cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

known_hosts

Browse source
This commit is contained in:
cronekorkn 2023-07-28 10:00:16 +02:00
parent 789897acf6
commit 49b05fe8b8
Signed by: cronekorkn
SSH key fingerprint: SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw
2 changed files with 18 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
hooks/known_hosts.py Normal file
View file

@ -0,0 +1,10 @@
from os.path import expanduser
def apply_start(repo, target, nodes, interactive=False, **kwargs):
with open(expanduser('~/.ssh/known_hosts_ckn'), 'w+') as file:
file.write('\n'.join(sorted(
repo.libs.ssh.known_hosts_entry_for(node)
for node in repo.nodes
if node.has_bundle('ssh')
)))

16
libs/ssh.py
View file

@ -12,7 +12,7 @@ def generate_ed25519_key_pair(secret):
privkey_bytes = Ed25519PrivateKey.from_private_bytes(secret) privkey_bytes = Ed25519PrivateKey.from_private_bytes(secret)
# PRIVATE KEY # PRIVATE KEY
nondeterministic_privatekey = privkey_bytes.private_bytes( nondeterministic_privatekey = privkey_bytes.private_bytes(
encoding=Encoding.PEM, encoding=Encoding.PEM,
format=PrivateFormat.OpenSSH, format=PrivateFormat.OpenSSH,
@ -21,15 +21,15 @@ def generate_ed25519_key_pair(secret):
# get relevant lines from string # get relevant lines from string
nondeterministic_bytes = b64decode(''.join(nondeterministic_privatekey.split('\n')[1:-2])) nondeterministic_bytes = b64decode(''.join(nondeterministic_privatekey.split('\n')[1:-2]))
# sanity check # sanity check
if nondeterministic_bytes[98:102] != nondeterministic_bytes[102:106]: if nondeterministic_bytes[98:102] != nondeterministic_bytes[102:106]:
raise Exception("checksums should be the same: whats going on here?") raise Exception("checksums should be the same: whats going on here?")
# replace random bytes with deterministic values # replace random bytes with deterministic values
random_bytes = sha3_224(secret).digest()[0:4] random_bytes = sha3_224(secret).digest()[0:4]
deterministic_bytes = nondeterministic_bytes[:98] + random_bytes + random_bytes + nondeterministic_bytes[106:] deterministic_bytes = nondeterministic_bytes[:98] + random_bytes + random_bytes + nondeterministic_bytes[106:]
# reassemble file # reassemble file
deterministic_privatekey = '\n'.join([ deterministic_privatekey = '\n'.join([
'-----BEGIN OPENSSH PRIVATE KEY-----', '-----BEGIN OPENSSH PRIVATE KEY-----',
@ -43,9 +43,9 @@ def generate_ed25519_key_pair(secret):
encoding=Encoding.OpenSSH, encoding=Encoding.OpenSSH,
format=PublicFormat.OpenSSH, format=PublicFormat.OpenSSH,
).decode() ).decode()
# RETURN # RETURN
return (deterministic_privatekey, public_key) return (deterministic_privatekey, public_key)
@ -66,7 +66,7 @@ def known_hosts_entry_for(node, test_salt=None):
hash = hmac.new(salt, hostname.encode(), sha1).digest() hash = hmac.new(salt, hostname.encode(), sha1).digest()
pubkey = node.metadata.get('ssh/host_key/public') pubkey = node.metadata.get('ssh/host_key/public')
lines.add(f'|1|{b64encode(salt).decode()}|{b64encode(hash).decode()} {" ".join(pubkey.split()[:2])}') lines.add(f'|1|{b64encode(salt).decode()}|{b64encode(hash).decode()} {" ".join(pubkey.split()[:2])}')
return '\n'.join(sorted(lines)) return '\n'.join(sorted(lines))