X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=63411303f2ae2b168a84a437a91543cdf65f1db3;hb=595923978a9ad55f4ec55b1aabef44683b111911;hp=cf82b56fe5be31a0dc1a4dc007e877e33ca5af10;hpb=7e02135e1259847ac592fc58a408452f2e9e41af;p=mirror%2Fuserdir-ldap.git

diff --git a/ud-mailgate b/ud-mailgate
index cf82b56..6341130 100755
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -1,9 +1,14 @@
 #!/usr/bin/env python
 # -*- mode: python -*-
-import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os;
-import pwd
-from userdir_gpg import *;
-from userdir_ldap import *;
+
+#   Prior copyright probably rmurray, troup, joey, jgg -- weasel 2008
+#   Copyright (c) 2008 Peter Palfrader <peter@palfrader.org>
+#   Copyright (c) 2008 Joerg Jaspert <joerg@debian.org>
+
+import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os, commands
+import pwd, tempfile
+from userdir_gpg import *
+from userdir_ldap import *
 
 # Error codes from /usr/include/sysexits.h
 ReplyTo = ConfModule.replyto;
@@ -11,6 +16,7 @@ PingFrom = ConfModule.pingfrom;
 ChPassFrom = ConfModule.chpassfrom;
 ChangeFrom = ConfModule.changefrom;
 ReplayCacheFile = ConfModule.replaycachefile;
+SSHFingerprintFile = ConfModule.fingerprintfile
 
 EX_TEMPFAIL = 75;
 EX_PERMFAIL = 65;      # EX_DATAERR
@@ -23,6 +29,9 @@ mailWhitelist = {}
 SeenList = {}
 DNS = {}
 
+SSHFingerprint = re.compile('^(\d+) ([0-9a-f\:]{47}) (.+)$')
+SSHRSA1Match = re.compile('^^(.* )?\d+ \d+ \d+')
+
 ArbChanges = {"c": "..",
 	      "l": ".*",
 	      "facsimileTelephoneNumber": ".*",
@@ -40,6 +49,7 @@ ArbChanges = {"c": "..",
               "mailDisableMessage": ".*",
 	      "mailGreylisting": "^(TRUE|FALSE)$",
 	      "mailCallout": "^(TRUE|FALSE)$",
+	      "VoIP": ".*",
 };
 
 DelItems = {"c": None,
@@ -67,6 +77,7 @@ DelItems = {"c": None,
             "mailRHSBL": None,
             "mailWhitelist": None,
             "mailDisableMessage": None,
+            "VoIP": None,
             };
 
 # Decode a GPS location from some common forms
@@ -212,16 +223,89 @@ def DoPosition(Str,Attrs):
    Attrs.append((ldap.MOD_REPLACE,"longitude",sLong));
    return "Position set to %s/%s (%s/%s decimal degrees)"%(sLat,sLong,Lat,Long);
 
+# Load bad ssh fingerprints
+def LoadBadSSH():
+   f = open(SSHFingerprintFile, "r")
+   bad = []
+   FingerprintLine = re.compile('^([0-9a-f\:]{47}).*$')
+   for line in f.readlines():
+      Match = FingerprintLine.match(line)
+      if Match is not None:
+         g = Match.groups()
+         bad.append(g[0])
+   return bad
+
 # Handle an SSH authentication key, the line format is:
 #  [options] 1024 35 13188913666680[..] [comment]
-def DoSSH(Str,Attrs):
+def DoSSH(Str, Attrs, badkeys, uid):
    Match = SSH2AuthSplit.match(Str);
    if Match == None:
-      Match = re.compile('^1024 (\d+) ').match(Str)
+      return None;
+   g = Match.groups()
+   typekey = g[1]
+   if Match == None:
+      Match = SSHRSA1Match.match(Str)
       if Match is not None:
-         return "SSH1 keys not supported anymore"
+         return "RSA1 keys not supported anymore"
       return None;
-   
+
+   (fd, path) = tempfile.mkstemp(".pub", "sshkeytry", "/tmp")
+   f = open(path, "w")
+   f.write("%s\n" % (Str))
+   f.close()
+   cmd = "/usr/bin/ssh-keygen -l -f %s < /dev/null" % (path)
+   (result, output) = commands.getstatusoutput(cmd)
+   os.remove(path)
+   if (result != 0):
+      raise Error, "ssh-keygen -l invocation failed!\n%s\n" % (output)
+
+
+   # Head
+   Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time()))
+   ErrReplyHead = "From: %s\nCc: %s\nReply-To: %s\nDate: %s\n" % (os.environ['SENDER'],os.environ['SENDER'],ReplyTo,Date)
+   Subst = {}
+   Subst["__ADMIN__"] = ReplyTo
+   Subst["__USER__"] = uid
+
+   Match = SSHFingerprint.match(output)
+   g = Match.groups()
+
+   if int(g[0]) < 1024:
+      try:
+         # Body
+         Subst["__ERROR__"] = "SSH keysize %s is below limit 1024" % (g[0])
+         ErrReply = TemplateSubst(Subst,open(TemplatesDir+"admin-info","r").read())
+
+         Child = os.popen("/usr/sbin/sendmail -t","w")
+         Child.write(ErrReplyHead)
+         Child.write(ErrReply)
+         if Child.close() != None:
+            raise Error, "Sendmail gave a non-zero return code"
+      except:
+         sys.exit(EX_TEMPFAIL)
+
+      # And now break and stop processing input, which sends a reply to the user.
+      raise Error, "SSH keys must have at least 1024 bits, processing halted, NOTHING MODIFIED AT ALL"
+   elif g[1] in badkeys:
+      try:
+         # Body
+         Subst["__ERROR__"] = "SSH key with fingerprint %s known as bad key" % (g[1])
+         ErrReply = TemplateSubst(Subst,open(TemplatesDir+"admin-info","r").read())
+
+         Child = os.popen("/usr/sbin/sendmail -t","w")
+         Child.write(ErrReplyHead)
+         Child.write(ErrReply)
+         if Child.close() != None:
+            raise Error, "Sendmail gave a non-zero return code"
+      except:
+         sys.exit(EX_TEMPFAIL)
+
+      # And now break and stop processing input, which sends a reply to the user.
+      raise Error, "Submitted SSH Key known to be bad and insecure, processing halted, NOTHING MODIFIED AT ALL"
+
+   if (typekey == "dss"):
+      return "DSA keys not accepted anymore"
+
    global SeenKey;
    if SeenKey:
      Attrs.append((ldap.MOD_ADD,"sshRSAAuthKey",Str));
@@ -232,17 +316,28 @@ def DoSSH(Str,Attrs):
    return "SSH Keys replaced with "+FormatSSHAuth(Str);
 
