[config.py,bind.py,populate_sshFingerprint.py] Configuration pour sshfp dans config.py, ajout d'un script pour ajouter les clefs des serveurs dans ldap

Ignore-this: 5fe4b7490ca1f97168b6ce457374ffb5

darcs-hash:20130118011803-3a55a-2fb24947d4f3807082ae5f0da41741e0ef0086c8.gz
Valentin Samir 2013-01-18 02:18:03 +01:00
parent 4c206f8649
commit b844853894
3 changed files with 85 additions and 8 deletions


@ -116,6 +116,15 @@ cfengine_main = bcfg2_main
ISCSI_MAP_FILE = "/usr/scripts/var/iscsi_names.py"
ISCSI_MAP_FILE_TEMPLATE = "/usr/scripts/var/iscsi_names_%s.py"
# format: { algorithm : (IANA_id, ssh_algo) }
# où algorithm est tel qu'il apparait dans les fichiers /etc/ssh/ssh_host_%s_key.pub % algorithm
# IANA_id correspond à l'entier attribué par l'IANA pour l'algorithm dans les champs dns SSHFP
# ssh_algo correspond a la première chaine de charactère donnant le nom de l'algorithme de chiffrement lorsque la clef ssh est dans le format openssh (algo key comment)
sshfp_algo = {
"rsa" : (1,"ssh-rsa"),
"dsa" : (2,"ssh-dss"),
}
## Impression
class impression:
"""Cette classe contient toutes les variables


@ -290,10 +290,14 @@ zone "%(NOM_zone)s" {
# Si la machine à des clefs ssh, on ajoute les champs SSFP correspondant
for sshkey in machine.sshFingerprint():
try:
[algo,key]=sshkey.split()[:2]
if algo == "ssh-rsa": algo=1
elif algo == "ssh-dss": algo=2
else: raise ValueError("Invalid Algorithms %s" % algo)
[algo_txt,key]=sshkey.split()[:2]
algo=None
for value in config.sshfp_algo.values():
if algo_txt == value[1]:
algo=value[0]
break
if not algo:
raise ValueError("Invalid Algorithms %s" % algo_txt)
key=hashlib.sha1(base64.b64decode(key)).hexdigest()
ligne +="%s\tIN\tSSHFP\t%s\t1\t%s\n" % (nom,algo,key)
except(ValueError,TypeError): pass
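Review bot: The ValueError raised by the new line `raise ValueError("Invalid Algorithms %s" % algo_txt)` is caught by the surrounding `except(ValueError,TypeError): pass`, so a host key whose algorithm is absent from config.sshfp_algo is silently left out of the zone rather than reported; writing the skipped algorithm to a log in that except clause would make the omission visible to whoever maintains the SSHFP records. The reverse lookup `for value in config.sshfp_algo.values()` runs once per key; a map built once before the `for sshkey` loop, `sshfp_ids = {ssh_name: iana_id for iana_id, ssh_name in config.sshfp_algo.values()}`, reduces the block to `algo = sshfp_ids.get(algo_txt)`. Since `algo` is initialised to None, `if algo is None:` states the intent more precisely than `if not algo:`. The enclosing function starts and ends outside the hunk.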


@ -0,0 +1,64 @@
#! /usr/bin/env python
# -*- coding: utf-8 -*-
import subprocess
import sys
import os
from socket import gethostname
from netifaces import interfaces, ifaddresses, AF_INET
sys.path.append('/usr/scripts/lc_ldap')
sys.path.append('/usr/scripts/gestion')
sys.path.append('/etc/crans/secrets/')
import lc_ldap
import config
conn=lc_ldap.lc_ldap_admin()
ssh_algo = config.sshfp_algo.keys()
def ip4_addresses():
ip_list = []
for interface in interfaces():
if interface!='lo' and AF_INET in ifaddresses(interface).keys():
for link in ifaddresses(interface)[AF_INET]:
ip_list.append(link['addr'])
return ip_list
def ssh_keyscan(host,algo):
p=subprocess.Popen(["/usr/bin/ssh-keyscan", "-t", "%s" % algo,"%s" % host],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
ret=p.communicate()[0].split()
key=ret[2]
return key
def get_machines():
machines=[]
for ip in set(ip4_addresses()):
machines.extend(conn.search('ipHostNumber=%s' %ip,mode='rw'))
return machines
def get_local_keys():
keys={}
for algo in ssh_algo:
if os.path.isfile('/etc/ssh/ssh_host_%s_key.pub' % algo):
keys[algo]=open('/etc/ssh/ssh_host_%s_key.pub' % algo).read()
return keys
def check_keys(keys):
return dict([ (algo,key.split()[1] == ssh_keyscan('localhost',algo)) for algo,key in keys.items() ])
def publish_keys():
keys=get_local_keys()
validation=check_keys(keys)
machines=get_machines()
for machine in machines:
sshkeys_old=[key.value for key in machine.get('sshFingerprint',[])]
sshkeys_new=[key.decode('UTF-8') for algo,key in keys.items() if validation[algo]]
if not set(sshkeys_old)==set(sshkeys_new):
machine['sshFingerprint']=sshkeys_new
machine.save()
if __name__ == '__main__' :
publish_keys()
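Review bot: `key=ret[2]` in ssh_keyscan indexes the output of ssh-keyscan without checking that anything came back, so when the scan prints nothing (sshd unreachable on localhost, the key type not offered, a timeout) the script dies with an IndexError inside check_keys instead of reporting which key could not be validated, and the exit status of ssh-keyscan is never examined. Returning None in that case keeps the comparison in check_keys a plain False, but because a key that fails validation is dropped from sshkeys_new, a transient keyscan failure would then clear every fingerprint on the matching LDAP entries (and, via bind.py, the published SSHFP records); publish_keys should refuse to write when any validation result is False, as in the rewrite below. get_local_keys also reads the public key files with `open(...).read()` and never closes them; `with open(path) as f: keys[algo] = f.read()` is the usual form. Finally, `conn=lc_ldap.lc_ldap_admin()` runs at import time, so importing this module for any other purpose opens an admin LDAP connection; moving it into publish_keys would confine that to the actual run.
```python
def ssh_keyscan(host, algo):
    """Return the base64 key sshd on host serves for algo, or None if none was obtained."""
    p = subprocess.Popen(["/usr/bin/ssh-keyscan", "-t", "%s" % algo, "%s" % host],
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = p.communicate()
    fields = out.split()
    # ssh-keyscan output is "host algo key"; anything shorter or a non-zero exit means no key
    if p.returncode != 0 or len(fields) < 3:
        return None
    return fields[2]
# … unchanged: get_machines, get_local_keys, check_keys …
def publish_keys():
    keys = get_local_keys()
    validation = check_keys(keys)
    # Do not touch LDAP when a local key could not be confirmed against the running sshd:
    # writing the reduced list would remove fingerprints that are still valid.
    if not all(validation.values()):
        sys.stderr.write("sshFingerprint not published: local key check failed for %s\n"
                         % ", ".join(a for a, ok in validation.items() if not ok))
        return
    # … unchanged: loop over get_machines() comparing and saving sshFingerprint …
```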