Commit 60b76cca authored by Leigh B Stoller's avatar Leigh B Stoller

Use "dropfile" operation to send new certificates over to ops, rather than

using NFS. Still need to do addpubkey (which is called for encrypted ssl
certs).
parent 0c5dbc6a
#!/usr/bin/perl -wT #!/usr/bin/perl -wT
# #
# Copyright (c) 2000-2014 University of Utah and the Flux Group. # Copyright (c) 2000-2015 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -74,6 +74,8 @@ my $EMULAB_KEY = "$TB/etc/emulab.key"; ...@@ -74,6 +74,8 @@ my $EMULAB_KEY = "$TB/etc/emulab.key";
my $OPENSSL = "/usr/bin/openssl"; my $OPENSSL = "/usr/bin/openssl";
my $KEYGEN = "/usr/bin/ssh-keygen"; my $KEYGEN = "/usr/bin/ssh-keygen";
my $ADDKEY = "$TB/sbin/addpubkey"; my $ADDKEY = "$TB/sbin/addpubkey";
my $SSH = "$TB/bin/sshtb";
my $ACCOUNTPROXY= "$TB/sbin/accountsetup";
my $WORKDIR = "$TB/ssl"; my $WORKDIR = "$TB/ssl";
my $SAVEUID = $UID; my $SAVEUID = $UID;
...@@ -583,20 +585,13 @@ if (! -d $ssldir) { ...@@ -583,20 +585,13 @@ if (! -d $ssldir) {
or fatal("Could not chown $ssldir: $!"); or fatal("Could not chown $ssldir: $!");
} }
my $target; # Drop the file into the user .ssl directory.
$UID = $EUID;
if ($encrypted) { system("$SSH -host $CONTROL ".
$target = "$ssldir/encrypted.pem"; "'$ACCOUNTPROXY dropfile $user $default_groupgid 0600 $ssldir ".
} ($encrypted ? "encrypted.pem" : "emulab.pem") . "' < usercert.pem") == 0
else { or fatal("Could not copy certificate file to $CONTROL");
$target = "$ssldir/emulab.pem"; $UID = $SAVEUID;
}
system("cp -f usercert.pem $target") == 0
or fatal("Could not copy usercert.pem to $target");
chown($user_number, $default_groupgid, "$target")
or fatal("Could not chown $target: $!");
if ($encrypted) { if ($encrypted) {
# #
...@@ -608,16 +603,13 @@ if ($encrypted) { ...@@ -608,16 +603,13 @@ if ($encrypted) {
"-out usercert.p12 -rand ./.rnd") "-out usercert.p12 -rand ./.rnd")
== 0 or fatal("Could not create usercert.p12"); == 0 or fatal("Could not create usercert.p12");
$target = "$ssldir/encrypted.p12"; # Drop the file into the user .ssl directory.
$UID = $EUID;
system("cp -f usercert.p12 $target") == 0 system("$SSH -host $CONTROL ".
or fatal("Could not copy usercert.p12 to $target"); "'$ACCOUNTPROXY dropfile $user $default_groupgid 0600 $ssldir ".
"encrypted.p12' < usercert.p12")
chown($user_number, $default_groupgid, "$target") == 0 or fatal("Could not copy .p12 file to $CONTROL");
or fatal("Could not chown $target: $!"); $UID = $SAVEUID;
chmod(0600, $target)
or fatal("Could not chmod $target: $!");
goto skipssh goto skipssh
if ($target_user->IsNonLocal()); if ($target_user->IsNonLocal());
...@@ -626,7 +618,7 @@ if ($encrypted) { ...@@ -626,7 +618,7 @@ if ($encrypted) {
# Create an SSH key from the private key. Mostly for geni users, # Create an SSH key from the private key. Mostly for geni users,
# who tend not to know how to do such things. # who tend not to know how to do such things.
# #
my $pemfile = "$ssldir/encrypted.pem"; my $pemfile = "usercert.pem";
my $sshdir = "$USERDIR/$user_uid/.ssh"; my $sshdir = "$USERDIR/$user_uid/.ssh";
my $pphrase = User::escapeshellarg($password); my $pphrase = User::escapeshellarg($password);
# This comment is special. It functions as a cross table reference # This comment is special. It functions as a cross table reference
...@@ -640,10 +632,12 @@ if ($encrypted) { ...@@ -640,10 +632,12 @@ if ($encrypted) {
# #
# The key format is identical to openssh, so just copy it over. # The key format is identical to openssh, so just copy it over.
# #
system("/bin/cp usercert_key.pem $sshdir/encrypted.key") == 0 $UID = $EUID;
or fatal("Could not copy private key to $sshdir/encrypted.key: $!"); system("$SSH -host $CONTROL ".
chmod(0600, "$sshdir/encrypted.key") "'$ACCOUNTPROXY dropfile $user $default_groupgid 0600 $sshdir ".
or fatal("Could not chmod $sshdir/encrypted.key: $!"); "encrypted.key' < usercert_key.pem")
== 0 or fatal("Could not copy ssh key file to $CONTROL");
$UID = $SAVEUID;
# #
# No need to do this when just changing the passphrase. # No need to do this when just changing the passphrase.
...@@ -652,10 +646,17 @@ if ($encrypted) { ...@@ -652,10 +646,17 @@ if ($encrypted) {
# #
# Extract a public key. # Extract a public key.
# #
system("$KEYGEN -P $pphrase -y -f $pemfile > $sshdir/encrypted.pub") system("$KEYGEN -P $pphrase -y -f $pemfile > encrypted.pub")
== 0 == 0
or fatal("Could not extract ssh pubkey from $pemfile"); or fatal("Could not extract ssh pubkey from $pemfile");
$UID = $EUID;
system("$SSH -host $CONTROL ".
"'$ACCOUNTPROXY dropfile $user $default_groupgid 0644 $sshdir ".
"encrypted.pub' < encrypted.pub")
== 0 or fatal("Could not copy ssh pub key file to $CONTROL");
$UID = $SAVEUID;
# #
# Need to remove the current ssh pubkey from the database, but we just # Need to remove the current ssh pubkey from the database, but we just
# updated the new serial number so the comment is no longer valid for # updated the new serial number so the comment is no longer valid for
...@@ -670,8 +671,8 @@ if ($encrypted) { ...@@ -670,8 +671,8 @@ if ($encrypted) {
# #
$EUID = $UID; $EUID = $UID;
system("$ADDKEY -s -N -I -C $comment -u $user_uid ". system("$ADDKEY -s -N -I -C $comment -u $user_uid ".
" -f $sshdir/encrypted.pub") " -f encrypted.pub")
== 0 or fatal("Could not add pubkey $sshdir/encrypted.pub"); == 0 or fatal("Could not add ssh pubkey");
} }
skipssh: skipssh:
} }
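Review bot: The remote command built at the first dropfile call, `system("$SSH -host $CONTROL '$ACCOUNTPROXY dropfile $user $default_groupgid 0600 $ssldir " ... "' < usercert.pem")`, interpolates `$user` and `$ssldir` inside single quotes that the shell on `$CONTROL` will parse, so a quote or metacharacter in either value would break out of the argument and run under whatever account sshtb lands in; the same construction is repeated for encrypted.p12, encrypted.key and encrypted.pub. The script runs under -T, so these values are presumably laundered before this point, but that is outside the hunks shown; an explicit guard ahead of the first call, `fatal("Bad user name: $user") unless $user =~ /\A[-\w]+\z/;` (and the same for the directory arguments, which are built from `$USERDIR` and the user name as the visible `$sshdir` line shows), would make the contract local to this code. The four calls differ only in mode, target directory, file name and stdin source, so one small helper that also owns the quoting would keep them consistent and leave a single place to audit. The `$UID = $EUID;` / `$UID = $SAVEUID;` bracketing is repeated at each call as well and is not restored on the `fatal` path, which is fine only as long as `fatal` never returns; a comment saying so, `# fatal() exits, so $UID is not restored on error`, would save the next reader the check.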