ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-07-26 14:41:23 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Add support for newer FreeIPA SHA256 SSH public key hashes (#40803)

Browse source 
* lib/ansible/modules/identity/ipa/ipa_user.py:
    - Check any existing `ipa_user` SSH public key fingerprints for the hash algorithm to use
    - Generate `module_user` SSH public key fingerprint based on detected or default algorithm
This commit is contained in:
Matthew Krupcale 2018-11-30 02:47:58 -05:00 committed by ansibot
commit 93fd323457
1 changed files with 17 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

22
lib/ansible/modules/identity/ipa/ipa_user.py
View file

@ -194,7 +194,10 @@ def get_user_diff(client, ipa_user, module_user):
# These are used for comparison. # These are used for comparison.
sshpubkey = None sshpubkey = None
if 'ipasshpubkey' in module_user: if 'ipasshpubkey' in module_user:
module_user['sshpubkeyfp'] = [get_ssh_key_fingerprint(pubkey) for pubkey in module_user['ipasshpubkey']] hash_algo = 'md5'
if 'sshpubkeyfp' in ipa_user and ipa_user['sshpubkeyfp'][0][:7].upper() == 'SHA256:':
hash_algo = 'sha256'
module_user['sshpubkeyfp'] = [get_ssh_key_fingerprint(pubkey, hash_algo) for pubkey in module_user['ipasshpubkey']]
# Remove the ipasshpubkey element as it is not returned from IPA but save it's value to be used later on # Remove the ipasshpubkey element as it is not returned from IPA but save it's value to be used later on
sshpubkey = module_user['ipasshpubkey'] sshpubkey = module_user['ipasshpubkey']
del module_user['ipasshpubkey'] del module_user['ipasshpubkey']
@ -208,11 +211,16 @@ def get_user_diff(client, ipa_user, module_user):
return result return result
def get_ssh_key_fingerprint(ssh_key): def get_ssh_key_fingerprint(ssh_key, hash_algo='sha256'):
""" """
Return the public key fingerprint of a given public SSH key Return the public key fingerprint of a given public SSH key
in format "FB:0C:AC:0A:07:94:5B:CE:75:6E:63:32:13:AD:AD:D7 [user@host] (ssh-rsa)" in format "[fp] [user@host] (ssh-rsa)" where fp is of the format:
FB:0C:AC:0A:07:94:5B:CE:75:6E:63:32:13:AD:AD:D7
for md5 or
SHA256:[base64]
for sha256
:param ssh_key: :param ssh_key:
:param hash_algo:
:return: :return:
""" """
parts = ssh_key.strip().split() parts = ssh_key.strip().split()
@ -221,8 +229,12 @@ def get_ssh_key_fingerprint(ssh_key):
key_type = parts[0] key_type = parts[0]
key = base64.b64decode(parts[1].encode('ascii')) key = base64.b64decode(parts[1].encode('ascii'))
fp_plain = hashlib.md5(key).hexdigest() if hash_algo == 'md5':
key_fp = ':'.join(a + b for a, b in zip(fp_plain[::2], fp_plain[1::2])).upper() fp_plain = hashlib.md5(key).hexdigest()
key_fp = ':'.join(a + b for a, b in zip(fp_plain[::2], fp_plain[1::2])).upper()
elif hash_algo == 'sha256':
fp_plain = base64.b64encode(hashlib.sha256(key).digest()).decode('ascii').rstrip('=')
key_fp = 'SHA256:{fp}'.format(fp=fp_plain)
if len(parts) < 3: if len(parts) < 3:
return "%s (%s)" % (key_fp, key_type) return "%s (%s)" % (key_fp, key_type)
else: else: