add support for administrators_authorized_keys to SetUserSSHPublicKeysPlugin

savchuk1985 · savchuk1985 · commit cc8575b20cfc · 2025-08-27T14:59:43.000+04:00
see https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement#administrative-user Change-Id: Ieabb720af9a85a9bed2eb15ea11ef621ef7e1042
diff --git a/cloudbaseinit/plugins/common/sshpublickeys.py b/cloudbaseinit/plugins/common/sshpublickeys.py
@@ -25,6 +25,10 @@
 CONF = cloudbaseinit_conf.CONF
 LOG = oslo_logging.getLogger(__name__)
 
+# The default Win32-OpenSSH config assumes that the built-in Administrators
+# group with SID S-1-5-32-544 does not have an internationalized name.
+ADMINISTRATORS = "Administrators"
+
 
 class SetUserSSHPublicKeysPlugin(base.BasePlugin):
 
@@ -49,10 +53,31 @@ def execute(self, service, shared_data):
             os.makedirs(user_ssh_dir)
 
         authorized_keys_path = os.path.join(user_ssh_dir, "authorized_keys")
-        LOG.info("Writing SSH public keys in: %s" % authorized_keys_path)
-        with open(authorized_keys_path, 'w') as f:
-            for public_key in public_keys:
-                # All public keys are space-stripped.
-                f.write(public_key + "\n")
+        authorized_keys_files = [authorized_keys_path]
+
+        admin_membership_conditions = (
+            osutils.group_exists(ADMINISTRATORS),
+            ADMINISTRATORS in CONF.groups
+        )
+
+        if all(admin_membership_conditions):
+            program_data_dir = os.getenv("PROGRAMDATA", "C:\ProgramData")
+            LOG.debug("Program Data: %s" % program_data_dir)
+
+            program_data_ssh_dir = os.path.join(program_data_dir, "ssh")
+            if not os.path.exists(program_data_ssh_dir):
+                os.makedirs(program_data_ssh_dir)
+
+            administrators_authorized_keys_path = os.path.join(
+                program_data_ssh_dir, "administrators_authorized_keys"
+            )
+            authorized_keys_files.append(administrators_authorized_keys_path)
+
+        for filepath in authorized_keys_files:
+            LOG.info("Writing SSH public keys in: %s" % filepath)
+            with open(filepath, 'w') as f:
+                for public_key in public_keys:
+                    # All public keys are space-stripped.
+                    f.write(public_key + "\n")
 
         return base.PLUGIN_EXECUTION_DONE, False
