From 492031afd388121cf62643812c5af59d823d0669 Mon Sep 17 00:00:00 2001
From: Jiri Stransky
Date: Wed, 18 Oct 2017 15:19:44 +0200
Subject: Create short lived ssh key for enable-ssh-admin.sh

Instead of using the key provided by user on the command line, create a new short-lived key, give it to Mistral to create a tripleo-admin user with it, and remove the short-lived key.

Co-Authored-By: John Fulton
Change-Id: I6e6ed83fa62319d59d7289b16a1412a340ea6b26
Closes-Bug: #1724578
(cherry picked from commit b0e72c1413c9441aa592b56583e87715e7096152)
---
 deployed-server/scripts/enable-ssh-admin.sh | 33 +++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

diff --git a/deployed-server/scripts/enable-ssh-admin.sh b/deployed-server/scripts/enable-ssh-admin.sh
index dcabeadf..daff3907 100755
--- a/deployed-server/scripts/enable-ssh-admin.sh
+++ b/deployed-server/scripts/enable-ssh-admin.sh
@@ -10,6 +10,7 @@ SUBNODES_SSH_KEY=${SUBNODES_SSH_KEY:-"$HOME/.ssh/id_rsa"}
 # this is the intended variable for overriding
 OVERCLOUD_SSH_KEY=${OVERCLOUD_SSH_KEY:-"$SUBNODES_SSH_KEY"}
+SHORT_TERM_KEY_COMMENT="TripleO split stack short term key"
 SLEEP_TIME=5
 function overcloud_ssh_hosts_json {
@@ -22,7 +23,7 @@ print(json.dumps(re.split("\s+", sys.stdin.read().strip())))'
 function overcloud_ssh_key_json {
 # we pass the contents to Mistral instead of just path, otherwise
 # the key file would have to be readable for the mistral user
- cat "$OVERCLOUD_SSH_KEY" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
+ cat "$1" | python -c 'import json,sys; print(json.dumps(sys.stdin.read()))'
 }
 function workflow_finished {
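Review bot: SHORT_TERM_KEY_COMMENT is later spliced unescaped into a sed address (`/$SHORT_TERM_KEY_COMMENT/d`) and into a double-quoted remote ssh command in the removal loop, so its value silently doubles as a regex and as shell text, and nothing at the definition says so. A one-line comment above the assignment would protect the next editor: `# used verbatim as a sed pattern and inside a double-quoted remote command; keep it free of regex metacharacters and quotes`. Marking it `readonly` would also match its role as a constant.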
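Review bot: The rewritten `cat "$1" | python -c ...` line in overcloud_ssh_key_json still pipes a single file through cat; `python -c 'import json,sys; print(json.dumps(sys.stdin.read()))' < "$1"` reads the file directly and drops the extra process. The new positional parameter is undocumented, so the existing comment about passing contents rather than a path no longer says what is passed; a header line such as `# $1 - path to the private key whose contents are JSON-encoded for Mistral` would make the new contract explicit. overcloud_ssh_key_json is complete within the hunk.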
@@ -30,6 +31,12 @@ function workflow_finished {
 openstack workflow execution show -f shell $execution_id | grep 'state="SUCCESS"' > /dev/null
 }
 
+function generate_short_term_keys {
+ local tmpdir=$(mktemp -d)
+ ssh-keygen -N '' -t rsa -b 4096 -f "$tmpdir/id_rsa" -C "$SHORT_TERM_KEY_COMMENT" > /dev/null
+ echo "$tmpdir"
+}
+
 if [ -z "$OVERCLOUD_HOSTS" ]; then
 echo 'Please set $OVERCLOUD_HOSTS'
 exit 1
@@ -41,7 +48,20 @@ echo "SSH key file: $OVERCLOUD_SSH_KEY"
 echo "Hosts: $OVERCLOUD_HOSTS"
 echo
-EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json)}"
+SHORT_TERM_KEY_DIR=$(generate_short_term_keys)
+SHORT_TERM_KEY_PRIVATE="$SHORT_TERM_KEY_DIR/id_rsa"
+SHORT_TERM_KEY_PUBLIC="$SHORT_TERM_KEY_DIR/id_rsa.pub"
+SHORT_TERM_KEY_PUBLIC_CONTENT=$(cat $SHORT_TERM_KEY_PUBLIC)
+
+for HOST in $OVERCLOUD_HOSTS; do
+ echo "Inserting TripleO short term key for $HOST"
+ # prepending an extra newline so that if authorized_keys didn't
+ # end with a newline previously, we don't end up garbling it up
+ ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "echo -e '\n$SHORT_TERM_KEY_PUBLIC_CONTENT' >> \$HOME/.ssh/authorized_keys"
+done
+
+echo "Starting ssh admin enablement workflow"
+EXECUTION_PARAMS="{\"ssh_user\": \"$OVERCLOUD_SSH_USER\", \"ssh_servers\": $(overcloud_ssh_hosts_json), \"ssh_private_key\": $(overcloud_ssh_key_json "$SHORT_TERM_KEY_PRIVATE")}"
 EXECUTION_CREATE_OUTPUT=$(openstack workflow execution create -f shell -d 'deployed server ssh admin creation' tripleo.access.v1.enable_ssh_admin "$EXECUTION_PARAMS")
 echo "$EXECUTION_CREATE_OUTPUT"
 EXECUTION_ID=$(echo "$EXECUTION_CREATE_OUTPUT" | grep '^id=' | awk '-F"' '{ print $2 }')
 
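Review bot: `local tmpdir=$(mktemp -d)` in generate_short_term_keys hides a mktemp failure behind `local`'s own exit status, so if the temp dir cannot be created the function goes on to run ssh-keygen against a path rooted at an empty string and echoes an empty string to the caller. Splitting declaration and assignment, `local tmpdir` followed by `tmpdir=$(mktemp -d) || return 1`, lets the failure surface to the caller. The function also has no header comment; `# Creates a throwaway RSA key pair in a fresh mktemp dir and prints the dir path on stdout` would document what the caller relies on.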
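Review bot: The short-term public key is removed from the hosts and the private key deleted only on the success path at the end of the script (last hunk); if the ssh insert fails on one host, the Mistral workflow fails, or the script is interrupted, the hosts already processed keep an authorized_keys entry for a key whose private half is still sitting in the mktemp directory. Registering the removal as an EXIT trap right after `SHORT_TERM_KEY_DIR` is set makes the cleanup run on every exit path, and the final removal loop in the last hunk can then call the same function instead of repeating it. Two smaller points in the same hunk: `$(cat $SHORT_TERM_KEY_PUBLIC)` is unquoted, and `echo -e` inside the remote command assumes the remote login shell honours `-e`, whereas `printf '\n%s\n' '$SHORT_TERM_KEY_PUBLIC_CONTENT'` behaves the same everywhere. The top-level script continues outside the hunk.
```shell
SHORT_TERM_KEY_DIR=$(generate_short_term_keys)
# … unchanged: SHORT_TERM_KEY_PRIVATE / SHORT_TERM_KEY_PUBLIC / SHORT_TERM_KEY_PUBLIC_CONTENT …

# Best-effort removal of the short-term key from every host and from disk.
# Registered on EXIT so that a failure half-way through does not leave the
# key authorized on hosts that were already processed.
function remove_short_term_keys {
    local host
    for host in $OVERCLOUD_HOSTS; do
        echo "Removing TripleO short term key from $host"
        ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$host" \
            "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys" \
            || echo "warning: could not remove short term key from $host" >&2
    done
    rm -rf -- "${SHORT_TERM_KEY_DIR:?}"
}
trap remove_short_term_keys EXIT

# … unchanged: key insertion loop and workflow execution …
```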
@@ -56,5 +76,14 @@ while ! workflow_finished $EXECUTION_ID; do
 sleep $SLEEP_TIME
 echo -n .
 done
+echo # newline after the previous dots
+
+for HOST in $OVERCLOUD_HOSTS; do
+ echo "Removing TripleO short term key from $HOST"
+ ssh -l "$OVERCLOUD_SSH_USER" "$HOST" "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys"
+done
+
+echo "Removing short term keys locally"
+rm -r "$SHORT_TERM_KEY_DIR"
 echo "Success."
-- 
cgit 1.2.3-korg
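Review bot: The removal loop runs `ssh -l "$OVERCLOUD_SSH_USER" "$HOST"` without the `-i "$OVERCLOUD_SSH_KEY"` that the insert loop passes, so whenever OVERCLOUD_SSH_KEY points at a non-default key the connection falls back to the default identity or agent, the sed never runs, and the short-term key stays authorized on every host; unless `set -e` is active earlier in the file (outside the hunk) the script still prints "Success." The line should be `ssh -i "$OVERCLOUD_SSH_KEY" -l "$OVERCLOUD_SSH_USER" "$HOST" "sed -i -e '/$SHORT_TERM_KEY_COMMENT/d' \$HOME/.ssh/authorized_keys"`. A failed removal is also worth reporting on stderr rather than passing over, since it leaves an extra authorized key behind. For the local cleanup, `rm -rf -- "${SHORT_TERM_KEY_DIR:?}"` refuses to run on an empty path, which matters because generate_short_term_keys can echo an empty string if mktemp failed.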