X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=1eb42c1bb061de8cc7211298973cde4ffbce1506;hb=f2981c64295da12a8b67fb20380e7391c1979e7d;hp=8d799591b427fafbf29645d17b1aca6ab7876c77;hpb=f2d431dee2f52f071afa1fd00d4e4589b1f5899e;p=mirror%2Fuserdir-ldap.git
diff --git a/ud-mailgate b/ud-mailgate
index 8d79959..1eb42c1 100755
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -36,7 +36,6 @@
 mailRHSBL = {}
 mailWhitelist = {}
 SeenList = {}
 DNS = {}
-SudoPasswd = {}
 ValidHostNames = [] # will be initialized in later
 SSHFingerprint = re.compile('^(\d+) ([0-9a-f\:]{47}) (.+)$')
@@ -324,10 +323,10 @@ def DoSSH(Str, Attrs, badkeys, uid):
 Match = SSHFingerprint.match(output)
 g = Match.groups()
- if int(g[0]) < 1024:
+ if int(g[0]) < 2048 and (typekey != "ed25519"):
 try: # Body
- Subst["__ERROR__"] = "SSH keysize %s is below limit 1024" % (g[0])
+ Subst["__ERROR__"] = "SSH keysize %s is below limit 2048" % (g[0])
 ErrReply = TemplateSubst(Subst,open(TemplatesDir+"admin-info","r").read())
 Child = os.popen("/usr/sbin/sendmail -t","w")
@@ -339,7 +338,7 @@ def DoSSH(Str, Attrs, badkeys, uid):
 sys.exit(EX_TEMPFAIL) # And now break and stop processing input, which sends a reply to the user.
- raise UDFormatError, "SSH keys must have at least 1024 bits, processing halted, NOTHING MODIFIED AT ALL"
+ raise UDFormatError, "SSH keys must have at least 2048 bits, processing halted, NOTHING MODIFIED AT ALL"
 elif g[1] in badkeys:
 try: # Body
@@ -490,8 +489,8 @@ def DoRBL(Str,Attrs):
 return "%s replaced with %s" % (Key,Host) # Handle a ConfirmSudoPassword request
-def DoConfirmSudopassword(Str):
- Match = re.compile('^confirm sudopassword ('+UUID_FORMAT+') ([a-z0-9.,*]+) ([0-9a-f]{40})$').match(Str)
+def DoConfirmSudopassword(Str, SudoPasswd):
+ Match = re.compile('^confirm sudopassword ('+UUID_FORMAT+') ([a-z0-9.,*-]+) ([0-9a-f]{40})$').match(Str)
 if Match == None: return None
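Review bot: The new floor in `if int(g[0]) < 2048 and (typekey != "ed25519"):` is repeated as a literal in the admin-info error string on the next changed line and again in the UDFormatError message of the `@@ -339,7` hunk; one module-level constant, e.g. `MIN_SSH_KEY_BITS = 2048`, used in all three places keeps the policy and its two messages from drifting apart the next time the limit is raised. `typekey` is not assigned anywhere in this hunk, so where it comes from (presumably parsed from the key earlier in DoSSH) should be confirmed, including what it holds when the key type is unrecognised. The numeric check now also rejects ECDSA keys, whose nominal sizes are 256 to 521 bits; if that is intended, a comment such as `# only ed25519 is exempt from the bit-length floor, so ECDSA keys are rejected by design` would record the decision. DoSSH begins and ends outside the hunk.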
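Review bot: The host-list character class `[a-z0-9.,*-]+` is now spelled out twice, in the DoConfirmSudopassword pattern here and in the FinishConfirmSudopassword pattern of the `@@ -520,7` hunk, so the two parsers can silently diverge the next time an allowed character is added; define it once next to UUID_FORMAT, e.g. `SUDO_HOSTS_FORMAT = '[a-z0-9.,*-]+'`, and build both patterns from it. Both patterns are also compiled on every call; hoisting them to module level the way SSHFingerprint already is would match the file's existing style. DoConfirmSudopassword continues in the next hunk.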
@@ -499,12 +498,10 @@ def DoConfirmSudopassword(Str):
 hosts = Match.group(2)
 hmac = Match.group(3)
- global SudoPasswd
 SudoPasswd[uuid] = (hosts, hmac)
 return "got confirm for sudo password %s on host(s) %s, auth code %s" % (uuid,hosts, hmac)
-def FinishConfirmSudopassword(l, uid, Attrs):
- global SudoPasswd
+def FinishConfirmSudopassword(l, uid, Attrs, SudoPasswd):
 result = "\n"
 if len(SudoPasswd) == 0:
@@ -520,7 +517,7 @@ def FinishConfirmSudopassword(l, uid, Attrs):
 newldap = []
 for entry in inldap:
- Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry)
+ Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*-]+) ([^ ]+)$').match(entry)
 if Match == None: raise UDFormatError, "Could not parse existing sudopasswd entry"
 uuid = Match.group(1)
@@ -582,6 +579,7 @@ def HandleChange(Reply,DnRecord,Key):
 Result = ""; Attrs = [];
+ SudoPasswd = {}
 Show = 0; CommitChanges = 1
 for Line in Lines:
@@ -599,7 +597,7 @@ def HandleChange(Reply,DnRecord,Key):
 badkeys = LoadBadSSH()
 Res = DoPosition(Line,Attrs) or DoDNS(Line,Attrs,DnRecord) or \
 DoArbChange(Line,Attrs) or DoSSH(Line,Attrs,badkeys,GetAttr(DnRecord,"uid")) or \
- DoDel(Line,Attrs) or DoRBL(Line,Attrs) or DoConfirmSudopassword(Line)
+ DoDel(Line,Attrs) or DoRBL(Line,Attrs) or DoConfirmSudopassword(Line, SudoPasswd)
 except: Res = None; Result = Result + "==> %s: %s\n" %(sys.exc_type,sys.exc_value);
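Review bot: `SudoPasswd[uuid] = (hosts, hmac)` silently replaces an earlier confirmation for the same uuid when one message carries two `confirm sudopassword` lines, so only the last hosts/auth-code pair reaches FinishConfirmSudopassword and the reply gives no hint of the override; rejecting the duplicate, `if uuid in SudoPasswd: raise UDFormatError, "duplicate confirm for sudo password %s" % (uuid)`, or at least naming the override in the returned string, would make the outcome visible. Both functions now take SudoPasswd as a parameter but neither documents it; a docstring on FinishConfirmSudopassword stating that SudoPasswd maps each uuid to the (hosts, hmac) tuple collected by DoConfirmSudopassword for the current message would help the next reader. With the caller in HandleChange now guarding on `len(SudoPasswd) > 0`, the `if len(SudoPasswd) == 0:` early exit here is redundant, though harmless. DoConfirmSudopassword starts in the previous hunk and FinishConfirmSudopassword continues past this one.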
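Review bot: The bare `except:` around the Do* chain catches SystemExit as well, so the `sys.exit(EX_TEMPFAIL)` that DoSSH performs in the `@@ -339,7` hunk (reached, as far as the visible lines show, when the admin notification cannot be sent) is swallowed here, turned into a `==> SystemExit: ...` line in the reply, and the remaining lines keep being processed instead of the MTA seeing a temporary failure. Narrowing the handler to `except Exception:` keeps the per-line error reporting while letting SystemExit and KeyboardInterrupt propagate. The for loop and HandleChange continue outside the hunk.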
@@ -615,17 +613,16 @@ def HandleChange(Reply,DnRecord,Key):
 # Connect to the ldap server
 l = connect_to_ldap_and_check_if_locked(DnRecord)
- if CommitChanges == 1 and len(Attrs) > 0: # only if we are still good to go
+ if CommitChanges == 1 and len(SudoPasswd) > 0: # only if we are still good to go
 try:
- Res = FinishConfirmSudopassword(l, GetAttr(DnRecord,"uid"), Attrs)
+ Res = FinishConfirmSudopassword(l, GetAttr(DnRecord,"uid"), Attrs, SudoPasswd)
 if not Res is None: Result = Result + Res + "\n";
 except Error, e: CommitChanges = 0
 Result = Result + "FinishConfirmSudopassword raised an error (%s) - no changes committed\n"%(e);
- # Modify the record
- if CommitChanges == 1:
+ if CommitChanges == 1 and len(Attrs) > 0:
 Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn; l.modify_s(Dn,Attrs);
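Review bot: The new gate `if CommitChanges == 1 and len(Attrs) > 0:` drops the `# Modify the record` comment the old code had, and nothing now says why a message consisting only of `confirm sudopassword` lines is still expected to produce an LDAP modification; a comment such as `# Modify the record; FinishConfirmSudopassword is expected to have appended the sudoPassword changes to Attrs, so an empty Attrs means nothing to commit` would make that dependency explicit, with the Attrs-appending behaviour confirmed against FinishConfirmSudopassword, which lies outside this hunk. The `except Error, e:` handler only clears CommitChanges for Error; a UDFormatError from FinishConfirmSudopassword (the unparsable-entry case in the `@@ -520,7` hunk) escapes this block unless UDFormatError derives from Error, which the page does not show, so either catching both or confirming the hierarchy is worth a look. HandleChange continues beyond the hunk.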