
F #2152: Restrict SSH agent forwarding (#4611)

Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
This commit is contained in:
Petr Ospalý 2020-04-27 17:43:19 +02:00 committed by GitHub
parent 9f05d36144
commit c54a93bb94
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 30 additions and 8 deletions


@ -45,9 +45,11 @@ RBD=${RBD:-rbd}
READLINK=${READLINK:-readlink} READLINK=${READLINK:-readlink}
RM=${RM:-rm} RM=${RM:-rm}
CP=${CP:-cp} CP=${CP:-cp}
SCP=${SCP:-scp -o ForwardAgent=yes} SCP=${SCP:-scp}
SCP_FWD=${SCP_FWD:-scp -o ForwardAgent=yes}
SED=${SED:-sed} SED=${SED:-sed}
SSH=${SSH:-ssh -o ForwardAgent=yes} SSH=${SSH:-ssh}
SSH_FWD=${SSH_FWD:-ssh -o ForwardAgent=yes}
SUDO=${SUDO:-sudo -n} SUDO=${SUDO:-sudo -n}
SYNC=${SYNC:-sync} SYNC=${SYNC:-sync}
TAR=${TAR:-tar} TAR=${TAR:-tar}
@ -361,6 +363,26 @@ function mkfs_command {
fi fi
} }
# This function will accept command as an argument for which it will override
# the env. variables SSH and SCP with their agent forwarding alternative
ssh_forward()
{
_ssh_cmd_saved="$SSH"
_scp_cmd_saved="$SCP"
SSH="$SSH_FWD"
SCP="$SCP_FWD"
"$@"
_ssh_forward_result=$?
SSH="$_ssh_cmd_saved"
SCP="$_scp_cmd_saved"
return $_ssh_forward_result
}
#This function executes $2 at $1 host and report error $3 but does not exit #This function executes $2 at $1 host and report error $3 but does not exit
function ssh_exec_and_log_no_error function ssh_exec_and_log_no_error
{ {
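Review bot: ssh_forward keeps the previous SSH and SCP values in plain shell globals (`_ssh_cmd_saved`, `_scp_cmd_saved`, `_ssh_forward_result`), so a nested use — ssh_forward wrapping a function that itself calls ssh_forward — overwrites the outer saved values, and the outer call then restores SSH/SCP to the forwarding variants, leaving agent forwarding enabled for everything that runs afterwards. Declaring them `local _ssh_cmd_saved="$SSH"`, `local _scp_cmd_saved="$SCP"` and `local _ssh_forward_result` keeps the override scoped to the wrapped command. The override is also only visible to functions executed in the current shell; if SSH and SCP are not exported (not visible here), an external script wrapped by ssh_forward would still see the inherited non-forwarding values. ssh_exec_and_log_no_error begins at the end of the hunk and continues outside it.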


@ -76,7 +76,7 @@ $TAR -C $DST_PATH_DIRNAME --sparse -cf - $DST_PATH_BASENAME | $SSH $DST_HOST '$T
EOF EOF
) )
ssh_exec_and_log "$SRC_HOST" "$TAR_SSH" "Error copying disk directory to target host" ssh_forward ssh_exec_and_log "$SRC_HOST" "$TAR_SSH" "Error copying disk directory to target host"
migrate_other "$@" migrate_other "$@"


@ -80,10 +80,10 @@ ORIGINAL_SIZE="${XPATH_ELEMENTS[j++]}"
# Copy files to the remote host # Copy files to the remote host
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
log "Cloning $SRC in $DST_PATH" log "Cloning $SRC in $DST_PATH"
exec_and_log "$SCP -r $SRC $DST" "Error copying $SRC to $DST" ssh_forward exec_and_log "$SCP -r $SRC $DST" "Error copying $SRC to $DST"
if [ -d "${SRC_PATH_SNAP}" ]; then if [ -d "${SRC_PATH_SNAP}" ]; then
exec_and_log "$SCP -r $SRC_HOST:${SRC_PATH_SNAP} $DST_HOST:${DST_PATH_SNAP}" \ ssh_forward exec_and_log "$SCP -r $SRC_HOST:${SRC_PATH_SNAP} $DST_HOST:${DST_PATH_SNAP}" \
"Error copying $SRC to $DST" "Error copying $SRC to $DST"
fi fi
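Review bot: On the `ssh_forward exec_and_log "$SCP -r $SRC $DST"` line and the `$SCP` line inside the if, `$SCP` is expanded by the calling shell before ssh_forward executes, so the SCP override the wrapper installs never reaches the command string and the copy still runs with the plain `scp` default; the same applies to the `ssh_forward exec_and_log "$SCP -r $SRC $DST"` lines in the two later sections. Either reference the forwarding variant directly, `exec_and_log "$SCP_FWD -r $SRC $DST" "Error copying $SRC to $DST"`, or defer the expansion so it happens inside the wrapper's scope, which depends on how exec_and_log evaluates its argument (not visible here). The `ssh_forward ssh_exec_and_log …` call sites in the other sections are not affected, provided ssh_exec_and_log reads `$SSH` at execution time rather than receiving it as an argument.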


@ -119,6 +119,6 @@ EOF
fi fi
log "Moving $SRC to datastore as $DST" log "Moving $SRC to datastore as $DST"
exec_and_log "$SCP -r $SRC $DST" "Error copying $SRC to $DST" ssh_forward exec_and_log "$SCP -r $SRC $DST" "Error copying $SRC to $DST"
exit 0 exit 0


@ -95,6 +95,6 @@ rm -rf $SRC_PATH
EOF EOF
) )
ssh_exec_and_log "$SRC_HOST" "$TAR_SSH" "Error copying disk directory to target host" ssh_forward ssh_exec_and_log "$SRC_HOST" "$TAR_SSH" "Error copying disk directory to target host"
exit 0 exit 0


@ -49,7 +49,7 @@ DST_SNAP="${DST}.snap"
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
log "Moving $SRC to datastore as $DST" log "Moving $SRC to datastore as $DST"
exec_and_log "$SCP -r $SRC $DST" "Error copying $SRC to $DST" ssh_forward exec_and_log "$SCP -r $SRC $DST" "Error copying $SRC to $DST"
if $SSH $SRC_HOST ls ${SRC_PATH_SNAP} >/dev/null 2>&1; then if $SSH $SRC_HOST ls ${SRC_PATH_SNAP} >/dev/null 2>&1; then
exec_and_log "rsync -r --delete ${SRC_HOST}:${SRC_PATH_SNAP}/ ${DST_SNAP}" exec_and_log "rsync -r --delete ${SRC_HOST}:${SRC_PATH_SNAP}/ ${DST_SNAP}"