 # Handle changing a dns entry
-#  host in a 12.12.12.12
-#  host in cname foo.bar.    <- Trailing dot is required
+#  host IN A     12.12.12.12
+#  host IN AAAA  1234::5678
+#  host IN CNAME foo.bar.    <- Trailing dot is required
+#  host IN MX    foo.bar.    <- Trailing dot is required
 def DoDNS(Str,Attrs,DnRecord):
-   cname = re.match("^[-\w]+\s+in\s+cname\s+[-\w.]+\.$",Str,re.IGNORECASE);
-   if re.match('^[-\w]+\s+in\s+a\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$',\
-        Str,re.IGNORECASE) == None and cname == None and \
-      re.match("^[-\w]+\s+in\s+mx\s+\d{1,3}\s+[-\w.]+\.$",Str,re.IGNORECASE) == None:
-     return None;     
+   cnamerecord = re.match("^[-\w]+\s+IN\s+CNAME\s+([-\w.]+\.)$",Str,re.IGNORECASE)
+   arecord     = re.match('^[-\w]+\s+IN\s+A\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$',Str,re.IGNORECASE)
+   mxrecord    = re.match("^[-\w]+\s+IN\s+MX\s+(\d{1,3})\s+([-\w.]+\.)$",Str,re.IGNORECASE)
+   #aaaarecord  = re.match('^[-\w]+\s+IN\s+AAAA\s+((?:[0-9a-f]{1,4})(?::[0-9a-f]{1,4})*(?::(?:(?::[0-9a-f]{1,4})*|:))?)$',Str,re.IGNORECASE)
+   aaaarecord  = re.match('^[-\w]+\s+IN\s+AAAA\s+([A-F0-9:]{2,39})$',Str,re.IGNORECASE)
+
+   if cnamerecord == None and\
+      arecord == None and\
+      mxrecord == None and\
+      aaaarecord == None:
+     return None;
 
    # Check if the name is already taken
-   G = re.match('^([-\w+]+)\s',Str).groups();
+   G = re.match('^([-\w+]+)\s',Str)
+   if G == None:
+     raise Error, "Hostname not found although we already passed record syntax checks"
+   hostname = G.group(1)
 
    # Check for collisions
    global l;
@@ -250,7 +345,7 @@ def DoDNS(Str,Attrs,DnRecord):
    #  since we accept either.  It'd probably be better to parse the
    #  incoming string in order to construct what we feed LDAP rather
    #  than just passing it through as is.]
-   filter = "(|(dnsZoneEntry=%s	*)(dnsZoneEntry=%s *))" % (G[0], G[0])
+   filter = "(|(dnsZoneEntry=%s	*)(dnsZoneEntry=%s *))" % (hostname, hostname)
    Rec = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,filter,["uid"]);
    for x in Rec:
       if GetAttr(x,"uid") != GetAttr(DnRecord,"uid"):
@@ -259,24 +354,59 @@ def DoDNS(Str,Attrs,DnRecord):
    global SeenDNS;
    global DNS;
 
