X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=427a024a7493fa83661870473690dc3d1d3ba8e4;hb=e13094c6dcebe4f8fec69963212942d49d3e2ac2;hp=7edb3fd33b074752581d7f1b480c700babae4cb4;hpb=7a692d8d2ba0aec4d991f8a2e2db8f332090f460;p=mirror%2Fuserdir-ldap.git diff --git a/ud-mailgate b/ud-mailgate index 7edb3fd..427a024 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -11,6 +11,7 @@ import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os, commands import pwd, tempfile import subprocess import email, email.parser +import binascii from userdir_gpg import * from userdir_ldap import * @@ -322,31 +323,19 @@ def DoSSH(Str, Attrs, badkeys, uid): Match = SSHFingerprint.match(output) g = Match.groups() + key_size = g[0] + fingerprint = g[1] - if typekey == "ssh-rsa": - key_size_ok = (g[0]) >= 2048) + if typekey == "rsa": + key_size_ok = (int(key_size) >= 2048) elif typekey == "ed25519": key_size_ok = True else: key_size_ok = False if not key_size_ok: - try: - # Body - Subst["__ERROR__"] = "SSH key fails formal criteria. We only accept RSA keys (>= 2048 bits) or ed25519 keys." % (g[0]) - ErrReply = TemplateSubst(Subst,open(TemplatesDir+"admin-info","r").read()) - - Child = os.popen("/usr/sbin/sendmail -t","w") - Child.write(ErrReplyHead) - Child.write(ErrReply) - if Child.close() != None: - raise UDExecuteError, "Sendmail gave a non-zero return code" - except: - sys.exit(EX_TEMPFAIL) - - # And now break and stop processing input, which sends a reply to the user. - raise UDFormatError, "SSH key fails formal criteria, NOTHING MODIFIED AT ALL" - elif g[1] in badkeys: + return "SSH key fails formal criteria, not added. We only accept RSA keys (>= 2048 bits) or ed25519 keys." + elif fingerprint in badkeys: try: # Body Subst["__ERROR__"] = "SSH key with fingerprint %s known as bad key" % (g[1]) @@ -366,11 +355,11 @@ def DoSSH(Str, Attrs, badkeys, uid): global SeenKey; if SeenKey: Attrs.append((ldap.MOD_ADD,"sshRSAAuthKey",Str)); - return "SSH Key added "+FormatSSHAuth(Str); + return "SSH Key added: %s %s [%s]"%(key_size, fingerprint, FormatSSHAuth(Str)) Attrs.append((ldap.MOD_REPLACE,"sshRSAAuthKey",Str)); SeenKey = 1; - return "SSH Keys replaced with "+FormatSSHAuth(Str); + return "SSH Keys replaced with: %s %s [%s]"%(key_size, fingerprint, FormatSSHAuth(Str)) # Handle changing a dns entry # host IN A 12.12.12.12 @@ -699,6 +688,28 @@ def HandleChPass(Reply,DnRecord,Key): return Reply; +def HandleChTOTPSeed(Reply, DnRecord, Key): + # Generate a random seed + seed = binascii.hexlify(open("/dev/urandom", "r").read(32)) + msg = GPGEncrypt("Your new TOTP seed is '%s'\n" % (seed,), "0x"+Key[1],Key[4]); + + if msg is None: + raise UDFormatError, "Unable to generate the encrypted reply, gpg failed."; + + Subst = {}; + Subst["__FROM__"] = ChPassFrom + Subst["__EMAIL__"] = EmailAddress(DnRecord) + Subst["__PASSWORD__"] = msg + Subst["__ADMIN__"] = ReplyTo + Reply = Reply + TemplateSubst(Subst, open(TemplatesDir+"totp-seed-changed", "r").read()) + + l = connect_to_ldap_and_check_if_locked(DnRecord) + # Modify the password + Rec = [(ldap.MOD_REPLACE, "totpSeed", seed)] + Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn + l.modify_s(Dn,Rec) + return Reply; + def HandleChKrbPass(Reply,DnRecord,Key): # Connect to the ldap server, will throw an exception if account locked. l = connect_to_ldap_and_check_if_locked(DnRecord) @@ -826,6 +837,8 @@ try: Reply = HandleChPass(Reply,Attrs[0],pgp.key_info); elif PlainText.strip().find("Please change my Kerberos password") >= 0: Reply = HandleChKrbPass(Reply,Attrs[0],pgp.key_info); + elif PlainText.strip().find("Please change my TOTP seed") >= 0: + Reply = HandleChTOTPSeed(Reply, Attrs[0], pgp.key_info) else: raise UDFormatError,"Please send a signed message where the first line of text is the string 'Please change my Debian password' or some other string we accept here."; elif sys.argv[1] == "change":