Merge pull request #106196 from mauriciopoppe/gce-windows-ssh-fix

Fix creation of the administrator_keys_file file with many users
This commit is contained in:
Kubernetes Prow Robot
2021-11-08 13:11:57 -08:00
committed by GitHub

View File

@@ -129,6 +129,18 @@ Add-Type -AssemblyName System.Web
$poll_interval = 10 $poll_interval = 10
# New for v7.9.0.0: administrators_authorized_keys file. For permission
# information see
# https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-Win32-OpenSSH#administrators_authorized_keys.
# this file is created only once, each valid user will be added here
$administrator_keys_file = ${env:ProgramData} + `
"\ssh\administrators_authorized_keys"
New-Item -ItemType file -Force $administrator_keys_file | Out-Null
icacls $administrator_keys_file /inheritance:r | Out-Null
icacls $administrator_keys_file /grant SYSTEM:`(F`) | Out-Null
icacls $administrator_keys_file /grant BUILTIN\Administrators:`(F`) | `
Out-Null
while($true) { while($true) {
$r1 = "" $r1 = ""
$r2 = "" $r2 = ""
@@ -191,10 +203,18 @@ while($true) {
$pw = [System.Web.Security.Membership]::GeneratePassword(16,2) $pw = [System.Web.Security.Membership]::GeneratePassword(16,2)
try { try {
# Create-NewProfile will throw this when the user profile already exists: # Create-NewProfile will throw these errors:
#
# - if the username already exists:
#
# Create-NewProfile : Exception calling "SetInfo" with "0" argument(s): # Create-NewProfile : Exception calling "SetInfo" with "0" argument(s):
# "The account already exists." # "The account already exists."
# Just catch it and ignore it. #
# - if the username is invalid (e.g. gke-29bd5e8d9ea0446f829d)
#
# Create-NewProfile : Exception calling "SetInfo" with "0" argument(s): "The specified username is invalid.
#
# Just catch them and ignore them.
Create-NewProfile $username $pw -ErrorAction Stop Create-NewProfile $username $pw -ErrorAction Stop
# Add the user to the Administrators group, otherwise we will not have # Add the user to the Administrators group, otherwise we will not have
@@ -209,29 +229,26 @@ while($true) {
return return
} }
# NOTE: there is a race condition here where someone could try to ssh to # the authorized_keys file is created only once per user
# this node in-between when we clear out the authorized_keys file and when
# we write keys to it. Oh well.
$user_keys_file = -join($user_dir, "\.ssh\authorized_keys") $user_keys_file = -join($user_dir, "\.ssh\authorized_keys")
New-Item -ItemType file -Force $user_keys_file | Out-Null if (-not (Test-Path $user_keys_file)) {
New-Item -ItemType file -Force $user_keys_file | Out-Null
# New for v7.9.0.0: administrators_authorized_keys file. For permission }
# information see
# https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-Win32-OpenSSH#administrators_authorized_keys.
$administrator_keys_file = ${env:ProgramData} + `
"\ssh\administrators_authorized_keys"
New-Item -ItemType file -Force $administrator_keys_file | Out-Null
icacls $administrator_keys_file /inheritance:r | Out-Null
icacls $administrator_keys_file /grant SYSTEM:`(F`) | Out-Null
icacls $administrator_keys_file /grant BUILTIN\Administrators:`(F`) | `
Out-Null
ForEach ($ssh_key in $_.value) { ForEach ($ssh_key in $_.value) {
# authorized_keys and other ssh config files must be UTF-8 encoded: # authorized_keys and other ssh config files must be UTF-8 encoded:
# https://github.com/PowerShell/Win32-OpenSSH/issues/862 # https://github.com/PowerShell/Win32-OpenSSH/issues/862
# https://github.com/PowerShell/Win32-OpenSSH/wiki/Various-Considerations # https://github.com/PowerShell/Win32-OpenSSH/wiki/Various-Considerations
Add-Content -Encoding UTF8 $user_keys_file $ssh_key #
Add-Content -Encoding UTF8 $administrator_keys_file $ssh_key # these files will be append only, only new keys will be added
$found = Select-String -Path $user_keys_file -Pattern $ssh_key
if ($found -eq $null) {
Add-Content -Encoding UTF8 $user_keys_file $ssh_key
}
$found = Select-String -Path $administrator_keys_file -Pattern $ssh_key
if ($found -eq $null) {
Add-Content -Encoding UTF8 $administrator_keys_file $ssh_key
}
} }
} }
Start-Sleep -sec $poll_interval Start-Sleep -sec $poll_interval