[config,populate_sshFingerprint] Si la clef est trop vielles, on génère à coté des clef de remplacement et on mets leurs hash dans le motd.

Ignore-this: b8ee0ed7e960aeb41593d1f67d9e90a darcs-hash:20130122010422-3a55a-5842aac4d5bb36731549738200e3043e32e68185.gz
2013-01-22 02:04:22 +01:00 · 2013-01-22 02:04:22 +01:00 · 70f5ff906a
commit 70f5ff906a
parent a02504c66f
2 changed files with 38 additions and 3 deletions
--- a/gestion/config.py
+++ b/gestion/config.py
@ -125,6 +125,12 @@ sshfp_algo = {
        "dsa" : (2,"ssh-dss"),
    }

+sshkey_max_age=2*(365.25*24*3600)
+sshkey_size = {
+    'rsa':4096,
+    'dsa':1024,
+}
+
 ## Impression
 class impression:
    """Cette classe contient toutes les variables
--- a/gestion/gen_confs/populate_sshFingerprint.py
+++ b/gestion/gen_confs/populate_sshFingerprint.py
@ -3,6 +3,9 @@
 import subprocess
 import sys
 import os
+import time
+import base64
+import hashlib
 from socket import gethostname
 from netifaces import interfaces, ifaddresses, AF_INET

@ -30,7 +33,25 @@ def ssh_keyscan(host,algo):
    ret=p.communicate()[0].split()
    key=ret[2]
    return key
-    
+
+def ssh_md5_hash(path):
+    key=base64.b64decode(open(path).read().split()[1])
+    fpr=hashlib.md5(key).hexdigest()
+    return ':'.join(a+b for a,b in zip(fpr[::2], fpr[1::2]))
+
+def ssh_keygen(algo,size):
+    new_path='/etc/ssh/new/'
+    if not os.path.isdir(new_path):
+        os.mkdir(new_path)
+    key_path=new_path + 'ssh_host_%s_key' % algo
+    if not os.path.exists(key_path):
+        args=["/usr/bin/ssh-keygen", "-f", "%s" % key_path, "-b",  "%s" %  size,
+              "-t", "%s" % algo, "-N", ""]
+        p=subprocess.Popen(args,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
+        p.communicate()
+        fpr="Nouvelle clef ssh %s : %s\n" % (algo.upper(),ssh_md5_hash(key_path + '.pub'))
+        open('/etc/motd','a+').write(fpr)
+	print("Nouvelle clef %s générée" % key_path)
    
 def get_machines():
    machines=[]
@ -38,11 +59,19 @@ def get_machines():
        machines.extend(conn.search('ipHostNumber=%s' %ip,mode='rw'))
    return machines
    
+def check_keys_age(key_path,algo):
+    age=time.time()-os.path.getmtime(key_path)
+    if  age > config.sshkey_max_age:
+        print("La clef ssh %s sur %s a plus de %s ans, il faudrait peut être penser à la changer." % (key_path,gethostname(),round(age/(365.25*24*3600),2)))
+        ssh_keygen(algo,config.sshkey_size[algo])
+    
 def get_local_keys():
    keys={}
    for algo in ssh_algo:
-        if os.path.isfile('/etc/ssh/ssh_host_%s_key.pub' % algo):
-            keys[algo]=open('/etc/ssh/ssh_host_%s_key.pub' % algo).read()
+        key_path='/etc/ssh/ssh_host_%s_key.pub' % algo
+        if os.path.isfile(key_path):
+            check_keys_age(key_path,algo)
+            keys[algo]=open(key_path).read()
    return keys
    
 def check_keys(keys):