shell bypass 403
a
����'�Dg,�������������������
���@���s���U�d�Z�ddlZddlZddlZddlZddlZddlmZmZm Z �ddl
m
Z
m
Z
m
Z
mZ�ddlmZ�ddlmZ�ddlmZ�ddlmZmZ�dd lmZ�d
egeg�d
�Zeed
<�e�
e
�Z
g�d
�Z dgZ e�!d�Z"dZ#dZ$g�Z%ee&�ed<�i�Z'i�Z(e D�]dZ)e'�*e)��d�e#e)�dfe)��d�e#e)���d�dfe)��d�e#e)���d�dfi��e)��d�e(e)��d�<�q�dZ+e&dd�d
d
�Z,e&eee-dd
�d d �Z.d!d"��Z/d&ee e&��d#�d$d%�Z0dS�)'z SSH: Configure SSH and SSH keys�����N)�List�Optional�Sequence)� lifecycle�ssh_util�subp�util)�Cloud)�Config)�
MetaSchema)�
ALL_DISTROS�ug_util)�
PER_INSTANCEZcc_ssh)�idZdistrosZ frequencyZactivate_by_schema_keys�meta)ZrsaZecdsa�ed25519r���z4^(ecdsa-sk|ed25519-sk)_(private|public|certificate)$z/etc/ssh/ssh_host_%s_keyT�HOST_KEY_PUBLISH_BLACKLISTZ_private���Z_public�.pub����
_certificatez -cert.pubz;o=$(ssh-keygen -yf "%s") && echo "$o" root@localhost > "%s")�keyfile�returnc�����������������C���sl���d}t����}|r&|t�dd�k�r&d}nd}t�d�}|dkrJt�|�d|��t�|�|��t�|���d�|��d S�)
a���
For fedora 37, centos 9 stream and below:
- sshd version is earlier than version 9.
- 'ssh_keys' group is present and owns the private keys.
- private keys have permission 0o640.
For fedora 38, centos 10 stream and above:
- ssh version is atleast version 9.
- 'ssh_keys' group is absent. 'root' group owns the keys.
- private keys have permission 0o600, same as upstream.
Public keys in all cases have permission 0o644.
r���� ���r���i���r����ssh_keys���r���N) r���Z
get_opensshd_upstream_versionr���ZVersionr���Z
get_group_id�os�chown�chmod)r���Zpermissions_publicZ
ssh_versionZpermissions_private�gid��r ����;/usr/lib/python3.9/site-packages/cloudinit/config/cc_ssh.py�set_redhat_keyfile_perms@���s����
r"���)�name�cfg�cloud�argsr���c�����������$���
���C���s���|��dd�rZtj�dd�}t�|�D�]4}zt�|��W�q$�tyV���t�t d|��Y�q$0�q$d|v��r�g�}|d��
��D�]t\}}|t
vr�t
�
|�r�d} nd} t �d | |��qtt
|�d
�}
t
|�d
�}
t�|
||
��d
|v�rt|�d
t|
�f��qt|r�t�|��t�
��D�]�\}
}
|
|d�v��s�|
|d�v�r(�q�t
|
�d
�t
|
�d
��}}ddt||f�g}zPtjddd��
�tj|dd��W�d�����n1��s�0����Y��t �d||��W�n,�t�y����t�t d|��d|�����Y�n0��q��n�t�|dt�}t����s�|n
dd��|D��}t
|��
|�}|�r*t �dd�|���|D��]<}t
|�}tj� |��rN�q.t� tj�!|���d
d
|d
d d |g}tjddd����zTtj|dd!d"id#�\}}t�"|d$d��s�t#j$�%t�&|���|j'j(d%k�r�t)|��W�nr�tj*�yH�}�zVt�&|j+��,��}|j-d
k�r$|�,���.d&��r$t �d'|��nt�t d(||��W�Y�d�}~n
d�}~0�0�W�d�����n1��s`0����Y���q.d)|v��r�t�|d)�d*t/�}t�"|d)�d+t0�}nt/}t0}|�r�t1|d,�}z|j2�3|��W�n �t�y����t�t d-��Y�n0�z�t4�5||j'�\}
}
t4�6|
�\}
} t�"|d.d�} t�7|d/tj8�}!g�}"t�"|d0d��rL|�9���pHg�}"n
t �d1��d2|v��rr|d2�}#|"�:|#��t;|"|
| |!��W�n �t�y����t�t d3��Y�n0�d�S�)4NZssh_deletekeysTz /etc/ssh/zssh_host_*key*zFailed deleting key file %sr���Z
unsupportedZ
unrecognizedz Skipping %s ssh_keys entry: "%s"r�������r���ZHostCertificate�shz-xcz/etc/ssh)� recursiveF)�capturez
Generated a key for %s from %sz
Failed generating a key for z from Zssh_genkeytypesc�����������������S���s���g�|�]}|t�vr|�qS�r ���)�FIPS_UNSUPPORTED_KEY_NAMES)�.0�namesr ���r ���r!����
