Add support for newer FreeIPA SHA256 SSH public key hashes (#40803)
* lib/ansible/modules/identity/ipa/ipa_user.py: - Check any existing `ipa_user` SSH public key fingerprints for the hash algorithm to use - Generate `module_user` SSH public key fingerprint based on detected or default algorithm
This commit is contained in:
parent
2bd8e47247
commit
93fd323457
1 changed files with 17 additions and 5 deletions
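--- a/lib/ansible/modules/identity/ipa/ipa_user.py
+++ b/lib/ansible/modules/identity/ipa/ipa_user.py
@@ -194,7 +194,10 @@ def get_user_diff(client, ipa_user, module_user):
     # These are used for comparison.
     sshpubkey = None
     if 'ipasshpubkey' in module_user:
-        module_user['sshpubkeyfp'] = [get_ssh_key_fingerprint(pubkey) for pubkey in module_user['ipasshpubkey']]
+        hash_algo = 'md5'
+        if 'sshpubkeyfp' in ipa_user and ipa_user['sshpubkeyfp'][0][:7].upper() == 'SHA256:':
+            hash_algo = 'sha256'
+        module_user['sshpubkeyfp'] = [get_ssh_key_fingerprint(pubkey, hash_algo) for pubkey in module_user['ipasshpubkey']]
         # Remove the ipasshpubkey element as it is not returned from IPA but save it's value to be used later on
         sshpubkey = module_user['ipasshpubkey']
         del module_user['ipasshpubkey']
@@ -208,11 +211,16 @@ def get_user_diff(client, ipa_user, module_user):
     return result
 
 
-def get_ssh_key_fingerprint(ssh_key):
+def get_ssh_key_fingerprint(ssh_key, hash_algo='sha256'):
     """
     Return the public key fingerprint of a given public SSH key
-    in format "FB:0C:AC:0A:07:94:5B:CE:75:6E:63:32:13:AD:AD:D7 [user@host] (ssh-rsa)"
+    in format "[fp] [user@host] (ssh-rsa)" where fp is of the format:
+    FB:0C:AC:0A:07:94:5B:CE:75:6E:63:32:13:AD:AD:D7
+    for md5 or
+    SHA256:[base64]
+    for sha256
     :param ssh_key:
+    :param hash_algo:
     :return:
     """
     parts = ssh_key.strip().split()
@@ -221,8 +229,12 @@ def get_ssh_key_fingerprint(ssh_key):
     key_type = parts[0]
     key = base64.b64decode(parts[1].encode('ascii'))
 
-    fp_plain = hashlib.md5(key).hexdigest()
-    key_fp = ':'.join(a + b for a, b in zip(fp_plain[::2], fp_plain[1::2])).upper()
+    if hash_algo == 'md5':
+        fp_plain = hashlib.md5(key).hexdigest()
+        key_fp = ':'.join(a + b for a, b in zip(fp_plain[::2], fp_plain[1::2])).upper()
+    elif hash_algo == 'sha256':
+        fp_plain = base64.b64encode(hashlib.sha256(key).digest()).decode('ascii').rstrip('=')
+        key_fp = 'SHA256:{fp}'.format(fp=fp_plain)
     if len(parts) < 3:
         return "%s (%s)" % (key_fp, key_type)
     else: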
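Review bot: In the new `if hash_algo == 'md5': … elif hash_algo == 'sha256':` chain of get_ssh_key_fingerprint, any other value leaves `key_fp` unassigned and the later `return "%s (%s)" % (key_fp, key_type)` fails with UnboundLocalError instead of a clear error; add `else: raise ValueError('unsupported hash_algo: %s' % hash_algo)` after the `elif` branch. The defaults also disagree: the signature defaults `hash_algo` to `'sha256'` while get_user_diff starts from `'md5'` and only switches when the first entry of `ipa_user['sshpubkeyfp']` starts with `SHA256:`, so an empty list would raise IndexError on `[0]` and a mixed list would be diffed with the wrong digest and re-pushed on every run — whether IPA can return such lists is not visible in the hunk. Guarding with `if ipa_user.get('sshpubkeyfp') and ipa_user['sshpubkeyfp'][0][:7].upper() == 'SHA256:':` covers the empty case. Since the fingerprint is only used for the idempotency comparison and never gates access, a one-line comment saying so would keep the MD5 path from being mistaken for a security weakness by a later reader. get_ssh_key_fingerprint continues past the `else:` at the end of the last hunk.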