Freshen up ssh and tls helpers

TLS will now work from scratch SSH user key management updated to final design
2025-01-13 11:17:49 +00:00 · 2020-05-21 16:26:01 -04:00 · 2020-05-21 16:26:01 -04:00 · eda645b792
commit eda645b792
parent 8ce8f18f56
2 changed files with 19 additions and 26 deletions
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@ -89,8 +89,10 @@ def create_certificate(keyout=None, certout=None):
        ])
    finally:
        os.remove(tmpconfig)
+    # Could restart the webserver now?
    fname = '/var/lib/confluent/public/site/tls/{0}.pem'.format(
        collective.get_myname())
+    os.makedirs(os.path.dirname(fname))
    shutil.copy2(certout, fname)
    hv = subprocess.check_output(
        ['openssl', 'x509', '-in', certout, '-hash', '-noout'])
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@ -51,41 +51,32 @@ def sign_host_key(pubkey, nodename):
    finally:
        shutil.rmtree(tmpdir)

-def initialize_root_key():
+def initialize_root_key(generate):
    authorized = []
+    myname = collective.get_myname()
    for currkey in glob.glob('/root/.ssh/*.pub'):
-        authorized.append(open(currkey).read())
-    if not authorized:
+        authorized.append(currkey)
+    if generate and not authorized:
        subprocess.check_call(['ssh-keygen', '-t', 'ed25519', '-f', '/root/.ssh/id_ed25519', '-N', ''])
        for currkey in glob.glob('/root/.ssh/*.pub'):
-            authorized.append(open(currkey).read())
+            authorized.append(currkey)
    try:
-        os.makedirs('/var/lib/confluent/ssh', mode=0o755)
+        os.makedirs('/var/lib/confluent/public/site/ssh', mode=0o755)
        neededuid = os.stat('/etc/confluent').st_uid
-        os.chown('/var/lib/confluent/ssh', neededuid, -1)
+        os.chown('/var/lib/confluent/public/site/ssh', neededuid, -1)
    except OSError as e:
        if e.errno != 17:
            raise
    for auth in authorized:
-        if 'PRIVATE' in auth:
-            continue
-        currcomment = auth.split(' ', 2)[-1].strip()
-        curralgo = auth.split(' ', 1)[0]
-        authed = []
-        try:
-            with open('/var/lib/confluent/ssh/authorized_keys', 'r') as ak:
-                for keyline in ak:
-                    comment = keyline.split(' ', 2)[-1].strip()
-                    algo = keyline.split(' ', 1)[0]
-                    if currcomment != comment or algo != curralgo:
-                        authed.append(keyline)
-        except OSError as e:
-            if e.errno != 2:
-                raise
-        authed.append(auth)
-        with open('/var/lib/confluent/ssh/authorized_keys', 'w') as ak:
-            for auth in authed:
-                ak.write(auth)
+        shutil.copy(
+            auth,
+            '/var/lib/confluent/public/site/ssh/{0}.rootpubkey'.format(
+                    myname))
+        os.chmod('/var/lib/confluent/public/site/ssh/{0}.rootpubkey'.format(
+                myname), 0o644)
+        os.chown('/var/lib/confluent/public/site/ssh/{0}.rootpubkey'.format(
+                myname), neededuid, -1)
+


 def ca_exists():
@ -93,7 +84,7 @@ def ca_exists():


 if __name__ == '__main__':
-    initialize_root_key()
+    initialize_root_key(True)
    if not ca_exists():
        initialize_ca()
    print(repr(sign_host_key(open('/etc/ssh/ssh_host_ed25519_key.pub').read(), collective.get_myname())))