// runSSHKeyImport uses ssh-import-id to find the ssh keys for the specified key ids.
func runSSHKeyImport(keyIds []string) map[string][]importedSSHKey {
importResults := make(map[string][]importedSSHKey, len(keyIds))
for _, keyId := range keyIds {
keyInfo := []importedSSHKey{}
output, err := RunSSHImportId(keyId)
if err != nil {
keyInfo = append(keyInfo, importedSSHKey{err: err})
continue
}
lines := strings.Split(output, "\n")
hasKey := false
for _, line := range lines {
if !strings.HasPrefix(line, "ssh-") {
continue
}
hasKey = true
// ignore key comment (e.g., user@host)
fingerprint, _, err := ssh.KeyFingerprint(line)
keyInfo = append(keyInfo, importedSSHKey{
key: line,
fingerprint: fingerprint,
err: errors.Annotatef(err, "invalid ssh key for %s", keyId),
})
}
if !hasKey {
keyInfo = append(keyInfo, importedSSHKey{
err: errors.Errorf("invalid ssh key id: %s", keyId),
})
}
importResults[keyId] = keyInfo
}
return importResults
}
// currentKeyDataForDelete gathers data used when deleting ssh keys.
func (api *KeyManagerAPI) currentKeyDataForDelete() (
keys map[string]string, invalidKeys []string, comments map[string]string, err error) {
cfg, err := api.state.EnvironConfig()
if err != nil {
return nil, nil, nil, fmt.Errorf("reading current key data: %v", err)
}
// For now, authorised keys are global, common to all users.
existingSSHKeys := ssh.SplitAuthorisedKeys(cfg.AuthorizedKeys())
// Build up a map of keys indexed by fingerprint, and fingerprints indexed by comment
// so we can easily get the key represented by each keyId, which may be either a fingerprint
// or comment.
keys = make(map[string]string)
comments = make(map[string]string)
for _, key := range existingSSHKeys {
fingerprint, comment, err := ssh.KeyFingerprint(key)
if err != nil {
logger.Debugf("keeping unrecognised existing ssh key %q: %v", key, err)
invalidKeys = append(invalidKeys, key)
continue
}
keys[fingerprint] = key
if comment != "" {
comments[comment] = fingerprint
}
}
return keys, invalidKeys, comments, nil
}
// currentKeyDataForDelete gathers data used when deleting ssh keys.
func (api *KeyManagerAPI) currentKeyDataForDelete() (
currentKeys []string, byFingerprint map[string]string, byComment map[string]string, err error) {
cfg, err := api.state.ModelConfig()
if err != nil {
return nil, nil, nil, fmt.Errorf("reading current key data: %v", err)
}
// For now, authorised keys are global, common to all users.
currentKeys = ssh.SplitAuthorisedKeys(cfg.AuthorizedKeys())
// Make two maps that index keys by fingerprint and by comment for fast
// lookup of keys to delete which may be given as either.
byFingerprint = make(map[string]string)
byComment = make(map[string]string)
for _, key := range currentKeys {
fingerprint, comment, err := ssh.KeyFingerprint(key)
if err != nil {
logger.Debugf("keeping unrecognised existing ssh key %q: %v", key, err)
continue
}
byFingerprint[fingerprint] = key
if comment != "" {
byComment[comment] = key
}
}
return currentKeys, byFingerprint, byComment, nil
}
func (s *FingerprintSuite) TestKeyFingerprint(c *gc.C) {
keys := []sshtesting.SSHKey{
sshtesting.ValidKeyOne,
sshtesting.ValidKeyTwo,
sshtesting.ValidKeyThree,
}
for _, k := range keys {
fingerprint, _, err := ssh.KeyFingerprint(k.Key)
c.Assert(err, jc.ErrorIsNil)
c.Assert(fingerprint, gc.Equals, k.Fingerprint)
}
}
// currentKeyDataForAdd gathers data used when adding ssh keys.
func (api *KeyManagerAPI) currentKeyDataForAdd() (keys []string, fingerprints set.Strings, err error) {
fingerprints = make(set.Strings)
cfg, err := api.state.EnvironConfig()
if err != nil {
return nil, nil, fmt.Errorf("reading current key data: %v", err)
}
keys = ssh.SplitAuthorisedKeys(cfg.AuthorizedKeys())
for _, key := range keys {
fingerprint, _, err := ssh.KeyFingerprint(key)
if err != nil {
logger.Warningf("ignoring invalid ssh key %q: %v", key, err)
}
fingerprints.Add(fingerprint)
}
return keys, fingerprints, nil
}
func parseKeys(keys []string, mode ssh.ListMode) (keyInfo []string) {
for _, key := range keys {
fingerprint, comment, err := ssh.KeyFingerprint(key)
if err != nil {
keyInfo = append(keyInfo, fmt.Sprintf("Invalid key: %v", key))
} else {
if mode == ssh.FullKeys {
keyInfo = append(keyInfo, key)
} else {
shortKey := fingerprint
if comment != "" {
shortKey += fmt.Sprintf(" (%s)", comment)
}
keyInfo = append(keyInfo, shortKey)
}
}
}
return keyInfo
}
// SetUp is defined on the worker.NotifyWatchHandler interface.
