ();
$rsp->{data}->[0] =
"When touserid:$to_userid is not the same as the current user:$current_userid. The the command must be run by root id.";
xCAT::MsgUtils->message("E", $rsp, $::CALLBACK, 1);
return;
}
# setting up IB switch ssh, different interface that ssh for
# userid on node. Must build special ssh command to be sent
# to the IB switch to setup ssh

295
perl-xCAT/xCAT/Utils.pm
View File

@@ -1063,9 +1063,12 @@ sub getHomeDir
{
my ($class, $username) = @_;
my @user;
if ($username) {
if ($username)
{
@user = getpwnam($username);
} else {
}
else
{
@user = getpwuid($>);
}
return $user[7];
@@ -1159,57 +1162,40 @@ sub setupSSH
}
$::REMOTE_SHELL = "/usr/bin/ssh";
# make the directory to hold keys to transfer to the nodes
if (!-d $SSHdir)
{
mkdir("/install", 0755);
mkdir("/install/postscripts", 0755);
mkdir("/install/postscripts/_ssh", 0755);
}
#
# if we are running as root
# for non-root users, keys were generated in the xdsh client code
#
# Generate the keys, if they do not already exist
my $rsp = {};
# Get the home directory
my $home = xCAT::Utils->getHomeDir($from_userid);
$ENV{'DSH_FROM_USERID_HOME'} = $home;
# generates new keys, if they do not already exist
xCAT::Utils->runcmd("$::REMOTESHELL_EXPECT -k", 0);
if ($::RUNCMD_RC != 0)
{ # error
$rsp->{data}->[0] = "remoteshell.expect failed generating keys.";
xCAT::MsgUtils->message("E", $rsp, $::CALLBACK);
if ($from_userid eq "root")
{
# make the directory to hold keys to transfer to the nodes
if (!-d $SSHdir)
{
mkdir("/install", 0755);
mkdir("/install/postscripts", 0755);
mkdir("/install/postscripts/_ssh", 0755);
}
# generates new keys for root, if they do not already exist
xCAT::Utils->runcmd("$::REMOTESHELL_EXPECT -k", 0);
if ($::RUNCMD_RC != 0)
{ # error
$rsp->{data}->[0] = "remoteshell.expect failed generating keys.";
xCAT::MsgUtils->message("E", $rsp, $::CALLBACK);
}
}
# build the perl copy script in $HOME/.ssh/copy.perl
#open(FILE, ">$home/.ssh/copy.perl")
# or die "cannot open file $home/.ssh/copy.perl\n";
#print FILE "#!/usr/bin/perl
#my (\$name,\$passwd,\$uid,\$gid,\$quota,\$comment,\$gcos,\$dir,\$shell,\$expire) = getpwnam($to_userid);
#my \$home = \$dir;
#umask(0077);
#\$dest_dir = \"\$home/.ssh/\";
#if (! -d \"\$dest_dir\" ) {
# create a local directory
# \$cmd = \"mkdir -p \$dest_dir\";
# system(\"\$cmd\");
# chmod 0700, \$dest_dir;
#}
#`cat /tmp/$to_userid/.ssh/authorized_keys >> \$home/.ssh/authorized_keys 2>&1`;
#`cat /tmp/$to_userid/.ssh/authorized_keys2 >> \$home/.ssh/authorized_keys2 2>&1`;
#`cp /tmp/$to_userid/.ssh/id_rsa \$home/.ssh/id_rsa 2>&1`;
#`cp /tmp/$to_userid/.ssh/id_dsa \$home/.ssh/id_dsa 2>&1`;
#`chmod 0600 \$home/.ssh/id_* 2>&1`;
#`rm -f /tmp/$to_userid/.ssh/* 2>&1`;
#rmdir(\"/tmp/$to_userid/.ssh\");
#rmdir(\"/tmp/$to_userid\");";
# close FILE;
# chmod 0744, "$home/.ssh/copy.perl";
# Replace the perl script with a shell script
# Shell is needed because the nodes may not have Perl installed
# build the shell copy script, needed Perl not always there
# for root and non-root ids
open(FILE, ">$home/.ssh/copy.sh")
or die "cannot open file $home/.ssh/copy.sh\n";
print FILE "#!/bin/sh
@@ -1227,12 +1213,13 @@ rmdir \"/tmp/$to_userid/.ssh\"
rmdir \"/tmp/$to_userid\"";
close FILE;
chmod 0744, "$home/.ssh/copy.sh";
chmod 0777,"$home/.ssh/copy.sh";
if (xCAT::Utils->isMN())
{ # if on Management Node
if ($from_userid eq "root")
{
my $rc = xCAT::Utils->cpSSHFiles($SSHdir);
if ($rc != 0)
{ # error
@@ -1259,6 +1246,11 @@ rmdir \"/tmp/$to_userid\"";
}
}
}
else
{ # from_userid is not root
