Add support for printing out the authkey's for the default user.

1. Adjust the sshutil so that it has functions
   for doing this (used by the previous functions)
2. Create a new module that pretty prints out 
   the given authorized keys fetched (if any) using the standard
   md5 scheme (for now), this module can be disabled by 
   setting 'no_ssh_fingerprints' or just removing it from the running
   list.

cloudinit/config/cc_ssh_authkey_fingerprints.py

@@ -0,0 +1,86 @@
+# vi: ts=4 expandtab
+#
+#    Copyright (C) 2012 Yahoo! Inc.
+#
+#    Author: Joshua Harlow <harlowja@yahoo-inc.com>
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License version 3, as
+#    published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import base64
+import glob
+import hashlib
+import os
+
+from prettytable import PrettyTable
+
+from cloudinit import util
+from cloudinit import ssh_util
+
+FP_HASH_TYPE = 'md5'
+FP_SEGMENT_LEN = 2
+FP_SEGMENT_SEP = ":"
+
+
+def _split_hash(bin_hash):
+    split_up = []
+    for i in xrange(0, len(bin_hash), FP_SEGMENT_LEN):
+        split_up.append(bin_hash[i:i+FP_SEGMENT_LEN])
+    return split_up
+
+
+def _gen_fingerprint(b64_text):
+    if not b64_text:
+        return ''
+    # Maybe we should feed this into 'ssh -lf'?
+    try:
+        bin_text = base64.b64decode(b64_text)
+        hasher = hashlib.new(FP_HASH_TYPE)
+        hasher.update(bin_text)
+        pp_hash = FP_SEGMENT_SEP.join(_split_hash(hasher.hexdigest()))
+        return pp_hash
+    except TypeError:
+        return ''
+
+
+def _pprint_key_entries(user, key_fn, key_entries, prefix='ci-info: '):
+    if not key_entries:
+        message = "%sno authorized ssh keys fingerprints found for user %s." % (prefix, user)
+        util.multi_log(message)
+        return
+    tbl_fields = ['Keytype', 'Fingerprint', 'Options', 'Comment']
+    tbl = PrettyTable(tbl_fields)
+    for entry in key_entries:
+        row = []
+        row.append(entry.keytype or '-')
+        row.append(_gen_fingerprint(entry.base64) or '-')
+        row.append(entry.comment or '-')
+        row.append(entry.options or '-')
+        tbl.add_row(row)
+    authtbl_s = tbl.get_string()
+    max_len = len(max(authtbl_s.splitlines(), key=len))
+    lines = [
+        util.center("Authorized keys fingerprints from %s for user %s" % (key_fn, user), "+", max_len),
+    ]
+    lines.extend(authtbl_s.splitlines())
+    for line in lines:
+        util.multi_log(text="%s%s\n" % (prefix, line))
+
+
+def handle(name, cfg, cloud, log, _args):
+    if 'no_ssh_fingerprints' in cfg:
+        log.debug(("Skipping module named %s, "
+                   "logging of ssh fingerprints disabled"), name)
+
+    user = util.get_cfg_option_str(cfg, "user", "ubuntu")
+    (auth_key_fn, auth_key_entries) = ssh_util.extract_authorized_keys(user, cloud.paths)
+    _pprint_key_entries(user, auth_key_fn, auth_key_entries)

cloudinit/ssh_util.py

@@ -181,12 +181,11 @@ def parse_authorized_keys(fname):
     return contents
 
 
-def update_authorized_keys(fname, keys):
+def update_authorized_keys(old_entries, keys):
-    entries = parse_authorized_keys(fname)
     to_add = list(keys)
 
-    for i in range(0, len(entries)):
+    for i in range(0, len(old_entries)):
-        ent = entries[i]
+        ent = old_entries[i]
         if ent.empty() or not ent.base64:
             continue
         # Replace those with the same base64
@@ -199,66 +198,81 @@ def update_authorized_keys(fname, keys):
                 # Don't add it later
                 if k in to_add:
                     to_add.remove(k)
-        entries[i] = ent
+        old_entries[i] = ent
 
     # Now append any entries we did not match above
     for key in to_add:
-        entries.append(key)
+        old_entries.append(key)
 
     # Now format them back to strings...
-    lines = [str(b) for b in entries]
+    lines = [str(b) for b in old_entries]
 
     # Ensure it ends with a newline
     lines.append('')
     return '\n'.join(lines)
 
 
-def setup_user_keys(keys, user, key_prefix, paths):
+def users_ssh_info(username, paths):
-    # Make sure the users .ssh dir is setup accordingly
+    pw_ent = pwd.getpwnam(username)
-    pwent = pwd.getpwnam(user)
+    if not pw_ent:
-    ssh_dir = os.path.join(pwent.pw_dir, '.ssh')
+        raise RuntimeError("Unable to get ssh info for user %r" % (username))
-    ssh_dir = paths.join(False, ssh_dir)
+    ssh_dir = paths.join(False, os.path.join(pw_ent.pw_dir, '.ssh'))
-    if not os.path.exists(ssh_dir):
+    return (ssh_dir, pw_ent)
-        util.ensure_dir(ssh_dir, mode=0700)
-        util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid)
 
