From 4cb09a95708ef488dcb873cba08d3153416f3548 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Thu, 26 Nov 2020 10:40:14 +0000
Subject: [PATCH] nh: remove hardcoded .ssh/authorized_keys2 everywhere

---
 bin/admin/install | 8 ++++----
 bin/admin/osh-sync-watcher.sh | 4 ++--
 bin/helper/osh-accountCreate | 16 ++++++++--------
 bin/helper/osh-accountListIngressKeys | 2 +-
 bin/plugin/open/selfAddIngressKey | 2 +-
 bin/plugin/open/selfDelIngressKey | 2 +-
 bin/plugin/open/selfListIngressKeys | 2 +-
 lib/perl/OVH/Bastion.pm | 4 ++++
 lib/perl/OVH/Bastion/ssh.inc | 4 ++--
 lib/shell/functions.inc | 5 +++++
 10 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/bin/admin/install b/bin/admin/install
index 1ae92da..c0f826c 100755
--- a/bin/admin/install
+++ b/bin/admin/install
@@ -645,14 +645,14 @@ if [ "$nothing" = 0 ]; then
 fi
 
 # fix bad authorized_keys2 contents created in some cases before v2.30.00
- action_doing "Fixing potential buggy keys in authorized_keys2 contents"
+ action_doing "Fixing potential buggy keys in $AK_FILE contents"
 at_least_one_changed=0
 for account in $(getent passwd | grep ":$basedir/bin/shell/osh.pl$" | cut -d: -f1); do
- test -f "/home/$account/.ssh/authorized_keys2" || continue
- grep -Eq '^from="[^ ]+"(ssh-|ecdsa-)' "/home/$account/.ssh/authorized_keys2" || continue
+ test -f "/home/$account/$AK_FILE" || continue
+ grep -Eq '^from="[^ ]+"(ssh-|ecdsa-)' "/home/$account/$AK_FILE" || continue
 at_least_one_changed=1
 action_detail "... $account"
- sed_compat 's/^(from="[^ ]+")(ssh-|ecdsa-)/\1 \2/g' "/home/$account/.ssh/authorized_keys2"
+ sed_compat 's/^(from="[^ ]+")(ssh-|ecdsa-)/\1 \2/g' "/home/$account/$AK_FILE"
 done
 if [ "$at_least_one_changed" = 1 ]; then
 action_done
diff --git a/bin/admin/osh-sync-watcher.sh b/bin/admin/osh-sync-watcher.sh
index cf26f95..c21d54e 100755
--- a/bin/admin/osh-sync-watcher.sh
+++ b/bin/admin/osh-sync-watcher.sh
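Review bot: The new `test -f "/home/$account/$AK_FILE"` line, and the `grep` and `sed_compat` lines below it, still assume every bastion account's home is under `/home`, while the `osh-sync-watcher.sh` hunk of this same commit reads the home directory from the passwd entry (`cut -d: -f6`); an account with a different home is skipped here with no message. Taking the home from field 6 of the same `getent passwd` line, as the watcher does, would make the two scripts agree on which file they repair and watch. Also, `$AK_FILE` is defined in `lib/shell/functions.inc` and nothing in this hunk shows it being sourced; if it is ever empty the path degenerates to `/home/$account/`, `test -f` fails for every account and the fix-up silently does nothing, so a guard before the loop, `: "${AK_FILE:?AK_FILE is not set}"`, would turn that into a hard failure. The enclosing `if [ "$nothing" = 0 ]` block starts and ends outside the hunk.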
@@ -84,8 +84,8 @@ do
 test -e "$grouphome/allowed.ip" && echo "$grouphome/allowed.ip"
 done
 # all authorized_keys files of bastion accounts:
- for accountssh in $(getent passwd | grep ":$basedir/bin/shell/osh.pl\$" | cut -d: -f1 | sed 's=^=/home/=;s=$=/.ssh/='); do
- find "$accountssh" -mindepth 1 -maxdepth 1 -name 'authorized_keys*' ! -name "*.backup*" -type f -print
+ for accounthome in $(getent passwd | grep ":$basedir/bin/shell/osh.pl\$" | cut -d: -f6); do
+ test -f "$accounthome/$AK_FILE" && echo "$accounthome/$AK_FILE"
 done
 } | head -"$maxfiles" | timeout "$timeout" inotifywait -e close_write -e moved_to -e create -e delete -e delete_self --quiet --recursive --csv --fromfile - ; ret=$?
 if [ "$ret" = 124 ] ; then
diff --git a/bin/helper/osh-accountCreate b/bin/helper/osh-accountCreate
index a0b2c9a..a87d9a1 100755
--- a/bin/helper/osh-accountCreate
+++ b/bin/helper/osh-accountCreate
@@ -217,11 +217,12 @@ mkdir $homedir . "/.ssh" if (!-d "$homedir/.ssh");
 chmod 0750, $homedir . "/.ssh";
 chown $uid, $uid, "$homedir/.ssh";
-if (!OVH::Bastion::touch_file("$homedir/.ssh/authorized_keys2")) {
+my $akfile = $homedir . '/' . OVH::Bastion::AK_FILE;
+if (!OVH::Bastion::touch_file($akfile)) {
 HEXIT('ERR_CANNOT_CREATE_FILE', msg => "Failed to create authorized_keys file");
 }
-chmod 0640, $homedir . "/.ssh/authorized_keys2";
-chown $uid, $uid, "$homedir/.ssh/authorized_keys2";
+chmod 0640, $akfile;
+chown $uid, $uid, $akfile;
 
 osh_info "Creating tty group of account...";
 $fnret = OVH::Bastion::sys_groupadd(noisy_stderr => 1, group => $ttygroup, gid => $ttygid);
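Review bot: Replacing `find ... -name 'authorized_keys*'` with a single `test -f "$accounthome/$AK_FILE"` narrows what the watcher reports: a change to any other `authorized_keys*` file in an account's `.ssh` directory (for instance a plain `authorized_keys`, which sshd also reads under its default `AuthorizedKeysFile`) no longer triggers a sync. That is only correct if the bastion's sshd is configured to read nothing but `$AK_FILE`, which this hunk cannot show, so the assumption deserves a comment on the `test -f` line, e.g. `# only $AK_FILE is watched: sshd must be configured to read no other authorized_keys file`. Separately, `for accounthome in $(...)` word-splits the home paths, so a home directory containing whitespace is broken into several bogus entries; `getent passwd | grep ":$basedir/bin/shell/osh.pl\$" | while IFS=: read -r _ _ _ _ _ accounthome _; do test -f "$accounthome/$AK_FILE" && echo "$accounthome/$AK_FILE"; done` avoids that, though the old loop had the same weakness. The brace group this loop sits in opens before the hunk.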
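Review bot: The new `chmod 0640, $akfile;` and `chown $uid, $uid, $akfile;` lines are unchecked, so if either fails the freshly created ingress keys file keeps umask-derived permissions or the wrong owner and the helper carries on as if the account were set up correctly, whereas the `touch_file` failure two lines above is fatal. Making all three consistent is a one-line change each, `chmod 0640, $akfile or HEXIT('ERR_CANNOT_CREATE_FILE', msg => "Failed to chmod $akfile: $!");` and likewise for `chown`; a badly-permissioned authorized_keys file is also something sshd's StrictModes check may refuse, which would surface later as an unexplained login failure. Since `$akfile` is what the hunks at 350 and 369 use too, a short comment on its declaration, `# full path of the account's ingress keys file (AK_FILE is relative to HOME)`, would help readers of those hunks.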
@@ -349,16 +350,15 @@ osh_debug('user keyreader added to group');
 my $finalPrefix = $realmFrom ? sprintf('from="%s"', $realmFrom) : $from;
 $finalPrefix .= ' ' if $finalPrefix;
 
-osh_info "Adding provided public key in authorized_keys...";
-my $allowedKeyFile = $homedir . '/.ssh/authorized_keys2';
-if (open(my $fh_keys, '>>', $allowedKeyFile)) {
+osh_info "Adding provided public key in authorized_keys file...";
+if (open(my $fh_keys, '>>', $akfile)) {
 foreach my $key (@vettedKeys) {
 print $fh_keys $finalPrefix . $key . "\n";
 }
 close($fh_keys);
 }
 else {
- HEXIT("ERR_CANNOT_ADD_KEY", msg => "Couldn't open $allowedKeyFile when trying to add provided public key");
+ HEXIT("ERR_CANNOT_ADD_KEY", msg => "Couldn't open $akfile when trying to add provided public key");
 }
 
 # push this flag to prevent ssh/telnet usage
@@ -369,7 +369,7 @@ if ($oshOnly) {
 
 # chown to root so user can no longer touch it
 if ($immutableKey) {
- chown 0, -1, $allowedKeyFile;
+ chown 0, -1, $akfile;
 }
 
 osh_info "Generating account personal bastion key...";
diff --git a/bin/helper/osh-accountListIngressKeys b/bin/helper/osh-accountListIngressKeys
index 251a199..2de7399 100755
--- a/bin/helper/osh-accountListIngressKeys
+++ b/bin/helper/osh-accountListIngressKeys
@@ -80,7 +80,7 @@ else { # $file); push @keys, @{$fnret->value} if ($fnret && $fnret->value); }
diff --git a/bin/plugin/open/selfAddIngressKey b/bin/plugin/open/selfAddIngressKey
index 852e8bf..5fb3aa9 100755
--- a/bin/plugin/open/selfAddIngressKey
+++ b/bin/plugin/open/selfAddIngressKey
@@ -42,7 +42,7 @@ if ($fnret && $fnret->value eq 'yes') {
 osh_exit R('ERR_ACCESS_DENIED', msg => "PIV-only policy is enabled for your account, you can't add new keys this way");
 }
 
-my $allowedKeyFile = $HOME . '/.ssh/authorized_keys2';
+my $allowedKeyFile = $HOME . '/' . OVH::Bastion::AK_FILE;
 
 if (not defined $pubKey) {
 $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
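Review bot: The `print $fh_keys ...` and `close($fh_keys);` calls that now write to `$akfile` are unchecked, so a short write (disk full, quota) can leave a truncated key line in the file while the helper goes on to report success; only the `open` failure is handled. Buffered write errors surface at close, so `close($fh_keys) or HEXIT("ERR_CANNOT_ADD_KEY", msg => "Couldn't write $akfile: $!");` covers both. The same applies to the unchecked `chown 0, -1, $akfile;` in the hunk at 369: if it fails, the key file that is meant to be immutable for the account stays owned by the account, so it deserves an `or HEXIT(...)` as well.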
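Review bot: `OVH::Bastion::AK_FILE` is used as a bareword here and in the `selfDelIngressKey` and `selfListIngressKeys` hunks, while the `ssh.inc` hunks write `OVH::Bastion::AK_FILE()`. The bareword form only compiles because the constant is already defined when this file is parsed; if the module load order ever changes, `use strict` rejects it as a bareword and the error is not obviously about a missing constant. Standardising on the explicit call form, `my $allowedKeyFile = $HOME . '/' . OVH::Bastion::AK_FILE();`, removes that dependency and matches `ssh.inc`.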
diff --git a/bin/plugin/open/selfDelIngressKey b/bin/plugin/open/selfDelIngressKey
index 58f2942..d975a32 100755
--- a/bin/plugin/open/selfDelIngressKey
+++ b/bin/plugin/open/selfDelIngressKey
@@ -38,7 +38,7 @@ if ($fingerprintToDelete and defined $lineNumberToDelete) {
 osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "You can't specify a line to delete AND a fingerprint to delete at the same time";
 }
 
-my $allowedKeyFile = "$HOME/.ssh/authorized_keys2";
+my $allowedKeyFile = $HOME . '/' . OVH::Bastion::AK_FILE;
 $fnret = OVH::Bastion::get_authorized_keys_from_file(file => $allowedKeyFile, includeInvalid => 1);
 $fnret or osh_exit $fnret;
diff --git a/bin/plugin/open/selfListIngressKeys b/bin/plugin/open/selfListIngressKeys
index 88c9dfb..ab0b7ee 100755
--- a/bin/plugin/open/selfListIngressKeys
+++ b/bin/plugin/open/selfListIngressKeys
@@ -24,7 +24,7 @@ EOF
 my $fnret;
-$fnret = OVH::Bastion::get_authorized_keys_from_file(file => "$HOME/.ssh/authorized_keys2", includeInvalid => 1);
+$fnret = OVH::Bastion::get_authorized_keys_from_file(file => $HOME . '/' . OVH::Bastion::AK_FILE, includeInvalid => 1);
 $fnret or osh_exit $fnret;
 my @result;
diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm
index 5c0a1fa..34414fa 100644
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@@ -106,6 +106,10 @@ use constant {
 TOTP_FILENAME => '.otp',
 TOTP_BASEDIR => '/var/otp',
 
+ # authorized_keys file, relative to the user's HOME directory.
+ # if you change this, also change it in lib/shell/functions.inc
+ AK_FILE => '.ssh/authorized_keys2',
+
 OPT_ACCOUNT_INGRESS_PIV_POLICY => 'ingress_piv_policy',
 OPT_ACCOUNT_INGRESS_PIV_GRACE => 'ingress_piv_grace',
 OPT_ACCOUNT_ALWAYS_ACTIVE => 'always_active',
diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index 3a3f217..2b3121c 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
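Review bot: `AK_FILE` now exists twice, here and in the `lib/shell/functions.inc` hunk, held together only by the reciprocal `# if you change this` comments; if the two drift, the Perl side creates and edits ingress keys in one file while the shell side (`install` fix-up, `osh-sync-watcher.sh`) repairs and watches another, and nothing fails loudly. A small test that extracts both values and fails when they differ would make such a drift visible before release. The comment could also say why the value is duplicated rather than shared — if it is because the shell helpers cannot load this module, `# duplicated in lib/shell/functions.inc because the shell helpers cannot load this module` — so the next maintainer does not try to fold one copy into the other.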
@@ -765,7 +765,7 @@ sub ssh_ingress_keys_piv_apply {
 $account = $fnret->value->{'account'};
 my $dir = $fnret->value->{'dir'};
 
- $fnret = OVH::Bastion::get_authorized_keys_from_file(account => $account, file => "$dir/.ssh/authorized_keys2", includePivDisabled => 1);
+ $fnret = OVH::Bastion::get_authorized_keys_from_file(account => $account, file => $dir . '/' . OVH::Bastion::AK_FILE(), includePivDisabled => 1);
 $fnret or return $fnret;
 my $keys = $fnret->value();
@@ -808,7 +808,7 @@ sub ssh_ingress_keys_piv_apply {
 return R('ERR_INVALID_PARAMETER', msg => "Argument 'action' must be either 'enable' or 'disable'");
 }
 
- $fnret = OVH::Bastion::put_authorized_keys_to_file(account => $account, file => "$dir/.ssh/authorized_keys2", data => \@keysToWrite);
+ $fnret = OVH::Bastion::put_authorized_keys_to_file(account => $account, file => $dir . '/' . OVH::Bastion::AK_FILE(), data => \@keysToWrite);
 $fnret or return $fnret;
 
 OVH::Bastion::syslogFormatted(
diff --git a/lib/shell/functions.inc b/lib/shell/functions.inc
index 436db66..b291355 100644
--- a/lib/shell/functions.inc
+++ b/lib/shell/functions.inc
@@ -4,6 +4,11 @@
 # shellcheck source=lib/shell/colors.inc disable=SC2128
 . "$(dirname "$BASH_SOURCE")"/colors.inc
 
+# authorized_keys file, relative to the user's HOME directory.
+# if you change this, also change it in lib/perl/OVH/Bastion.pm
+# shellcheck disable=SC2034
+AK_FILE=".ssh/authorized_keys2"
+
 OS_FAMILY=$(uname -s)
 LINUX_DISTRO=unknown
 DISTRO_VERSION=''