# build the authorized key files for non-root user
xCAT::Utils->bldnonrootSSHFiles($from_userid);
}
}
# send the keys to the nodes for root or some other id
@@ -1272,12 +1264,12 @@ rmdir \"/tmp/$to_userid\"";
}
# Remove $home/.ssh/authorized_keys*
# Easy to remote this code, if we want
# The MN to be able to ssh to itself
#remove $home/.ssh/authorized_keys*
#Easy to remote this code, if we want
#The MN to be able to ssh to itself and nodes to ssh to the MN
if (xCAT::Utils->isMN())
{
$cmd = "rm $home/.ssh/authorized_keys*";
$cmd = "rm $home/.ssh/authorized_keys*";
xCAT::Utils->runcmd($cmd, 0);
my $rsp = {};
if ($::RUNCMD_RC != 0)
@@ -1326,7 +1318,7 @@ rmdir \"/tmp/$to_userid\"";
and for root and puts them in /install/postscripts/_ssh
Arguments:
directory path
install directory path
Returns:
Globals:
@@ -1334,7 +1326,7 @@ rmdir \"/tmp/$to_userid\"";
Error:
Example:
xCAT::Utils->cpSSHFiles;
xCAT::Utils->cpSSHFiles($dir);
Comments:
none
@@ -1355,14 +1347,15 @@ sub cpSSHFiles
}
my $home = xCAT::Utils->getHomeDir("root");
my $authorized_keys = "$SSHdir/authorized_keys";
my $authorized_keys2 = "$SSHdir/authorized_keys2";
if ( !(-e "$home/.ssh/identity.pub")
|| !(-e "$home/.ssh/id_rsa.pub")
|| !(-e "$home/.ssh/id_dsa.pub"))
{
return 1;
}
# copy to install directory
my $authorized_keys = "$SSHdir/authorized_keys";
$cmd = " cp $home/.ssh/identity.pub $authorized_keys";
xCAT::Utils->runcmd($cmd, 0);
my $rsp = {};
@@ -1381,6 +1374,8 @@ sub cpSSHFiles
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
}
# copy to home ssh directory
$cmd = " cp $home/.ssh/identity.pub $home/.ssh/authorized_keys";
xCAT::Utils->runcmd($cmd, 0);
my $rsp = {};
@@ -1401,6 +1396,8 @@ sub cpSSHFiles
}
}
# copy to install directory
my $authorized_keys2 = "$SSHdir/authorized_keys2";
$cmd = "cp $home/.ssh/id_rsa.pub $authorized_keys2";
xCAT::Utils->runcmd($cmd, 0);
if ($::RUNCMD_RC != 0)
@@ -1418,6 +1415,8 @@ sub cpSSHFiles
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
}
# copy to home ssh directory
$cmd = "cp $home/.ssh/id_rsa.pub $home/.ssh/authorized_keys2";
xCAT::Utils->runcmd($cmd, 0);
if ($::RUNCMD_RC != 0)
@@ -1437,6 +1436,7 @@ sub cpSSHFiles
}
}
# add dsa key to install directory
my $rsp = {};
$cmd = "cat $home/.ssh/id_dsa.pub >> $authorized_keys2";
xCAT::Utils->runcmd($cmd, 0);
@@ -1456,6 +1456,26 @@ sub cpSSHFiles
}
}
# add dsa key to home ssh directory
my $rsp = {};
$cmd = "cat $home/.ssh/id_dsa.pub >> $home/.ssh/authorized_keys2";
xCAT::Utils->runcmd($cmd, 0);
if ($::RUNCMD_RC != 0)
{
$rsp->{data}->[0] = "$cmd failed.\n";
xCAT::MsgUtils->message("E", $rsp, $::CALLBACK);
return (1);
}
else
{
if ($::VERBOSE)
{
$rsp->{data}->[0] = "$cmd succeeded.\n";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
}
if (!(-e "$authorized_keys") || !(-e "$authorized_keys2"))
{
return 1;
@@ -1463,6 +1483,169 @@ sub cpSSHFiles
return (0);
}
#--------------------------------------------------------------------------------
=head3 bldnonrootSSHFiles
Builds authorized_keyfiles for the non-root id
It must not only contain the public keys for the non-root id
but also the public keys for root
Arguments:
from_userid -current id running xdsh from the command line
Returns:
Globals:
$::CALLBACK
Error:
Example:
xCAT::Utils->bldnonrootSSHFiles;
Comments:
none
=cut
#--------------------------------------------------------------------------------
sub bldnonrootSSHFiles
{
my ($class, $from_userid) = @_;
my ($cmd, $rc);
my $rsp = {};
if ($::VERBOSE)
{
$rsp->{data}->[0] = "Building SSH Keys for $from_userid";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
