ucphhpc · jonasbardino · Apr 9, 2026 · Apr 9, 2026
diff --git a/mig/server/grid_openid.py b/mig/server/grid_openid.py
@@ -1,10 +1,10 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 #
 # --- BEGIN_HEADER ---
 #
 # grid_openid - openid server authenticating users against user database
-# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2026  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #
@@ -20,7 +20,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
+# USA.
 #
 # -- END_HEADER ---
 #
@@ -115,7 +116,7 @@
    from mig.shared.tlsserver import hardened_ssl_context
    from mig.shared.url import urlparse, urlencode, check_local_site_url, \
        parse_qsl
    from mig.shared.useradm import get_openid_user_dn, check_password_scramble, \
        check_hash
    from mig.shared.userdb import default_db_path
    from mig.shared.validstring import possible_user_id
@@ -129,12 +130,12 @@
 cert_field_map.update({'role': 'ROLE', 'timezone': 'TZ', 'nickname': 'NICK',
                       'fullname': 'CN', 'o': 'O', 'ou': 'OU'})
 cert_field_names = list(cert_field_map)
 cert_field_values = list(cert_field_map.values())
 cert_field_aliases = {}

 # NOTE: response may contain password on the form
 # (<Symbol Bare namespace>, 'password'): 'S3cr3tP4ssw0rd'
 pw_pattern = "\(<Symbol Bare namespace>, 'password'\): '(.+)'"
 pw_regexp = re.compile(pw_pattern)


@@ -157,7 +158,7 @@
 def valid_cert_fields(arg):
    """Make sure only valid cert field names are allowed"""
    valid_job_id(arg, extra_chars=',')
    if [i for i in arg.split(',') if not i in cert_field_names]:
        invalid_argument(arg)


@@ -302,7 +303,7 @@

        # Add our own SReg fields to list of valid fields from sreg 1.1 spec
        for (key, val) in cert_field_map.items():
            if not key in sreg.data_fields:
                sreg.data_fields[key] = key.replace('_', ' ').title()
        # print "DEBUG: sreg fields: %s" % sreg.data_fields
        for name in cert_field_names:
@@ -413,12 +414,12 @@
    def clearUser(self):
        """Reset all saved user variables"""
        self.user = None
        self.user_dn = None
        self.user_dn_dir = None
        self.password = None
        self.login_expire = None

    def do_GET(self):
        """Handle all HTTP GET requests"""
        # Make sure key is always available for exception handler
        key = 'UNSET'
@@ -441,7 +442,7 @@
            # Resolve retry url, strip password and err

            retry_query = {key: val for (key, val) in self.query.items()
                           if not key in ['password', 'err']}
            self.retry_url = "%s?%s" \
                % (self.parsed_uri[2], urlencode(retry_query))

@@ -506,7 +507,7 @@
 </p>""" % (configuration.support_email, error_ref)
            self.showErrorPage(err_msg, error_code=500)

    def do_POST(self):
        """Handle all HTTP POST requests"""
        try:
            # NOTE: force native string even if socketserver provides bytes
@@ -633,7 +634,7 @@
        # Old IE 8 does not send contents of submit buttons thus only the
        # fields login_as and password are set with the allow requests. We
        # manually add a yes here if so to avoid the else case.
        if not 'yes' in query and not 'no' in query:
            query['yes'] = 'yes'

        if 'yes' in query:
@@ -1267,7 +1268,7 @@
            </fieldset>
            </form>
            <p>
            <a href="%(sid_url)s/cgi-sid/reqpwreset.py?show=migoid">Forgot your password?
            </a>
            </p>
            </div>
@@ -1303,7 +1304,7 @@
              <input type="checkbox" id="remember" name="remember" value="yes"
                  /><label for="remember">Remember this
                  decision</label><br />
              Password: <input type="password" name="password" autofocus /><br />
              <input type="submit" name="yes" value="yes" />
              <input type="submit" name="no" value="no" />
            </form>
@@ -1472,7 +1473,7 @@