func (kw *keyupdaterWorker) SetUp() (watcher.NotifyWatcher, error) {
// Record the keys Juju knows about.
jujuKeys, err := kw.st.AuthorisedKeys(kw.tag)
if err != nil {
err = errors.Annotatef(err, "reading Juju ssh keys for %q", kw.tag)
logger.Infof(err.Error())
return nil, err
}
kw.jujuKeys = set.NewStrings(jujuKeys...)
// Read the keys currently in ~/.ssh/authorised_keys.
sshKeys, err := ssh.ListKeys(SSHUser, ssh.FullKeys)
if err != nil {
err = errors.Annotatef(err, "reading ssh authorized keys for %q", kw.tag)
logger.Infof(err.Error())
return nil, err
}
// Record any keys not added by Juju.
for _, key := range sshKeys {
_, comment, err := ssh.KeyFingerprint(key)
// Also record keys which we cannot parse.
if err != nil || !strings.HasPrefix(comment, ssh.JujuCommentPrefix) {
kw.nonJujuKeys = append(kw.nonJujuKeys, key)
}
}
// Write out the ssh authorised keys file to match the current state of the world.
if err := kw.writeSSHKeys(jujuKeys); err != nil {
err = errors.Annotate(err, "adding current Juju keys to ssh authorised keys")
logger.Infof(err.Error())
return nil, err
}
w, err := kw.st.WatchAuthorisedKeys(kw.tag)
if err != nil {
err = errors.Annotate(err, "starting key updater worker")
logger.Infof(err.Error())
return nil, err
}
logger.Infof("%q key updater worker started", kw.tag)
return w, nil
}
// AddKeys adds new authorised ssh keys for the specified user.
func (api *KeyManagerAPI) AddKeys(arg params.ModifyUserSSHKeys) (params.ErrorResults, error) {
if err := api.check.ChangeAllowed(); err != nil {
return params.ErrorResults{}, errors.Trace(err)
}
result := params.ErrorResults{
Results: make([]params.ErrorResult, len(arg.Keys)),
}
if len(arg.Keys) == 0 {
return result, nil
}
if !api.canWrite(arg.User) {
return params.ErrorResults{}, common.ServerError(common.ErrPerm)
}
// For now, authorised keys are global, common to all users.
sshKeys, currentFingerprints, err := api.currentKeyDataForAdd()
if err != nil {
return params.ErrorResults{}, common.ServerError(fmt.Errorf("reading current key data: %v", err))
}
// Ensure we are not going to add invalid or duplicate keys.
result.Results = make([]params.ErrorResult, len(arg.Keys))
for i, key := range arg.Keys {
fingerprint, _, err := ssh.KeyFingerprint(key)
if err != nil {
result.Results[i].Error = common.ServerError(fmt.Errorf("invalid ssh key: %s", key))
continue
}
if currentFingerprints.Contains(fingerprint) {
result.Results[i].Error = common.ServerError(fmt.Errorf("duplicate ssh key: %s", key))
continue
}
sshKeys = append(sshKeys, key)
}
err = api.writeSSHKeys(sshKeys)
if err != nil {
return params.ErrorResults{}, common.ServerError(err)
}
return result, nil
}
func parseKeys(keys []string, mode ssh.ListMode) (keyInfo []string) {
for _, key := range keys {
fingerprint, comment, err := ssh.KeyFingerprint(key)
if err != nil {
keyInfo = append(keyInfo, fmt.Sprintf("Invalid key: %v", key))
continue
}
// Only including user added keys not internal ones.
if internalComments.Contains(comment) {
continue
}
if mode == ssh.FullKeys {
keyInfo = append(keyInfo, key)
} else {
shortKey := fingerprint
if comment != "" {
shortKey += fmt.Sprintf(" (%s)", comment)
}
keyInfo = append(keyInfo, shortKey)
}
}
return keyInfo
}
func (s *FingerprintSuite) TestKeyFingerprintError(c *gc.C) {
_, _, err := ssh.KeyFingerprint("invalid key")
c.Assert(err, gc.ErrorMatches, `generating key fingerprint: invalid authorized_key "invalid key"`)
}