erp5testnode: store shellinabox password in a dedicated file (part 2)

08b68618 · Sebastien Robin · f11280ab · 08b68618 · 08b68618 · 08b68618
Commit 08b68618 authored Mar 24, 2017 by Sebastien Robin
3 changed files
--- a/slapos/recipe/shellinabox.py
+++ b/slapos/recipe/shellinabox.py
@@ -25,6 +25,7 @@
 #
 ##############################################################################
 from getpass import getpass
+import hmac
 import pwd
 import grp
 import os
@@ -33,9 +34,9 @@ import shlex
 from slapos.recipe.librecipe import GenericBaseRecipe

 def login_shell(args):
-  shellinabox_password_file = args['shellinabox-password-file']
-  if shellinabox_password_file:
-    with open(shellinabox_password_file, 'r') as password_file:
+  password_file = args['password-file']
+  if password_file:
+    with open(password_file, 'r') as password_file:
      password = password_file.read()

    if (password != ''):
@@ -43,7 +44,7 @@ def login_shell(args):
    else:
      entered_password = ''

-    if entered_password != password:
+    if not hmac.compare_digest(entered_password, password):
      return 1
    else:
      commandline = shlex.split(args['shell'])
@@ -100,15 +101,12 @@ class Recipe(GenericBaseRecipe):
      self.options['login-shell'],
      '%s.login_shell' % __name__,
      {
-        'shellinabox-password-file': self.options['shellinabox-password-file'],
+        'password-file': self.options['password-file'],
        'shell': self.options['shell']
      }
    )
    path_list.append(login_shell)

-    with open(self.options['shellinabox-password-file'], 'w') as password_file:
-      password_file.write(self.options['password'])
-
    wrapper = self.createPythonScript(
      self.options['wrapper'],
      '%s.shellinabox' % __name__,

--- a/software/erp5testnode/instance-default.cfg
+++ b/software/erp5testnode/instance-default.cfg
@@ -94,8 +94,7 @@ port = 8080
 shell = $${shell:wrapper}
 wrapper = $${rootdirectory:bin}/shellinaboxd
 shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
-shellinabox-password-file = $${rootdirectory:etc}/shellinabox-password
-password = $${pwgen:passwd}
+password-file = $${pwgen:storage-path}
 directory = $${buildout:directory}/
 login-shell = $${rootdirectory:bin}/login
 certificate-directory = $${directory:shellinabox}

--- a/software/erp5testnode/software.cfg
+++ b/software/erp5testnode/software.cfg
@@ -56,7 +56,7 @@ recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-default.cfg
 output = ${buildout:directory}/template-default.cfg
 mode = 0644
-md5sum = 4cff4f92ab230ccf02283bf924e32089
+md5sum = 05519f3887a309d3ec069e0aa9f52ebc

 [versions]
 PyXML = 0.8.5