Diffstat (limited to 'src')
3 files changed, 40 insertions, 3 deletions
diff --git a/src/com.gluster.storage.management.server.scripts/src/disable-ssh-password-auth.sh b/src/com.gluster.storage.management.server.scripts/src/disable-ssh-password-auth.sh
new file mode 100755
index 00000000..07ee1a3a
--- /dev/null
+++ b/src/com.gluster.storage.management.server.scripts/src/disable-ssh-password-auth.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+#-----------------------------------------------------------------------------
+# disable-ssh-password-auth.sh
+# Script for disabling SSH password authentication. This is used by the
+# management gateway after installing the public key, so that the gluster
+# node can be accessed (using ssh) only from the management gateway.
+#-----------------------------------------------------------------------------
+
+CONFIG_FILE="/etc/ssh/sshd_config"
+TIMESTAMP=`date +%d%m%Y%H%M%S`
+BACKUP_FILE="${CONFIG_FILE}_${TIMESTAMP}"
+TEMP_FILE="/tmp/new_sshd_config_${TIMESTAMP}"
+
+# Modify config file to disable password authentication, redirect to a temp file
+# TODO: disable only if enabled!
+sed "s/^PasswordAuthentication yes$/PasswordAuthentication no/g" ${CONFIG_FILE} > ${TEMP_FILE}
+
+# Secure the file by changing permissions (600)
+chmod 600 ${TEMP_FILE}
+
+# Take backup of config file
+cp ${CONFIG_FILE} ${BACKUP_FILE}
+
+# Overwrite config file with the modified one
+mv ${TEMP_FILE} ${CONFIG_FILE}
+
+# Re-start ssh daemon
+/etc/init.d/sshd restart
+
diff --git a/src/com.gluster.storage.management.server/src/com/gluster/storage/management/server/resources/ClustersResource.java b/src/com.gluster.storage.management.server/src/com/gluster/storage/management/server/resources/ClustersResource.java
index 6955b723..e1971322 100644
--- a/src/com.gluster.storage.management.server/src/com/gluster/storage/management/server/resources/ClustersResource.java
+++ b/src/com.gluster.storage.management.server/src/com/gluster/storage/management/server/resources/ClustersResource.java
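Review bot: The `sed "s/^PasswordAuthentication yes$/PasswordAuthentication no/g" ${CONFIG_FILE} > ${TEMP_FILE}` line only rewrites an explicit `PasswordAuthentication yes`; on a stock sshd_config where the directive is commented out (`#PasswordAuthentication yes`) or absent, sshd's default of yes still applies, the script changes nothing and exits 0, and the `result.isSuccess()` check in SshUtil.disableSshPasswordLogin reports success while password login stays enabled — the `# TODO: disable only if enabled!` comment covers only the opposite case. Without `set -e` a failing sed leaves an empty `${TEMP_FILE}` that `mv` then installs over the live config, and the predictable `/tmp/new_sshd_config_${TIMESTAMP}` name is open to any local user between the redirection and the `chmod 600`; creating the file with `mktemp` and running `sshd -t` before the `mv` address both. Keyboard-interactive authentication (`ChallengeResponseAuthentication`, PAM-backed on some distributions) can still accept passwords and is untouched here, which is worth a follow-up. The rewritten lines are below.
```shell
#!/bin/bash
set -e   # any failed step aborts before the live config is replaced

# … unchanged: header comment, CONFIG_FILE, TIMESTAMP, BACKUP_FILE …
TEMP_FILE=$(mktemp /tmp/new_sshd_config_XXXXXX)

# Rewrite an explicit "yes"; if no "PasswordAuthentication no" line results
# (directive absent or commented out), append one so the outcome is the same
sed "s/^PasswordAuthentication yes$/PasswordAuthentication no/g" "${CONFIG_FILE}" > "${TEMP_FILE}"
if ! grep -q "^PasswordAuthentication no$" "${TEMP_FILE}"; then
    echo "PasswordAuthentication no" >> "${TEMP_FILE}"
fi

# … unchanged: chmod 600, backup copy …

# Reject a config sshd would not start with, before it replaces the live one
/usr/sbin/sshd -t -f "${TEMP_FILE}"
mv "${TEMP_FILE}" "${CONFIG_FILE}"

# … unchanged: sshd restart …
```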
@@ -93,7 +93,6 @@ public class ClustersResource { return new StringListResponse(clusterList); } - @SuppressWarnings("unchecked") @POST @Produces(MediaType.TEXT_XML) public Status createCluster(@FormParam(FORM_PARAM_CLUSTER_NAME) String clusterName) { diff --git a/src/com.gluster.storage.management.server/src/com/gluster/storage/management/server/utils/SshUtil.java b/src/com.gluster.storage.management.server/src/com/gluster/storage/management/server/utils/SshUtil.java index 82cec63b..1cc51d23 100644 --- a/src/com.gluster.storage.management.server/src/com/gluster/storage/management/server/utils/SshUtil.java +++ b/src/com.gluster.storage.management.server/src/com/gluster/storage/management/server/utils/SshUtil.java @@ -55,6 +55,7 @@ public class SshUtil { private LRUCache<String, Connection> sshConnCache = new LRUCache<String, Connection>(10); private static final File PEM_FILE = new File(CoreConstants.USER_HOME + File.separator + ".ssh/id_rsa"); private static final File PUBLIC_KEY_FILE = new File(CoreConstants.USER_HOME + File.separator + ".ssh/id_rsa.pub"); + private static final String SCRIPT_DISABLE_SSH_PASSWORD_AUTH = "disable-ssh-password-auth.sh"; // TODO: Make user name configurable private static final String USER_NAME = "root"; @@ -89,7 +90,6 @@ public class SshUtil { localTempFile.delete(); } try { - // get authorized_keys from server scpClient.get(SSH_AUTHORIZED_KEYS_PATH, TEMP_DIR); } catch (IOException e) { 
@@ -119,7 +119,15 @@ public class SshUtil { throw new GlusterRuntimeException("Couldn't add public key to server [" + serverName + "]", e); } - // TODO: Disable password based ssh connections + disableSshPasswordLogin(serverName, scpClient); + } + + private void disableSshPasswordLogin(String serverName, SCPClient scpClient) { + ProcessResult result = executeRemote(serverName, SCRIPT_DISABLE_SSH_PASSWORD_AUTH); + if(!result.isSuccess()) { + throw new GlusterRuntimeException("Couldn't disable SSH password authentication on [" + serverName + + "]. Error: " + result); + } } private Connection getConnectionWithPassword(String serverName) { |
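Review bot: The `scpClient` parameter of the new `disableSshPasswordLogin(String serverName, SCPClient scpClient)` is never used in its body, which only calls `executeRemote(serverName, SCRIPT_DISABLE_SSH_PASSWORD_AUTH)`; drop it, `private void disableSshPasswordLogin(String serverName) {` and `disableSshPasswordLogin(serverName);` at the call site. Because this runs immediately after the public key is installed and removes the password path, it would be safer to confirm that a key-based connection to the node succeeds before executing the script; presumably executeRemote goes through `sshConnCache`, but if it reuses the password-authenticated session, a node whose key install looked fine but whose key login fails would be left unreachable from the gateway. A one-line Javadoc would also help, e.g. `/** Runs the password-auth disabling script on the node; call only after the gateway's public key is installed and key-based login has been verified. */`. The enclosing method, whose catch block opens this hunk, starts outside the hunk.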
