Bugfix for: __ssh_authorized_keys overwrites existing keys #577 (#579)

* Fix a bug where invalid key removes all file entries.

* __ssh_authorized_key: add key validation.
This commit is contained in:
Darko Poljak 2017-09-17 08:13:05 +02:00 committed by GitHub
parent ac04edc233
commit 8883196efb
3 changed files with 20 additions and 5 deletions

View file

@ -20,7 +20,12 @@
# extract the keytype and base64 encoded key ignoring any options and comment
type_and_key="$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
# If type_and_key is empty, which is the case with an invalid key, do not grep $file because it results
# in greping everything in file and all entries from file are removed.
if [ -n "${type_and_key}" ]
then
file="$(cat $__object/parameter/file)"
# get any entries that match the type and key
grep ".*$type_and_key\([ \n]\|$\)" "$file" || true
fi

View file

@ -20,6 +20,15 @@
set -u
the_key="$(cat "$__object/parameter/key")"
# validate key
validated_key="$(echo "${the_key}" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
if [ -z "${validated_key}" ]
then
echo "Key is invalid: \"${the_key}\"" >&2
exit 1
fi
remove_line() {
file="$1"
line="$2"
@ -55,11 +64,11 @@ mkdir "$__object/files"
fi
if [ -f "$__object/parameter/comment" ]; then
# extract the keytype and base64 encoded key ignoring any options and comment
printf '%s ' "$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
printf '%s ' "$(echo "${the_key}" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
# override the comment with the one explicitly given
printf '%s' "$(cat "$__object/parameter/comment")"
else
printf '%s' "$(cat "$__object/parameter/key")"
printf '%s' "${the_key}"
fi
printf '\n'
) > "$__object/files/should"

View file

@ -18,6 +18,7 @@ next:
* Type __install_stage: Fix __debug -> __cdist_log_level (Darko Poljak)
* Documentation: Document __cdist_log_level (Darko Poljak)
* Core: Log ERROR to stderr and rest to stdout (Darko Poljak, Steven Armstrong)
* Type __ssh_authorized_key: Bugfix the case where invalid key clears a file and add key validation (Darko Poljak)
4.6.1: 2017-08-30
* Type __user: Explore with /etc files (passwd, group, shadow) (Philippe Gregoire)