Changeset 2045 in ProjectBuilder for devel/pb


Timestamp:
Feb 19, 2016, 2:52:23 AM (8 years ago)
Author:
Bruno Cornec
Message:
  • pb now scans the VM or RM to detect whether it supports ECDSA. If yes, the pb_ecdsa key file is used; if not, it falls back to DSA. But that also forces the cleanup of the authorized_keys file on the VM|RM to be done once the VM is launched, so that the scan works.
File:
1 edited

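--- a/devel/pb/bin/pb
+++ b/devel/pb/bin/pb
@@ -2538,5 +2538,5 @@
         $cptarget = "CPAN";
     } else {
-        my $keyfile = pb_ssh_get(0);
+        my $keyfile = pb_ssh_get(0,$mac,$nport);
         my $keyopt = "";
         $keyopt = "-i $keyfile" if ((defined $keyfile) && ($cmt !~ /Packages/));
@@ -3569,44 +3569,10 @@
         print SCRIPT "pb_system('rm -f /dev/null; mknod /dev/null c 1 3; chmod 777 /dev/null');\n" unless (($pbos->{'name'} =~ /^redhat/) && ($pbos->{'version'} =~ /^6/));
     } elsif ($vtype =~ /(v|r)m/) {
-        my $keyfile;
-        my ($zero0,$zero1,$zero2);
-   
-        # Prepare the key to be used and transfered remotely
-        $keyfile = pb_ssh_get(1);
-   
-        # Store the pub key part in a variable
-        open(FILE,"$keyfile.pub") || die "Unable to open $keyfile.pub";
-        ($zero0,$zero1,$zero2) = split(/ /,<FILE>);
-        close(FILE);
-   
-        $key = "\Q$zero1";
+        # Nothing to do now.
+        my $useless = 0;
     } else {
         die "Unknown virtual type $vtype";
     }
 
-    if ($vtype =~ /(v|r)m/) {
-        print SCRIPT << 'EOF';
-# Removes duplicate in .ssh/authorized_keys of our key if needed
-#
-my $file1="$ENV{'HOME'}/.ssh/authorized_keys";
-open(PBFILE,$file1) || die "Unable to open $file1";
-open(PBOUT,"> $file1.new") || die "Unable to open $file1.new";
-my $count = 0;
-while (<PBFILE>) {
-
-EOF
-        print SCRIPT << "EOF";
-    if (/ $key /) {
-        \$count++;
-    }
-print PBOUT \$_ if ((\$count <= 1) || (\$_ !~ / $key /));
-}
-close(PBFILE);
-close(PBOUT);
-rename("\$file1.new",\$file1);
-chmod 0600,\$file1;
-
-EOF
-    }
     print SCRIPT << 'EOF';
 
@@ -4508,4 +4474,6 @@
 
 my $create = shift || 0;    # Do not create keys by default
+my $target = shift || "localhost";
+my $nport = shift || "22";
 
 my ($pbagent) = pb_conf_get_if("pbusesshagent");
@@ -4515,4 +4483,12 @@
 # Check the SSH environment
 my $keyfile = undef;
+
+# Check whether ecdsa is accepted by the remote host
+my $ecdsa = 0;
+open(SCAN,"ssh-keyscan -p $nport -t ecdsa $target|") || pb_log(0,"Unable to check ECDSA support for $target");
+while(<SCAN>) {
+    $ecdsa = 1 if ($_ =~ /ecdsa-/);
+}
+close(SCAN);
 
 # We have specific keys by default
@@ -4530,5 +4506,5 @@
 $keyfile = "$ENV{'HOME'}/.ssh/id_dsa" if (-s "$ENV{'HOME'}/.ssh/id_dsa");
 $keyfile = "$ENV{'HOME'}/.ssh/pb_dsa" if (-s "$ENV{'HOME'}/.ssh/pb_dsa");
-$keyfile = "$ENV{'HOME'}/.ssh/pb_ecdsa" if (-s "$ENV{'HOME'}/.ssh/pb_ecdsa");
+$keyfile = "$ENV{'HOME'}/.ssh/pb_ecdsa" if ((-s "$ENV{'HOME'}/.ssh/pb_ecdsa") && ($ecdsa != 0));
 die "Unable to find your public ssh key under $ENV{'HOME'}/.ssh" if (not defined $keyfile);
 return($keyfile);
@@ -4947,9 +4923,39 @@
 ($vmhost) = pb_conf_get($vtype."host");
 # Prepare the key to be used and transfered remotely
-$keyfile = pb_ssh_get(1);
+$keyfile = pb_ssh_get(1,$vmhost->{$ENV{'PBPROJ'}},$nport);
 
 # We call true to avoid problems if SELinux is not activated, but chcon is present and returns in that case 1
 pb_system("cat $keyfile.pub | ssh -q -o UserKnownHostsFile=/dev/null -p $nport -i $keyfile root\@$vmhost->{$ENV{'PBPROJ'}} \"mkdir -p .ssh ; chmod 700 .ssh ; cat >> .ssh/authorized_keys ; chmod 600 .ssh/authorized_keys ; if [ -x /usr/bin/chcon ]; then /usr/bin/chcon -Rt home_ssh_t .ssh 2> /dev/null; /bin/true; fi\"","Copying local keys to $vtype. This may require the root password");
 # once this is done, we can do what we need on the VM/RM remotely
+
+# in particular we can remove duplicate in .ssh/authorized_keys of our key if needed
+# Store the pub key part in a variable
+open(FILE,"$keyfile.pub") || die "Unable to open $keyfile.pub";
+my ($zero0,$zero1,$zero2) = split(/ /,<FILE>);
+close(FILE);
+my $key = "\Q$zero1";
+my $perls = "$ENV{'PBTMP'}/perls.$$";
+       
+open(FILE,"> $perls") || die "Unable to open $perls";
+print FILE << 'EOF';
+my $file1="$ENV{'HOME'}/.ssh/authorized_keys";
+open(PBFILE,$file1) || die "Unable to open $file1";
+open(PBOUT,"> $file1.new") || die "Unable to open $file1.new";
+my $count = 0;
+while (<PBFILE>) {
+EOF
+print FILE << "EOF";
+    if (/ $key /) {
+        \$count++;
+    }
+    print PBOUT \$_ if ((\$count <= 1) || (\$_ !~ / $key /));
+}
+close(PBFILE);
+close(PBOUT);
+rename("\$file1.new",\$file1);
+chmod 0600,\$file1;
+EOF
+close(FILE);
+pb_system("cat $perls | ssh -q -o UserKnownHostsFile=/dev/null -p $nport -i $keyfile root\@$vmhost->{$ENV{'PBPROJ'}} perl","","quiet");
 return;
 }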
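Review bot: The ECDSA probe added at new lines 4487-4492 runs ssh-keyscan through a two-argument piped open with `$target` and `$nport` interpolated into the command string, so a host name or port taken from configuration passes through the shell unquoted; the list form keeps the shell out of the picture: `open(SCAN,'-|','ssh-keyscan','-p',$nport,'-t','ecdsa',$target) || pb_log(0,"Unable to check ECDSA support for $target");`. The exit status of ssh-keyscan is never inspected either, so a scan that fails, times out or is blocked leaves `$ecdsa` at 0 and silently selects the DSA key at new line 4508; `close(SCAN) || pb_log(0,"ssh-keyscan ECDSA probe of $target failed, falling back to DSA");` would at least make that downgrade visible in the log. Since ssh-keyscan is an unauthenticated probe, its answer should be documented as a hint about what the remote host advertises rather than a guarantee, e.g. `# Unauthenticated probe: a missing answer only means we cannot confirm ECDSA support`. The enclosing subroutine starts outside the hunk. In the last hunk the temporary script `$perls` written under `$ENV{'PBTMP'}` is never unlinked after the remote run, so a `unlink($perls);` after the `pb_system` call would avoid leaving it behind.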