my $home = xCAT::Utils->getHomeDir($from_userid);
my $roothome = xCAT::Utils->getHomeDir("root");
if ( !(-e "$home/.ssh/identity.pub")
|| !(-e "$home/.ssh/id_rsa.pub")
|| !(-e "$home/.ssh/id_dsa.pub"))
{
return 1;
}
$cmd = " cp $home/.ssh/identity.pub $home/.ssh/authorized_keys";
xCAT::Utils->runcmd($cmd, 0);
my $rsp = {};
if ($::RUNCMD_RC != 0)
{
$rsp->{data}->[0] = "$cmd failed.\n";
xCAT::MsgUtils->message("E", $rsp, $::CALLBACK);
return (1);
}
else
{
chmod 0600, "$home/.ssh/authorized_keys";
if ($::VERBOSE)
{
$rsp->{data}->[0] = "$cmd succeeded.\n";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
}
my $rsp = {};
$cmd = "cp $home/.ssh/id_rsa.pub $home/.ssh/authorized_keys2";
xCAT::Utils->runcmd($cmd, 0);
if ($::RUNCMD_RC != 0)
{
$rsp->{data}->[0] = "$cmd failed.\n";
xCAT::MsgUtils->message("E", $rsp, $::CALLBACK);
return (1);
}
else
{
chmod 0600, "$home/.ssh/authorized_keys2";
if ($::VERBOSE)
{
$rsp->{data}->[0] = "$cmd succeeded.\n";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
}
my $rsp = {};
$cmd = "cat $home/.ssh/id_dsa.pub >> $home/.ssh/authorized_keys2";
xCAT::Utils->runcmd($cmd, 0);
if ($::RUNCMD_RC != 0)
{
$rsp->{data}->[0] = "$cmd failed.\n";
xCAT::MsgUtils->message("E", $rsp, $::CALLBACK);
return (1);
}
else
{
if ($::VERBOSE)
{
$rsp->{data}->[0] = "$cmd succeeded.\n";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
}
# add roots keys
# if cannot access, warn and continue
my $rsp = {};
$cmd = "cat $roothome/.ssh/identity.pub >> $home/.ssh/authorized_keys";
xCAT::Utils->runcmd($cmd, 0);
if ($::RUNCMD_RC != 0)
{
$rsp->{data}->[0] = "Warning: Cannot give $from_userid root ssh authority. \n";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
else
{
if ($::VERBOSE)
{
$rsp->{data}->[0] = "$cmd succeeded.\n";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
}
my $rsp = {};
$cmd = "cat $roothome/.ssh/id_rsa.pub >> $home/.ssh/authorized_keys2";
xCAT::Utils->runcmd($cmd, 0);
if ($::RUNCMD_RC != 0)
{
$rsp->{data}->[0] = "Warning: Cannot give $from_userid root ssh authority. \n";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
else
{
if ($::VERBOSE)
{
$rsp->{data}->[0] = "$cmd succeeded.\n";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
}
my $rsp = {};
$cmd = "cat $roothome/.ssh/id_dsa.pub >> $home/.ssh/authorized_keys2";
xCAT::Utils->runcmd($cmd, 0);
if ($::RUNCMD_RC != 0)
{
$rsp->{data}->[0] = "Warning: Cannot give $from_userid root ssh authority. \n";
xCAT::MsgUtils->message("E", $rsp, $::CALLBACK);
return (1);
}
else
{
if ($::VERBOSE)
{
$rsp->{data}->[0] = "$cmd succeeded.\n";
xCAT::MsgUtils->message("I", $rsp, $::CALLBACK);
}
}
return (0);
}
#-------------------------------------------------------------------------------
=head3 isServiceNode
@@ -3496,12 +3679,11 @@ sub checkCredFiles
$rsp->{data}->[0] = "Error: $dir is missing.";
xCAT::MsgUtils->message("I", $rsp, $cb);
}
my $dir = "/etc/xcat/cert";
if (-d $dir)
{
my $file = "$dir/server-cred.pem"; # from getcredentials
my $file = "$dir/server-cred.pem"; # from getcredentials
if (!(-e $file))
{
@@ -3516,7 +3698,6 @@ sub checkCredFiles
$rsp->{data}->[0] = "Error: $dir is missing.";
xCAT::MsgUtils->message("I", $rsp, $cb);
}
my $dir = "/install/postscripts/ca";
if (-d $dir)
@@ -3558,8 +3739,8 @@ sub checkCredFiles
my $file = "$dir/ca.pem";
if (-e $file)
{
my $file2 = "$dir/*" ;
my $cmd = "/bin/chmod 0644 $file2";
my $file2 = "$dir/*";
my $cmd = "/bin/chmod 0644 $file2";
my $outref = xCAT::Utils->runcmd("$cmd", 0);
if ($::RUNCMD_RC != 0)
{