authorColin Guthrie <colin@mageia.org>2015-01-18 11:45:52 +0000
committerColin Guthrie <colin@mageia.org>2015-01-18 13:08:55 +0000
commitad1e131043f2f3d013378b138e4ec1819ff1ad66 (patch)
treea458b573eb185f43ecec21092c20e8351edf61be /modules/openssh/templates
parenta9eb10b75fad1a3051bc1e050fcfba0ffbd008cf (diff)
openssh: Use temp file when writing keys from LDAP.
This helps avoid a race condition in which a new SSH connection from that user comes in before the file has been fully written. This isn't really a problem in practice, but we may as well do it.
Diffstat (limited to 'modules/openssh/templates')
-rwxr-xr-xmodules/openssh/templates/ldap-sshkey2file.py19
1 files changed, 12 insertions, 7 deletions
diff --git a/modules/openssh/templates/ldap-sshkey2file.py b/modules/openssh/templates/ldap-sshkey2file.py
index e393e29b..36e5658d 100755
--- a/modules/openssh/templates/ldap-sshkey2file.py
+++ b/modules/openssh/templates/ldap-sshkey2file.py
@@ -4,6 +4,7 @@ import sys
import os
import random
import shutil
+import tempfile
try:
import ldap
@@ -57,20 +58,24 @@ def write_keys(keys, user, uid, gid):
os.chown(os.path.join(root, d), uid, gid)
for f in files:
os.chown(os.path.join(root, f), uid, gid)
+
try:
os.makedirs("%s/%s/.ssh" % (keypathprefix,user), 0700)
except:
pass
- keyfile = "%s/%s/.ssh/authorized_keys" % (keypathprefix,user)
- f = open(keyfile, 'w')
- for key in keys:
- f.write(key.strip() + "\n")
- f.close()
- os.chmod(keyfile, 0600)
- os.chown(keyfile, uid, gid)
os.chmod("%s/%s/.ssh" % (keypathprefix,user), 0700)
os.chown("%s/%s/.ssh" % (keypathprefix,user), uid, gid)
+ (fd, tmpname) = tempfile.mkstemp('', 'ldap-sshkey2file-')
+ for key in keys:
+ os.write(fd, key.strip() + "\n")
+ os.close(fd)
+ os.chmod(tmpname, 0600)
+ os.chown(tmpname, uid, gid)
+ keyfile = "%s/%s/.ssh/authorized_keys" % (keypathprefix,user)
+ shutil.move(tmpname, keyfile)
+
+
if len(sys.argv) != 1:
usage()
sys.exit(1)
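Review bot: The temp file is created in the default temp directory (no `dir` argument on the `tempfile.mkstemp` line), so whenever that directory is on a different filesystem from `keypathprefix`, `shutil.move` falls back to copy-and-unlink, which rewrites `authorized_keys` in place — the very non-atomic window this commit sets out to close — and the copied file ends up owned by the running process rather than the `uid`/`gid` just applied to `tmpname`. Creating the temp file inside the target `.ssh` directory and renaming it keeps the replacement atomic on POSIX: `(fd, tmpname) = tempfile.mkstemp('', 'ldap-sshkey2file-', dir="%s/%s/.ssh" % (keypathprefix,user))` and `os.rename(tmpname, keyfile)`. If anything between `mkstemp` and the rename raises, `tmpname` is left behind; a `try`/`finally` that unlinks it on failure would avoid accumulating stale temp files. The enclosing `write_keys` function starts before this hunk.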