        <p>The URL for this server is
        <a href=%s><span class="verbatim">%s</span></a>.</p>
        ''' % (user_message, quoteattr(self.server.base_url), self.server.base_url))

    def showLoginPage(self, success_to, fail_to, query):
        """Login page provider"""
@@ -1711,42 +1712,15 @@
     address = configuration.user_openid_address
     port = configuration.user_openid_port
     session_store = configuration.openid_store
-    default_host_key = """
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA404IBMReHOdvhhJ5YtgquY3DNi0v0QwfPUk+EcH/CxFW8UCC
-SUJe85up6lEQmOE9yKvrh+3yJgIjdV/ASOw9bd/u0NgNoPwl6A6P8GzHp94vz7UP
-nTp+PEUbA8gwqXnzzdeuF3dLDSXuGHdcv8qQEVRBwj/haecO0fgZcfd4fmLDAG53
-e/Vwc4lVIp4xx+OQowm9RW3nsAZge1DUoxlStD1/rEzBq1DvVx1Wu8pWS48f2ABH
-fHt2Z4ozypMB+a4B56jervcZCNkV/fN2bdGZ8z07hNbn/EkaH2tPw/d62zdHddum
-u7Pi0tYwMZz9GN3t18r9qi5ldUJuJNeNvNc7swIBIwKCAQBuZ7rAfKK9lPunhVDm
-3gYfnKClSSXakNv5MjQXQPg4k2S+UohsudZZERgEGL7rK5MJspb44Um6sJThPSLh
-l1EJe2VeH8wa/iEKUDdI5GD5w7DSmcXBZY3FgKa4sbE8X84wx9g3SJIq9SqA6YTS
-LzAIasDasVA6wK9tTJ6lEczPq2VkxkzpKauDMgI6SpaBV+7Un3OM7VJEbWeaJVoZ
-9I/2AHfp1hDpIfmaYBCnn2Ky70PBGA8DqAnHUKiid2dfZr8jKLu287LaUHxzIZXz
-qSzS6Vg1K0kc5FrgTgrjaXAGNtMenXZdw2/7PMuBDaNuNUApFUlAP5LGvPQ9IRCt
-YggDAoGBAP7z3lm74yxrzSa7HRASO2v3vp7jsbaYl4jPCc+6UruBFJlmUUdIQ2fh
-8i2S1M5mAvZiJ/PKLQ3r6RXxWZOeh4Vw479HFCVHr5GstSfLolJ5svY8iWEoEGdN
-D8aQTQrVAJwAPbLbF4eH5lgSokjOZcWMKsekk4vX2WmCMKWCMms/AoGBAOQ9Fffg
-B8TMc1b+jTcj1Py5TiFsxIe3usYjn8Pgg8kpoGfdBoS/TxwoR0MbJdrPgXDKLlLn
-A4GG6/7lFmxagCAfUyR2wAsOwAugcaFwS3K4QHGPiv9cgKxt9xhuhhDqXGI2lgAu
-oJLcRYBvomPQ+3cGGgifclETTWgkzD5dNVaNAoGBAMStf6RPHPZhyiUxQk4581NK
-FrUWDMAPUFOYZqePvCo/AUMjC4AhzZlH5rVxRRRAEOnz8u9EMWKCycB4Wwt6S0mu
-25OOmoMorAKpzZO6WKYGHFeNyRBvXRx9Rq8e3FjQM6uLKEglW0tLlG/T3EbLG09A
-PkI9IV1AHL8bShlHLjV5AoGBAJyBqKn4tN64FJNsuJrWve8f+w+bCmuxL53PSPtY
-H9plr9IxKQqRz9jLKY0Z7hJiZ2NIz07KS4wEvxUvX9VFXyv4OQMPmaEur5LxrQD8
-i4HdbgS6M21GvqIfhN2NncJ00aJukr5L29JrKFgSCPP9BDRb9Jgy0gu1duhTv0C0
-8V/rAoGAEUheXHIqv9n+3oXLvHadC3aApiz1TcyttDM0AjZoSHpXoBB3AIpPdU8O
-0drRG9zJTyU/BC02FvsGAMo0ZpGQRVMuN1Jj7sHsPaUdV38P4G0EaSQJDNxwFKVN
-3stfzMDGtKM9lntAsfFQ8n4yvvEbn/quEWad6srf1yxt9B4t5JA=
------END RSA PRIVATE KEY-----
-"""
     try:
         host_key_fd = open(configuration.user_openid_key, 'r')
         host_rsa_key = host_key_fd.read()
         host_key_fd.close()
     except IOError:
-        logger.info("No valid host key provided - using default")
-        host_rsa_key = default_host_key
+        bail_msg = "No valid host key configured - bailing out!"
+        logger.error(bail_msg)
+        print(bail_msg)
+        sys.exit(1)
     configuration.daemon_conf = {
         'address': address,
         'port': port,

