Revert "Flexible and dynamic service key/certificate fingerprints in MiGserver.conf" (#172)

Reverts #171 merge directly in edge in order to merge
through svn as usual.

Author: jonasbardino

mig/install/generateconfs.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # generateconfs - create custom MiG server configuration files
-# Copyright (C) 2003-2025  The MiG Project
+# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
 #
 # This file is part of MiG.
 #
@@ -145,10 +145,7 @@ def main(argv, _generate_confs=generate_confs, _print=print):
         'ext_oidc_rewrite_cookie',
         'dhparams_path',
         'daemon_keycert',
-        'daemon_keycert_sha256',
         'daemon_pubkey',
-        'daemon_pubkey_md5',
-        'daemon_pubkey_sha256',
         'daemon_show_address',
         'alias_field',
         'peers_permit',

mig/install/migcheckssl-template.sh.cronjob

@@ -40,9 +40,7 @@ server_crt="${domain_cert_path}/server.crt"
 server_crt_ca_pem="${domain_cert_path}/server.crt.ca.pem"
 server_key_crt_ca_pem="${domain_cert_path}/server.key.crt.ca.pem"
 combined_pem="${domain_cert_path}/combined.pem"
-combined_pem_sha256="${combined_pem}.sha256"
 combined_pub="${domain_cert_path}/combined.pub"
-combined_pub_sha256="${combined_pub}.sha256"
 dhparams_pem="${cert_base}/dhparams.pem"
 # use git latest or release version of getssl
 getssl_version="release"
@@ -281,32 +279,10 @@ if [[ ${org_mtime} -ne ${new_mtime} && "${org_chksum}" != "${new_chksum}" ]]; th
         fi
     done
     if [ -n "${migrid_subservices}" ]; then
-        pem_sha256_fp=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
-        pem_sha256_fp=${pem_sha256_fp/* Fingerprint=/}
-        echo "Please manually update ftps/davs sha256 fingerprint in MiGserver.conf to:"
-        echo "${pem_sha256_fp}"
-        echo "or point those configuration values to the latest fingerprint file with:"
-        echo "FILE::${combined_pem_sha256}"
-        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
-        echo "${pem_sha256_fp}" > ${combined_pem_sha256}
-        pub_md5_fp=$(ssh-keygen -l -E md5 -f ${combined_pub})
-        pub_md5_fp=${pub_md5_fp/* MD5:/}
-        pub_md5_fp=${pub_md5_fp/ */}
-        echo "Please verify that sftp md5 fingerprint in MiGserver.conf is:"
-        echo "${pub_md5_fp}"
-        echo "or point that configuration value to the latest fingerprint file with:"
-        echo "FILE::${combined_pub_md5}"
-        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
-        echo "${pub_md5_fp}" > ${combined_pub_md5}
-        pub_sha256_fp=$(ssh-keygen -l -f ${combined_pub})
-        pub_sha256_fp=${pub_sha256_fp/* SHA256:/}
-        pub_sha256_fp=${pub_sha256_fp/ */}
-        echo "Please verify that sftp sha256 fingerprint in MiGserver.conf is:"
-        echo "${pub_sha256_fp}"
-        echo "or point that configuration value to the latest fingerprint file with:"
-        echo "FILE::${combined_pub_sha256}"
-        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
-        echo "${pub_sha256_fp}" > ${combined_pub_sha256}
+        sha256_fingerprint=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
+        sha256_fingerprint=${sha256_fingerprint/SHA256 Fingerprint=/}
+        echo "Please update ftps and davs sha256 fingerprint in MiGserver.conf to:"
+        echo "${sha256_fingerprint}"
     fi
 fi
 

