authorJan Cholasta <jcholast@redhat.com>2011-12-07 02:50:31 -0500
committerRob Crittenden <rcritten@redhat.com>2012-02-13 22:21:27 -0500
commit3c2b0fc28ae21c7e4b26961e28e2eb0ba0559d29 (patch)
tree856f8f2850043d1f3eb6f3df1c2d3287ae7fc969 /ipalib/plugins/user.py
parent9b6baf9beeb733d77883f4ed32e553265ee15543 (diff)
Add support for SSH public keys to user and host objects.
This patch adds a new multivalue param "sshpubkey" for specifying SSH public keys to both user and host objects. The accepted value is a base64-encoded public key blob as specified in RFC4253, section 6.6. Additionally, host commands automatically update DNS SSHFP records when requested by the user. https://fedorahosted.org/freeipa/ticket/754
Diffstat (limited to 'ipalib/plugins/user.py')
-rw-r--r--ipalib/plugins/user.py37
1 files changed, 31 insertions, 6 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 8c4cc49a0..ad9805bec 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -18,16 +18,18 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+from time import gmtime, strftime
+import copy
+import string
+
from ipalib import api, errors
-from ipalib import Flag, Int, Password, Str, Bool
+from ipalib import Flag, Int, Password, Str, Bool, Bytes
from ipalib.plugins.baseldap import *
from ipalib.request import context
-from time import gmtime, strftime
-import copy
from ipalib import _, ngettext
from ipapython.ipautil import ipa_generate_password
-import string
import posixpath
+from ipalib.util import validate_sshpubkey, output_sshpubkey
__doc__ = _("""
Users
@@ -154,12 +156,12 @@ class user(LDAPObject):
'uid', 'givenname', 'sn', 'homedirectory', 'loginshell',
'uidnumber', 'gidnumber', 'mail', 'ou',
'telephonenumber', 'title', 'memberof', 'nsaccountlock',
- 'memberofindirect',
+ 'memberofindirect', 'sshpubkeyfp',
]
search_display_attributes = [
'uid', 'givenname', 'sn', 'homedirectory', 'loginshell',
'mail', 'telephonenumber', 'title', 'nsaccountlock',
- 'uidnumber', 'gidnumber',
+ 'uidnumber', 'gidnumber', 'sshpubkeyfp',
]
uuid_attribute = 'ipauniqueid'
attribute_members = {
@@ -310,6 +312,15 @@ class user(LDAPObject):
label=_('Account disabled'),
flags=['no_create', 'no_update', 'no_search'],
),
+ Bytes('ipasshpubkey*', validate_sshpubkey,
+ cli_name='sshpubkey',
+ label=_('Base-64 encoded SSH public key'),
+ flags=['no_search'],
+ ),
+ Str('sshpubkeyfp*',
+ label=_('SSH public key fingerprint'),
+ flags=['virtual_attribute', 'no_create', 'no_update', 'no_search'],
+ ),
)
def _normalize_email(self, email, config=None):
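Review bot: The new `ipasshpubkey*` param has no `doc=` string, and its only visible input check is `validate_sshpubkey`, which is imported from ipalib.util and not shown in this file-limited diff. Nothing here states which key formats are accepted or whether the size of a submitted blob is bounded. A value in this attribute is presumably used as login credential material for the user, so I would add something like `doc=_('SSH public key blob as defined in RFC 4253, section 6.6')` and confirm that the validator rejects malformed and oversized blobs. The label says 'Base-64 encoded' while the param type is `Bytes`; a short comment saying where decoding happens would keep API callers from double-encoding. The takes_params tuple starts outside the hunk.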
@@ -489,6 +500,9 @@ class user_add(LDAPCreate):
pass
self.obj.get_password_attributes(ldap, dn, entry_attrs)
+
+ output_sshpubkey(ldap, dn, entry_attrs)
+
return dn
api.register(user_add)
@@ -522,6 +536,14 @@ class user_mod(LDAPUpdate):
entry_attrs['userpassword'] = ipa_generate_password(user_pwdchars)
# save the password so it can be displayed in post_callback
setattr(context, 'randompassword', entry_attrs['userpassword'])
+ if 'ipasshpubkey' in entry_attrs:
+ if 'objectclass' in entry_attrs:
+ obj_classes = entry_attrs['objectclass']
+ else:
+ (_dn, _entry_attrs) = ldap.get_entry(dn, ['objectclass'])
+ obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
+ if 'ipasshuser' not in obj_classes:
+ obj_classes.append('ipasshuser')
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
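Review bot: The membership test `if 'ipasshuser' not in obj_classes:` in user_mod's pre_callback is case-sensitive, whereas LDAP objectClass values are matched case-insensitively by the server. If the entry already carries the class with different capitalisation, this branch would append a second spelling and the modify may be rejected as a duplicate value. Comparing lowered values avoids that: `if 'ipasshuser' not in [oc.lower() for oc in obj_classes]:`. A one-line comment above the block, such as `# entries created before SSH key support lack the ipasshuser class`, would also explain why the extra get_entry call is needed. pre_callback starts outside the hunk.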
@@ -534,6 +556,7 @@ class user_mod(LDAPUpdate):
convert_nsaccountlock(entry_attrs)
self.obj._convert_manager(entry_attrs, **options)
self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ output_sshpubkey(ldap, dn, entry_attrs)
return dn
api.register(user_mod)
@@ -567,6 +590,7 @@ class user_find(LDAPSearch):
self.obj._convert_manager(attrs, **options)
self.obj.get_password_attributes(ldap, dn, attrs)
convert_nsaccountlock(attrs)
+ output_sshpubkey(ldap, dn, attrs)
msg_summary = ngettext(
'%(count)d user matched', '%(count)d users matched', 0
@@ -584,6 +608,7 @@ class user_show(LDAPRetrieve):
convert_nsaccountlock(entry_attrs)
self.obj._convert_manager(entry_attrs, **options)
self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ output_sshpubkey(ldap, dn, entry_attrs)
return dn
api.register(user_show)