diff --git a/mig/server/grid_sftp.py b/mig/server/grid_sftp.py
@@ -1,10 +1,10 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 #
 # --- BEGIN_HEADER ---
 #
 # grid_sftp - SFTP server providing access to MiG user homes
-# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
+# Copyright (C) 2003-2026  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #
@@ -20,7 +20,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
+# USA.
 #
 # -- END_HEADER ---
 #
@@ -465,7 +466,7 @@
        #                  (repr(attr), [path]))
        return self.sftpserver._chattr(path, attr, self)

    @__gdp_log
    def read(self, offset, length):
        """Handle operations of same name"""
        path = getattr(self, "path", "unknown")
@@ -477,7 +478,7 @@
                              (length, offset, [path], exc))
            raise exc

    @__gdp_log
    @__workflow_history_log
    def write(self, offset, data):
        """Handle operations of same name"""
@@ -490,7 +491,7 @@
                              (len(data), offset, [path], exc))
            raise exc

    @__gdp_log
    def close(self):
        """Handle operations of same name"""
        return super(SFTPHandle, self).close()
@@ -1997,43 +1998,14 @@
     print(__doc__)
     address = configuration.user_sftp_address
     port = configuration.user_sftp_port
-    default_host_key = """
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA404IBMReHOdvhhJ5YtgquY3DNi0v0QwfPUk+EcH/CxFW8UCC
-SUJe85up6lEQmOE9yKvrh+3yJgIjdV/ASOw9bd/u0NgNoPwl6A6P8GzHp94vz7UP
-nTp+PEUbA8gwqXnzzdeuF3dLDSXuGHdcv8qQEVRBwj/haecO0fgZcfd4fmLDAG53
-e/Vwc4lVIp4xx+OQowm9RW3nsAZge1DUoxlStD1/rEzBq1DvVx1Wu8pWS48f2ABH
-fHt2Z4ozypMB+a4B56jervcZCNkV/fN2bdGZ8z07hNbn/EkaH2tPw/d62zdHddum
-u7Pi0tYwMZz9GN3t18r9qi5ldUJuJNeNvNc7swIBIwKCAQBuZ7rAfKK9lPunhVDm
-3gYfnKClSSXakNv5MjQXQPg4k2S+UohsudZZERgEGL7rK5MJspb44Um6sJThPSLh
-l1EJe2VeH8wa/iEKUDdI5GD5w7DSmcXBZY3FgKa4sbE8X84wx9g3SJIq9SqA6YTS
-LzAIasDasVA6wK9tTJ6lEczPq2VkxkzpKauDMgI6SpaBV+7Un3OM7VJEbWeaJVoZ
-9I/2AHfp1hDpIfmaYBCnn2Ky70PBGA8DqAnHUKiid2dfZr8jKLu287LaUHxzIZXz
-qSzS6Vg1K0kc5FrgTgrjaXAGNtMenXZdw2/7PMuBDaNuNUApFUlAP5LGvPQ9IRCt
-YggDAoGBAP7z3lm74yxrzSa7HRASO2v3vp7jsbaYl4jPCc+6UruBFJlmUUdIQ2fh
-8i2S1M5mAvZiJ/PKLQ3r6RXxWZOeh4Vw479HFCVHr5GstSfLolJ5svY8iWEoEGdN
-D8aQTQrVAJwAPbLbF4eH5lgSokjOZcWMKsekk4vX2WmCMKWCMms/AoGBAOQ9Fffg
-B8TMc1b+jTcj1Py5TiFsxIe3usYjn8Pgg8kpoGfdBoS/TxwoR0MbJdrPgXDKLlLn
