+def GenShadow(accounts, File):
+ F = None
+ try:
+ OldMask = os.umask(0077)
+ F = open(File + ".tdb.tmp", "w", 0600)
+ os.umask(OldMask)
+
+ i = 0
+ for a in accounts:
+ # If the account is locked, mark it as such in shadow
+ # See Debian Bug #308229 for why we set it to 1 instead of 0
+ if not a.pw_active(): ShadowExpire = '1'
+ elif 'shadowExpire' in a: ShadowExpire = str(a['shadowExpire'])
+ else: ShadowExpire = ''
+
+ values = []
+ values.append(a['uid'])
+ values.append(a.get_password())
+ for key in 'shadowLastChange', 'shadowMin', 'shadowMax', 'shadowWarning', 'shadowInactive':
+ if key in a: values.append(a[key])
+ else: values.append('')
+ values.append(ShadowExpire)
+ line = ':'.join(values)+':'
+ line = Sanitize(line) + "\n"
+ F.write("0%u %s" % (i, line))
+ F.write(".%s %s" % (a['uid'], line))
+ i = i + 1
+
+ # Oops, something unspeakable happened.
+ except:
+ Die(File, None, F)
+ raise
+ Done(File, None, F)
+
+# Generate the sudo passwd file
+def GenShadowSudo(accounts, File, untrusted, current_host):
+ F = None
+ try:
+ OldMask = os.umask(0077)
+ F = open(File + ".tmp", "w", 0600)
+ os.umask(OldMask)
+
+ for a in accounts:
+ Pass = '*'
+ if 'sudoPassword' in a:
+ for entry in a['sudoPassword']:
+ Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*-]+) ([^ ]+)$').match(entry)
+ if Match == None:
+ continue
+ uuid = Match.group(1)
+ status = Match.group(2)
+ hosts = Match.group(3)
+ cryptedpass = Match.group(4)
+
+ if status != 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', a['uid'], uuid, hosts, cryptedpass):
+ continue
+ for_all = hosts == "*"
+ for_this_host = current_host in hosts.split(',')
+ if not (for_all or for_this_host):
+ continue
+ # ignore * passwords for untrusted hosts, but copy host specific passwords
+ if for_all and untrusted:
+ continue
+ Pass = cryptedpass
+ if for_this_host: # this makes sure we take a per-host entry over the for-all entry
+ break
+ if len(Pass) > 50:
+ Pass = '*'
+
+ Line = "%s:%s" % (a['uid'], Pass)
+ Line = Sanitize(Line) + "\n"
+ F.write("%s" % (Line))
+
+ # Oops, something unspeakable happened.
+ except:
+ Die(File, F, None)
+ raise
+ Done(File, F, None)
+
+# Generate the sudo passwd file
+def GenSSHGitolite(accounts, hosts, File, sshcommand=None, current_host=None):
+ F = None
+ if sshcommand is None:
+ sshcommand = GitoliteSSHCommand
+ try:
+ OldMask = os.umask(0022)
+ F = open(File + ".tmp", "w", 0600)
+ os.umask(OldMask)
+
+ if not GitoliteSSHRestrictions is None and GitoliteSSHRestrictions != "":
+ for a in accounts:
+ if not 'sshRSAAuthKey' in a: continue
+
+ User = a['uid']
+ prefix = GitoliteSSHRestrictions
+ prefix = prefix.replace('@@COMMAND@@', sshcommand)
+ prefix = prefix.replace('@@USER@@', User)
+ for I in a["sshRSAAuthKey"]:
+ if I.startswith("allowed_hosts=") and ' ' in line:
+ if current_host is None:
+ continue
+ machines, I = I.split('=', 1)[1].split(' ', 1)
+ if current_host not in machines.split(','):
+ continue # skip this key
+
+ if I.startswith('ssh-'):
+ line = "%s %s"%(prefix, I)
+ else:
+ continue # do not allow keys with other restrictions that might conflict
+ line = Sanitize(line) + "\n"
+ F.write(line)
+
+ for dn, attrs in hosts:
+ if not 'sshRSAHostKey' in attrs: continue
+ hostname = "host-" + attrs['hostname'][0]
+ prefix = GitoliteSSHRestrictions
+ prefix = prefix.replace('@@COMMAND@@', sshcommand)
+ prefix = prefix.replace('@@USER@@', hostname)
+ for I in attrs["sshRSAHostKey"]:
+ line = "%s %s"%(prefix, I)
+ line = Sanitize(line) + "\n"
+ F.write(line)
+
+ # Oops, something unspeakable happened.
+ except:
+ Die(File, F, None)
+ raise
+ Done(File, F, None)