From 93d4847763ef2ea732b67cace5401d8dad61b9b9 Mon Sep 17 00:00:00 2001 From: Jarrod Johnson Date: Tue, 18 May 2021 12:28:22 -0400 Subject: [PATCH] Conditionally apply agent to sshutil Older OSes (RHEL7/SLES12) cannot do ssh-keygen with an agent. Degrade to classic confluent behavior when that happens. --- confluent_server/confluent/sshutil.py | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/confluent_server/confluent/sshutil.py b/confluent_server/confluent/sshutil.py index 141f2c2a..29ff4442 100644 --- a/confluent_server/confluent/sshutil.py +++ b/confluent_server/confluent/sshutil.py @@ -11,6 +11,16 @@ import tempfile agent_pid = None ready_keys = {} +_sshver = None + +def sshver(): + global _sshver + if _sshver is None: + p = subprocess.Popen(['ssh', '-V'], stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + _, output = p.communicate() + _sshver = float(output.split()[0].split(b'_')[1].split(b'p')[0]) + return _sshver def normalize_uid(): curruid = os.geteuid() @@ -23,6 +33,8 @@ def normalize_uid(): def assure_agent(): + if sshver() <= 7.6: + return global agent_pid if agent_pid is None: sai = subprocess.check_output(['ssh-agent']) @@ -41,6 +53,8 @@ def assure_agent(): os.environ[k] = v def get_passphrase(): + if sshver() <= 7.6: + return '' # convert the master key to base64 # for use in ssh passphrase context if cfm._masterkey is None: @@ -106,8 +120,9 @@ def sign_host_key(pubkey, nodename, principals=()): principals = set(principals) principals.add(nodename) principals = ','.join(sorted(principals)) + flags = '-Us' if sshver() > 7.6 else '-s' subprocess.check_call( - ['ssh-keygen', '-Us', '/etc/confluent/ssh/ca.pub', '-I', nodename, + ['ssh-keygen', flags, '/etc/confluent/ssh/ca.pub', '-I', nodename, '-n', principals, '-h', pkeyname]) certname = pkeyname.replace('.pub', '-cert.pub') with open(certname) as cert: