HEX
Server: nginx/1.24.0
System: Linux webserver 6.8.0-85-generic #85-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 18 15:26:59 UTC 2025 x86_64
User: wpuser (1002)
PHP: 8.3.6
Disabled: NONE
Upload Files
File: //lib/python3/dist-packages/cloudinit/__pycache__/ssh_util.cpython-312.pyc
�

x[h�X���ddlZddlZddlZddlmZddlmZmZmZddl	m
Z
mZmZeje�ZdZdZdZdee�zd	zZGd
�d�ZGd�d
�Zd�Zd�Zd�Zd�Zd�Zd�Zefd�Zd%d�ZGd�d�Zdeefd�Z deefd�Z!d�Z"dede#fd�Z$d�Z%efd�Z&d �Z'efd!eeeeffd"�Z(d#�Z)d$�Z*y)&�N)�suppress)�List�Sequence�Tuple)�	lifecycle�subp�utilz/etc/ssh/sshd_config)�rsa�ecdsa�ed25519z(ecdsa-sha2-nistp256-cert-v01@openssh.comzecdsa-sha2-nistp256z(ecdsa-sha2-nistp384-cert-v01@openssh.comzecdsa-sha2-nistp384z(ecdsa-sha2-nistp521-cert-v01@openssh.comzecdsa-sha2-nistp521z+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz"sk-ecdsa-sha2-nistp256@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comzsk-ssh-ed25519@openssh.comz ssh-ed25519-cert-v01@openssh.comzssh-ed25519zssh-rsa-cert-v01@openssh.comzssh-rsazssh-xmss-cert-v01@openssh.comzssh-xmss@openssh.com�z�no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit �"c�"�eZdZ	dd�Zd�Zd�Zy)�AuthKeyLineNc�J�||_||_||_||_||_y�N)�base64�comment�options�keytype�source)�selfrrrrrs      �4/usr/lib/python3/dist-packages/cloudinit/ssh_util.py�__init__zAuthKeyLine.__init__Es'�����������������c�6�|jxr|jSr)rr�rs r�validzAuthKeyLine.validNs���{�{�+�t�|�|�+rc�|�g}|jr|j|j�|jr|j|j�|jr|j|j�|jr|j|j�|s|j
Sdj
|�S�N� )r�appendrrrr�join)r�tokss  r�__str__zAuthKeyLine.__str__Qs~�����<�<��K�K����%��<�<��K�K����%��;�;��K�K����$��<�<��K�K����%���;�;���8�8�D�>�!r)NNNN)�__name__�
__module__�__qualname__rrr%�rrrrDs��GK��,�
"rrc��eZdZdZd�Zdd�Zy)�AuthKeyLineParserau
    AUTHORIZED_KEYS FILE FORMAT
     AuthorizedKeysFile specifies the file containing public keys for public
     key authentication; if none is specified, the default is
     ~/.ssh/authorized_keys.  Each line of the file contains one key (empty
     (because of the size of the public key encoding) up to a limit of 8 kilo-
     bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
     kilobits.  You don't want to type them in; instead, copy the
     identity.pub or the id_rsa.pub file and edit it.

     sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
     2 keys of 768 bits.