mig/shared/configuration.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # configuration - configuration wrapper
-# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
+# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
 #
 # This file is part of MiG.
 #
@@ -1134,8 +1134,7 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             fingerprint = config.get('GLOBAL', 'user_sftp_key_md5')
             self.user_sftp_key_md5 = fingerprint
         if config.has_option('GLOBAL', 'user_sftp_key_sha256'):
-            fingerprint = expand_external_sources(
-                logger, config.get('GLOBAL', 'user_sftp_key_sha256'))
+            fingerprint = config.get('GLOBAL', 'user_sftp_key_sha256')
             self.user_sftp_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_sftp_key_from_dns'):
             self.user_sftp_key_from_dns = config.getboolean(
@@ -1229,8 +1228,7 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             self.user_davs_key = config.get('GLOBAL',
                                             'user_davs_key')
         if config.has_option('GLOBAL', 'user_davs_key_sha256'):
-            fingerprint = expand_external_sources(
-                logger, config.get('GLOBAL', 'user_davs_key_sha256'))
+            fingerprint = config.get('GLOBAL', 'user_davs_key_sha256')
             self.user_davs_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_davs_auth'):
             self.user_davs_auth = config.get('GLOBAL',
@@ -1276,8 +1274,7 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             self.user_ftps_key = config.get('GLOBAL',
                                             'user_ftps_key')
         if config.has_option('GLOBAL', 'user_ftps_key_sha256'):
-            fingerprint = expand_external_sources(
-                logger, config.get('GLOBAL', 'user_ftps_key_sha256'))
+            fingerprint = config.get('GLOBAL', 'user_ftps_key_sha256')
             self.user_ftps_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_ftps_auth'):
             self.user_ftps_auth = config.get('GLOBAL',

mig/shared/install.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # install - MiG server install helpers
-# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
+# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
 #
 # This file is part of MiG.
 #
@@ -412,10 +412,7 @@ def generate_confs(
     ext_oidc_rewrite_cookie='',
     dhparams_path='',
     daemon_keycert='',
-    daemon_keycert_sha256=keyword_auto,
     daemon_pubkey='',
-    daemon_pubkey_md5=keyword_auto,
-    daemon_pubkey_sha256=keyword_auto,
     daemon_pubkey_from_dns=False,
     daemon_show_address='',
     alias_field='',
@@ -733,10 +730,7 @@ def _generate_confs_prepare(
     ext_oidc_rewrite_cookie,
     dhparams_path,
     daemon_keycert,
-    daemon_keycert_sha256,
     daemon_pubkey,
-    daemon_pubkey_md5,
-    daemon_pubkey_sha256,
     daemon_pubkey_from_dns,
     daemon_show_address,
     alias_field,
@@ -1005,9 +999,9 @@ def _generate_confs_prepare(
     user_dict['__DHPARAMS_PATH__'] = dhparams_path
     user_dict['__DAEMON_KEYCERT__'] = daemon_keycert
     user_dict['__DAEMON_PUBKEY__'] = daemon_pubkey
-    user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
-    user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
-    user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
+    user_dict['__DAEMON_KEYCERT_SHA256__'] = ''
+    user_dict['__DAEMON_PUBKEY_MD5__'] = ''
+    user_dict['__DAEMON_PUBKEY_SHA256__'] = ''
     user_dict['__DAEMON_PUBKEY_FROM_DNS__'] = "%s" % daemon_pubkey_from_dns
     user_dict['__SFTP_PORT__'] = "%s" % sftp_port
     user_dict['__SFTP_SUBSYS_PORT__'] = "%s" % sftp_subsys_port
@@ -1931,19 +1925,15 @@ def _generate_confs_prepare(
 openssl dhparam 2048 -out %(__DHPARAMS_PATH__)s""" % user_dict)
             sys.exit(1)
 
-    # Auto-fill fingerprints if daemon key is set with AUTO fingerprint
+    # Auto-fill fingerprints if daemon key is set
     if user_dict['__DAEMON_KEYCERT__']:
         if not os.path.isfile(os.path.expanduser("%(__DAEMON_KEYCERT__)s" %
                                                  user_dict)):
             print("ERROR: requested daemon keycert file not found!")
-            print("""You can create it e.g. with:
-openssl genrsa -out %(__DAEMON_KEYCERT__)s 4096""" % user_dict)
+            print("""You can create it with:
+openssl genrsa -out %(__DAEMON_KEYCERT__)s 2048""" % user_dict)
             sys.exit(1)
-    else:
-        user_dict['__DAEMON_KEYCERT_SHA256__'] = ''
 
