x[hXSSKrSSKrSSKrSSKJr SSKJrJrJr SSK J r J r J r \R"\5rSrSrSrS\"\5-S -r"S S 5r"S S 5rSrSrSrSrSrSr\4SjrS%Sjr"SS5rS\\4Sjr S\\4Sjr!Sr"S\S\#4Sjr$Sr%\4Sjr&S r'\4S!\\\\44S"jjr(S#r)S$r*g)&N)suppress)ListSequenceTuple) lifecyclesubputilz/etc/ssh/sshd_config)rsaecdsaed25519z(ecdsa-sha2-nistp256-cert-v01@openssh.comzecdsa-sha2-nistp256z(ecdsa-sha2-nistp384-cert-v01@openssh.comzecdsa-sha2-nistp384z(ecdsa-sha2-nistp521-cert-v01@openssh.comzecdsa-sha2-nistp521z+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz"sk-ecdsa-sha2-nistp256@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comzsk-ssh-ed25519@openssh.comz ssh-ed25519-cert-v01@openssh.comz ssh-ed25519zssh-rsa-cert-v01@openssh.comzssh-rsazssh-xmss-cert-v01@openssh.comzssh-xmss@openssh.comzno-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"$USER\" rather than the user \"$DISABLE_USER\".';echo;sleep 10;exit "c,\rSrSrSSjrSrSrSrg) AuthKeyLineDNc@X0lX@lXPlX lXlgN)base64commentoptionskeytypesource)selfrrrrrs 4/usr/lib/python3/dist-packages/cloudinit/ssh_util.py__init__AuthKeyLine.__init__Es     c@UR=(a UR$r)rrrs rvalidAuthKeyLine.validNs{{+t||+rc/nUR(aURUR5 UR(aURUR5 UR(aURUR5 UR(aURUR5 U(d UR $SR U5$N )rappendrrrrjoin)rtokss r__str__AuthKeyLine.__str__Qs~ << KK % << KK % ;; KK $ << KK %;; 88D> !r)rrrrr)NNNN)__name__ __module__ __qualname____firstlineno__rr r(__static_attributes__rrrrDsGK, "rrc(\rSrSrSrSrSSjrSrg)AuthKeyLineParseraa9 AUTHORIZED_KEYS FILE FORMAT AuthorizedKeysFile specifies the file containing public keys for public key authentication; if none is specified, the default is ~/.ssh/authorized_keys. Each line of the file contains one key (empty (because of the size of the public key encoding) up to a limit of 8 kilo- bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. You don't want to type them in; instead, copy the identity.pub or the id_rsa.pub file and edit it. sshd enforces a minimum RSA key modulus size for protocol 1 and protocol 2 keys of 768 bits. The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. The fol- lowing option specifications are supported (note that option keywords are case-insensitive): cLSnSnU[U5:axU(dXS;aiXnUS-[U5:aUS-nOMXS-nUS:Xa US:XaUS-nO US:XaU(+nUS-nU[U5:aU(aM_XS;aMiUSUnXSR5nXg4$)z The options (if present) consist of comma-separated option specifica- tions. No spaces are permitted, except within double quotes. Note that option keywords are case-insensitive. Fr)r$ \rN)lenlstrip)rentquotedicurcnextcrremains r_extract_options"AuthKeyLineParser._extract_optionsus  #c(lSV;-F6D1uC EAJEt| E#AA#c(lSV;-Fa(R!  rNcURS5nURS5(dUR5S:Xa [U5$SnUR5nU"U5upgn[UUUUUS9$![aD UR U5upUcU nU"U 5upgnN=![a [U5ss$f=ff=f)Nz #cURSS5n[U5S:a[S[U5-5eUS[;a[SUS-5e[U5S:XaUR S5 U$)NzTo few fields: %srzInvalid keytype %srC)splitr7 TypeErrorVALID_KEY_TYPESr%)r9r's r parse_ssh_key.AuthKeyLineParser.parse..parse_ssh_keysp99T1%D4y1} 3c$i ?@@Awo- 4tAw >??4yA~ BKr)rrrr)rstrip startswithstriprrGr?) rsrc_linerlinerIr9rrrkeyoptsr>s rparseAuthKeyLineParser.parsesv& ??3  4::<2#5x( ( jjl -)6s); &Wg     - $ 5 5c : W! --:6-B*' -"8,, - -s* A33"C B##B=8C<B==Cr/r)r*r+r,r-__doc__r?rQr.r/rrr1r1as&!4( rr1c/n[5n/nUHwn[RRU5(aO[R "U5R 5nUH#nURURU55 M% MwMy U$![[4a [R"[SU5 Mf=f)NzError reading lines from %s) r1ospathisfiler load_text_file splitlinesr%rQIOErrorOSErrorlogexcLOG)fnameslinesparsercontentsfnamerOs rparse_authorized_keysrcs E  FH Cww~~e$$++E2==?!DOOFLL$67"% O! C KK:E B CsA1B,B>=B>c[UVs/sHo"R5(dMUPM sn5n[[U55HanXnUR5(dMUH9nURUR:XdMUnX#;dM(UR U5 M; XPU'Mc UHnUR U5 M UVs/sHn[U5PM nnUR S5 SRU5$s snfs snf)NrC ) listr ranger7rremover%strr&) old_entrieskeyskto_addr;r9keybr_s rupdate_authorized_keysrps d0dggi1d0 1F 3{# $nyy{{ Axx3::%;MM!$ A%3) )[SV[E ) LL 99U 11( *sDD Dc[R"U5nU(aUR(d[SU-5e[R R URS5U4$)Nz"Unable to get SSH info for user %rz.ssh)pwdgetpwnampw_dir RuntimeErrorrUrVr&)usernamepw_ents rusers_ssh_inforxsH \\( #F ?8LMM GGLL / 88rc$SU4SU4S4nU(dSnUR5n/nUHenUHupxURXx5nM URS5(d[RR X5nUR U5 Mg U$)N%h%u)z%%%%h/.ssh/authorized_keys/)rFreplacerLrUrVr&r%) valuehomedirrvmacrospathsrenderedrVmacrofields rrender_authorizedkeysfile_pathsrs Woh/ =F ) KKMEH"LE<<-D#s##77<<.D  OrcSnU(aSn[R"U5nU(a%X`:wa US:wa[RSUUUU5 g[R"U5nX`:XaUS-nO<[R "U5n[R "U5n X;aUS-nOUS-nXu-S :Xa[RS UUU5 gU(a"US -(a[RS UU5 gg )a>Check if the file/folder in @current_path has the right permissions. We need to check that: 1. If StrictMode is enabled, the owner is either root or the user 2. the user can access the file/folder, otherwise ssh won't use it 3. If StrictMode is enabled, no write permission is given to group and world users (022) iirootzXPath %s in %s must be own by user %s or by root, but instead is own by %s. Ignoring key.F8rzBPath %s in %s must be accessible by user %s, check its permissionszRPath %s in %s must not give writepermission to group or world users. Ignoring key.T)r get_ownerr]debugget_permissions get_groupget_user_groups) rv current_path full_pathis_file strictmodesminimal_permissionsownerparent_permission group_owner user_groupss rcheck_permissionsrs  # NN< (Eu(Uf_  @      ,,\: u$nn\2 **84  % 5 (  5 ( .!3  %     )E1  @     rc2[U5Sn[S5SnURS5SSnSn[RR UR 5nUGHnUSU-- n[RR U5(a[RSU5 g[RRU5(a[RSU5 gURU5(dXcR :XaM[RRU5(d[R"U5 S n URn URn URUR 5(aS n URn URn [R "XiS S 9 [R""XjU 5 SSS5 [%XUSU5n U (aGM g [RR U5(d$[RR'U5(a[RS U5 g[RRU5(dB[R("USSS S9 [R""XRUR5 [%XUS U5n U (dgg !,(df  GN=f![*[,4a.n [R."[[1U 55 Sn A gSn A ff=f)Nr5rr~rCz-Invalid directory. Symlink exists in path: %sFz*Invalid directory. File exists in path: %srT)modeexist_okz%s is not a file!)rensure_dir_exists)rxrFrUrVdirnamertislinkr]rrWrLexistsr SeLinuxGuardpw_uidpw_gidmakedirs chownbyidrisdir write_filerZr[r\ri)rvfilenamer user_pwent root_pwent directories parent_folder home_folder directoryruidgid permissionses rcheck_create_pathrGst)!,J'*JGnnS)!B/  ggooj&7&78 $I S9_ ,Mww~~m,, C!ww~~m,, @-&&}55 $5$5577>>-00&&}5 D$++C$++C$// 0A0ABB$(//(//KK 4HNN=s;6,5+K;U%X 77>>( # #rww}}X'>'> II)8 4ww~~h'' OOHbu M NN8%6%6 8I8I J' $   K65B W  CQ sRBK';K#A!KBKK%K'A KA;K K KL($LLc [U5up#[RRUS5nUn/n[R "USS9 [ U5nURSS5nURSS5n [XRU5nSSS5 [WR!5U5Hbup[#S U ;S U ;U R%S R'UR55/5(dMH[)X W S:H5n U (dM`U n O XT:wa[R+S U5 U[-U/54$![[4a+ XFS'[R"[S [US5 Nf=f!,(df  N=f)Nauthorized_keysT recursiveauthorizedkeysfiler}ryesrzhFailed extracting 'AuthorizedKeysFile' in SSH config from %r, using 'AuthorizedKeysFile' file %r insteadr{rzz{}/zAAuthorizedKeysFile has an user-specific authorized_keys, using %s)rxrUrVr&r rparse_ssh_config_mapgetrrtrZr[r\r] DEF_SSHD_CFGziprFanyrLformatrrrc) rv sshd_cfg_filessh_dirrwdefault_authorizedkeys_fileuser_authorizedkeys_file auth_key_fnsssh_cfg key_pathsrkey_path auth_key_fnpermissions_oks rextract_authorized_keysrs&x0W"$'',,w8I"J:L  7d 3 *=9G $&?I"++mU;K:==(L 40"%Y__%6 !E   &&u||FMM'BC   /{e';N~+6("F >   $  !789 G! 9O KKQ    4 3s+E= AD??8E:7E=9E::E== F ct[5n/nUH+nURUR[U5US95 M- [ U5upg[ R RU5n[R"USS9 [Xt5n [R"XiSS9 SSS5 g!,(df  g=f)N)rTr preserve_mode) r1r%rQrirrUrVrr rrpr) rkrvrr` key_entriesrlrauth_key_entriesrcontents rsetup_user_keysrs  FK 6<<A<@A'>h&G#[ggook*G  7d 3()9G  DA 4 3 3s ?!B)) B7c4\rSrSrSSjr\S5rSrSrg)SshdConfigLineiNc(XlX lX0lgr)rO_keyr)rrOrlvs rrSshdConfigLine.__init__s   rcRURcgURR5$r)rlowerrs rrnSshdConfigLine.keys 99 yy  rcURc[UR5$[UR5nUR(aUS[UR5-- nU$r#)rrirOr)rrs rr(SshdConfigLine.__str__sJ 99 tyy> !DIIAzzS3tzz?**Hr)rrOr)NN) r*r+r,r-rpropertyrnr(r.r/rrrrs  !! rrreturnc[RRU5(d/$[[R "U5R 55$r)rUrVrWparse_ssh_config_linesr rXrYrbs rparse_ssh_configrs9 77>>%  !$"5"5e"<"G"G"I JJrc/nUH|nUR5nU(aURS5(aUR[U55 MLUR SS5up4UR[X#U55 M~ U$![ a@ UR SS5up4NB![ a [ RSU5 Mf=ff=f)NrBr5=z;sshd_config: option "%s" has no key/value pair, skipping it)rMrLr%rrF ValueErrorr]r)r_retrOrnvals rrrs !#Czz|ts++ JJ~d+ ,  zz$*HC >$S12#$ J  ::c1-S  #    s*B CB(( C C C  Cc[U5nU(d0$0nUH.nUR(dMURX#R'M0 U$r)rrnr)rbr_rrOs rrrsC U #E  Cxx  HH  Jrrbc[RRU5(dg[R"U5R 5HnUR SUS35(dM g g)NFzInclude z .d/*.confT)rUrVrWr rXrYrL)rbrOs r_includes_dconfr"sV 77>>% ##E*557 ??XeWI6 7 78 rc`[U5(a[RRUS35(d[R "US3SS9 [RR US3S5n[RRU5(d[R"US5 U$)Nz.dr)rz50-cloud-init.confr) rrUrVrr ensure_dirr&rW ensure_filers r"_ensure_cloud_init_ssh_config_filer+s}uww}}wb\** OOugRLu 5 wb\+?@ww~~e$$   UE * Lrc [U5n[U5n[X S9nU(aB[R"USR UVs/sHn[ U5PM sn5S-SS9 [U5S:g$s snf)zRead fname, and update if changes are necessary. @param updates: dictionary of desired values {Option: value} @return: boolean indicating if an update was done.)r_updatesreTrr)rrupdate_ssh_config_linesr rr&rir7)rrbr_changedrOs rupdate_ssh_configr6sq /u 5E U #E%ECG   IIU3UTs4yU3 4t ; w<1 4sA7c[5n/n[UR5Vs/sHoDR5U4PM sn5n[ USS9HupgUR (dMUR U;dM*XWR nXn UR U5 URU :Xa[RSXhU 5 MvURU5 [RSUUURU 5 XlM [U5[U5:walUR5HXupX;aM URU5 UR[SX55 [RS[U5X5 MZ U$s snf)zUpdate the SSH config lines per updates. @param lines: array of SshdConfigLine. This array is updated in place. @param updates: dictionary of desired values {Option: value} @return: A list of keys in updates that were changed.r5)startz$line %d: option %s already set to %sz#line %d: option %s updated %s -> %srCz line %d: option %s added with %s)setdictrkr enumeraternaddrr]rr%r7itemsr) r_rfoundrrlcasemapr;rOrnrs rrrGsB EEGGLLN;NqWWYNN;$append_ssh_config..ys,eda!AaSzesreabT)omoder)rr rr&)r_rbrs rappend_ssh_configr usB  .u 5E,e,GOO  'T! rcBSn[[R5 [R"SS/SS/S9upSSS5 SnURS 5H8nUR U5(dMU[ U5UR S 5s $ g!,(df  N^=f) zGet the full version of the OpenSSH sshd daemon on the system. On an ubuntu system, this would look something like: 1.2p1 Ubuntu-1ubuntu0.1 If we can't find `sshd` or parse the version number, return None. rCsshdz-Vrr5)rcsNOpenSSH_re,)rrProcessExecutionErrorrFrLr7find)err_prefixrOs rget_opensshd_versionrs C $,, -FD>1v6 . F $ ??6 " "F diin5 5   . -s B BcjSn[5nUc[RRU5$SU;aUSUR S5nOSU;aUSUR S5nOUn[RRU5nU$![ [ 4a [RSU5 gf=f)zGet the upstream version of the OpenSSH sshd daemon on the system. This will NOT include the portable number, so if the Ubuntu version looks like `1.2p1 Ubuntu-1ubuntu0.1`, then this function would return `1.2` z9.0Npr$z Could not parse sshd version: %s) rrVersionfrom_strrrrGr]warning)upstream_version full_versions rget_opensshd_upstream_versionrs')L  ))*:;; l'(@,*;*;C*@A '(@,*;*;C*@A'J$,,556FG  "J 68HIJs( B &B21B2r)+loggingrUrr contextlibrtypingrrr cloudinitrrr getLoggerr*r]rrH_DISABLE_USER_SSH_EXITriDISABLE_USER_OPTSrr1rcrprxrrrrrrrrrboolrrrrr rrr/rrr&s9 ((++ !& , ()*-00"":V V r  89*BJL^5A6r B.KtN3K T.%96 34&2"+\?K XeCHo6 (Jr