haskal
/
vagrant
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

communicators/ssh: insert random key, remove insecure key

This commit is contained in:
Mitchell Hashimoto 2014-10-24 09:58:18 -07:00
parent f4dec575ed
commit 94b2a8a56b
5 changed files with 89 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/vagrant/errors.rb
View File

@ -620,6 +620,10 @@ module Vagrant
error_key(:ssh_invalid_shell)
end
class SSHInsertKeyUnsupported < VagrantError
error_key(:ssh_insert_key_unsupported)
end
class SSHIsPuttyLink < VagrantError
error_key(:ssh_is_putty_link)
end

50
plugins/communicators/ssh/communicator.rb
View File

@ -11,6 +11,7 @@ require 'net/scp'
require 'vagrant/util/ansi_escape_code_remover'
require 'vagrant/util/file_mode'
require 'vagrant/util/keypair'
require 'vagrant/util/platform'
require 'vagrant/util/retryable'
@ -88,6 +89,8 @@ module VagrantPlugins
raise
rescue Vagrant::Errors::SSHKeyBadPermissions
raise
rescue Vagrant::Errors::SSHInsertKeyUnsupported
raise
rescue Vagrant::Errors::VagrantError => e
# Ignore it, SSH is not ready, some other error.
end
@ -142,20 +145,41 @@ module VagrantPlugins
# If we used a password, then insert the insecure key
ssh_info = @machine.ssh_info
if ssh_info[:password] && ssh_info[:private_key_path].empty?
@logger.info("Inserting insecure key to avoid password")
@machine.ui.info(I18n.t("vagrant.inserting_insecure_key"))
@machine.guest.capability(
:insert_public_key,
Vagrant.source_root.join("keys", "vagrant.pub").read.chomp)
insert = ssh_info[:password] && ssh_info[:private_key_path].empty?
ssh_info[:private_key_path].each do |pk|
if insecure_key?(pk)
insert = true
@machine.ui.detail("\n"+I18n.t("vagrant.inserting_insecure_detected"))
break
end
end
if insert
# If we don't have the power to insert/remove keys, then its an error
cap = @machine.guest.capability?(:insert_public_key) &&
@machine.guest.capability?(:remove_public_key)
raise Vagrant::Errors::SSHInsertKeyUnsupported if !cap
_pub, priv, openssh = Vagrant::Util::Keypair.create
@logger.info("Inserting key to avoid password: #{openssh}")
@machine.ui.detail("\n"+I18n.t("vagrant.inserting_random_key"))
@machine.guest.capability(:insert_public_key, openssh)
# Write out the private key in the data dir so that the
# machine automatically picks it up.
@machine.data_dir.join("private_key").open("w+") do |f|
f.write(Vagrant.source_root.join("keys", "vagrant").read)
f.write(priv)
end
@machine.ui.info(I18n.t("vagrant.inserted_key"))
# Remove the old key if it exists
@machine.ui.detail(I18n.t("vagrant.inserting_remove_key"))
@machine.guest.capability(
:remove_public_key,
Vagrant.source_root.join("keys", "vagrant.pub").read.chomp)
# Done, restart.
@machine.ui.detail(I18n.t("vagrant.inserted_key"))
@connection.close
@connection = nil
@ -597,6 +621,16 @@ module VagrantPlugins
# Otherwise, just raise the error up
raise
end
# This will test whether path is the Vagrant insecure private key.
#
# @param [String] path
def insecure_key?(path)
return false if !path
return false if !File.file?(path)
source_path = Vagrant.source_root.join("keys", "vagrant")
return File.read(path).chomp == source_path.read.chomp
end
end
end
end

21
plugins/guests/linux/cap/remove_public_key.rb Normal file
View File

@ -0,0 +1,21 @@
require "vagrant/util/shell_quote"
module VagrantPlugins
module GuestLinux
module Cap
class RemovePublicKey
def self.remove_public_key(machine, contents)
contents = contents.chomp
contents = Vagrant::Util::ShellQuote.escape(contents, "'")
machine.communicate.tap do |comm|
if comm.test("test -f ~/.ssh/authorized_keys")
comm.execute(
"sed -i '/^.*#{contents}.*$/d' ~/.ssh/authorized_keys")
end
end
end
end
end
end
end

5
plugins/guests/linux/plugin.rb
View File

@ -62,6 +62,11 @@ module VagrantPlugins
Cap::ReadIPAddress
end
guest_capability("linux", "remove_public_key") do
require_relative "cap/remove_public_key"
Cap::RemovePublicKey
end
guest_capability("linux", "rsync_installed") do
require_relative "cap/rsync"
Cap::RSync

19
templates/locales/en.yml
View File

@ -130,8 +130,13 @@ en:
Starting Docker containers...
inserted_key: |-
Key inserted! Disconnecting and reconnecting using new SSH key...
inserting_insecure_key: |-
Inserting Vagrant public key within guest...
inserting_insecure_detected: |-
Vagrant insecure key detected. Vagrant will automatically replace
this with a newly generated keypair for better security.
inserting_random_key: |-
Inserting generated public key within guest...
inserting_remove_key: |-
Removing insecure key from the guest if its present...
list_commands: |-
Below is a listing of all available Vagrant commands and a brief
description of what they do.
@ -1071,6 +1076,16 @@ en:
using a shell that is unavailable on the system. Please verify
you're using the full path to the shell and that the shell is
executable by the SSH user.
ssh_insert_key_unsupported: |-
Vagrant is configured to generate a random keypair and insert it
onto the guest machine, but it appears Vagrant doesn't know how to do
this with your guest OS. Please disable key insertion by setting
`config.ssh.insert_key = false` in the Vagrantfile.
After doing so, run `vagrant reload` for the setting to take effect.
If you'd like Vagrant to learn how to insert keys on this OS, please
open an issue with details about your environment.
ssh_is_putty_link: |-
The `ssh` executable found in the PATH is a PuTTY Link SSH client.
Vagrant is only compatible with OpenSSH SSH clients. Please install