
Attempt to have both short and long names

In ssh, the long or short name may matter, and a user may use either short
or long names as node names.

Try to make ssh equipped to be apathetic about the choice.
This commit is contained in:
Jarrod Johnson 2020-07-02 12:40:30 -04:00
parent f70a3daf9a
commit 4ecae144d9
2 changed files with 25 additions and 5 deletions


@ -145,14 +145,30 @@ def handle_request(env, start_response):
start_response('500 Unconfigured', ())
yield 'CA is not configured on this system (run ...)'
return
cert = sshutil.sign_host_key(reqbody, nodename)
dnsinfo = cfg.get_node_attributes(nodename, ('dns.*'))
dnsinfo = dnsinfo.get(nodename, {}).get('dns.domain', {}).get('value',
None)
if dnsinfo in nodename:
dnsinfo = ''
cert = sshutil.sign_host_key(reqbody, nodename, [dnsinfo])
start_response('200 OK', (('Content-Type', 'text/plain'),))
yield cert
elif env['PATH_INFO'] == '/self/nodelist':
nodes = set(cfg.list_nodes())
domaininfo = cfg.get_node_attributes(nodes, 'dns.domain')
for node in list(util.natural_sort(nodes)):
domain = domaininfo.get(node, {}).get('dns.domain', {}).get(
'value', None)
if domain and domain not in node:
nodes.add('{0}.{1}'.format(node, domain))
for mgr in configmanager.list_collective():
nodes.add(mgr)
nodes.add(collective.get_myname())
if domain and domain not in mgr:
nodes.add('{0}.{1}'.format(mgr, domain))
myname = collective.get_myname()
nodes.add(myname)
if domain and domain not in myname:
nodes.add('{0}.{1}'.format(myname, domain))
if isgeneric:
start_response('200 OK', (('Content-Type', 'text/plain'),))
for node in util.natural_sort(nodes):
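Review bot: `domain` is reused after the node loop at the `if domain and domain not in mgr:` line and again for `myname`, so it holds the dns.domain of the last naturally-sorted node rather than anything tied to the manager, and when `cfg.list_nodes()` is empty it is never bound and the manager loop raises NameError. At minimum set `domain = None` before `for node in list(util.natural_sort(nodes)):`; if managers are meant to get their own suffix, look each one up in `domaininfo` instead (they would then need to be part of the `get_node_attributes` query, which I cannot confirm from the hunk). In the signing branch, `if dnsinfo in nodename:` raises TypeError when the node has no dns.domain attribute (dnsinfo is None), and passing `['']` makes sign_host_key emit a `nodename.` principal, so `if not dnsinfo or dnsinfo in nodename:` with `dnsinfo = []` / `[dnsinfo]` would be safer. The substring tests `dnsinfo in nodename` and `domain not in node` also match partial names; `node.endswith('.' + domain)` is the stricter check. handle_request starts and ends outside this hunk.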


@ -41,15 +41,19 @@ def initialize_ca():
# newent = '@cert-authority * ' + capub.read()
def sign_host_key(pubkey, nodename):
def sign_host_key(pubkey, nodename, domains=()):
tmpdir = tempfile.mkdtemp()
try:
pkeyname = os.path.join(tmpdir, 'hostkey.pub')
with open(pkeyname, 'wb') as pubfile:
pubfile.write(pubkey)
principals = [nodename]
for domain in domains:
principals.append('{0}.{1}'.format(nodename, domain))
principals = ','.join(principals)
subprocess.check_call(
['ssh-keygen', '-s', '/etc/confluent/ssh/ca', '-I', nodename,
'-n', nodename, '-h', pkeyname])
'-n', principals, '-h', pkeyname])
certname = pkeyname.replace('.pub', '-cert.pub')
with open(certname) as cert:
return cert.read()
@ -95,4 +99,4 @@ if __name__ == '__main__':
initialize_root_key(True)
if not ca_exists():
initialize_ca()
print(repr(sign_host_key(open('/etc/ssh/ssh_host_ed25519_key.pub').read(), collective.get_myname())))
print(repr(sign_host_key(open('/etc/ssh/ssh_host_ed25519_key.pub').read(), collective.get_myname())))
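Review bot: An empty or None entry in `domains` produces a malformed principal at the `principals.append('{0}.{1}'.format(nodename, domain))` line — the api.py caller in this same commit passes `['']` when the domain is already part of the node name, which yields a `nodename.` principal in the signed certificate. Skipping falsy entries, e.g. `principals.extend('{0}.{1}'.format(nodename, d) for d in domains if d)`, avoids that; and because `-n` takes a comma-separated list, a domain value containing a comma would silently become extra principals, so rejecting `','` in a domain would make that failure explicit (the values come from node attributes, so this is a configuration-trust question rather than untrusted input). The new parameter should also be documented with a docstring stating that `domains` is an iterable of DNS domain suffixes, each added as an additional `nodename.domain` principal alongside `nodename`. The `finally` that cleans up `tmpdir` lies outside the hunk.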