-    # Turn the keys given into actual entries
-    parser = AuthKeyLineParser()
-    key_entries = []
-    for k in keys:
-        key_entries.append(parser.parse(str(k), def_opt=key_prefix))
 
+def extract_authorized_keys(username, paths):
+    (ssh_dir, pw_ent) = users_ssh_info(username, paths)
     sshd_conf_fn = paths.join(True, DEF_SSHD_CFG)
+    auth_key_fn = None
     with util.SeLinuxGuard(ssh_dir, recursive=True):
         try:
-            # AuthorizedKeysFile may contain tokens
+            # The 'AuthorizedKeysFile' may contain tokens
             # of the form %T which are substituted during connection set-up.
             # The following tokens are defined: %% is replaced by a literal
             # '%', %h is replaced by the home directory of the user being
             # authenticated and %u is replaced by the username of that user.
             ssh_cfg = parse_ssh_config_map(sshd_conf_fn)
-            akeys = ssh_cfg.get("authorizedkeysfile", '')
+            auth_key_fn = ssh_cfg.get("authorizedkeysfile", '').strip()
-            akeys = akeys.strip()
+            if not auth_key_fn:
-            if not akeys:
+                auth_key_fn = "%h/.ssh/authorized_keys"
-                akeys = "%h/.ssh/authorized_keys"
+            auth_key_fn = auth_key_fn.replace("%h", pw_ent.pw_dir)
-            akeys = akeys.replace("%h", pwent.pw_dir)
+            auth_key_fn = auth_key_fn.replace("%u", username)
-            akeys = akeys.replace("%u", user)
+            auth_key_fn = auth_key_fn.replace("%%", '%')
-            akeys = akeys.replace("%%", '%')
+            if not auth_key_fn.startswith('/'):
-            if not akeys.startswith('/'):
+                auth_key_fn = os.path.join(pw_ent.pw_dir, auth_key_fn)
-                akeys = os.path.join(pwent.pw_dir, akeys)
+            auth_key_fn = paths.join(False, auth_key_fn)
-            authorized_keys = paths.join(False, akeys)
         except (IOError, OSError):
-            authorized_keys = os.path.join(ssh_dir, 'authorized_keys')
+            # Give up and use a default key filename
+            auth_key_fn = os.path.join(ssh_dir, 'authorized_keys')
             util.logexc(LOG, ("Failed extracting 'AuthorizedKeysFile'"
                               " in ssh config"
-                              " from %s, using 'AuthorizedKeysFile' file"
+                              " from %r, using 'AuthorizedKeysFile' file"
-                              " %s instead"),
+                              " %r instead"),
-                        sshd_conf_fn, authorized_keys)
+                        sshd_conf_fn, auth_key_fn)
+    auth_key_entries = parse_authorized_keys(auth_key_fn)
+    return (auth_key_fn, auth_key_entries)
 
-        content = update_authorized_keys(authorized_keys, key_entries)
+
-        util.ensure_dir(os.path.dirname(authorized_keys), mode=0700)
+def setup_user_keys(keys, username, key_prefix, paths):
-        util.write_file(authorized_keys, content, mode=0600)
+    # Make sure the users .ssh dir is setup accordingly
-        util.chownbyid(authorized_keys, pwent.pw_uid, pwent.pw_gid)
+    (ssh_dir, pwent) = users_ssh_info(username, paths)
+    if not os.path.isdir(ssh_dir):
+        util.ensure_dir(ssh_dir, mode=0700)
+        util.chownbyid(ssh_dir, pwent.pw_uid, pwent.pw_gid)
+
+    # Turn the 'update' keys given into actual entries
+    parser = AuthKeyLineParser()
+    key_entries = []
+    for k in keys:
+        key_entries.append(parser.parse(str(k), def_opt=key_prefix))
+
+    # Extract the old and make the new
+    (auth_key_fn, auth_key_entries) = extract_authorized_keys(username, paths)
+    with util.SeLinuxGuard(ssh_dir, recursive=True):
+        content = update_authorized_keys(auth_key_entries, key_entries)
+        util.ensure_dir(os.path.dirname(auth_key_fn), mode=0700)
+        util.write_file(auth_key_fn, content, mode=0600)
+        util.chownbyid(auth_key_fn, pwent.pw_uid, pwent.pw_gid)
 
 
 class SshdConfigLine(object):