[config,populate_sshFingerprint] Si la clef est trop vielles, on génère à coté des clef de remplacement et on mets leurs hash dans le motd.
Ignore-this: b8ee0ed7e960aeb41593d1f67d9e90a darcs-hash:20130122010422-3a55a-5842aac4d5bb36731549738200e3043e32e68185.gz
This commit is contained in:
Valentin Samir
parent
a02504c66f
commit
70f5ff906a
2 changed files with 38 additions and 3 deletions
|
|
@ -125,6 +125,12 @@ sshfp_algo = {
|
||||||
"dsa" : (2,"ssh-dss"),
|
"dsa" : (2,"ssh-dss"),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sshkey_max_age=2*(365.25*24*3600)
|
||||||
|
sshkey_size = {
|
||||||
|
'rsa':4096,
|
||||||
|
'dsa':1024,
|
||||||
|
}
|
||||||
|
|
||||||
## Impression
|
## Impression
|
||||||
class impression:
|
class impression:
|
||||||
"""Cette classe contient toutes les variables
|
"""Cette classe contient toutes les variables
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,9 @@
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
import os
|
import os
|
||||||
|
import time
|
||||||
|
import base64
|
||||||
|
import hashlib
|
||||||
from socket import gethostname
|
from socket import gethostname
|
||||||
from netifaces import interfaces, ifaddresses, AF_INET
|
from netifaces import interfaces, ifaddresses, AF_INET
|
||||||
|
|
||||||
|
|
@ -31,6 +34,24 @@ def ssh_keyscan(host,algo):
|
||||||
key=ret[2]
|
key=ret[2]
|
||||||
return key
|
return key
|
||||||
|
|
||||||
|
def ssh_md5_hash(path):
|
||||||
|
key=base64.b64decode(open(path).read().split()[1])
|
||||||
|
fpr=hashlib.md5(key).hexdigest()
|
||||||
|
return ':'.join(a+b for a,b in zip(fpr[::2], fpr[1::2]))
|
||||||
|
|
||||||
|
def ssh_keygen(algo,size):
|
||||||
|
new_path='/etc/ssh/new/'
|
||||||
|
if not os.path.isdir(new_path):
|
||||||
|
os.mkdir(new_path)
|
||||||
|
key_path=new_path + 'ssh_host_%s_key' % algo
|
||||||
|
if not os.path.exists(key_path):
|
||||||
|
args=["/usr/bin/ssh-keygen", "-f", "%s" % key_path, "-b", "%s" % size,
|
||||||
|
"-t", "%s" % algo, "-N", ""]
|
||||||
|
p=subprocess.Popen(args,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
|
||||||
|
p.communicate()
|
||||||
|
fpr="Nouvelle clef ssh %s : %s\n" % (algo.upper(),ssh_md5_hash(key_path + '.pub'))
|
||||||
|
open('/etc/motd','a+').write(fpr)
|
||||||
|
print("Nouvelle clef %s générée" % key_path)
|
||||||
|
|
||||||
def get_machines():
|
def get_machines():
|
||||||
machines=[]
|
machines=[]
|
||||||
|
|
@ -38,11 +59,19 @@ def get_machines():
|
||||||
machines.extend(conn.search('ipHostNumber=%s' %ip,mode='rw'))
|
machines.extend(conn.search('ipHostNumber=%s' %ip,mode='rw'))
|
||||||
return machines
|
return machines
|
||||||
|
|
||||||
|
def check_keys_age(key_path,algo):
|
||||||
|
age=time.time()-os.path.getmtime(key_path)
|
||||||
|
if age > config.sshkey_max_age:
|
||||||
|
print("La clef ssh %s sur %s a plus de %s ans, il faudrait peut être penser à la changer." % (key_path,gethostname(),round(age/(365.25*24*3600),2)))
|
||||||
|
ssh_keygen(algo,config.sshkey_size[algo])
|
||||||
|
|
||||||
def get_local_keys():
|
def get_local_keys():
|
||||||
keys={}
|
keys={}
|
||||||
for algo in ssh_algo:
|
for algo in ssh_algo:
|
||||||
if os.path.isfile('/etc/ssh/ssh_host_%s_key.pub' % algo):
|
key_path='/etc/ssh/ssh_host_%s_key.pub' % algo
|
||||||
keys[algo]=open('/etc/ssh/ssh_host_%s_key.pub' % algo).read()
|
if os.path.isfile(key_path):
|
||||||
|
check_keys_age(key_path,algo)
|
||||||
|
keys[algo]=open(key_path).read()
|
||||||
return keys
|
return keys
|
||||||
|
|
||||||
def check_keys(keys):
|
def check_keys(keys):
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue