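#
# determine which keys have access to the root account on this server
#
# Only the default locations under root's home directory are inspected
# (~/.ssh/authorized_keys and ~/.ssh/authorized_keys2).  If sshd_config sets
# AuthorizedKeysFile to another path, keys listed there are not seen by this
# plugin.
#
import os
import pwd
import string

from phonehome import urgency


def run():
    """Report which SSH keys are authorised to log in as root.

    Returns a list of ``(urgency_value, message)`` tuples, where
    ``urgency_value`` is looked up in the ``urgency`` mapping imported from
    ``phonehome``.  One ``info`` entry is produced per recognised key line,
    and ``warning`` / ``alert`` entries are produced for missing files,
    unparseable lines, a leftover ``authorized_keys2`` file, or a missing
    root account.
    """
    rv = []

    # getpwnam() already returns the passwd record and raises KeyError when
    # the account does not exist; catching only that keeps unrelated failures
    # from being reported as "no root account".
    try:
        hd = pwd.getpwnam('root').pw_dir
    except KeyError:
        rv.append((urgency['alert'],
                   "Unable to find a root account via get pwent()"))
        return rv

    def check_authorized_keys():
        """Add one report entry per key line in root's authorized_keys."""
        authorized_keys = os.path.join(hd, '.ssh', 'authorized_keys')

        # Open directly rather than testing with os.access() first, so the
        # file cannot disappear between the check and the read.  The context
        # manager closes the handle on every exit path.
        try:
            fd = open(authorized_keys, 'r')
        except (IOError, OSError):
            rv.append((urgency['warning'], 'No file "%s"' % authorized_keys))
            return

        with fd:
            # Line numbers start at 1 so they match what an editor shows.
            for lineno, line in enumerate(fd, 1):
                line = line.strip()
                if line == '' or line.startswith('#'):
                    continue

                # A leading digit is taken to mean the four-field layout
                # (presumably a legacy protocol-1 RSA key: bits, exponent,
                # modulus, comment); anything else is expected to be
                # "keytype base64-key comment".
                if line[0] in string.digits:
                    d_fields = 4
                else:
                    d_fields = 3

                # Collapse runs of separating spaces before counting fields.
                fields = [t for t in line.split(' ') if t]

                # NOTE(review): this is a field-count heuristic, not a full
                # parser.  Lines that carry an options prefix, a comment
                # containing spaces, or no comment at all are reported as
                # invalid here even though sshd may still accept them, so
                # treat every "invalid" warning as a possible root-access key
                # until it has been checked by hand.
                if len(fields) != d_fields:
                    rv.append((urgency['warning'],
                               'Line %d of "%s" is invalid.'
                               % (lineno, authorized_keys)))
                else:
                    rv.append((urgency['info'],
                               'SSH key with comment "%s" has root-level '
                               'access.' % (fields[-1])))

    def check_authorized_keys2():
        """Warn when a legacy authorized_keys2 file is still present."""
        authorized_keys2 = os.path.join(hd, '.ssh', 'authorized_keys2')
        if os.access(authorized_keys2, os.R_OK):
            # The keys inside this file are not enumerated.  Depending on the
            # sshd configuration they may still grant root access, so the
            # file needs a manual review before it is removed.
            rv.append((urgency['warning'],
                       'Old-style authorized_keys2 file "%s" should be '
                       'removed.' % authorized_keys2))

    check_authorized_keys()
    check_authorized_keys2()
    return rv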