// currentKeyDataForDelete gathers data used when deleting ssh keys. func (api *KeyManagerAPI) currentKeyDataForDelete() ( keys map[string]string, invalidKeys []string, comments map[string]string, err error) { cfg, err := api.state.EnvironConfig() if err != nil { return nil, nil, nil, fmt.Errorf("reading current key data: %v", err) } // For now, authorised keys are global, common to all users. existingSSHKeys := ssh.SplitAuthorisedKeys(cfg.AuthorizedKeys()) // Build up a map of keys indexed by fingerprint, and fingerprints indexed by comment // so we can easily get the key represented by each keyId, which may be either a fingerprint // or comment. keys = make(map[string]string) comments = make(map[string]string) for _, key := range existingSSHKeys { fingerprint, comment, err := ssh.KeyFingerprint(key) if err != nil { logger.Debugf("keeping unrecognised existing ssh key %q: %v", key, err) invalidKeys = append(invalidKeys, key) continue } keys[fingerprint] = key if comment != "" { comments[comment] = fingerprint } } return keys, invalidKeys, comments, nil }
// SetUp is defined on the worker.NotifyWatchHandler interface. func (kw *keyupdaterWorker) SetUp() (watcher.NotifyWatcher, error) { // Record the keys Juju knows about. jujuKeys, err := kw.st.AuthorisedKeys(kw.tag) if err != nil { return nil, errors.LoggedErrorf(logger, "reading Juju ssh keys for %q: %v", kw.tag, err) } kw.jujuKeys = set.NewStrings(jujuKeys...) // Read the keys currently in ~/.ssh/authorised_keys. sshKeys, err := ssh.ListKeys(SSHUser, ssh.FullKeys) if err != nil { return nil, errors.LoggedErrorf(logger, "reading ssh authorized keys for %q: %v", kw.tag, err) } // Record any keys not added by Juju. for _, key := range sshKeys { _, comment, err := ssh.KeyFingerprint(key) // Also record keys which we cannot parse. if err != nil || !strings.HasPrefix(comment, ssh.JujuCommentPrefix) { kw.nonJujuKeys = append(kw.nonJujuKeys, key) } } // Write out the ssh authorised keys file to match the current state of the world. if err := kw.writeSSHKeys(jujuKeys); err != nil { return nil, errors.LoggedErrorf(logger, "adding current Juju keys to ssh authorised keys: %v", err) } w, err := kw.st.WatchAuthorisedKeys(kw.tag) if err != nil { return nil, errors.LoggedErrorf(logger, "starting key updater worker: %v", err) } logger.Infof("%q key updater worker started", kw.tag) return w, nil }
func (s *FingerprintSuite) TestKeyFingerprint(c *gc.C) { keys := []sshtesting.SSHKey{ sshtesting.ValidKeyOne, sshtesting.ValidKeyTwo, sshtesting.ValidKeyThree, } for _, k := range keys { fingerprint, _, err := ssh.KeyFingerprint(k.Key) c.Assert(err, gc.IsNil) c.Assert(fingerprint, gc.Equals, k.Fingerprint) } }
func (s *keyManagerSuite) TestCallSSHImportId(c *gc.C) { c.Skip("the landing bot does not run ssh-import-id successfully") output, err := keymanager.RunSSHImportId("lp:wallyworld") c.Assert(err, gc.IsNil) lines := strings.Split(output, "\n") var key string for _, line := range lines { if !strings.HasPrefix(line, "ssh-") { continue } _, _, err := ssh.KeyFingerprint(line) if err == nil { key = line } } c.Assert(key, gc.Not(gc.Equals), "") }
// currentKeyDataForAdd gathers data used when adding ssh keys. func (api *KeyManagerAPI) currentKeyDataForAdd() (keys []string, fingerprints *set.Strings, err error) { fp := set.NewStrings() fingerprints = &fp cfg, err := api.state.EnvironConfig() if err != nil { return nil, nil, fmt.Errorf("reading current key data: %v", err) } keys = ssh.SplitAuthorisedKeys(cfg.AuthorizedKeys()) for _, key := range keys { fingerprint, _, err := ssh.KeyFingerprint(key) if err != nil { logger.Warningf("ignoring invalid ssh key %q: %v", key, err) } fingerprints.Add(fingerprint) } return keys, fingerprints, nil }
func parseKeys(keys []string, mode ssh.ListMode) (keyInfo []string) { for _, key := range keys { fingerprint, comment, err := ssh.KeyFingerprint(key) if err != nil { keyInfo = append(keyInfo, fmt.Sprintf("Invalid key: %v", key)) } else { if mode == ssh.FullKeys { keyInfo = append(keyInfo, key) } else { shortKey := fingerprint if comment != "" { shortKey += fmt.Sprintf(" (%s)", comment) } keyInfo = append(keyInfo, shortKey) } } } return keyInfo }
// AddKeys adds new authorised ssh keys for the specified user. func (api *KeyManagerAPI) AddKeys(arg params.ModifyUserSSHKeys) (params.ErrorResults, error) { result := params.ErrorResults{ Results: make([]params.ErrorResult, len(arg.Keys)), } if len(arg.Keys) == 0 { return result, nil } canWrite, err := api.getCanWrite() if err != nil { return params.ErrorResults{}, common.ServerError(err) } if !canWrite(arg.User) { return params.ErrorResults{}, common.ServerError(common.ErrPerm) } // For now, authorised keys are global, common to all users. sshKeys, currentFingerprints, err := api.currentKeyDataForAdd() if err != nil { return params.ErrorResults{}, common.ServerError(fmt.Errorf("reading current key data: %v", err)) } // Ensure we are not going to add invalid or duplicate keys. result.Results = make([]params.ErrorResult, len(arg.Keys)) for i, key := range arg.Keys { fingerprint, _, err := ssh.KeyFingerprint(key) if err != nil { result.Results[i].Error = common.ServerError(fmt.Errorf("invalid ssh key: %s", key)) continue } if currentFingerprints.Contains(fingerprint) { result.Results[i].Error = common.ServerError(fmt.Errorf("duplicate ssh key: %s", key)) continue } sshKeys = append(sshKeys, key) } err = api.writeSSHKeys(sshKeys) if err != nil { return params.ErrorResults{}, common.ServerError(err) } return result, nil }
// runSSHKeyImport uses ssh-import-id to find the ssh keys for the specified key ids. func runSSHKeyImport(keyIds []string) []importedSSHKey { keyInfo := make([]importedSSHKey, len(keyIds)) for i, keyId := range keyIds { output, err := RunSSHImportId(keyId) if err != nil { keyInfo[i].err = err continue } lines := strings.Split(output, "\n") for _, line := range lines { if !strings.HasPrefix(line, "ssh-") { continue } keyInfo[i].fingerprint, _, keyInfo[i].err = ssh.KeyFingerprint(line) if err == nil { keyInfo[i].key = line } } if keyInfo[i].key == "" { keyInfo[i].err = fmt.Errorf("invalid ssh key id: %s", keyId) } } return keyInfo }
func (s *FingerprintSuite) TestKeyFingerprintError(c *gc.C) { _, _, err := ssh.KeyFingerprint("invalid key") c.Assert(err, gc.ErrorMatches, `generating key fingerprint: invalid authorized_key "invalid key"`) }