From 4ecae144d97625883b27cf4ed5142ef8a5a050e3 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 2 Jul 2020 12:40:30 -0400
Subject: [PATCH] Attempt to have both short and long names
In ssh, long or short name may matter and user may use short or long names as node names. Try to make ssh equipped to be apathetic about the choice.
---
 confluent_server/confluent/selfservice.py | 20 ++++++++++++++++++--
 confluent_server/confluent/sshutil.py | 10 +++++++---
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/confluent_server/confluent/selfservice.py b/confluent_server/confluent/selfservice.py
index 76be184e..ecda26d9 100644
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@@ -145,14 +145,30 @@ def handle_request(env, start_response):
 start_response('500 Unconfigured', ())
 yield 'CA is not configured on this system (run ...)'
 return
- cert = sshutil.sign_host_key(reqbody, nodename)
+ dnsinfo = cfg.get_node_attributes(nodename, ('dns.*'))
+ dnsinfo = dnsinfo.get(nodename, {}).get('dns.domain', {}).get('value',
+ None)
+ if dnsinfo in nodename:
+ dnsinfo = ''
+ cert = sshutil.sign_host_key(reqbody, nodename, [dnsinfo])
 start_response('200 OK', (('Content-Type', 'text/plain'),))
 yield cert
 elif env['PATH_INFO'] == '/self/nodelist':
 nodes = set(cfg.list_nodes())
+ domaininfo = cfg.get_node_attributes(nodes, 'dns.domain')
+ for node in list(util.natural_sort(nodes)):
+ domain = domaininfo.get(node, {}).get('dns.domain', {}).get(
+ 'value', None)
+ if domain and domain not in node:
+ nodes.add('{0}.{1}'.format(node, domain))
 for mgr in configmanager.list_collective():
 nodes.add(mgr)
- nodes.add(collective.get_myname())
+ if domain and domain not in mgr:
+ nodes.add('{0}.{1}'.format(mgr, domain))
+ myname = collective.get_myname()
+ nodes.add(myname)
+ if domain and domain not in myname:
+ nodes.add('{0}.{1}'.format(myname, domain))
 if isgeneric:
 start_response('200 OK', (('Content-Type', 'text/plain'),))
 for node in util.natural_sort(nodes):
diff --git a/confluent_server/confluent/sshutil.py b/confluent_server/confluent/sshutil.py
index efe79d7f..935b53f5 100644
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
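Review bot: `if dnsinfo in nodename:` in the /self/sshcert branch raises TypeError for any node without a `dns.domain` attribute, since `.get('value', None)` then yields None, and when a domain is present but already part of the name the handler passes `['']` on to `sign_host_key`, which signs an extra principal of the form `nodename.`. The `in` test is also a substring match rather than a suffix match, so a domain that happens to appear inside the short name is silently dropped; three lines cover all of this: `domain = dnsinfo.get(nodename, {}).get('dns.domain', {}).get('value', None)`, `domains = [domain] if domain and not nodename.endswith('.' + domain) else []`, `cert = sshutil.sign_host_key(reqbody, nodename, domains)`. The /self/nodelist branch has the same substring test and additionally reuses `domain` after the `for node` loop: it is unbound (NameError) when `cfg.list_nodes()` returns nothing and otherwise carries the last sorted node's domain over to the collective managers and `myname`, which looks unintended. `('dns.*')` is a plain string, not a tuple; a trailing comma would make the intent explicit. handle_request begins before and ends after the hunk.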
@@ -41,15 +41,19 @@ def initialize_ca():
 # newent = '@cert-authority * ' + capub.read()
-def sign_host_key(pubkey, nodename):
+def sign_host_key(pubkey, nodename, domains=()):
 tmpdir = tempfile.mkdtemp()
 try:
 pkeyname = os.path.join(tmpdir, 'hostkey.pub')
 with open(pkeyname, 'wb') as pubfile:
 pubfile.write(pubkey)
+ principals = [nodename]
+ for domain in domains:
+ principals.append('{0}.{1}'.format(nodename, domain))
+ principals = ','.join(principals)
 subprocess.check_call(
 ['ssh-keygen', '-s', '/etc/confluent/ssh/ca', '-I', nodename,
- '-n', nodename, '-h', pkeyname])
+ '-n', principals, '-h', pkeyname])
 certname = pkeyname.replace('.pub', '-cert.pub')
 with open(certname) as cert:
 return cert.read()
@@ -95,4 +99,4 @@ if __name__ == '__main__':
 initialize_root_key(True)
 if not ca_exists():
 initialize_ca()
- print(repr(sign_host_key(open('/etc/ssh/ssh_host_ed25519_key.pub').read(), collective.get_myname())))
\ No newline at end of file
+ print(repr(sign_host_key(open('/etc/ssh/ssh_host_ed25519_key.pub').read(), collective.get_myname())))
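Review bot: The principal list built in sign_host_key (`for domain in domains:` in the first hunk) appends `'{0}.{1}'.format(nodename, domain)` without checking the value, so an empty string — which the selfservice caller in this commit does pass when the domain is already part of the name — becomes a `nodename.` principal in the signed host certificate. Since `-n` is comma-separated, a domain or nodename containing a comma would likewise be signed as several principals; these values come from configuration, so the risk is low, but the function is the last point where the principal list can be sanity-checked. A two-line replacement: `principals = [nodename] + ['{0}.{1}'.format(nodename, d) for d in domains if d]` and `principals = ','.join(principals)`. The new parameter also deserves a docstring stating that `domains` is an iterable of DNS domains each suffixed onto `nodename` as an additional certificate principal, that `pubkey` is written to a temporary file and signed with the CA at /etc/confluent/ssh/ca, and that the signed certificate text is returned. The body of sign_host_key continues beyond the hunk, and the second hunk only adds a trailing newline.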