libkas: Do not overwrite existing .ssh/config

kas wrongly assumes so far that setting $HOME will also make ssh use the kas provided $HOME/.ssh/ folder. But ssh will pick up the homedir from /etc/passwd instead. This could cause kas to overwrite the users ~/.ssh/config when using SSH_PRIVATE_KEY*. We can try to cure ssh config isolation, but that may cause surprises for users so far silently relying on it. For now, as a stable fix, avoid to cause damage to ~/.ssh/config in cases where this is likely not desired, namely when there is already config file. Warn if that file does not contain the generated content from a previous run. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2021-11-23 18:11:32 +01:00 · 2021-11-23 18:11:32 +01:00 · e3af001f53
commit e3af001f53
parent 122f7749a3
1 changed files with 15 additions and 4 deletions
--- a/kas/libkas.py
+++ b/kas/libkas.py
@ -355,10 +355,21 @@ def ssh_no_host_key_check():
        Disables ssh host key check
    """
    home = os.path.expanduser('~')
-    if not os.path.exists(home + '/.ssh'):
-        os.mkdir(home + '/.ssh')
-    with open(home + '/.ssh/config', 'w') as fds:
-        fds.write('Host *\n\tStrictHostKeyChecking no\n\n')
+    ssh_dir = home + '/.ssh'
+    if not os.path.exists(ssh_dir):
+        os.mkdir(ssh_dir)
+    ssh_config = ssh_dir + "/config"
+    generated_content = 'Host *\n\tStrictHostKeyChecking no\n\n'
+    try:
+        with open(ssh_config, 'x') as fds:
+            fds.write(generated_content)
+    except FileExistsError:
+        with open(ssh_config, 'r') as fds:
+            content = fds.read()
+        if content != generated_content:
+            logging.warning("%s already exists, "
+                            "not touching it to disable StrictHostKeyChecking",
+                            ssh_config)


 def setup_parser_common_args(parser):