-    if user_dict['__DAEMON_KEYCERT__'] and keyword_auto in \
-            (daemon_keycert_sha256, ):
         key_path = os.path.expanduser(user_dict['__DAEMON_KEYCERT__'])
         openssl_cmd = ["openssl", "x509", "-noout", "-fingerprint", "-sha256",
                        "-in", key_path]
@@ -1958,21 +1948,15 @@ def _generate_confs_prepare(
             print("ERROR: failed to extract sha256 fingerprint of %s: %s" %
                   (key_path, exc))
             daemon_keycert_sha256 = ''
-        if daemon_keycert_sha256 == keyword_auto:
-            user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
+        user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
     if user_dict['__DAEMON_PUBKEY__']:
         if not os.path.isfile(os.path.expanduser("%(__DAEMON_PUBKEY__)s" %
                                                  user_dict)):
             print("ERROR: requested daemon pubkey file not found!")
             print("""You can create it with:
 ssh-keygen -f %(__DAEMON_KEYCERT__)s -y > %(__DAEMON_PUBKEY__)s""" % user_dict)
             sys.exit(1)
-    else:
-        user_dict['__DAEMON_PUBKEY_MD5__'] = ''
-        user_dict['__DAEMON_PUBKEY_SHA256__'] = ''
 
-    if user_dict['__DAEMON_PUBKEY__'] and keyword_auto in \
-            (daemon_pubkey_md5, daemon_pubkey_sha256):
         pubkey_path = os.path.expanduser(user_dict['__DAEMON_PUBKEY__'])
         pubkey = read_file(pubkey_path, None)
         if pubkey is None:
@@ -1990,12 +1974,9 @@ def _generate_confs_prepare(
         except Exception as exc:
             print("ERROR: failed to extract fingerprints of %s : %s" %
                   (pubkey_path, exc))
-            daemon_pubkey_md5 = ''
             daemon_pubkey_sha256 = ''
-        if daemon_pubkey_md5 == keyword_auto:
-            user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
-        if daemon_pubkey_sha256 == keyword_auto:
-            user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
+        user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
+        user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
 
     # Enable Debian/Ubuntu specific lines only there
     if user_dict['__DISTRO__'].lower() in ('ubuntu', 'debian'):

tests/fixture/confs-stdlocal/migcheckssl

@@ -40,9 +40,7 @@ server_crt="${domain_cert_path}/server.crt"
 server_crt_ca_pem="${domain_cert_path}/server.crt.ca.pem"
 server_key_crt_ca_pem="${domain_cert_path}/server.key.crt.ca.pem"
 combined_pem="${domain_cert_path}/combined.pem"
-combined_pem_sha256="${combined_pem}.sha256"
 combined_pub="${domain_cert_path}/combined.pub"
-combined_pub_sha256="${combined_pub}.sha256"
 dhparams_pem="${cert_base}/dhparams.pem"
 # use git latest or release version of getssl
 getssl_version="release"
@@ -281,32 +279,10 @@ if [[ ${org_mtime} -ne ${new_mtime} && "${org_chksum}" != "${new_chksum}" ]]; th
         fi
     done
     if [ -n "${migrid_subservices}" ]; then
-        pem_sha256_fp=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
-        pem_sha256_fp=${pem_sha256_fp/* Fingerprint=/}
-        echo "Please manually update ftps/davs sha256 fingerprint in MiGserver.conf to:"
-        echo "${pem_sha256_fp}"
-        echo "or point those configuration values to the latest fingerprint file with:"
-        echo "FILE::${combined_pem_sha256}"
-        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
-        echo "${pem_sha256_fp}" > ${combined_pem_sha256}
-        pub_md5_fp=$(ssh-keygen -l -E md5 -f ${combined_pub})
-        pub_md5_fp=${pub_md5_fp/* MD5:/}
-        pub_md5_fp=${pub_md5_fp/ */}
-        echo "Please verify that sftp md5 fingerprint in MiGserver.conf is:"
-        echo "${pub_md5_fp}"
-        echo "or point that configuration value to the latest fingerprint file with:"
-        echo "FILE::${combined_pub_md5}"
-        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
-        echo "${pub_md5_fp}" > ${combined_pub_md5}
-        pub_sha256_fp=$(ssh-keygen -l -f ${combined_pub})
-        pub_sha256_fp=${pub_sha256_fp/* SHA256:/}
-        pub_sha256_fp=${pub_sha256_fp/ */}
-        echo "Please verify that sftp sha256 fingerprint in MiGserver.conf is:"
-        echo "${pub_sha256_fp}"
-        echo "or point that configuration value to the latest fingerprint file with:"
-        echo "FILE::${combined_pub_sha256}"
-        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
-        echo "${pub_sha256_fp}" > ${combined_pub_sha256}
+        sha256_fingerprint=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
+        sha256_fingerprint=${sha256_fingerprint/SHA256 Fingerprint=/}
+        echo "Please update ftps and davs sha256 fingerprint in MiGserver.conf to:"
+        echo "${sha256_fingerprint}"
     fi
 fi