X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-generate;h=1a3d3f6a6727036ad91ec8fedde8ca6f24b2604b;hb=0539c19e661f05d992fdeb6e05ec9dcf99bb691d;hp=e9121790a2538af49b939d04ada63b14ec38040c;hpb=584812bff68677748e4a2f0b96a0690e9d0b2e89;p=mirror%2Fuserdir-ldap.git
diff --git a/ud-generate b/ud-generate
index e912179..1a3d3f6 100755
--- a/ud-generate
+++ b/ud-generate
@@ -203,7 +203,7 @@ def GenShadow(l,File):
 Done(File,None,F);
 # Generate the sudo passwd file
-def GenShadowSudo(l,File):
+def GenShadowSudo(l,File, untrusted):
 F = None;
 try:
 OldMask = os.umask(0077);
@@ -230,12 +230,15 @@ def GenShadowSudo(l,File):
 hosts = Match.group(3)
 cryptedpass = Match.group(4)
- if status != 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass):
+ if status != 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', x[1]['uid'][0], uuid, hosts, cryptedpass):
 continue
 for_all = hosts == "*"
 for_this_host = CurrentHost in hosts.split(',')
 if not (for_all or for_this_host):
 continue
+ # ignore * passwords for untrusted hosts, but copy host specific passwords
+ if for_all and untrusted:
+ continue
 Pass = cryptedpass
 if for_this_host: # this makes sure we take a per-host entry over the for-all entry
 break
@@ -1004,7 +1007,7 @@ while(1):
 userlist = GenPasswd(l,OutDir+"passwd",Split[1], "x");
 sys.stdout.flush();
 grouprevmap = GenGroup(l,OutDir+"group");
- GenShadowSudo(l, OutDir+"sudo-passwd")
+ GenShadowSudo(l, OutDir+"sudo-passwd", ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]"))
 # Now we know who we're allowing on the machine, export
 # the relevant ssh keys
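Review bot: The check `if status != 'confirmed:'+make_passwd_hmac(...)` now mixes `'sudo'` and the uid into the MAC input, so values confirmed under the old `make_sudopasswd_hmac` input will presumably stop matching and fall through to the silent `continue`. Nothing here reports the rejection, so an affected user simply loses the entry on the next run. A message on stderr naming `x[1]['uid'][0]` when `status` starts with `confirmed:` but the MAC differs would make both the migration fallout and a forged or replayed entry visible. The MAC is compared with `!=`; where the interpreter provides `hmac.compare_digest`, that is the preferred way to compare MAC strings. The loop and function body extend outside the hunk, so it cannot be confirmed from here that `uid` is always present on `x[1]`.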
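Review bot: The third argument passed to `GenShadowSudo` is true for `[NOPASSWD]` hosts as well as `[UNTRUSTED]` ones, but the parameter is named `untrusted` and neither the call nor the new signature documents that. Because another hunk of this commit declares `[UNTRUSTED]` obsolete, a later cleanup could drop the flag without noticing that `[NOPASSWD]` hosts rely on it to keep the `*` sudo password off the machine. A comment above the call such as `# [UNTRUSTED]/[NOPASSWD] hosts get only host-specific sudo passwords, never the "*" entry` would record the intent. The surrounding loop body starts and ends outside the hunk.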
@@ -1057,12 +1060,14 @@ while(1):
 os.path.join(OutDir, 'ssh-keys.tar.gz'))
 if ExtraList.has_key("[UNTRUSTED]"):
+ print "[UNTRUSTED] tag is obsolete and may be removed in the future."
 continue;
 if not ExtraList.has_key("[NOPASSWD]"):
 GenShadow(l,OutDir+"shadow");
 # Link in global things
- DoLink(GlobalDir,OutDir,"markers");
+ if not ExtraList.has_key("[NOMARKERS]"):
+ DoLink(GlobalDir,OutDir,"markers");
 DoLink(GlobalDir,OutDir,"mail-forward.cdb");
 DoLink(GlobalDir,OutDir,"mail-disable");
 DoLink(GlobalDir,OutDir,"mail-greylist");
@@ -1091,3 +1096,7 @@ while(1):
 for k in Keyrings:
 try: posix.remove(OutDir+os.path.basename(k));
 except: pass;
+
+# vim:set et:
+# vim:set ts=3:
+# vim:set shiftwidth=3:
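Review bot: The new message `print "[UNTRUSTED] tag is obsolete and may be removed in the future."` does not say which host carries the tag. It appears to run once per host inside the `while(1)` loop, so the operator cannot tell which entry to fix. Naming the host would help, for example `print "[UNTRUSTED] tag on %s is obsolete and may be removed in the future." % CurrentHost`, assuming `CurrentHost` (used in `GenShadowSudo`) is set for this iteration. The `continue` that follows is what currently keeps `shadow` and the global links off such a host. A comment there, such as `# [UNTRUSTED] hosts get no shadow file and no global links`, would guard against the tag handling being removed later and silently starting to export them. The loop body starts and ends outside the hunk.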