-A4GG6/7lFmxagCAfUyR2wAsOwAugcaFwS3K4QHGPiv9cgKxt9xhuhhDqXGI2lgAu
-oJLcRYBvomPQ+3cGGgifclETTWgkzD5dNVaNAoGBAMStf6RPHPZhyiUxQk4581NK
-FrUWDMAPUFOYZqePvCo/AUMjC4AhzZlH5rVxRRRAEOnz8u9EMWKCycB4Wwt6S0mu
-25OOmoMorAKpzZO6WKYGHFeNyRBvXRx9Rq8e3FjQM6uLKEglW0tLlG/T3EbLG09A
-PkI9IV1AHL8bShlHLjV5AoGBAJyBqKn4tN64FJNsuJrWve8f+w+bCmuxL53PSPtY
-H9plr9IxKQqRz9jLKY0Z7hJiZ2NIz07KS4wEvxUvX9VFXyv4OQMPmaEur5LxrQD8
-i4HdbgS6M21GvqIfhN2NncJ00aJukr5L29JrKFgSCPP9BDRb9Jgy0gu1duhTv0C0
-8V/rAoGAEUheXHIqv9n+3oXLvHadC3aApiz1TcyttDM0AjZoSHpXoBB3AIpPdU8O
-0drRG9zJTyU/BC02FvsGAMo0ZpGQRVMuN1Jj7sHsPaUdV38P4G0EaSQJDNxwFKVN
-3stfzMDGtKM9lntAsfFQ8n4yvvEbn/quEWad6srf1yxt9B4t5JA=
------END RSA PRIVATE KEY-----
-"""
     # NOTE: read possibly combined key/cert and strip any non-key content
     # NOTE: paramiko.RSAKey expects '-----X RSA PRIVATE KEY-----'
     #       Newer versions of 'openssl rsa -in X.key -text' generate
     #       '-----X PRIVATE KEY-----'
-    header_marks = {'genric': '-----BEGIN PRIVATE KEY-----',
+    header_marks = {'generic': '-----BEGIN PRIVATE KEY-----',
                     'rsa': '-----BEGIN RSA PRIVATE KEY-----',
                     }
-    footer_marks = {'genric': '-----END PRIVATE KEY-----',
+    footer_marks = {'generic': '-----END PRIVATE KEY-----',
                     'rsa': '-----END RSA PRIVATE KEY-----',
                     }
     possible_rsa_key = read_file(configuration.user_sftp_key, logger)
@@ -2045,16 +2017,14 @@
             host_key = host_key.split(footer_mark, 1)[0]
     host_rsa_key = None
     if host_key:
-        host_rsa_key = "%s%s%s" \
-            % (header_marks['rsa'],
-               host_key,
-               footer_marks['rsa'])
+        host_rsa_key = "%s%s%s" % (header_marks['rsa'], host_key,
+                                   footer_marks['rsa'])
         logger.debug("Using host key: %s" % configuration.user_sftp_key)
     else:
-        info_msg = "No valid host key provided - using default"
-        logger.info(info_msg)
-        print(info_msg)
-        host_rsa_key = default_host_key
+        bail_msg = "No valid host key configured - bailing out!"
+        logger.error(bail_msg)
+        print(bail_msg)
+        sys.exit(1)
     # Validate host rsa key before starting server
     try:
         host_key_file = NativeStringIO(force_native_str(host_rsa_key))

diff --git a/mig/server/sftp.conf b/mig/server/sftp.conf