X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=427a024a7493fa83661870473690dc3d1d3ba8e4;hb=e13094c6dcebe4f8fec69963212942d49d3e2ac2;hp=6f9b20cfc5fb2bb7e8b1f810b0cbeda88f295653;hpb=f22595d6909859cae31bb8a33ad24b50e74cb89a;p=mirror%2Fuserdir-ldap.git diff --git a/ud-mailgate b/ud-mailgate index 6f9b20c..427a024 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -11,6 +11,7 @@ import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os, commands import pwd, tempfile import subprocess import email, email.parser +import binascii from userdir_gpg import * from userdir_ldap import * @@ -322,24 +323,19 @@ def DoSSH(Str, Attrs, badkeys, uid): Match = SSHFingerprint.match(output) g = Match.groups() + key_size = g[0] + fingerprint = g[1] - if int(g[0]) < 1024: - try: - # Body - Subst["__ERROR__"] = "SSH keysize %s is below limit 1024" % (g[0]) - ErrReply = TemplateSubst(Subst,open(TemplatesDir+"admin-info","r").read()) - - Child = os.popen("/usr/sbin/sendmail -t","w") - Child.write(ErrReplyHead) - Child.write(ErrReply) - if Child.close() != None: - raise UDExecuteError, "Sendmail gave a non-zero return code" - except: - sys.exit(EX_TEMPFAIL) + if typekey == "rsa": + key_size_ok = (int(key_size) >= 2048) + elif typekey == "ed25519": + key_size_ok = True + else: + key_size_ok = False - # And now break and stop processing input, which sends a reply to the user. - raise UDFormatError, "SSH keys must have at least 1024 bits, processing halted, NOTHING MODIFIED AT ALL" - elif g[1] in badkeys: + if not key_size_ok: + return "SSH key fails formal criteria, not added. We only accept RSA keys (>= 2048 bits) or ed25519 keys." + elif fingerprint in badkeys: try: # Body Subst["__ERROR__"] = "SSH key with fingerprint %s known as bad key" % (g[1]) @@ -356,17 +352,14 @@ def DoSSH(Str, Attrs, badkeys, uid): # And now break and stop processing input, which sends a reply to the user. raise UDFormatError, "Submitted SSH Key known to be bad and insecure, processing halted, NOTHING MODIFIED AT ALL" - if (typekey == "dss"): - return "DSA keys not accepted anymore" - global SeenKey; if SeenKey: Attrs.append((ldap.MOD_ADD,"sshRSAAuthKey",Str)); - return "SSH Key added "+FormatSSHAuth(Str); - + return "SSH Key added: %s %s [%s]"%(key_size, fingerprint, FormatSSHAuth(Str)) + Attrs.append((ldap.MOD_REPLACE,"sshRSAAuthKey",Str)); SeenKey = 1; - return "SSH Keys replaced with "+FormatSSHAuth(Str); + return "SSH Keys replaced with: %s %s [%s]"%(key_size, fingerprint, FormatSSHAuth(Str)) # Handle changing a dns entry # host IN A 12.12.12.12 @@ -695,6 +688,28 @@ def HandleChPass(Reply,DnRecord,Key): return Reply; +def HandleChTOTPSeed(Reply, DnRecord, Key): + # Generate a random seed + seed = binascii.hexlify(open("/dev/urandom", "r").read(32)) + msg = GPGEncrypt("Your new TOTP seed is '%s'\n" % (seed,), "0x"+Key[1],Key[4]); + + if msg is None: + raise UDFormatError, "Unable to generate the encrypted reply, gpg failed."; + + Subst = {}; + Subst["__FROM__"] = ChPassFrom + Subst["__EMAIL__"] = EmailAddress(DnRecord) + Subst["__PASSWORD__"] = msg + Subst["__ADMIN__"] = ReplyTo + Reply = Reply + TemplateSubst(Subst, open(TemplatesDir+"totp-seed-changed", "r").read()) + + l = connect_to_ldap_and_check_if_locked(DnRecord) + # Modify the password + Rec = [(ldap.MOD_REPLACE, "totpSeed", seed)] + Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn + l.modify_s(Dn,Rec) + return Reply; + def HandleChKrbPass(Reply,DnRecord,Key): # Connect to the ldap server, will throw an exception if account locked. l = connect_to_ldap_and_check_if_locked(DnRecord) @@ -822,6 +837,8 @@ try: Reply = HandleChPass(Reply,Attrs[0],pgp.key_info); elif PlainText.strip().find("Please change my Kerberos password") >= 0: Reply = HandleChKrbPass(Reply,Attrs[0],pgp.key_info); + elif PlainText.strip().find("Please change my TOTP seed") >= 0: + Reply = HandleChTOTPSeed(Reply, Attrs[0], pgp.key_info) else: raise UDFormatError,"Please send a signed message where the first line of text is the string 'Please change my Debian password' or some other string we accept here."; elif sys.argv[1] == "change":