#!/usr/bin/python # vim: ts=4 sts=4 et: # pylint: disable=invalid-name,line-too-long """OpenSSH AuthorizedKeysCommand: NSSCache input Copyright 2016 Gentoo Foundation Written by Robin H. Johnson Distributed under the BSD-3 license. This script returns one or more authorized keys for use by SSH, by extracting them from a local cache file /etc/sshkey.cache. Two variants are supported, based on the existing nsscache code: Format 1: username:key1 username:key2 Format 2: username:['key1', 'key2'] Ensure this script is mentioned in the sshd_config like so: AuthorizedKeysCommand /path/to/nsscache/authorized-keys-command.py If you have sufficently new OpenSSH, you can also narrow down the search: AuthorizedKeysCommand /path/to/nsscache/authorized-keys-command.py --username="%u" --key-type="%t" --key-fingerprint="%f" --key-blob="%k" Future improvements: - Validate SSH keys more strictly: - validate options string - validate X509 cert strings - Implement command line options to: - filter keys based on options better (beyond regex) - filter keys based on comments better (beyond regex) - filter X509 keys based on DN/subject - support multiple inputs for conditions - add an advanced conditional filter language """ from ast import literal_eval import sys import errno import argparse import re import base64 import hashlib import copy import textwrap DEFAULT_SSHKEY_CACHE = "/etc/sshkey.cache" REGEX_BASE64 = r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?" # All of the SSH blobs starts with 3 null bytes , which encode to 'AAAA' in base64 REGEX_BASE64_START3NULL = r"AAAA" + REGEX_BASE64 # This regex needs a lot of work KEYTYPE_REGEX_STRICT = ( r"\b(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\b" ) # Docs: # http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml#ssh-parameters-19 # RFC6187, etc KEYTYPE_REGEX_LAZY_NOX509 = r"\b(?:(?:spki|pgp|x509|x509v3)-)?(?:(?:ssh|sign)-(?:rsa|dss|ed25519)|ecdsa-[0-9a-z-]+|rsa2048-sha256)(?:-cert-v01@openssh\.com|\@ssh\.com)?\b" KEYTYPE_REGEX_LAZY_X509 = r"\bx509(?:v3)?-(?:(?:ssh|sign)-(?:rsa|dss|ed25519)|ecdsa-[0-9a-z-]+|rsa2048-sha256)(?:-cert-v01@openssh\.com|\@ssh\.com)?\b" X509_WORDDN = ( r"(?:(?i)(?:Distinguished[ _-]?Name|DN|Subject)[=:]?)" # case insensitive! ) KEY_REGEX = ( r"(.*)\s*(?:(" + KEYTYPE_REGEX_LAZY_NOX509 + r")\s+(" + REGEX_BASE64_START3NULL + r")\s*(.*)|(" + KEYTYPE_REGEX_LAZY_X509 + r")\s+(" + X509_WORDDN + ".*))" ) # Group 1: options # Branch 1: # Group 2: keytype (any, including x509) # Group 3: key blob (non-x509), always starts with AAAA (3 nulls in base64), no whitespace! # Group 4: comment (non-x509) # Branch 2: # Group 5: keytype (x509) # Group 6: x509 WORDDN followed by x509-specific blob or DN, including whitespace # # If the keytype is x509v3-*, then the data block can actually be a certificate # XOR a base64 block. # The cert specifier is "DN:/OU=.../SN=.../C=.." etc. By implication, this # EXCLUDEs the use of an comments, as you CANNOT detect when the DN ends. def warning(*objs): """Helper function for output to stderr.""" print("WARNING: ", *objs, file=sys.stderr) def parse_key(full_key_line): """Explode an authorized_keys line including options into the various parts.""" # print(KEY_REGEX) m = re.match(KEY_REGEX, full_key_line) if m is None: warning("Failed to match", full_key_line) return (None, None, None, None) options = m.group(1) key_type = m.group(2) blob = m.group(3) comment = m.group(4) if m.group(5) is not None: key_type = m.group(5) blob = m.group(6) comment = None return (options, key_type, blob, comment) def fingerprint_key(keyblob, fingerprint_format="SHA256"): """Generate SSH key fingerprints, using the requested format.""" # Don't try to fingerprint x509 blobs if keyblob is None or not keyblob.startswith("AAAA"): return None try: binary_blob = base64.b64decode(keyblob) except TypeError as e: warning(e, keyblob) return None if fingerprint_format == "MD5": raw = hashlib.md5(binary_blob).digest() return "MD5:" + ":".join("{:02x}".format(ord(c)) for c in raw) elif fingerprint_format in ["SHA256", "SHA512", "SHA1"]: h = hashlib.new(fingerprint_format) h.update(binary_blob) raw = h.digest() return fingerprint_format + ":" + base64.b64encode(raw).rstrip("=") return None def detect_fingerprint_format(fpr): """Given a fingerprint, try to detect what fingerprint format is used.""" if fpr is None: return None for prefix in ["SHA256", "SHA512", "SHA1", "MD5"]: if fpr.startswith(prefix + ":"): return prefix if re.match(r"^(MD5:)?