nh: remove hardcoded .ssh/authorized_keys2 everywhere

5 years ago · 4cb09a9570
parent 19d523c8c4
commit 4cb09a9570
10 changed files with 29 additions and 20 deletions
--- a/bin/admin/install
+++ b/bin/admin/install
@ -645,14 +645,14 @@ if [ "$nothing" = 0 ]; then
    fi

    # fix bad authorized_keys2 contents created in some cases before v2.30.00
-    action_doing "Fixing potential buggy keys in authorized_keys2 contents"
+    action_doing "Fixing potential buggy keys in $AK_FILE contents"
    at_least_one_changed=0
    for account in $(getent passwd | grep ":$basedir/bin/shell/osh.pl$" | cut -d: -f1); do
-        test -f "/home/$account/.ssh/authorized_keys2" || continue
-        grep -Eq '^from="[^ ]+"(ssh-|ecdsa-)' "/home/$account/.ssh/authorized_keys2" || continue
+        test -f "/home/$account/$AK_FILE" || continue
+        grep -Eq '^from="[^ ]+"(ssh-|ecdsa-)' "/home/$account/$AK_FILE" || continue
        at_least_one_changed=1
        action_detail "... $account"
-        sed_compat 's/^(from="[^ ]+")(ssh-|ecdsa-)/\1 \2/g' "/home/$account/.ssh/authorized_keys2"
+        sed_compat 's/^(from="[^ ]+")(ssh-|ecdsa-)/\1 \2/g' "/home/$account/$AK_FILE"
    done
    if [ "$at_least_one_changed" = 1 ]; then
        action_done
--- a/bin/admin/osh-sync-watcher.sh
+++ b/bin/admin/osh-sync-watcher.sh
@ -84,8 +84,8 @@ do
                test -e "$grouphome/allowed.ip" && echo "$grouphome/allowed.ip"
            done
            # all authorized_keys files of bastion accounts:
-            for accountssh in $(getent passwd | grep ":$basedir/bin/shell/osh.pl\$" | cut -d: -f1 | sed 's=^=/home/=;s=$=/.ssh/='); do
-                find "$accountssh" -mindepth 1 -maxdepth 1 -name 'authorized_keys*' ! -name "*.backup*" -type f -print
+            for accounthome in $(getent passwd | grep ":$basedir/bin/shell/osh.pl\$" | cut -d: -f6); do
+                test -f "$accounthome/$AK_FILE" && echo "$accounthome/$AK_FILE"
            done
        } | head -"$maxfiles" | timeout "$timeout" inotifywait -e close_write -e moved_to -e create -e delete -e delete_self --quiet --recursive --csv --fromfile - ; ret=$?
        if [ "$ret" = 124 ] ; then
--- a/bin/helper/osh-accountCreate
+++ b/bin/helper/osh-accountCreate
@ -217,11 +217,12 @@ mkdir $homedir . "/.ssh" if (!-d "$homedir/.ssh");
 chmod 0750, $homedir . "/.ssh";
 chown $uid, $uid, "$homedir/.ssh";

-if (!OVH::Bastion::touch_file("$homedir/.ssh/authorized_keys2")) {
+my $akfile = $homedir . '/' . OVH::Bastion::AK_FILE;
+if (!OVH::Bastion::touch_file($akfile)) {
    HEXIT('ERR_CANNOT_CREATE_FILE', msg => "Failed to create authorized_keys file");
 }
-chmod 0640, $homedir . "/.ssh/authorized_keys2";
-chown $uid, $uid, "$homedir/.ssh/authorized_keys2";
+chmod 0640, $akfile;
+chown $uid, $uid, $akfile;

 osh_info "Creating tty group of account...";
 $fnret = OVH::Bastion::sys_groupadd(noisy_stderr => 1, group => $ttygroup, gid => $ttygid);
@ -349,16 +350,15 @@ osh_debug('user keyreader added to group');
 my $finalPrefix = $realmFrom ? sprintf('from="%s"', $realmFrom) : $from;
 $finalPrefix .= ' ' if $finalPrefix;

-osh_info "Adding provided public key in authorized_keys...";
-my $allowedKeyFile = $homedir . '/.ssh/authorized_keys2';
-if (open(my $fh_keys, '>>', $allowedKeyFile)) {
+osh_info "Adding provided public key in authorized_keys file...";
+if (open(my $fh_keys, '>>', $akfile)) {
    foreach my $key (@vettedKeys) {
        print $fh_keys $finalPrefix . $key . "\n";
    }
    close($fh_keys);
 }
 else {
-    HEXIT("ERR_CANNOT_ADD_KEY", msg => "Couldn't open $allowedKeyFile when trying to add provided public key");
+    HEXIT("ERR_CANNOT_ADD_KEY", msg => "Couldn't open $akfile when trying to add provided public key");
 }

