Commit f357de2a authored by Leigh B. Stoller's avatar Leigh B. Stoller

This script was moved to the account directory (including the RCS history).
parent 9bb38fee
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# Copyright (c) 2000-2003 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -12,9 +12,9 @@ UNIFIED = @UNIFIED_BOSS_AND_OPS@
include $(OBJDIR)/Makeconf
BIN_SCRIPTS = delay_config sshtb create_image node_admin addpubkey
BIN_SCRIPTS = delay_config sshtb create_image node_admin
SBIN_SCRIPTS = vlandiff vlansync withadminprivs export_tables cvsupd.pl
LIBEXEC_SCRIPTS = webcreateimage webaddpubkey
LIBEXEC_SCRIPTS = webcreateimage
#
# These are the ones installed on plastic (users, control, etc).
......
#!/usr/bin/perl -wT
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
use Getopt::Std;
#
# Parse ssh public keys and enter into the DB. The default format is
# openssh, but if the key is not in that format, then use ssh-keygen
# to see if it can be converted from either SSH2 or SECSH format into
# openssh format. This gets called from the webpage to parse keys
# uploaded by users.
#
sub usage()
{
print "Usage: addpubkeys [-n] [-a] [-k] <user> [<keyfile> | <key>]\n";
print "Options:\n";
print " -k Indicates that key was passed in on the command line\n";
print " -n Verify key format only; do not enter into into DB\n";
print " -a Audit mode; send audit message to log file\n";
exit(-1);
}
my $optlist = "kna";
my $iskey = 0;
my $verify = 0;
my $auditmode = 0;
#
# Configure variables
#
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $TBAUDIT = "@TBAUDITEMAIL@";
#
# Testbed Support libraries
#
use lib "@prefix@/lib";
use libdb;
use libtestbed;
#
# Turn off line buffering on output
#
$| = 1;
#
# Untaint the path
#
$ENV{'PATH'} = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
#
# Please do not run it as root. Hard to track what has happened.
#
if ($UID == 0) {
die("*** $0:\n".
" Please do not run this as root!\n");
}
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
%options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"k"})) {
$iskey = 1;
}
if (defined($options{"n"})) {
$verify = 1;
}
if (defined($options{"a"})) {
$auditmode = 1;
}
if (@ARGV != 2) {
usage();
}
my $user = $ARGV[0];
my $keyfile = $ARGV[1];
my $keyline;
my $key;
my $comment;
my $db_uid;
my $db_name = "Testbed Operations";
my $db_email = $TBOPS;
my $user_name;
my $user_email;
#
# Untaint the arguments.
#
if ($iskey) {
if ($keyfile =~ /^([-\w\s\.\@\+\/\=]*)$/) {
$keyfile = $1;
}
else {
fatal("Tainted key: $keyfile");
}
$keyline = $keyfile;
}
else {
if ($keyfile =~ /^([-\w\.\/]+)$/) {
$keyfile = $1;
}
else {
fatal("Tainted filename: $keyfile");
}
if (! -e $keyfile) {
fatal("*** $0\n".
" No such file: $keyfile\n");
}
$keyline = `head -1 $keyfile`;
}
if ($user =~ /^([a-z0-9]+)$/i) {
$user = $1;
}
else {
fatal("Tainted username: $user");
}
#
# Check user and get his DB uid and email stuff. If invoked as "nobody" its
# for a user with no actual account. While we do not do anything to the
# account (other than inserting the new key into the DB) either way, we do
# lose the ability to fully audit what is happening (we will not know the
# invoker of the script from the web interface).
#
if ($verify) {
#
# Silly, and complicates things.
#
$auditmode = 0;
}
else {
if (getpwuid($UID) eq "nobody") {
$auditmode = 1;
$db_uid = $user;
}
else {
if (! UNIX2DBUID($UID, \$db_uid)) {
fatal("*** $0:\n".
" You do not exist in the Emulab Database.\n");
}
if ($user ne $db_uid) {
#
# Only admins can set pubkeys for another user.
#
if (!TBAdmin($UID)) {
fatal("*** $0:\n".