     The options (if present) consist of comma-separated option specifica-
     tions.  No spaces are permitted, except within double quotes.  The fol-
     lowing option specifications are supported (note that option keywords are
     case-insensitive):
    c�$�d}d}|t|�krc|s||dvrZ||}|dzt|�k\r|dz}n>||dz}|dk(r|dk(r|dz}n|dk(r|}|dz}|t|�kr|r�R||dvr�Z|d|}||dj�}||fS)z�
        The options (if present) consist of comma-separated option specifica-
         tions.  No spaces are permitted, except within double quotes.
         Note that option keywords are case-insensitive.
        Fr)r!�	��\rN)�len�lstrip)r�ent�quoted�i�curc�nextcr�remains        r�_extract_optionsz"AuthKeyLineParser._extract_optionsus�����
���#�c�(�l��S��V�;�-F��q�6�D��1�u��C�� ���E�����A��J�E��t�|������E�����#����A��A��#�c�(�l��S��V�;�-F��a��(���Q�R����!���� � rNc��|jd�}|jd�s|j�dk(rt|�Sd�}|j�}	||�\}}}t|||||��S#t$rE|j|�\}	}
|�|	}	||
�\}}}n#t$rt|�cYcYSwxYwY�]wxYw)Nz
�#�c���|jdd�}t|�dkrtdt|�z��|dtvrtd|dz��t|�dk(r|j	d�|S)N�zTo few fields: %srzInvalid keytype %sr;)�splitr0�	TypeError�VALID_KEY_TYPESr")r2r$s  r�
parse_ssh_keyz.AuthKeyLineParser.parse.<locals>.parse_ssh_key�sp���9�9�T�1�%�D��4�y�1�}�� 3�c�$�i� ?�@�@��A�w�o�-�� 4�t�A�w� >�?�?��4�y�A�~����B���Kr)rrrr)�rstrip�
startswith�striprr?r8)r�src_liner�linerAr2rrr�keyoptsr7s           r�parsezAuthKeyLineParser.parse�s������v�&���?�?�3��4�:�:�<�2�#5��x�(�(�
	��j�j�l��
	-�)6�s�);�&�W�f�g�������
�	
���	-� $� 5� 5�c� :��W�f���!��
-�-:�6�-B�*��&�'���
-�"�8�,�,�
-��#*�
	-�s6�A1�1!B?�B �B?� B9�4B?�8B9�9B?�>B?r)r&r'r(�__doc__r8rHr)rrr+r+as���&!�4(
rr+c�d�g}t�}g}|D]l}	tjj|�rJt	j
|�j
�}|D]"}|j|j|���$�n|S#ttf$rt	jtd|�Y��wxYw)NzError reading lines from %s)
r+�os�path�isfiler	�load_text_file�
splitlinesr"rH�IOError�OSError�logexc�LOG)�fnames�lines�parser�contents�fnamerFs      r�parse_authorized_keysrY�s����E�
�
 �F��H��C��	C��w�w�~�~�e�$��+�+�E�2�=�=�?��!�8�D��O�O�F�L�L��$6�7�8��	C��O����!�	C��K�K��:�E�B�	C�s�A)B�*B/�.B/c���t|D�cgc]}|j�s�|��c}�}tt|��D]V}||}|j�s�|D]4}|j|jk(s�|}||vs�$|j|��6|||<�X|D]}|j
|��|D�cgc]
}t|���}}|j
d�dj|�Scc}wcc}w)Nr;�
)	�listr�ranger0r�remover"�strr#)	�old_entries�keys�k�to_addr4r2�key�brUs	         r�update_authorized_keysrf�s���
�d�0��a�g�g�i�1�0�
1�F�
�3�{�#�
$����!�n���y�y�{���	%�A��x�x�3�:�:�%�����;��M�M�!�$�
	%���A���� �����3�� �)�)��S��V�)�E�)�
�L�L����9�9�U����11��(
*s�C*�C*�4C/c��tj|�}|r|jstd|z��tj
j
|jd�|fS)Nz"Unable to get SSH info for user %rz.ssh)�pwd�getpwnam�pw_dir�RuntimeErrorrKrLr#)�username�pw_ents  r�users_ssh_inforn�sH��
�\�\�(�
#�F������?�8�L�M�M��G�G�L�L�����/��8�8rc��d|fd|fdf}|sd}|j�}g}|D]`}|D]\}}|j||�}�|jd�s tjj||�}|j
|��b|S)N�%h�%u)z%%�%�%h/.ssh/authorized_keys�/)r>�replacerCrKrLr#r")	�value�homedirrl�macros�paths�renderedrL�macro�fields	         r�render_authorizedkeysfile_pathsr}�s����W�o��h�/��
=�F��)���K�K�M�E��H����"�	.�L�E�5��<�<��u�-�D�	.����s�#��7�7�<�<���.�D��������Orc��d}|rd}tj|�}|r$||k7r|dk7rtjd||||�ytj|�}||k(r|dz}n9tj
|�}tj|�}	||	vr|dz}n|dz}||zd	k(rtjd
|||�y|r|dzrtjd||�yy
)aVCheck if the file/folder in @current_path has the right permissions.