<listcomp>����s����zhandle.<locals>.<listcomp>z5skipping keys that are not supported in fips mode: %s�,z
ssh-keygenz-tz-N��z-f�LANG�C)r*���Z
update_envZssh_quiet_keygenZredhatz
unknown keyz!ssh-keygen: unknown key type '%s'z(Failed generating key type %s to file %sZssh_publish_hostkeys� blacklistZenabled�r3���z
Publishing host keys failed!�
disable_root�disable_root_optsZallow_public_ssh_keyszSSkipping import of publish SSH keys per config setting: allow_public_ssh_keys=FalseZssh_authorized_keysz Applying SSH credentials failed!)<�getr
����path�join�globr���Zdel_file� ExceptionZlogexc�LOG�items�CONFIG_KEY_TO_FILE� pattern_unsupported_config_keys�matchZwarningZ
write_file�append�strr���Zappend_ssh_config�
PRIV_TO_PUB�
KEY_GEN_TPLZ
SeLinuxGuardr����debugZget_cfg_option_list�GENERATE_KEY_NAMESZ
fips_enabled�set�
difference�
KEY_FILE_TPL�existsZ
ensure_dir�dirnameZget_cfg_option_bool�sys�stdout�writeZ
decode_binaryZdistroZosfamilyr"���ZProcessExecutionError�stderr�lowerZ exit_code�
startswithr����PUBLISH_HOST_KEYS�get_public_host_keysZ
datasourceZpublish_host_keysr
���Znormalize_users_groupsZextract_defaultZget_cfg_option_strZDISABLE_USER_OPTSZget_public_ssh_keys�extend�apply_credentials)$r#���r$���r%���r&���Zkey_pth�fZ
cert_config�key�val�reasonZtgt_fnZ tgt_permsZ
private_typeZ
public_typeZ
private_fileZ
public_file�cmdZgenkeysZ key_namesZ
skipped_keysZkeytyper����out�err�eZhost_key_blacklistZpublish_hostkeysZhostkeysZusersZ_groups�userZ
_user_configr5���r6����keysZcfgkeysr ���r ���r!����handled���s����
�
�
�.�������� �
�
�
��>
�
�
��
r`���c�����������������C���sV���t�|��}�|rt�|�|��|r>|s$d}|�d|�}|�dd�}nd}tj|�d|d��d�S�)NZNONEz$USERz
$DISABLE_USER�rootr0���)�options)rG���r���Zsetup_user_keys�replace)r_���r^���r5���r6���Z
key_prefixr ���r ���r!���rU�����s����
rU���r4���c��������������������s����dt�f��g�}g���|�r(�fdd�|�D������fdd�t��d��D��}|D�]<}t�|�}|���}|rHt|�dkrH|�t|dd�����qH|S�) a��Read host keys from /etc/ssh/*.pub files and return them as a list.
@param blacklist: List of key types to ignore. e.g. ['rsa']
@returns: List of keys, each formatted as a two-element tuple.
e.g. [('ssh-rsa', 'AAAAB3Nz...'), ('ssh-ed25519', 'AAAAC3Nx...')]
z%s.pubc��������������������s���g�|�]}��|f��qS�r ���r ���)r,���Zkey_type)�public_key_file_tmplr ���r!���r.��� ��s���z(get_public_host_keys.<locals>.<listcomp>c��������������������s���g�|�]}|��vr|�qS�r ���r ���)r,���Zhostfile)�blacklist_filesr ���r!���r.���$��s����)�*r'���N����)rI���r:���r���Zload_text_file�split�lenrA����tuple)r3���Zkey_listZ file_list� file_nameZ
file_contentsZkey_datar ���)re���rd���r!���rS�����s ����
�
�
rS���)N)1�__doc__r:���Zloggingr
����rerL����typingr���r���r���Z cloudinitr���r���r���r���Zcloudinit.cloudr ���Zcloudinit.configr
���Zcloudinit.config.schemar
���Zcloudinit.distrosr
���r
���Zcloudinit.settingsr���r����__annotations__Z getLogger�__name__r<���rF���r+����compiler?���rI���rR���r���rB���r>���rC����k�updaterD���r"����listr`���rU���rS���r ���r ���r ���r!����<module>���sT���
�
���$