" You are not allowed to set pubkeys for $user.\n");
}
# Always audit when setting other people's keys.
$auditmode = 1;
}
}
}
#
# Okay, if the user record does not exist yet, then send the audit message
# to tbops only.
#
if ($auditmode) {
if (! UserDBInfo($user, \$user_name, \$user_email)) {
$user_name = "Testbed Operations";
$user_email = $TBOPS;
}
if (! UserDBInfo($db_uid, \$db_name, \$db_email)) {
$db_name = "Testbed Audit";
$db_email = $TBAUDIT;
}
}
#
# Grab the first line of the file. Parse it to see if its in the
# format we like (openssh), either protocol 1 or 2.
#
if (ParseKey($keyline)) {
if ($auditmode) {
audit();
}
exit 0;
}
# If the key was entered on the command line, then nothing more to do.
if ($iskey) {
exit 1;
}
#
# Run ssh-keygen over it and see if it can convert it.
#
if (! open(KEYGEN, "ssh-keygen -i -f $keyfile 2>/dev/null |")) {
fatal("*** $0:\n".
" Could not start ssh-keygen\n");
}
$keyline = <KEYGEN>;
if (close(KEYGEN) && ParseKey($keyline)) {
if ($auditmode) {
audit();
}
exit 0;
}
exit 1;
sub ParseKey($) {
my ($keyline) = @_;
if ($keyline =~ /^(\d*\s\d*\s[0-9a-zA-Z]*) ([-\w\@\.]*)$/) {
# Protocol 1
$type = "ssh-rsa1";
$key = $1;
$comment = $2;
}
elsif ($keyline =~ /^(\d*\s\d*\s[0-9a-zA-Z]*)\s*$/) {
# Protocol 1 but no comment field.
$type = "ssh-rsa1";
$key = $1;
}
elsif ($keyline =~
/^(ssh-rsa|ssh-dss) ([-\w\.\@\+\/\=]*) ([-\w\@\.]*)$/) {
# Protocol 2
$type = $1;
$key = "$1 $2";
$comment = $3;
}
elsif ($keyline =~ /^(ssh-rsa|ssh-dss) ([-\w\.\@\+\/\=]*)$/) {
# Protocol 2 but no comment field
$type = $1;
$key = "$1 $2";
}
if (!defined($key)) {
return 0;
}
# Do not enter into DB if in verify mode.
if ($verify) {
print "Key was good: $type\n";
return 1;
}
#
# Make up a comment field for the DB index. Need something.
#
if (!defined($comment)) {
$comment = "$type-${user_email}";
}
$key = "$key $comment";
DBQueryFatal("replace into user_pubkeys ".
"values ('$user', '$comment', '$key', now())");
#
# Mark user record as modified so nodes are updated.
#
DBQueryFatal("update users set usr_modified=now() where uid='$user'");
TBNodeUpdateAccountsByUID($user);
return 1;
}
sub audit()
{
my $chunked = "";
while (length($key)) {
$chunked .= substr($key, 0, 65, "");
if (length($key)) {
$chunked .= "\n";
}
}
SENDMAIL("$user_name <$user_email>",
"SSH Public Key for '$user' Added",
"SSH Public Key for '$user' added by '$db_uid'.\n".
"\n".
"$chunked\n",
"$db_name <$db_email>",
"Bcc: $TBAUDIT");
}
sub fatal($)
{
my($mesg) = $_[0];
print STDERR "$mesg\n";
#
# Send a message to the testbed list.
#
SENDMAIL($TBOPS,
"SSH Public key insertion failed!",
$mesg,
"$db_name <$db_email>");
exit(-1);
}
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
#
# This gets invoked from the Web interface. Simply a wrapper ...
#
#
# Configure variables
#
my $TB = "@prefix@";
#
# Run the real thing, and never return.
#
exec "$TB/bin/addpubkey", @ARGV;
die("webaddpubkey: Could not exec addpubkey: $!");