authorColin Guthrie <colin@mageia.org>2015-01-18 12:50:51 +0000
committerColin Guthrie <colin@mageia.org>2015-01-18 13:15:52 +0000
commitd5148ffbb0514c37893002e4988c5f7f379586bf (patch)
tree3c5929601cee06e36ce73223e4d2b10725dfb43d
parentad1e131043f2f3d013378b138e4ec1819ff1ad66 (diff)
openssh: Only write authorized_keys file when it's different
This saves disk churn and will eventually allow us to take further action when keys actually change.
-rwxr-xr-xmodules/openssh/templates/ldap-sshkey2file.py27
1 files changed, 20 insertions, 7 deletions
diff --git a/modules/openssh/templates/ldap-sshkey2file.py b/modules/openssh/templates/ldap-sshkey2file.py
index 36e5658d..4a547b5e 100755
--- a/modules/openssh/templates/ldap-sshkey2file.py
+++ b/modules/openssh/templates/ldap-sshkey2file.py
@@ -66,14 +66,27 @@ def write_keys(keys, user, uid, gid):
os.chmod("%s/%s/.ssh" % (keypathprefix,user), 0700)
os.chown("%s/%s/.ssh" % (keypathprefix,user), uid, gid)
- (fd, tmpname) = tempfile.mkstemp('', 'ldap-sshkey2file-')
- for key in keys:
- os.write(fd, key.strip() + "\n")
- os.close(fd)
- os.chmod(tmpname, 0600)
- os.chown(tmpname, uid, gid)
keyfile = "%s/%s/.ssh/authorized_keys" % (keypathprefix,user)
- shutil.move(tmpname, keyfile)
+
+ fromldap = ''
+ for key in keys:
+ fromldap += key.strip() + "\n"
+
+ fromfile = ''
+ try:
+ f = open(keyfile, 'r')
+ fromfile = f.read()
+ f.close()
+ except:
+ pass
+
+ if fromldap != fromfile:
+ (fd, tmpname) = tempfile.mkstemp('', 'ldap-sshkey2file-')
+ os.write(fd, fromldap);
+ f.close()
+ os.chmod(tmpname, 0600)
+ os.chown(tmpname, uid, gid)
+ shutil.move(tmpname, keyfile)
if len(sys.argv) != 1:
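Review bot: In the new write branch, `f.close()` after `os.write(fd, fromldap);` closes the wrong handle, so the descriptor returned by `tempfile.mkstemp` is never closed; it should be `os.close(fd)`. When authorized_keys does not exist yet, the earlier `open(keyfile, 'r')` fails, `f` is never bound, and the call raises before the chmod/chown/move lines run, so a new user would get no key file at all. The bare `except: pass` around the read also hides permission and I/O errors; `except IOError:` would limit it to the missing or unreadable file case. Because `os.chmod` and `os.chown` now run only when the content differs, a file with the right keys but the wrong mode or owner is no longer corrected on each run, so consider reasserting both on `keyfile` unconditionally. The body of write_keys starts before this hunk.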