    We need to check that:
    1. If StrictMode is enabled, the owner is either root or the user
    2. the user can access the file/folder, otherwise ssh won't use it
    3. If StrictMode is enabled, no write permission is given to group
       and world users (022)
    i�i��rootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.F��8�rzBPath %s in %s must be accessible by user %s, check its permissions�zRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)r	�	get_ownerrS�debug�get_permissions�	get_group�get_user_groups)
rl�current_path�	full_path�is_file�strictmodes�minimal_permissions�owner�parent_permission�group_owner�user_groupss
          r�check_permissionsr�s�� ���#��
�N�N�<�(�E��u��(�U�f�_��	�	�
@�����
	
���,�,�\�:������u�$���n�n�\�2���*�*�8�4���+�%��5�(��
 �5�(���.�.�!�3��	�	�
%����	
���)�E�1��	�	�
@���		
��rc���t|�d}td�d}	|jd�dd}d}tjj	|j
�}|D�]h}|d|zz
}tjj
|�rtjd|�ytjj|�rtjd|�y|j|�s||j
k(r��tjj|�s�tj|�5d	}	|j}
|j}|j|j
�rd
}	|j}
|j}tj ||	d��tj"||
|�ddd�t%|||d|�}|r��iytjj
|�stjj'|�rtjd
|�ytjj|�sDtj(|ddd��tj"||j|j�t%|||d|�}|sy	y#1swY��xYw#t*t,f$r-}
tj.tt1|
��Yd}
~
yd}
~
wwxYw)Nr.rrt���r;z-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %s��r�T)�mode�exist_okz%s is not a file!�)r��ensure_dir_exists)rnr>rKrL�dirnamerj�islinkrSr�rMrC�existsr	�SeLinuxGuard�pw_uid�pw_gid�makedirs�	chownbyidr��isdir�
write_filerPrQrRr_)rl�filenamer��
user_pwent�
root_pwent�directories�
parent_folder�home_folder�	directoryr��uid�gid�permissions�es              r�check_create_pathr�Gsr����)�!�,�J���'��*�J�G��n�n�S�)�!�B�/���
��g�g�o�o�j�&7�&7�8��$�*	�I��S�9�_�,�M��w�w�~�~�m�,��	�	�C�!����w�w�~�~�m�,��	�	�@�-����&�&�}�5� �J�$5�$5�5���7�7�>�>�-�0��&�&�}�5�	<� �D�$�+�+�C�$�+�+�C�$�/�/�
�0A�0A�B�$��(�/�/��(�/�/���K�K�
�D�4�H��N�N�=�#�s�;�	<�,��-��5�+��K���U*	�X�7�7�>�>�(�#�r�w�w�}�}�X�'>��I�I�)�8�4���w�w�~�~�h�'�
�O�O�H�b�u��M��N�N�8�Z�%6�%6�
�8I�8I�J�'��h��$��
������K	<�	<��B
�W������C��Q�� ����sR�BJ#�"6J#�AJ#�.A?J�-J#�J#�
AJ#� A4J#�J 	�J#�#K�2#K�Kc
��t|�\}}tjj|d�}|}g}t	j
|d��5	t
|�}|jdd�}|jdd�}	t||j|�}ddd�tj!�|�D]V\}
}t#d
|
vd|
v|j%dj'|j��g�s�At)||	dk(�}|s�T|}n||k7rtj+d
|�|t-|g�fS#ttf$r+||d<t	jtd	t|d�Y��wxYw#1swY��xYw)N�authorized_keysT��	recursive�authorizedkeysfilersr��yesrzhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadrqrpz{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)rnrKrLr#r	r��parse_ssh_config_map�getr}rjrPrQrRrS�DEF_SSHD_CFG�zipr>�anyrC�formatr�r�rY)
rl�
sshd_cfg_file�ssh_dirrm�default_authorizedkeys_file�user_authorizedkeys_file�auth_key_fns�ssh_cfg�	key_pathsr��key_path�auth_key_fn�permissions_oks
             r�extract_authorized_keysr��s���&�x�0��W�f�"$�'�'�,�,�w�8I�"J��:���L�	
�	�	�7�d�	3��	�*�=�9�G����$�&?��I�"�+�+�m�U�;�K�:��6�=�=�(��L��0"%�Y�_�_�%6��!E�
���+���� ��� ��&�&�u�|�|�F�M�M�'B�C�
�
�/��+�{�e�';��N��+6�(��
� �#>�>��	�	�
�$�	
�	!��7�8�9����G��!�
	�9�L��O��K�K�����Q��

