[pve-devel] [PATCH RFC 21/21] ssh_merge_known_hosts: simply add cert-authority

Dietmar Maurer dietmar at proxmox.com
Mon Nov 28 08:09:13 CET 2016


And completely remove that complex merge code.

Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
---
 data/PVE/Cluster.pm | 118 +++++-----------------------------------------------
 1 file changed, 10 insertions(+), 108 deletions(-)

diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index 14748e2..5071b93 100644
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -1247,8 +1247,8 @@ sub ssh_unmerge_known_hosts {
     return if ! -l $sshglobalknownhosts;
 
     my $old = '';
-    $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024)
-	if -f $sshknownhosts;
+    $old = PVE::Tools::file_get_contents($sshglobalknownhosts, 128*1024)
+	if -f $sshglobalknownhosts;
 
     PVE::Tools::file_set_contents($sshglobalknownhosts, $old);
 }
@@ -1256,116 +1256,18 @@ sub ssh_unmerge_known_hosts {
 sub ssh_merge_known_hosts {
     my ($nodename, $ip_address, $createLink) = @_;
 
-    die "no node name specified" if !$nodename;
-    die "no ip address specified" if !$ip_address;
-   
-    mkdir $authdir;
+    # remove old symlink hack
+    ssh_unmerge_known_hosts();
 
-    if (! -f $sshknownhosts) {
-	if (my $fh = IO::File->new($sshknownhosts, O_CREAT|O_WRONLY|O_EXCL, 0600)) {
-	    close($fh);
-	}
-    }
+    my $old = PVE::Tools::file_get_contents($sshglobalknownhosts, 128*1024);
 
-    my $old = PVE::Tools::file_get_contents($sshknownhosts, 128*1024); 
-    
-    my $new = '';
-    
-    if ((! -l $sshglobalknownhosts) && (-f $sshglobalknownhosts)) {
-	$new = PVE::Tools::file_get_contents($sshglobalknownhosts, 128*1024);
-    }
+    my $cert = PVE::Tools::file_read_firstline($ssh_cluster_ca_cert);
 
-    my $hostkey = PVE::Tools::file_get_contents($ssh_host_rsa_id);
-    # Note: file sometimes containe emty lines at start, so we use multiline match
-    die "can't parse $ssh_host_rsa_id" if $hostkey !~ m/^(ssh-rsa\s\S+)(\s.*)?$/m;
-    $hostkey = $1;
-
-    my $data = '';
-    my $vhash = {};
-
-    my $found_nodename;
-    my $found_local_ip;
-
-    my $merge_line = sub {
-	my ($line, $all) = @_;
-
-	if ($line =~ m/^(\S+)\s(ssh-rsa\s\S+)(\s.*)?$/) {
-	    my $key = $1;
-	    my $rsakey = $2;
-	    if (!$vhash->{$key}) {
-		$vhash->{$key} = 1;
-		if ($key =~ m/\|1\|([^\|\s]+)\|([^\|\s]+)$/) {
-		    my $salt = decode_base64($1);
-		    my $digest = $2;
-		    my $hmac = Digest::HMAC_SHA1->new($salt);
-		    $hmac->add($nodename);
-		    my $hd = $hmac->b64digest . '=';
-		    if ($digest eq $hd) {
-			if ($rsakey eq $hostkey) {
-			    $found_nodename = 1;
-			    $data .= $line;
-			}
-			return;
-		    }
-		    $hmac = Digest::HMAC_SHA1->new($salt);
-		    $hmac->add($ip_address);
-		    $hd = $hmac->b64digest . '=';
-		    if ($digest eq $hd) {
-			if ($rsakey eq $hostkey) {
-			    $found_local_ip = 1;
-			    $data .= $line;
-			}
-			return;
-		    }
-		}
-		$data .= $line;
-	    }
-	} elsif ($all) {
-	    $data .= $line;
-	}
-    };
-
-    while ($old && $old =~ s/^((.*?)(\n|$))//) {
-	my $line = "$2\n";
-	next if $line =~ m/^\s*$/; # skip empty lines
-	next if $line =~ m/^#/; # skip comments
-	&$merge_line($line, 1);
-    }
-
-    while ($new && $new =~ s/^((.*?)(\n|$))//) {
-	my $line = "$2\n";
-	next if $line =~ m/^\s*$/; # skip empty lines
-	next if $line =~ m/^#/; # skip comments
-	&$merge_line($line);
+    if ($old !~ m/^\@cert-authority\s+\*\s+\Q$cert\E\s*$/m) {
+	chomp $old;
+	$old = "\@cert-authority * $cert\n$old\n";
+	PVE::Tools::file_set_contents($sshglobalknownhosts, $old);
     }
-
-    my $addIndex = $$;
-    my $add_known_hosts_entry  = sub {
-	my ($name, $hostkey) = @_;
-	$addIndex++;
-	my $hmac = Digest::HMAC_SHA1->new("$addIndex" . time());
-	my $b64salt = $hmac->b64digest . '=';
-	$hmac = Digest::HMAC_SHA1->new(decode_base64($b64salt));
-	$hmac->add($name);
-	my $digest = $hmac->b64digest . '=';
-	$data .= "|1|$b64salt|$digest $hostkey\n";
-    };
-
-    if (!$found_nodename || !$found_local_ip) {
-	&$add_known_hosts_entry($nodename, $hostkey) if !$found_nodename;
-	&$add_known_hosts_entry($ip_address, $hostkey) if !$found_local_ip;
-    }
-
-    PVE::Tools::file_set_contents($sshknownhosts, $data);
-
-    return if !$createLink;
-
-    unlink $sshglobalknownhosts;
-    symlink $sshknownhosts, $sshglobalknownhosts;
- 
-    warn "can't create symlink for ssh known hosts '$sshglobalknownhosts' -> '$sshknownhosts'\n" 
-	if ! -l $sshglobalknownhosts;
-
 }
 
 my $migration_format = {
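Review bot: The new `ssh_merge_known_hosts` body reads `$sshglobalknownhosts` unconditionally and no longer has any replacement for the O_CREAT|O_EXCL creation the removed code did when the known_hosts file was absent, so on a node where that file does not exist yet the call presumably dies (if `file_get_contents` keeps the usual open-or-die contract) instead of seeding the file with the cert-authority line, and an unreadable `$ssh_cluster_ca_cert` leaves `$cert` undef and writes a bare `@cert-authority * ` line that trusts nothing but also silently looks merged on the next run. Guard both: `my $old = -f $sshglobalknownhosts ? PVE::Tools::file_get_contents($sshglobalknownhosts, 128*1024) : '';` and `die "no cluster CA key found in '$ssh_cluster_ca_cert'\n" if !$cert;` before the match. `$nodename`, `$ip_address` and `$createLink` are still unpacked but no longer used anywhere in the body; if they stay for call-site compatibility, say so with a comment such as `# args kept for API compatibility; node/ip entries are no longer merged`. The match only checks for the current CA key, so after a CA rotation any earlier `@cert-authority * …` line stays in the file and the old CA remains trusted alongside the new one; if rotation is expected, strip other `@cert-authority` lines for the `*` pattern before prepending the current one.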
-- 
2.1.4



