@@ -86,12 +86,50 @@ fn-adduser() {
8686 esac
8787}
8888
89+ fn-verify-file () {
90+ declare desc=" Test that public key is valid"
91+ declare file=" $1 "
92+ local has_errors=false
93+
94+ local key line=0
95+ local TMP_KEY_FILE
96+ TMP_KEY_FILE=$( mktemp " /tmp/dokku-${DOKKU_PID} -${FUNCNAME[0]} .XXXXXX" )
97+ # shellcheck disable=SC2064
98+ trap " rm -rf '$TMP_KEY_FILE ' >/dev/null" RETURN INT TERM EXIT
99+
100+ SSHCOMMAND_IGNORE_LIST_WARNINGS=" ${SSHCOMMAND_IGNORE_LIST_WARNINGS:- false} "
101+ while read -r key; do
102+ line=$(( line + 1 ))
103+ [[ -z " $key " ]] && continue
104+ [[ " $key " =~ ^# .*$ ]] && continue
105+
106+ echo " $key " > " $TMP_KEY_FILE "
107+ if ! ssh-keygen -lf " $TMP_KEY_FILE " & > /dev/null; then
108+ has_errors=true
109+ if [[ " $SSHCOMMAND_IGNORE_LIST_WARNINGS " == " false" ]]; then
110+ log-warn " ${file} line $line failed ssh-keygen check."
111+ else
112+ log-warn " ${file} line $line failed ssh-keygen check, ignoring."
113+ fi
114+ fi
115+ done < " ${file} "
116+
117+ if [[ " $has_errors " == " true" ]]; then
118+ return 1
119+ fi
120+ }
121+
89122log-fail () {
90123 declare desc=" Log fail formatter"
91124 echo " $@ " 1>&2
92125 exit 1
93126}
94127
128+ log-warn () {
129+ declare desc=" Log warn formatter"
130+ echo " $@ " 1>&2
131+ }
132+
95133log-verbose () {
96134 declare desc=" Log verbose formatter"
97135 if [[ -n " $SSHCOMMAND_VERBOSE_OUTPUT " ]]; then
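Review bot: The `while read -r key; do` loop in fn-verify-file skips a final authorized_keys entry that has no trailing newline, so a malformed last key is never passed to ssh-keygen and the file still passes; use `while read -r key || [[ -n "$key" ]]; do` so the unterminated last line is checked as well (the `line` counter then stays correct for the warning message). The `trap "rm -rf '$TMP_KEY_FILE' >/dev/null" RETURN INT TERM EXIT` is installed from inside the function, and bash traps are not function-scoped, so it replaces any EXIT, INT or TERM handler the surrounding script may already have registered; whether such a handler exists is not visible here, but if it does, keeping only `RETURN` on this trap or chaining the cleanup into the existing handler avoids silently dropping it. `SSHCOMMAND_IGNORE_LIST_WARNINGS="${SSHCOMMAND_IGNORE_LIST_WARNINGS:-false}"` is assigned without `local`, so the function writes a default into global scope as a side effect; `local SSHCOMMAND_IGNORE_LIST_WARNINGS=...` keeps it contained, and the same defaulting is repeated verbatim in sshcommand-list in the second hunk, so one of the two copies is redundant. Finally, `echo "$key" > "$TMP_KEY_FILE"` would misbehave for a line beginning with `-n` or `-e`; `printf '%s\n' "$key" > "$TMP_KEY_FILE"` writes the line verbatim.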
@@ -209,6 +247,11 @@ sshcommand-list() {
209247 [[ -e " $userhome /.ssh/authorized_keys" ]] || log-fail " authorized_keys not found for $USER "
210248 [[ -s " $userhome /.ssh/authorized_keys" ]] || log-fail " authorized_keys is empty for $USER "
211249
250+ SSHCOMMAND_IGNORE_LIST_WARNINGS=" ${SSHCOMMAND_IGNORE_LIST_WARNINGS:- false} "
251+ if ! fn-verify-file " $userhome /.ssh/authorized_keys" && [[ " $SSHCOMMAND_IGNORE_LIST_WARNINGS " == " false" ]]; then
252+ return 1
253+ fi
254+
212255 if [[ -n " $OUTPUT_TYPE " ]] && [[ " $OUTPUT_TYPE " == " json" ]]; then
213256 data=$( sed --silent --regexp-extended \
214257 ' s/^command="FINGERPRINT=(\S+) NAME=(\\"|)(.*)\2 `.*",(\S+).*/{ "fingerprint": "\1", "name": "\3", "SSHCOMMAND_ALLOWED_KEYS": "\4" }/p' \