From a5582eb1c8b7864a4116672896017058292b95a9 Mon Sep 17 00:00:00 2001
From: Chris Roberts
Date: Tue, 12 Jun 2018 10:49:10 -0700
Subject: [PATCH] Add ssh key permissions set caps to hosts
---
 plugins/hosts/bsd/cap/ssh.rb | 16 ++++++++++++
 plugins/hosts/bsd/plugin.rb | 5 ++++
 plugins/hosts/linux/cap/ssh.rb | 16 ++++++++++++
 plugins/hosts/linux/plugin.rb | 5 ++++
 plugins/hosts/windows/cap/ssh.rb | 25 +++++++++++++++++++
 plugins/hosts/windows/host.rb | 10 ++++++++
 plugins/hosts/windows/plugin.rb | 5 ++++
 .../scripts/set_ssh_key_permissions.ps1 | 17 +++++++++++++
 .../scripts/utils/VagrantSSH/VagrantSSH.psm1 | 24 ++++++++++++++++++
 9 files changed, 123 insertions(+)
 create mode 100644 plugins/hosts/bsd/cap/ssh.rb
 create mode 100644 plugins/hosts/linux/cap/ssh.rb
 create mode 100644 plugins/hosts/windows/cap/ssh.rb
 create mode 100644 plugins/hosts/windows/scripts/set_ssh_key_permissions.ps1
 create mode 100644 plugins/hosts/windows/scripts/utils/VagrantSSH/VagrantSSH.psm1
diff --git a/plugins/hosts/bsd/cap/ssh.rb b/plugins/hosts/bsd/cap/ssh.rb
new file mode 100644
index 000000000..9d38c8bea
--- /dev/null
+++ b/plugins/hosts/bsd/cap/ssh.rb
@@ -0,0 +1,16 @@
+module VagrantPlugins
+ module HostBSD
+ module Cap
+ class SSH
+ # Set the ownership and permissions for SSH
+ # private key
+ #
+ # @param [Vagrant::Environment] env
+ # @param [Pathname] key_path
+ def self.set_ssh_key_permissions(env, key_path)
+ key_path.chmod(0600)
+ end
+ end
+ end
+ end
+end
diff --git a/plugins/hosts/bsd/plugin.rb b/plugins/hosts/bsd/plugin.rb
index 359d4f7ad..ce79ede31 100644
--- a/plugins/hosts/bsd/plugin.rb
+++ b/plugins/hosts/bsd/plugin.rb
@@ -35,6 +35,11 @@ module VagrantPlugins
 require_relative "cap/nfs"
 Cap::NFS
 end
+
+ host_capability("bsd", "set_ssh_key_permissions") do
+ require_relative "cap/ssh"
+ Cap::SSH
+ end
 end
 end
 end
diff --git a/plugins/hosts/linux/cap/ssh.rb b/plugins/hosts/linux/cap/ssh.rb
new file mode 100644
index 000000000..c3a17a5f7
--- /dev/null
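Review bot: The doc comment on `set_ssh_key_permissions` in plugins/hosts/bsd/cap/ssh.rb promises "ownership and permissions", but the body only calls `key_path.chmod(0600)`; ownership is never changed and `env` is not used. The same comment and body appear in plugins/hosts/linux/cap/ssh.rb. I would reword the comment to `# Restrict the SSH private key to owner read/write (mode 0600)` so that nobody relying on this capability assumes the file owner has also been corrected. If `env` is kept only to satisfy the host capability calling convention (not visible in this patch), a one-line comment saying so would help.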
+++ b/plugins/hosts/linux/cap/ssh.rb
@@ -0,0 +1,16 @@
+module VagrantPlugins
+ module HostLinux
+ module Cap
+ class SSH
+ # Set the ownership and permissions for SSH
+ # private key
+ #
+ # @param [Vagrant::Environment] env
+ # @param [Pathname] key_path
+ def self.set_ssh_key_permissions(env, key_path)
+ key_path.chmod(0600)
+ end
+ end
+ end
+ end
+end
diff --git a/plugins/hosts/linux/plugin.rb b/plugins/hosts/linux/plugin.rb
index 8b89fc522..a4c6311bf 100644
--- a/plugins/hosts/linux/plugin.rb
+++ b/plugins/hosts/linux/plugin.rb
@@ -47,6 +47,11 @@ module VagrantPlugins
 require_relative "cap/nfs"
 Cap::NFS
 end
+
+ host_capability("linux", "set_ssh_key_permissions") do
+ require_relative "cap/ssh"
+ Cap::SSH
+ end
 end
 end
 end
diff --git a/plugins/hosts/windows/cap/ssh.rb b/plugins/hosts/windows/cap/ssh.rb
new file mode 100644
index 000000000..e94a683c4
--- /dev/null
+++ b/plugins/hosts/windows/cap/ssh.rb
@@ -0,0 +1,25 @@
+module VagrantPlugins
+ module HostWindows
+ module Cap
+ class SSH
+ # Set the ownership and permissions for SSH
+ # private key
+ #
+ # @param [Vagrant::Environment] env
+ # @param [Pathname] key_path
+ def self.set_ssh_key_permissions(env, key_path)
+ script_path = Host.scripts_path.join("set_ssh_key_permissions.ps1")
+ result = Vagrant::Util::PowerShell.execute(
+ script_path.to_s, path.to_s,
+ module_path: Host.module_path.to_s
+ )
+ if result.exit_code != 0
+ raise Vagrant::Errors::PowerShellError,
+ script: script_path,
+ stderr: result.stderr
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/plugins/hosts/windows/host.rb b/plugins/hosts/windows/host.rb
index 4491f629a..b92ac335e 100644
--- a/plugins/hosts/windows/host.rb
+++ b/plugins/hosts/windows/host.rb
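Review bot: In plugins/hosts/windows/cap/ssh.rb the PowerShell call passes `path.to_s`, but the method's parameter is `key_path` and nothing named `path` is defined in this new file, so the call would raise NameError before any permissions are changed. The keyword argument also reads `Host.module_path`, while the helper added to host.rb in this same commit is `modules_path`. The two lines should read `script_path.to_s, key_path.to_s,` and `module_path: Host.modules_path.to_s`. How `PowerShell.execute` quotes its arguments is not visible here, so a key path containing spaces deserves a test, as does the non-zero exit branch, since a silent failure leaves the private key with its original ACL.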
@@ -8,6 +8,16 @@ module VagrantPlugins
 def detect?(env)
 Vagrant::Util::Platform.windows?
 end
+
+ # @return [Pathname] Path to scripts directory
+ def self.scripts_path
+ Pathname.new(File.expand_path("..", __FILE__))
+ end
+
+ # @return [Pathname] Path to modules directory
+ def self.modules_path
+ scripts_path.join("utils")
+ end
 end
 end
 end
diff --git a/plugins/hosts/windows/plugin.rb b/plugins/hosts/windows/plugin.rb
index 78d9239e1..5668141fb 100644
--- a/plugins/hosts/windows/plugin.rb
+++ b/plugins/hosts/windows/plugin.rb
@@ -55,6 +55,11 @@ module VagrantPlugins
 require_relative "cap/configured_ip_addresses"
 Cap::ConfiguredIPAddresses
 end
+
+ host_capability("windows", "set_ssh_key_permissions") do
+ require_relative "cap/ssh"
+ Cap::SSH
+ end
 end
 end
 end
diff --git a/plugins/hosts/windows/scripts/set_ssh_key_permissions.ps1 b/plugins/hosts/windows/scripts/set_ssh_key_permissions.ps1
new file mode 100644
index 000000000..9fc5a1d20
--- /dev/null
+++ b/plugins/hosts/windows/scripts/set_ssh_key_permissions.ps1
@@ -0,0 +1,17 @@
+#Requires -Modules VagrantSSH
+
+param(
+ [Parameter(Mandatory=$true)]
+ [string] $KeyPath,
+ [Parameter(Mandatory=$false)]
+ [string] $Principal=$null
+)
+
+$ErrorActionPreference = "Stop"
+
+try {
+ Set-SSHKeyPermissions -SSHKeyPath $KeyPath -Principal $Principal
+} catch {
+ Write-Error "Failed to set permissions on key: ${PSItem}"
+ exit 1
+}
diff --git a/plugins/hosts/windows/scripts/utils/VagrantSSH/VagrantSSH.psm1 b/plugins/hosts/windows/scripts/utils/VagrantSSH/VagrantSSH.psm1
new file mode 100644
index 000000000..04b1e327b
--- /dev/null
+++ b/plugins/hosts/windows/scripts/utils/VagrantSSH/VagrantSSH.psm1
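Review bot: `scripts_path` in plugins/hosts/windows/host.rb expands `".."` against `__FILE__`, which yields the directory that holds host.rb (plugins/hosts/windows), not the `scripts` directory its doc comment names. This commit adds the script as plugins/hosts/windows/scripts/set_ssh_key_permissions.ps1 and the module under scripts/utils/VagrantSSH, so both `scripts_path.join("set_ssh_key_permissions.ps1")` and `modules_path` resolve one level too high and the key-permission script would not be found. The body should be `Pathname.new(File.expand_path("../scripts", __FILE__))`. The enclosing class starts outside this hunk, so I cannot see whether `pathname` is already required there.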
@@ -0,0 +1,24 @@
+# Vagrant SSH capability functions
+
+function Set-SSHKeyPermissions {
+ param (
+ [parameter(Mandatory=$true)]
+ [string] $SSHKeyPath,
+ [parameter(Mandatory=$false)]
+ [string] $Principal=$null
+ )
+
+ if(!$Principal) {
+ $Principal = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
+ }
+
+ # Create the new ACL we want to apply
+ $NewAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+ $Principal, "FullControl", "None", "None", "Allow")
+ # Scrub all existing ACLs from the file
+ $ACL = Get-ACL "${SSHKeyPath}"
+ $ACL.Access | %{$ACL.RemoveAccessRule($_)}
+ # Apply the new ACL
+ $ACL.SetAccessRule($NewAccessRule)
+ Set-ACL "${SSHKeyPath}" $ACL
+}
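Review bot: The "scrub" step in `Set-SSHKeyPermissions` removes only explicit entries, because `RemoveAccessRule` does not drop ACEs inherited from the parent directory and inheritance is never disabled on the file. A private key stored under a folder with inheritable grants can therefore stay readable by other principals after this function reports success. Adding `$ACL.SetAccessRuleProtection($true, $false)` before `Set-ACL` would block inheritance and discard the inherited entries, so that the single `FullControl` rule for `$Principal` is the whole DACL. The `%{$ACL.RemoveAccessRule($_)}` pipeline also writes one boolean per rule to the output stream, and piping it to `Out-Null` keeps the script's output clean.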