0008-Add-ssh-agent-authentification-options-to-ssh-auth.patch
src/authm_mad/remotes/ssh/ssh_auth.rb | ||
35 | 35 |
# |
36 | 36 |
# @param [Hash] default options for path |
37 | 37 |
# @option options [String] :public_key public key for the user |
38 |
# @option options [String] :private_key key private key for the user. |
|
38 |
# @option options [String] :private_key key private key for the user |
|
39 |
# @option options [Boolean] :ssh_agent use ssh agent |
|
39 | 40 |
def initialize(options={}) |
40 | 41 |
@private_key = nil |
41 | 42 |
@public_key = nil |
42 | 43 | |
43 |
@private_key = read_key(options[:private_key]) |
|
44 |
@public_key = read_key(options[:public_key]) |
|
45 |
if @public_key.nil? and not @private_key.nil? |
|
46 |
# Init ssh keys using private key. public key is extracted in a |
|
47 |
# format compatible with openssl. |
|
48 |
@public_key = @private_key.public_key |
|
44 |
if options[:ssh_agent] |
|
45 |
@agent, @public_key = read_agent_key(options[:private_key]) |
|
46 |
else |
|
47 |
@private_key = read_key(options[:private_key]) |
|
48 |
@public_key = read_key(options[:public_key]) |
|
49 |
if @public_key.nil? and not @private_key.nil? |
|
50 |
# Init ssh keys using private key. public key is extracted in a |
|
51 |
# format compatible with openssl. |
|
52 |
@public_key = @private_key.public_key |
|
53 |
end |
|
49 | 54 |
end |
50 | 55 | |
51 | 56 |
if @private_key.nil? && @public_key.nil? |
52 |
raise "You have to define at least one of the keys" |
|
57 |
raise "You have to define at least one of the keys, or use a ssh agent"
|
|
53 | 58 |
end |
54 | 59 |
end |
55 | 60 | |
... | ... | |
137 | 142 |
end unless path_or_key.nil? |
138 | 143 |
end |
139 | 144 | |
145 |
# Read a public key from an ssh agent and returns it in OpenSSL::PKey::RSA |
|
146 |
# object |
|
147 |
# identity_comment is the comment of the public key to retrieve |
|
148 |
# if nil, the first key is used |
|
149 |
def read_agent_key(identity_comment = nil) |
|
150 |
begin |
|
151 |
agent = Net::SSH::Authentication::Agent.connect |
|
152 |
identities = agent.identities |
|
153 |
public_key = if identity_comment |
|
154 |
identities.find do |identity| |
|
155 |
identity.comment == identity_comment |
|
156 |
end |
|
157 |
else |
|
158 |
identities.first |
|
159 |
end |
|
160 |
raise "Cannot find key #{identity_comment} in agent" if public_key.nil? and not identity_comment.nil? |
|
161 |
[agent, public_key] |
|
162 |
rescue Net::SSH::Authentication::AgentError |
|
163 |
raise "Cannot connect to ssh agent" |
|
164 |
end |
|
165 |
end |
|
166 | ||
140 | 167 |
# Signs data with the private key of the user and returns |
141 | 168 |
# base 64 encoded signature in a single line |
142 | 169 |
def sign(data) |
143 |
sig = @private_key.ssh_do_sign(data) |
|
170 |
sig = if @agent |
|
171 |
b = Net::SSH::Buffer.new(@agent.sign(@public_key, data)) |
|
172 |
b.read_string # remove description |
|
173 |
b.read_string |
|
174 |
else |
|
175 |
@private_key.ssh_do_sign(data) |
|
176 |
end |
|
144 | 177 |
Base64::encode64(sig).gsub!(/\n/, '').strip |
145 | 178 |
end |
146 | 179 |
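Review bot: In `sign` (new lines 170-176) the first string read from the agent's signature blob — the signature type — is dropped unchecked, so if the agent answers with a type other than the one the file path produces via `ssh_do_sign` (for an RSA key that is `ssh-rsa`; newer agents can return `rsa-sha2-*` depending on flags), the raw signature is still base64-encoded and handed out, and the server-side verification failure gives no hint why. I would keep the type and compare it against the key, e.g. `sig_type = b.read_string` followed by `raise "Unexpected signature type #{sig_type} from ssh agent" unless sig_type == @public_key.ssh_type` (net-ssh's OpenSSL extensions define `ssh_type` on the key classes — confirm for the version in use). Relatedly, `read_agent_key` only raises when a comment was given; with no comment and an agent holding no identities it silently returns a nil key, which surfaces later as the misleading "define at least one of the keys" error, so add `raise "No identities loaded in ssh agent" if identities.empty?` right after `identities = agent.identities`. The first-identity fallback is also worth a comment in the method header, since with a forwarded or multi-key agent it is not necessarily the key registered for this user.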
src/cli/one_helper/oneuser_helper.rb | ||
59 | 59 |
when OpenNebula::User::SSH_AUTH |
60 | 60 |
require 'opennebula/ssh_auth' |
61 | 61 | |
62 |
options[:key] ||= ENV['HOME']+'/.ssh/id_rsa' |
|
62 |
options[:ssh_agent] ||= true if ENV['SSH_AUTH_SOCK'] and not options[:key] |
|
63 |
options[:key] ||= ENV['HOME']+'/.ssh/id_rsa' unless options[:ssh_agent] |
|
63 | 64 | |
64 | 65 |
begin |
65 |
auth = OpenNebula::SshAuth.new(:private_key=>options[:key]) |
|
66 |
auth_options = {} |
|
67 |
auth_options[:private_key] = options[:key] unless options[:key].nil? |
|
68 |
auth_options[:ssh_agent] = options[:ssh_agent] unless options[:ssh_agent].nil? |
|
69 |
auth = OpenNebula::SshAuth.new(auth_options) |
|
66 | 70 |
rescue Exception => e |
67 | 71 |
return -1, e.message |
68 | 72 |
end |
... | ... | |
93 | 97 |
when OpenNebula::User::SSH_AUTH |
94 | 98 |
require 'opennebula/ssh_auth' |
95 | 99 | |
96 |
options[:key] ||= ENV['HOME']+'/.ssh/id_rsa' |
|
100 |
options[:ssh_agent] ||= true if ENV['SSH_AUTH_SOCK'] and not options[:key] |
|
101 |
options[:key] ||= ENV['HOME']+'/.ssh/id_rsa' unless options[:ssh_agent] |
|
97 | 102 | |
98 | 103 |
begin |
99 |
auth = OpenNebula::SshAuth.new(:private_key=>options[:key]) |
|
104 |
auth_options = {} |
|
105 |
auth_options[:private_key] = options[:key] unless options[:key].nil? |
|
106 |
auth_options[:ssh_agent] = options[:ssh_agent] unless options[:ssh_agent].nil? |
|
107 |
auth = OpenNebula::SshAuth.new(auth_options) |
|
100 | 108 |
rescue Exception => e |
101 | 109 |
return -1, e.message |
102 | 110 |
end |
src/cli/oneuser | ||
102 | 102 |
:description => "Path to the Private Key of the User" |
103 | 103 |
} |
104 | 104 | |
105 |
SSH_AGENT={ |
|
106 |
:name => "ssh-agent", |
|
107 |
:large => "--ssh-agent", |
|
108 |
:description => "Use an SSH agent to authenticate", |
|
109 |
:proc => lambda { |o, options| |
|
110 |
options[:ssh_agent] = true |
|
111 |
} |
|
112 |
} |
|
113 | ||
105 | 114 |
CERT={ |
106 | 115 |
:name => "cert", |
107 | 116 |
:short => "-c path_to_user_cert_pem", |
... | ... | |
132 | 141 |
} |
133 | 142 | |
134 | 143 |
create_options = [READ_FILE, SHA1, SSH, X509, KEY, CERT, DRIVER] |
135 |
login_options = [SSH, X509, X509_PROXY, KEY, CERT, PROXY, TIME] |
|
144 |
login_options = [SSH, X509, X509_PROXY, KEY, SSH_AGENT, CERT, PROXY, TIME]
|
|
136 | 145 | |
137 | 146 |
######################################################################## |
138 | 147 |
# Formatters for arguments |
... | ... | |
308 | 317 |
Creates the Login token for authentication |
309 | 318 |
Examples: |
310 | 319 |
oneuser login my_user --ssh --key /tmp/id_rsa --time 72000 |
320 |
oneuser login my_user --ssh --ssh-agent --time 72000 |
|
321 |
oneuser login my_user --ssh --ssh-agent --key /tmp/id_rsa --time 72000 |
|
311 | 322 |
oneuser login my_user --x509 --cert /tmp/my_cert.pem |
312 | 323 |
--key /tmp/my_key.pk --time 72000 |
313 | 324 |
oneuser login my_user --x509_proxy --proxy /tmp/my_cert.pem |
... | ... | |
325 | 336 |
for the SSH authentication mechanism. |
326 | 337 |
EOT |
327 | 338 | |
328 |
command :key, key_desc, :options=>[KEY] do |
|
339 |
command :key, key_desc, :options=>[KEY, SSH_AGENT] do
|
|
329 | 340 |
options[:driver] = OpenNebula::User::SSH_AUTH |
330 | 341 |
helper.password(options) |
331 | 342 |
end |
332 |
- |
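Review bot: The `SSH_AGENT` option description on new line 108 does not tell the user what `--key` means once `--ssh-agent` is given — per the helper it is no longer a file path but the agent identity comment, matched exactly against what `ssh-add` stored (normally the key's path), and without `--key` the first loaded identity is used — while the `KEY` description above still says "Path to the Private Key of the User" and example 321 combines the two. I would set `:description => "Use the SSH agent from SSH_AUTH_SOCK instead of a key file; with --key, select the agent identity whose comment equals the given path, otherwise the first loaded identity"`. `SSH_AGENT` is added to `login_options` and to the `key` command but not to `create_options`; if `create --ssh` goes through the same helper branch this looks like an omission, otherwise a short comment saying why would help.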