�
	����s+�
E3�AD6�67E0�-E3�/E0�0E3�3E<c�z�t�}g}|D]-}|j|jt|�|����/t	|�\}}t
jj|�}tj|d��5t||�}	tj||	d��ddd�y#1swYyxYw)N)rTr���
preserve_mode)r+r"rHr_r�rKrLr�r	r�rfr�)
rarlrrV�key_entriesrbr��auth_key_entriesr��contents
          r�setup_user_keysr��s���
�
 �F��K�
�B�����6�<�<��A���<�@�A�B�'>�h�&G�#�[�"��g�g�o�o�k�*�G�	
�	�	�7�d�	3�B�(�)9�;�G������W�D�A�B�B�B�s�%B1�1B:c�*�eZdZdd�Zed��Zd�Zy)�SshdConfigLineNc�.�||_||_||_yr)rF�_keyrv)rrFrb�vs    rrzSshdConfigLine.__init__�s����	���	���
rc�P�|j�y|jj�Sr)r��lowerrs rrdzSshdConfigLine.key�s ���9�9����y�y��� � rc��|j�t|j�St|j�}|jr|dt|j�zz
}|Sr )r�r_rFrv)rr�s  rr%zSshdConfigLine.__str__�sJ���9�9���t�y�y�>�!��D�I�I��A��z�z��S�3�t�z�z�?�*�*���Hr)NN)r&r'r(r�propertyrdr%r)rrr�r��s ���
�!��!�rr��returnc��tjj|�sgStt	j
|�j
��Sr)rKrLrM�parse_ssh_config_linesr	rNrO�rXs r�parse_ssh_configr��s6��
�7�7�>�>�%� ��	�!�$�"5�"5�e�"<�"G�"G�"I�J�Jrc��g}|D]r}|j�}|r|jd�r|jt|���A	|j	dd�\}}|jt|||���t|S#t
$r@	|j	dd�\}}n&#t
$rtjd|�YY��wxYwY�hwxYw)Nr:r.�=z;sshd_config: option "%s" has no key/value pair, skipping it)rDrCr"r�r>�
ValueErrorrSr�)rU�retrFrd�vals     rr�r��s���
!#�C��3���z�z�|���t���s�+��J�J�~�d�+�,��	��z�z�$��*�H�C��	�
�
�>�$��S�1�2�#3�$�J���		�
��:�:�c�1�-���S���
��	�	�#���
�

���		�s6�A<�<	C�B�C�B?�;C�>B?�?C�Cc��t|�}|siSi}|D](}|js�|j||j<�*|Sr)r�rdrv)rXrUr�rFs    rr�r�sJ���U�#�E���	�
�C��#���x�x���
�
��D�H�H�
�#��JrrXc���tjj|�sytj|�j�D]}|j
d|�d��s�yy)NFzInclude z	.d/*.confT)rKrLrMr	rNrOrC)rXrFs  r�_includes_dconfr�"sU��
�7�7�>�>�%� ���#�#�E�*�5�5�7����?�?�X�e�W�I�6�7���rc�D�t|�r�tjj|�d��st	j
|�d�d��tjj
|�d�d�}tjj|�st	j|d�|S)Nz.dr�)r�z50-cloud-init.confr�)	r�rKrLr�r	�
ensure_dirr#rM�ensure_filer�s r�"_ensure_cloud_init_ssh_config_filer�+st���u���w�w�}�}��w�b�\�*��O�O�u�g�R�L�u�5�������w�b�\�+?�@���w�w�~�~�e�$����U�E�*��Lrc���t|�}t|�}t||��}|rAtj|dj|D�cgc]
}t
|���c}�dzd��t|�dk7Scc}w)z�Read fname, and update if changes are necessary.

