+
−#!/usr/bin/env python
+
−
+
−# WARNING
+
−# This script completely destroys your ~/.ssh/authorized_keys
+
−# file every time it is run
+
−# WARNING
+
−
+
−import sys
+
−import os
+
−import os.path
+
−import ruleset
+
−import subprocess
+
−
+
−if len(sys.argv) != 3:
+
−    sys.stderr.write("refresh-auth: wrong number of arguments (%s)\n" % sys.argv)
+
−    sys.exit(-1)
+
−
+
−akeyfile = sys.argv[1]
+
−wrappercommand = sys.argv[2]
+
−prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command='
+
−
+
−if os.path.exists(akeyfile):
+
−    f = open(akeyfile)
+
−    try:
+
−        for l in f:
+
−            if not l.startswith(prefix):
+
−                raise Exception("Safety check failed, delete %s to continue" % akeyfile)
+
−    finally:
+
−        f.close()
+
−
+
−akeys = open(akeyfile + "_new", "w")
+
−for root, dirs, files in os.walk("keys"):
+
−    for fn in files:
+
−        ffn = os.path.join(root, fn)
+
−        if not ruleset.goodpath(ffn):
+
−            # ignore any path that contains dodgy characters
+
−            continue
+
−        keyname = ffn[5:]
+
−        if keyname == "root":
+
−            # No key can claim root privileges
+
−            continue
+
−        p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn), 
+
−            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
−        newkey = p.communicate()[0]
+
−        if p.wait() == 0:
+
−            klines = [l.strip() for l in newkey.split("\n")]
+
−        else:
+
−            # Conversion failed, read it directly.
+
−            kf = open(ffn)
+
−            try:
+
−                klines = [l.strip() for l in kf]
+
−            finally:
+
−                kf.close()
+
−        for l in klines:
+
−            if len(l):
+
−                akeys.write('%s"%s %s" %s\n' % (prefix, wrappercommand, keyname, l))
+
−
+
−akeys.close()
+
−
+
−os.rename(akeyfile + "_new", akeyfile)
+
−