[Kimchi-devel] [PATCH] [Kimchi 2/3] Github #1007: Fixing non-root ssh key generation

dhbarboza82 at gmail.com dhbarboza82 at gmail.com
Tue Oct 11 15:49:48 UTC 2016


From: Daniel Henrique Barboza <danielhb at linux.vnet.ibm.com>

Running ssh-keygen as root (or with sudo) will always generate
an ssh key bound to the user 'root' under the /root/.ssh dir. This
patch makes the following changes in the ssh-key generation
process when the user is not 'root':

- ssh-keygen now always generates the key under /home/<user>/.ssh

- the generated .pub file is edited, changing 'root at ...' to
'user at ...'

- file permissions of the newly generated key files (both private
and public) are changed accordingly.

Signed-off-by: Daniel Henrique Barboza <danielhb at linux.vnet.ibm.com>
---
 model/vms.py | 44 ++++++++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 14 deletions(-)

diff --git a/model/vms.py b/model/vms.py
index 209b41b..b702fe1 100644
--- a/model/vms.py
+++ b/model/vms.py
@@ -23,6 +23,7 @@ import lxml.etree as ET
 import os
 import paramiko
 import platform
+import pwd
 import random
 import socket
 import subprocess
@@ -1757,26 +1758,41 @@ class VMModel(object):
         ssh_port = 22
         ssh_client = None
 
-        def create_root_ssh_key_if_required():
-            if not os.path.isfile(id_rsa_pub_file):
-
-                with open("/dev/zero") as zero_input:
-                    cmd = ['ssh-keygen', '-q', '-N', '', '-f', id_rsa_file]
-                    proc = subprocess.Popen(
-                        cmd,
-                        stdin=zero_input,
-                        stdout=open(os.devnull, 'wb')
-                    )
-                    out, err = proc.communicate()
-                    if not os.path.isfile(id_rsa_pub_file):
-                        raise OperationFailed("KCHVM0070E")
-
         def read_id_rsa_pub_file():
             data = None
             with open(id_rsa_pub_file, "r") as id_file:
                 data = id_file.read()
             return data
 
+        def create_root_ssh_key_if_required():
+            if os.path.isfile(id_rsa_pub_file):
+                return
+
+            with open("/dev/zero") as zero_input:
+                cmd = ['ssh-keygen', '-q', '-N', '', '-f', id_rsa_file]
+                proc = subprocess.Popen(
+                    cmd,
+                    stdin=zero_input,
+                    stdout=open(os.devnull, 'wb')
+                )
+                out, err = proc.communicate()
+
+                if not os.path.isfile(id_rsa_pub_file):
+                    raise OperationFailed("KCHVM0070E")
+
+                if user is not 'root':
+                    id_rsa_content = read_id_rsa_pub_file()
+                    updated_content = id_rsa_content.replace(
+                        ' root@', ' %s@' % user
+                    )
+                    with open(id_rsa_pub_file, 'w+') as f:
+                        f.write(updated_content)
+
+                    user_uid = pwd.getpwnam(user).pw_uid
+                    user_gid = pwd.getpwnam(user).pw_gid
+                    os.chown(id_rsa_pub_file, user_uid, user_gid)
+                    os.chown(id_rsa_file, user_uid, user_gid)
+
         def get_ssh_client(remote_host, user, passwd):
             ssh_client = paramiko.SSHClient()
             ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
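Review bot: `if user is not 'root':` in the new create_root_ssh_key_if_required compares object identity with a string literal, so the branch depends on string interning rather than on the user name; it should read `if user != 'root':`. The two `os.chown` calls and the `open(id_rsa_pub_file, 'w+')` rewrite run with root privileges on paths that, going by the commit message, sit in the user's own /home/<user>/.ssh, and both follow symlinks, so a key file replaced by a link between ssh-keygen and these calls would have its target overwritten or handed to that user; taking `pw = pwd.getpwnam(user)` once and using `os.lchown(id_rsa_file, pw.pw_uid, pw.pw_gid)` (same for the .pub file) closes the ownership half and removes the duplicate lookup. `pwd.getpwnam` raises KeyError when the name has no local account, and here that happens only after the root-owned key files already exist, so the lookup is better done before ssh-keygen is started. The function is nested in a VMModel method that begins outside the hunk, and `user`, `id_rsa_file` and `id_rsa_pub_file` are defined there, so the path assumption should be confirmed against that code.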
-- 
2.7.4



