Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Have server enforce SSH zone separation #7247

Merged
merged 1 commit into from Nov 4, 2022
Merged

Have server enforce SSH zone separation #7247

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
Have server enforce SSH zone separation 
When a client requests a zone's ssh credentials, make sure the
client is consistent with the specified zone.

Per github user salben21
  • Loading branch information
@jjohnson42
jjohnson42 committed Sep 9, 2022
commit 85149c37f49dbca7bd85f1f586960315604fc024
26 changes: 21 additions & 5 deletions xCAT-server/lib/xcat/plugins/credentials.pm
View file
Open in desktop
Expand Up @@ -133,18 +133,34 @@ sub process_request
my $sshrootkeydir = "$root/.ssh"; # old default
if ((($parm =~ /^ssh_root_key/) || ($parm =~ /^ssh_root_pub_key/)) && ($foundkeys == 0)) {
my ($rootkeyparm, $zonename) = split(/:/, $parm);
my $client_zonename = xCAT::Zone->getmyzonename($client);
my $default_zonename = xCAT::Zone->getdefaultzone();

if ($zonename) {
$parm = $rootkeyparm; # take the zone off
xCAT::MsgUtils->trace(0, 'I', "credentials: The node ($client) is asking for sshkeys of zone: $zonename.");
$sshrootkeydir = xCAT::Zone->getzonekeydir($zonename);
if ($sshrootkeydir == 1) { # error return
xCAT::MsgUtils->trace(0, 'W', "credentials: The zone: $zonename is not defined.");
if ($client_zonename eq $zonename) {
my $sshbetweenodes_allowed = xCAT::Zone->enableSSHbetweennodes($client);
if (($sshbetweenodes_allowed == 1) || ($parm =~ /^ssh_root_pub_key/)) { # check if sshbetweennodes is allowed or pub key is requested
$sshrootkeydir = xCAT::Zone->getzonekeydir($zonename);
if ($sshrootkeydir == 1) { # error return
xCAT::MsgUtils->trace(0, 'W', "credentials: The zone: $zonename is not defined.");
} else {
$foundkeys = 1; # don't want to read the zone data twice
}
} else {
xCAT::MsgUtils->trace(0, 'E', "credentials: Not allowed to read root's private ssh key because sshbetweennodes is disabled.");
$sshrootkeydir = 1;
}
} else {
$foundkeys = 1; # don't want to read the zone data twice
xCAT::MsgUtils->trace(0, 'E', "credentials: Not allowed to read root's private ssh key of different zone.");
$sshrootkeydir = 1;
}
} elsif ($client_zonename ne $default_zonename) { # check if no zonename is submitted but node is not in default zone
xCAT::MsgUtils->trace(0, 'E', "credentials: Not allowed to read root's private ssh key of default zone.");
$sshrootkeydir = 1;
}
}

if ($parm =~ /ssh_root_key/) {
unless (-r "$sshrootkeydir/id_rsa") {
push @{ $rsp->{'error'} }, "Unable to read root's private ssh key";
Expand Down