crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[config.py,bind.py,populate_sshFingerprint.py] Configuration pour sshfp dans config.py, ajout d'un script pour ajouter les clef des serveur dans ldap

Browse source 
Ignore-this: 5fe4b7490ca1f97168b6ce457374ffb5

darcs-hash:20130118011803-3a55a-2fb24947d4f3807082ae5f0da41741e0ef0086c8.gz
This commit is contained in:
Valentin Samir 2013-01-18 02:18:03 +01:00
parent 4c206f8649
commit b844853894
3 changed files with 85 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

13
gestion/config.py
View file

@ -116,6 +116,15 @@ cfengine_main = bcfg2_main
ISCSI_MAP_FILE = "/usr/scripts/var/iscsi_names.py" ISCSI_MAP_FILE = "/usr/scripts/var/iscsi_names.py"
ISCSI_MAP_FILE_TEMPLATE = "/usr/scripts/var/iscsi_names_%s.py" ISCSI_MAP_FILE_TEMPLATE = "/usr/scripts/var/iscsi_names_%s.py"
# format: { algorithm : (IANA_id, ssh_algo) }
# où algorithm est tel qu'il apparait dans les fichiers /etc/ssh/ssh_host_%s_key.pub % algorithm
# IANA_id correspond à l'entier attribué par l'IANA pour l'algorithm dans les champs dns SSHFP
# ssh_algo correspond a la première chaine de charactère donnant le nom de l'algorithme de chiffrement lorsque la clef ssh est dans le format openssh (algo key comment)
sshfp_algo = {
"rsa" : (1,"ssh-rsa"),
"dsa" : (2,"ssh-dss"),
}
## Impression ## Impression
class impression: class impression:
"""Cette classe contient toutes les variables """Cette classe contient toutes les variables
@ -499,8 +508,8 @@ NETs = { 'serveurs' : [ '138.231.136.0/28' ],
'fil' : [ '138.231.136.0/21' ], 'fil' : [ '138.231.136.0/21' ],
'wifi': [ '138.231.144.0/21' ], 'wifi': [ '138.231.144.0/21' ],
'gratuit': [ '10.42.0.0/16' ], 'gratuit': [ '10.42.0.0/16' ],
'accueil': ['10.51.0.0/16' ], 'accueil': ['10.51.0.0/16' ],
'isolement': ['10.52.0.0/16' ], 'isolement': ['10.52.0.0/16' ],
'personnel-ens': ['10.2.9.0/24' ], 'personnel-ens': ['10.2.9.0/24' ],
'ens' : ['138.231.135.0/24'], 'ens' : ['138.231.135.0/24'],
'all' : [ '138.231.136.0/21', '138.231.148.0/21' ] 'all' : [ '138.231.136.0/21', '138.231.148.0/21' ]

16
gestion/gen_confs/bind.py
View file

@ -284,16 +284,20 @@ zone "%(NOM_zone)s" {
# Le direct # Le direct
if zone in self.zones_direct : if zone in self.zones_direct :
ligne = "%s\tIN\tA\t%s\n" % ( nom, machine.ip() ) ligne = "%s\tIN\tA\t%s\n" % ( nom, machine.ip() )
# Si la machine est une borne wifi, on ajoute la position # Si la machine est une borne wifi, on ajoute la position
if isinstance(machine,ldap_crans.BorneWifi) and machine.position(): if isinstance(machine,ldap_crans.BorneWifi) and machine.position():
ligne +="%s\tIN\tTXT\t\"LOC %s,%s\"\n" % (nom,machine.position()[0],machine.position()[1]) ligne +="%s\tIN\tTXT\t\"LOC %s,%s\"\n" % (nom,machine.position()[0],machine.position()[1])
# Si la machine à des clefs ssh, on ajoute les champs SSFP correspondant # Si la machine à des clefs ssh, on ajoute les champs SSFP correspondant
for sshkey in machine.sshFingerprint(): for sshkey in machine.sshFingerprint():
try: try:
[algo,key]=sshkey.split()[:2] [algo_txt,key]=sshkey.split()[:2]
if algo == "ssh-rsa": algo=1 algo=None
elif algo == "ssh-dss": algo=2 for value in config.sshfp_algo.values():
else: raise ValueError("Invalid Algorithms %s" % algo) if algo_txt == value[1]:
algo=value[0]
break
if not algo:
raise ValueError("Invalid Algorithms %s" % algo_txt)
key=hashlib.sha1(base64.b64decode(key)).hexdigest() key=hashlib.sha1(base64.b64decode(key)).hexdigest()
ligne +="%s\tIN\tSSHFP\t%s\t1\t%s\n" % (nom,algo,key) ligne +="%s\tIN\tSSHFP\t%s\t1\t%s\n" % (nom,algo,key)
except(ValueError,TypeError): pass except(ValueError,TypeError): pass

64
gestion/gen_confs/populate_sshFingerprint.py Executable file
View file

@ -0,0 +1,64 @@
#! /usr/bin/env python
# -*- coding: utf-8 -*-
import subprocess
import sys
import os
from socket import gethostname
from netifaces import interfaces, ifaddresses, AF_INET
sys.path.append('/usr/scripts/lc_ldap')
sys.path.append('/usr/scripts/gestion')
sys.path.append('/etc/crans/secrets/')
import lc_ldap
import config
conn=lc_ldap.lc_ldap_admin()
ssh_algo = config.sshfp_algo.keys()
def ip4_addresses():
ip_list = []
for interface in interfaces():
if interface!='lo' and AF_INET in ifaddresses(interface).keys():
for link in ifaddresses(interface)[AF_INET]:
ip_list.append(link['addr'])
return ip_list
def ssh_keyscan(host,algo):
p=subprocess.Popen(["/usr/bin/ssh-keyscan", "-t", "%s" % algo,"%s" % host],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
ret=p.communicate()[0].split()
key=ret[2]
return key
def get_machines():
machines=[]
for ip in set(ip4_addresses()):
machines.extend(conn.search('ipHostNumber=%s' %ip,mode='rw'))
return machines
def get_local_keys():
keys={}
for algo in ssh_algo:
if os.path.isfile('/etc/ssh/ssh_host_%s_key.pub' % algo):
keys[algo]=open('/etc/ssh/ssh_host_%s_key.pub' % algo).read()
return keys
def check_keys(keys):
return dict([ (algo,key.split()[1] == ssh_keyscan('localhost',algo)) for algo,key in keys.items() ])
def publish_keys():
keys=get_local_keys()
validation=check_keys(keys)
machines=get_machines()
for machine in machines:
sshkeys_old=[key.value for key in machine.get('sshFingerprint',[])]
sshkeys_new=[key.decode('UTF-8') for algo,key in keys.items() if validation[algo]]
if not set(sshkeys_old)==set(sshkeys_new):
machine['sshFingerprint']=sshkeys_new
machine.save()
if __name__ == '__main__' :
publish_keys()