    @param updates: dictionary of desired values {Option: value}
    @return: boolean indicating if an update was done.)rU�updatesr[Tr�r)r�r��update_ssh_config_linesr	r�r#r_r0)r�rXrU�changedrFs     r�update_ssh_configr�6so��

/�u�5�E��U�#�E�%�E�7�C�G�������I�I�U�3�T�s�4�y�3�4�t�;��	
�
�w�<�1����4s�A5c��t�}g}t|j�D�cgc]}|j�|f��c}�}t	|d��D]�\}}|j
s�|j
|vs�"||j
}||}	|j
|�|j|	k(rtjd|||	��o|j|�tjd|||j|	�|	|_��t|�t|�k7rk|j�D]X\}}	||vr�|j|�|jtd||	��tjdt|�||	��Z|Scc}w)z�Update the SSH config lines per updates.

    @param lines: array of SshdConfigLine.  This array is updated in place.
    @param updates: dictionary of desired values {Option: value}
    @return: A list of keys in updates that were changed.r.)�startz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %sr;z line %d: option %s added with %s)�set�dictrar��	enumeraterd�addrvrSr�r"r0�itemsr�)
rUr��foundr�rb�casemapr4rFrdrvs
          rr�r�Gs\��
�E�E��G��G�L�L�N�;�q�Q�W�W�Y��N�;�<�G��U�!�,�#���4��x�x���8�8�w���$�(�(�#�C��C�L�E��I�I�c�N��z�z�U�"��	�	�:�A�s�E�����s�#��	�	�9����J�J���#��
�)#�,�5�z�S��\�!�!�-�-�/�	�J�C���e�|���N�N�3���L�L���C��7�8��I�I�2�C��J��U�
�	��N��C<s�FrUc��|syt|�}d�|D�}tj|dj|�dzdd��y)Nc3�0K�|]\}}|�d|�����y�w)r!Nr))�.0rbr�s   r�	<genexpr>z$append_ssh_config.<locals>.<genexpr>ys����,�d�a��!��A�a�S�z�,�s�r[�abT)�omoder�)r�r	r�r#)rUrXr�s   r�append_ssh_configr�usB����.�u�5�E�,�e�,�G��O�O�
��	�	�'��T�!���	rc�0�d}ttj�5tjddgddg��\}}ddd�d}|jd	�D]2}|j	|�s�|t|�|j
d
�cSy#1swY�RxYw)z�Get the full version of the OpenSSH sshd daemon on the system.

    On an ubuntu system, this would look something like:
    1.2p1 Ubuntu-1ubuntu0.1

    If we can't find `sshd` or parse the version number, return None.
    r;�sshdz-Vrr.)�rcsN�OpenSSH_r[�,)rr�ProcessExecutionErrorr>rCr0�find)�err�_�prefixrFs    r�get_opensshd_versionr�s���
�C�	�$�,�,�	-�7����F�D�>��1�v�6���3�7�
�F��	�	�$��6���?�?�6�"���F��d�i�i��n�5�5�6��
7�7�s�B�Bc�^�d}t�}|�tjj|�Sd|vr|d|j	d�}nd|vr|d|j	d�}n|}	tjj|�}|S#t
tf$rtjd|�YywxYw)z�Get the upstream version of the OpenSSH sshd daemon on the system.

    This will NOT include the portable number, so if the Ubuntu version looks
    like `1.2p1 Ubuntu-1ubuntu0.1`, then this function would return
    `1.2`
    z9.0N�pr!z Could not parse sshd version: %s)	rr�Version�from_strrr�r?rS�warning)�upstream_version�full_versions  r�get_opensshd_upstream_versionr�s�����'�)�L���� � �)�)�*:�;�;�
�l��'�(@�,�*;�*;�C�*@�A��	��	�'�(@�,�*;�*;�C�*@�A��'��J�$�,�,�5�5�6F�G������	�"�J����6�8H�I�J�s�# B�%B,�+B,r)+�loggingrKrh�
contextlibr�typingrrr�	cloudinitrrr	�	getLoggerr&rSr�r@�_DISABLE_USER_SSH_EXITr_�DISABLE_USER_OPTSrr+rYrfrnr}r�r�r�r�r�r�r�r��boolr�r�r�r�r�rrr)rr�<module>rs;���	�
��(�(�+�+��g����!��&�� ��,����(�)�*�-0�0��"�"�:V
�V
�r
� �89��*B�JL�^5A�6�rB���.K�t�N�3�K��T�.�%9��6	��3��4���&2��"+�\?K�
�X�e�C��H�o�6�
��(Jr