author | Paul Crowley <paul@lshift.net> |
Fri, 20 Feb 2009 11:09:28 +0000 | |
changeset 41 | de0c61b778fa |
parent 39 | f5055ce263c7 |
child 42 | 0e77495e91e2 |
permissions | -rwxr-xr-x |
16
9fac559c3d55
don't assume Python path for refresh-auth
Paul Crowley <paul@ciphergoth.org>
parents:
15
diff
changeset
|
1 |
#!/usr/bin/env python |
0
41ecb5a3172c
separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
2 |
|
3
7e659a6870de
make more robus and less crufty
Paul Crowley <paul@lshift.net>
parents:
1
diff
changeset
|
3 |
# WARNING |
4
dcd195f3e52c
move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents:
3
diff
changeset
|
4 |
# This script completely destroys your ~/.ssh/authorized_keys |
3
7e659a6870de
make more robus and less crufty
Paul Crowley <paul@lshift.net>
parents:
1
diff
changeset
|
5 |
# file every time it is run |
7e659a6870de
make more robus and less crufty
Paul Crowley <paul@lshift.net>
parents:
1
diff
changeset
|
6 |
# WARNING |
7e659a6870de
make more robus and less crufty
Paul Crowley <paul@lshift.net>
parents:
1
diff
changeset
|
7 |
|
4
dcd195f3e52c
move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents:
3
diff
changeset
|
8 |
import sys |
0
41ecb5a3172c
separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
9 |
import os |
41ecb5a3172c
separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
10 |
import os.path |
29
87279134a212
Convert PuTTY-style public keys automatically
Paul Crowley <paul@lshift.net>
parents:
16
diff
changeset
|
11 |
import ruleset |
87279134a212
Convert PuTTY-style public keys automatically
Paul Crowley <paul@lshift.net>
parents:
16
diff
changeset
|
12 |
import subprocess |
0
41ecb5a3172c
separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
13 |
|
39
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
14 |
if len(sys.argv) <= 3: |
11 | 15 |
sys.stderr.write("refresh-auth: wrong number of arguments (%s)\n" % sys.argv) |
4
dcd195f3e52c
move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents:
3
diff
changeset
|
16 |
sys.exit(-1) |
dcd195f3e52c
move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents:
3
diff
changeset
|
17 |
|
30
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
18 |
akeyfile = sys.argv[1] |
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
19 |
wrappercommand = sys.argv[2] |
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
20 |
prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command=' |
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
21 |
|
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
22 |
if os.path.exists(akeyfile): |
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
23 |
f = open(akeyfile) |
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
24 |
try: |
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
25 |
for l in f: |
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
26 |
if not l.startswith(prefix): |
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
27 |
raise Exception("Safety check failed, delete %s to continue" % akeyfile) |
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
28 |
finally: |
98dbde5b13a1
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents:
29
diff
changeset
|
29 |
f.close() |
0
41ecb5a3172c
separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
30 |
|
41ecb5a3172c
separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
31 |
akeys = open(akeyfile + "_new", "w") |
39
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
32 |
for keyroot in sys.argv[3:]: |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
33 |
kr = keyroot + "/" |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
34 |
#print "Processing keyroot", keyroot |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
35 |
for root, dirs, files in os.walk(keyroot): |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
36 |
for fn in files: |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
37 |
ffn = os.path.join(root, fn) |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
38 |
if not ffn.startswith(kr): |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
39 |
print "Weird, walk returned unexpected result" |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
40 |
continue |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
41 |
#print "Processing file", ffn |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
42 |
keyname = ffn[len(kr):] |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
43 |
if not ruleset.goodpath(keyname): |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
44 |
# ignore any path that contains dodgy characters |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
45 |
#print "Ignoring file", ffn |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
46 |
continue |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
47 |
p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn), |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
48 |
stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
49 |
newkey = p.communicate()[0] |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
50 |
if p.wait() == 0: |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
51 |
klines = [l.strip() for l in newkey.split("\n")] |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
52 |
else: |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
53 |
# Conversion failed, read it directly. |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
54 |
kf = open(ffn) |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
55 |
try: |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
56 |
klines = [l.strip() for l in kf] |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
57 |
finally: |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
58 |
kf.close() |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
59 |
for l in klines: |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
60 |
if len(l): |
f5055ce263c7
New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents:
33
diff
changeset
|
61 |
akeys.write('%s"%s %s" %s\n' % (prefix, wrappercommand, keyname, l)) |
29
87279134a212
Convert PuTTY-style public keys automatically
Paul Crowley <paul@lshift.net>
parents:
16
diff
changeset
|
62 |
|
15
f3654416d178
minor changes to README and script
Hubert Plociniczak <hubert@lshift.net>
parents:
11
diff
changeset
|
63 |
akeys.close() |
0
41ecb5a3172c
separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
64 |
|
41ecb5a3172c
separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
65 |
os.rename(akeyfile + "_new", akeyfile) |
41ecb5a3172c
separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
66 |