-   if cname:
-     if DNS.has_key(G[0]):
+   if cnamerecord:
+     if DNS.has_key(hostname):
        return "CNAME and other RR types not allowed: "+Str
      else:
-       DNS[G[0]] = 2
+       DNS[hostname] = 2
    else:
-     if DNS.has_key(G[0]) and DNS[G[0]] == 2:
+     if DNS.has_key(hostname) and DNS[hostname] == 2:
        return "CNAME and other RR types not allowed: "+Str
      else:
-       DNS[G[0]] = 1
-     
+       DNS[hostname] = 1
+
+   if cnamerecord != None:
+     sanitized = "%s IN CNAME %s" % (hostname, cnamerecord.group(1))
+   elif arecord != None:
+     ipaddress = arecord.group(1)
+     for quad in ipaddress.split('.'):
+       if not (int(quad) >=0 and int(quad) <= 255):
+         return "Invalid quad %s in IP address %s in line %s" %(quad, ipaddress, Str)
+     sanitized = "%s IN A %s"% (hostname, ipaddress)
+   elif mxrecord != None:
+     priority = mxrecord.group(1)
+     mx = mxrecord.group(2)
+     sanitized = "%s IN MX %s %s" % (hostname, priority, mx)
+   elif aaaarecord != None:
+     ipv6address = aaaarecord.group(1)
+     parts = ipv6address.split(':')
+     if len(parts) > 8:
+       return "Invalid IPv6 address (%s): too many parts"%(ipv6address)
+     if len(parts) <= 2:
+       return "Invalid IPv6 address (%s): too few parts"%(ipv6address)
+     if parts[0] == "":
+       parts.pop(0)
+     if parts[-1] == "":
+       parts.pop(-1)
+     seenEmptypart = False
+     for p in parts:
+       if len(p) > 4:
+         return "Invalid IPv6 address (%s): part %s is longer than 4 characters"%(ipv6address, p)
+       if p == "":
+         if seenEmptypart:
+           return "Invalid IPv6 address (%s): more than one :: (nothing in between colons) is not allowed"%(ipv6address)
+         seenEmptypart = True
+     sanitized = "%s IN AAAA %s" % (hostname, ipv6address)
+   else:
+     raise Error, "None of the types I recognize was it.  I shouldn't be here.  confused."
+
    if SeenDNS:
-     Attrs.append((ldap.MOD_ADD,"dnsZoneEntry",Str));
-     return "DNS Entry added "+Str;
-      
-   Attrs.append((ldap.MOD_REPLACE,"dnsZoneEntry",Str));
+     Attrs.append((ldap.MOD_ADD,"dnsZoneEntry",sanitized));
+     return "DNS Entry added "+sanitized;
+
+   Attrs.append((ldap.MOD_REPLACE,"dnsZoneEntry",sanitized));
    SeenDNS = 1;
-   return "DNS Entry replaced with "+Str;
+   return "DNS Entry replaced with "+sanitized;
 
 # Handle an RBL list (mailRBL, mailRHSBL, mailWhitelist)
 def DoRBL(Str,Attrs):
@@ -318,12 +448,13 @@ def HandleChange(Reply,DnRecord,Key):
       Result = Result + "> "+Line+"\n";
       try:
          if Line == "show":
-           Show = 1;
-	   Res = "OK";
+            Show = 1;
+            Res = "OK";
          else:
-           Res = DoPosition(Line,Attrs) or DoDNS(Line,Attrs,DnRecord) or \
-                 DoArbChange(Line,Attrs) or DoSSH(Line,Attrs) or \
-		 DoDel(Line,Attrs) or DoRBL(Line,Attrs);
+            badkeys = LoadBadSSH()
+            Res = DoPosition(Line,Attrs) or DoDNS(Line,Attrs,DnRecord) or \
+                  DoArbChange(Line,Attrs) or DoSSH(Line,Attrs,badkeys,GetAttr(DnRecord,"uid")) or \
+                  DoDel(Line,Attrs) or DoRBL(Line,Attrs)
       except:
          Res = None;
          Result = Result + "==> %s: %s\n" %(sys.exc_type,sys.exc_value);
@@ -336,7 +467,7 @@ def HandleChange(Reply,DnRecord,Key):
       Result = Result + Res + "\n";
 
    # Connect to the ldap server
-   l = ldap.open(LDAPServer);
+   l = connectLDAP()
    F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
    AccessPass = F.readline().strip().split(" ")
    F.close();
@@ -407,7 +538,7 @@ def HandleChPass(Reply,DnRecord,Key):
    Reply = Reply + TemplateSubst(Subst,open(TemplatesDir+"passwd-changed","r").read());
    
    # Connect to the ldap server
-   l = ldap.open(LDAPServer);
+   l = connectLDAP()
    F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
    AccessPass = F.readline().strip().split(" ")
    F.close();
@@ -420,7 +551,8 @@ def HandleChPass(Reply,DnRecord,Key):
       raise Error, "This account is locked";
 
    # Modify the password
-   Rec = [(ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)];
+   Rec = [(ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass),
+          (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60)))];
    Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn;
    l.modify_s(Dn,Rec);
 
@@ -484,7 +616,7 @@ try:
    ErrType = EX_TEMPFAIL;
    ErrMsg = "An error occured while performing the LDAP lookup";
    global l;
-   l = ldap.open(LDAPServer);
+   l = connectLDAP()
    l.simple_bind_s("","");
 
    # Search for the matching key fingerprint