src/refresh-auth
changeset 33 18e93dbdaf12
parent 32 4059dbe9f26a
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/refresh-auth	Mon Jun 16 17:12:20 2008 +0100
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+# WARNING
+# This script completely destroys your ~/.ssh/authorized_keys
+# file every time it is run
+# WARNING
+
+import sys
+import os
+import os.path
+import ruleset
+import subprocess
+
+if len(sys.argv) != 3:
+    sys.stderr.write("refresh-auth: wrong number of arguments (%s)\n" % sys.argv)
+    sys.exit(-1)
+
+akeyfile = sys.argv[1]
+wrappercommand = sys.argv[2]
+prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command='
+
+if os.path.exists(akeyfile):
+    f = open(akeyfile)
+    try:
+        for l in f:
+            if not l.startswith(prefix):
+                raise Exception("Safety check failed, delete %s to continue" % akeyfile)
+    finally:
+        f.close()
+
+akeys = open(akeyfile + "_new", "w")
+for root, dirs, files in os.walk("keys"):
+    for fn in files:
+        ffn = os.path.join(root, fn)
+        if not ruleset.goodpath(ffn):
+            # ignore any path that contains dodgy characters
+            continue
+        keyname = ffn[5:]
+        if keyname == "root":
+            # No key can claim root privileges
+            continue
+        p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn), 
+            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        newkey = p.communicate()[0]
+        if p.wait() == 0:
+            klines = [l.strip() for l in newkey.split("\n")]
+        else:
+            # Conversion failed, read it directly.
+            kf = open(ffn)
+            try:
+                klines = [l.strip() for l in kf]
+            finally:
+                kf.close()
+        for l in klines:
+            if len(l):
+                akeys.write('%s"%s %s" %s\n' % (prefix, wrappercommand, keyname, l))
+
+akeys.close()
+
+os.rename(akeyfile + "_new", akeyfile)
+
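Review bot: The replacement file at `akeys = open(akeyfile + "_new", "w")` is created with the process umask rather than an explicit mode, so a permissive umask yields a group- or world-writable authorized_keys once it is renamed into place, and sshd under StrictModes then silently ignores the whole file — an outage for every key the script manages. Creating it with a fixed mode avoids that: `fd = os.open(akeyfile + "_new", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` (write `0o600` on interpreters that require it) followed by `akeys = os.fdopen(fd, "w")`. Separately, `keyname` is interpolated inside the `command="..."` option at the `akeys.write` line, so the forced-command restriction only holds if `ruleset.goodpath` (not shown here) rejects double quotes and whitespace in the path; a comment at that call stating this requirement, e.g. `# goodpath must reject '"' and whitespace: keyname is written inside command="..."`, would make the dependency explicit for whoever edits ruleset. The fallback branch after "Conversion failed, read it directly." also writes every non-empty line of an unparseable file with the restriction prefix, which sshd will ignore as invalid keys; logging the skipped file to stderr would make such failures visible instead of silent.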