 # push this flag to prevent ssh/telnet usage
@ -369,7 +369,7 @@ if ($oshOnly) {

 # chown to root so user can no longer touch it
 if ($immutableKey) {
-    chown 0, -1, $allowedKeyFile;
+    chown 0, -1, $akfile;
 }

 osh_info "Generating account personal bastion key...";
--- a/bin/helper/osh-accountListIngressKeys
+++ b/bin/helper/osh-accountListIngressKeys
@ -80,7 +80,7 @@ else {
 #<PARAMS:ACCOUNT

 my @keys;
-foreach my $file ("$accounthome/.ssh/authorized_keys2", "$accounthome/.ssh/authorized_keys") {
+foreach my $file ($accounthome . '/' . OVH::Bastion::AK_FILE) {
    $fnret = OVH::Bastion::get_authorized_keys_from_file(file => $file);
    push @keys, @{$fnret->value} if ($fnret && $fnret->value);
 }
--- a/bin/plugin/open/selfAddIngressKey
+++ b/bin/plugin/open/selfAddIngressKey
@ -42,7 +42,7 @@ if ($fnret && $fnret->value eq 'yes') {
    osh_exit R('ERR_ACCESS_DENIED', msg => "PIV-only policy is enabled for your account, you can't add new keys this way");
 }

-my $allowedKeyFile = $HOME . '/.ssh/authorized_keys2';
+my $allowedKeyFile = $HOME . '/' . OVH::Bastion::AK_FILE;

 if (not defined $pubKey) {
    $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
--- a/bin/plugin/open/selfDelIngressKey
+++ b/bin/plugin/open/selfDelIngressKey
@ -38,7 +38,7 @@ if ($fingerprintToDelete and defined $lineNumberToDelete) {
    osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "You can't specify a line to delete AND a fingerprint to delete at the same time";
 }

-my $allowedKeyFile = "$HOME/.ssh/authorized_keys2";
+my $allowedKeyFile = $HOME . '/' . OVH::Bastion::AK_FILE;
 $fnret = OVH::Bastion::get_authorized_keys_from_file(file => $allowedKeyFile, includeInvalid => 1);
 $fnret or osh_exit $fnret;

--- a/bin/plugin/open/selfListIngressKeys
+++ b/bin/plugin/open/selfListIngressKeys
@ -24,7 +24,7 @@ EOF

 my $fnret;

-$fnret = OVH::Bastion::get_authorized_keys_from_file(file => "$HOME/.ssh/authorized_keys2", includeInvalid => 1);
+$fnret = OVH::Bastion::get_authorized_keys_from_file(file => $HOME . '/' . OVH::Bastion::AK_FILE, includeInvalid => 1);
 $fnret or osh_exit $fnret;

 my @result;
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@ -106,6 +106,10 @@ use constant {
    TOTP_FILENAME => '.otp',
    TOTP_BASEDIR  => '/var/otp',

+    # authorized_keys file, relative to the user's HOME directory.
+    # if you change this, also change it in lib/shell/functions.inc
+    AK_FILE => '.ssh/authorized_keys2',
+
    OPT_ACCOUNT_INGRESS_PIV_POLICY => 'ingress_piv_policy',
    OPT_ACCOUNT_INGRESS_PIV_GRACE  => 'ingress_piv_grace',
    OPT_ACCOUNT_ALWAYS_ACTIVE      => 'always_active',
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
@ -765,7 +765,7 @@ sub ssh_ingress_keys_piv_apply {
    $account = $fnret->value->{'account'};
    my $dir = $fnret->value->{'dir'};

-    $fnret = OVH::Bastion::get_authorized_keys_from_file(account => $account, file => "$dir/.ssh/authorized_keys2", includePivDisabled => 1);
+    $fnret = OVH::Bastion::get_authorized_keys_from_file(account => $account, file => $dir . '/' . OVH::Bastion::AK_FILE(), includePivDisabled => 1);
    $fnret or return $fnret;

    my $keys = $fnret->value();
@ -808,7 +808,7 @@ sub ssh_ingress_keys_piv_apply {
        return R('ERR_INVALID_PARAMETER', msg => "Argument 'action' must be either 'enable' or 'disable'");
    }

-    $fnret = OVH::Bastion::put_authorized_keys_to_file(account => $account, file => "$dir/.ssh/authorized_keys2", data => \@keysToWrite);
+    $fnret = OVH::Bastion::put_authorized_keys_to_file(account => $account, file => $dir . '/' . OVH::Bastion::AK_FILE(), data => \@keysToWrite);
    $fnret or return $fnret;

    OVH::Bastion::syslogFormatted(
--- a/lib/shell/functions.inc
+++ b/lib/shell/functions.inc
@ -4,6 +4,11 @@
 # shellcheck source=lib/shell/colors.inc disable=SC2128
 . "$(dirname "$BASH_SOURCE")"/colors.inc

+# authorized_keys file, relative to the user's HOME directory.
+# if you change this, also change it in lib/perl/OVH/Bastion.pm
+# shellcheck disable=SC2034
+AK_FILE=".ssh/authorized_keys2"
+
 OS_FAMILY=$(uname -s)
 LINUX_DISTRO=unknown
 DISTRO_VERSION=''