From 86a68bf7f9bcf1d72969d132bcf9c34dd999126c Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 16 Apr 2020 10:08:27 -0400
Subject: [PATCH] Rework CA layout to file-per-CA

Have the deployed system combine into known_hosts. This simplifies potential contention.
---
 confluent_server/confluent/sshutil.py | 26 ++++++++------------------
 1 file changed, 8 insertions(+), 18 deletions(-)

diff --git a/confluent_server/confluent/sshutil.py b/confluent_server/confluent/sshutil.py
index 509eba3d..aa949e31 100644
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@@ -15,6 +15,7 @@ def normalize_uid():
     if os.getuid() != neededuid:
         raise Exception('Need to run as root or owner of /etc/confluent')
 
+
 def initialize_ca():
     normalize_uid()
     try:
@@ -22,29 +23,18 @@ def initialize_ca():
     except OSError as e:
         if e.errno != 17:
             raise
-    caname = '{0} SSH CA'.format(collective.get_myname())
+    myname = collective.get_myname()
+    caname = '{0} SSH CA'.format(myname)
     subprocess.check_call(['ssh-keygen', '-C', caname, '-t', 'ed25519', '-f', '/etc/confluent/ssh/ca', '-N', ''])
     try:
-        os.makedirs('/var/lib/confluent/ssh', mode=0o755)
+        os.makedirs('/var/lib/confluent/public/site/ssh/', mode=0o755)
     except OSError as e:
         if e.errno != 17:
             raise
-    currknownhosts = []
-    try:
-        with open('/var/lib/confluent/ssh/ssh_known_hosts', 'r') as skh:
-            for ent in skh:
-                descr = ent.split(' ', 4)[-1].strip()
-                if descr != caname:
-                    currknownhosts.append(ent)
-    except OSError as e:
-        if e.errno != 2:
-            raise
-    with open('/etc/confluent/ssh/ca.pub', 'r') as capub:
-        newent = '@cert-authority * ' + capub.read()
-        currknownhosts.append(newent)
-    with open('/var/lib/confluent/ssh/ssh_known_hosts', 'w') as skh:
-        for ckh in currknownhosts:
-            skh.write(ckh)
+    cafilename = '/var/lib/confluent/public/site/ssh/{0}.ca'.format(myname)
+    shutil.copy('/etc/confluent/ssh/ca.pub', cafilename)
+    # newent = '@cert-authority * ' + capub.read()
+
 def sign_host_key(pubkey, nodename):
     tmpdir = tempfile.mkdtemp()
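Review bot: The publish step at the end of the hunk is not atomic: `shutil.copy` truncates and rewrites `<myname>.ca` in place under the public directory, so a node that fetches the CA while initialize_ca is re-run can read an empty or partial key, which works against the contention the commit message says this layout is meant to simplify. Copy to a sibling name and rename instead, `tmpname = cafilename + '.tmp'` / `shutil.copy('/etc/confluent/ssh/ca.pub', tmpname)` / `os.rename(tmpname, cafilename)`; note that `shutil.copy` also carries over the source's mode bits, so the published file is only as readable as /etc/confluent/ssh/ca.pub happens to be. `myname` is interpolated straight into the destination path — presumably it is the server's own collective name rather than anything remote, but a `/` or `..` in it would land the copy outside the ssh directory, so a guard such as `if os.sep in myname or myname in ('.', '..'): raise Exception('invalid collective name')` before the copy is cheap insurance. The commented-out `# newent = '@cert-authority * ' + capub.read()` line should be deleted and replaced by a real comment stating that whoever assembles ssh_known_hosts from these files must prefix each key with `@cert-authority * `, since that transformation no longer happens here. No `import shutil` is added by this patch, so confirm the module already imports it; otherwise initialize_ca raises NameError only after the CA keypair has been generated.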