([0-9a-f]{2}:)+[0-9a-f]{2}$", fpr) is not None: return "MD5" # Cannot detect the format return None def validate_key(candidate_key, conditions, strict=False): # pylint: disable=invalid-name,line-too-long,too-many-locals """Validate a potential authorized_key line against multiple conditions.""" # Explode the key ( candidate_key_options, candidate_key_type, candidate_key_blob, candidate_key_comment, ) = parse_key(candidate_key) # Set up our conditions with their defaults key_type = conditions.get("key_type", None) key_blob = conditions.get("key_blob", None) key_fingerprint = conditions.get("key_fingerprint", None) key_options_re = conditions.get("key_options_re", None) key_comment_re = conditions.get("key_comment_re", None) # Try to detect the fingerprint format fingerprint_format = detect_fingerprint_format(key_fingerprint) # Force MD5 prefix on old fingerprints if fingerprint_format is "MD5": if not key_fingerprint.startswith("MD5:"): key_fingerprint = "MD5:" + key_fingerprint # The OpenSSH base64 fingerprints drops the trailing padding, ensure we do # the same on provided input if fingerprint_format is not "MD5" and key_fingerprint is not None: key_fingerprint = key_fingerprint.rstrip("=") # Build the fingerprint for the candidate key # (the func does the padding strip as well) candidate_key_fingerprint = fingerprint_key(candidate_key_blob, fingerprint_format) match = True strict_pass = False if key_type is not None and candidate_key_type is not None: strict_pass = True match = match and (candidate_key_type == key_type) if key_fingerprint is not None and candidate_key_fingerprint is not None: strict_pass = True match = match and (candidate_key_fingerprint == key_fingerprint) if key_blob is not None and candidate_key_blob is not None: strict_pass = True match = match and (candidate_key_blob == key_blob) if key_comment_re is not None and candidate_key_comment is not None: strict_pass = True match = match and key_comment_re.search(candidate_key_comment) is not None if key_options_re is not None: strict_pass = True match = match and key_options_re.search(candidate_key_options) is not None if strict: return match and strict_pass return match PROG_EPILOG = textwrap.dedent( """\ Strict match will require that at least one condition matched. Conditions marked with X may not work correctly with X509 authorized_keys lines. """ ) PROG_DESC = "OpenSSH AuthorizedKeysCommand to read from cached keys file" if __name__ == "__main__": parser = argparse.ArgumentParser( prog="AUTHKEYCMD", description=PROG_DESC, epilog=PROG_EPILOG, formatter_class=argparse.RawDescriptionHelpFormatter, add_help=False, ) # Arguments group = parser.add_argument_group("Mandatory arguments") group.add_argument( "username", metavar="USERNAME", nargs="?", type=str, help="Username" ) group.add_argument( "--username", metavar="USERNAME", dest="username_opt", type=str, help="Username (alternative form)", ) # Conditions group = parser.add_argument_group("Match Conditions (optional)") group.add_argument("--key-type", metavar="KEY-TYPE", type=str, help="Key type") group.add_argument( "--key-fingerprint", "--key-fp", metavar="KEY-FP", type=str, help="Key fingerprint X", ) group.add_argument( "--key-blob", metavar="KEY-BLOB", type=str, help="Key blob (Base64 section) X" ) group.add_argument( "--key-comment-re", metavar="REGEX", type=str, help="Regex to match on comments X", ) group.add_argument( "--key-options-re", metavar="REGEX", type=str, help="Regex to match on options" ) # Setup parameters: group = parser.add_argument_group("Misc settings") group.add_argument( "--cache-file", metavar="FILENAME", default=DEFAULT_SSHKEY_CACHE, type=argparse.FileType("r"), help="Cache file [%s]" % (DEFAULT_SSHKEY_CACHE,), ) group.add_argument( "--strict", action="store_true", default=False, help="Strict match required" ) group.add_argument("--help", action="help", default=False, help="This help") # Fire it all args = parser.parse_args() # Handle that we support both variants lst = [args.username, args.username_opt] cnt = lst.count(None) if cnt == 2: parser.error("Username was not specified") elif cnt == 0: parser.error("Username must be specified either as an option XOR argument.") else: args.username = [x for x in lst if x is not None][0] # Strict makes no sense without at least one condition being specified if args.strict: d = copy.copy(vars(args)) for k in ["cache_file", "strict", "username"]: d.pop(k, None) if not any(v is not None for v in list(d.values())): parser.error("At least one condition must be specified with --strict") if args.key_comment_re is not None: args.key_comment_re = re.compile(args.key_comment_re) if args.key_options_re is not None: args.key_options_re = re.compile(args.key_options_re) try: key_conditions = { "key_options_re": args.key_options_re, "key_type": args.key_type, "key_blob": args.key_blob, "key_fingerprint": args.key_fingerprint, "key_comment_re": args.key_comment_re, } with args.cache_file as f: for line in f: (username, key) = line.split(":", 1) if username != args.username: continue key = key.strip() if key.startswith("[") and key.endswith("]"): # Python array, but handle it safely! keys = [i.strip() for i in literal_eval(key)] else: # Raw key keys = [key.strip()] for k in keys: if validate_key( candidate_key=k, conditions=key_conditions, strict=args.strict ): print(k) except IOError as err: if err.errno in [errno.EPERM, errno.ENOENT]: pass else: raise err