X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=65955f6048dcb32ee0448f34e9a9425697052fe3;hb=82aef85537e4199e9db0bf2fcec7db2137561795;hp=533800c26964cc1afc34b92ddee322dece4c978a;hpb=a3437bcd185d533199ebd7c3e0f69b816cc904af;p=mirror%2Fuserdir-ldap.git diff --git a/ud-mailgate b/ud-mailgate index 533800c..65955f6 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -5,6 +5,7 @@ # Copyright (c) 2009 Stephen Gran # Copyright (c) 2008 Peter Palfrader # Copyright (c) 2008 Joerg Jaspert +# Copyright (c) 2010 Helmut Grohne import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os, commands import pwd, tempfile @@ -34,6 +35,7 @@ mailWhitelist = {} SeenList = {} DNS = {} SudoPasswd = {} +ValidHostNames = [] # will be initialized in later SSHFingerprint = re.compile('^(\d+) ([0-9a-f\:]{47}) (.+)$') SSHRSA1Match = re.compile('^^(.* )?\d+ \d+ \d+') @@ -51,6 +53,7 @@ ArbChanges = {"c": "..", "facsimileTelephoneNumber": ".*", "telephoneNumber": ".*", "postalAddress": ".*", + "bATVToken": ".*", "postalCode": ".*", "loginShell": ".*", "emailForward": "^([^<>@]+@.+)?$", @@ -63,6 +66,7 @@ ArbChanges = {"c": "..", "mailDisableMessage": ".*", "mailGreylisting": "^(TRUE|FALSE)$", "mailCallout": "^(TRUE|FALSE)$", + "mailDefaultOptions": "^(TRUE|FALSE)$", "VoIP": ".*", "gender": "^(1|2|9|male|female|unspecified)$", "mailContentInspectionAction": "^(reject|blackhole|markup)$", @@ -73,6 +77,7 @@ DelItems = {"c": None, "facsimileTelephoneNumber": None, "telephoneNumber": None, "postalAddress": None, + "bATVToken": None, "postalCode": None, "emailForward": None, "ircNick": None, @@ -92,6 +97,7 @@ DelItems = {"c": None, "mailRHSBL": None, "mailWhitelist": None, "mailDisableMessage": None, + "mailDefaultOptions": None, "VoIP": None, "mailContentInspectionAction": None, }; @@ -260,6 +266,9 @@ def LoadBadSSH(): # Handle an SSH authentication key, the line format is: # [options] 1024 35 13188913666680[..] [comment] +# maybe it really should be: +# [allowed_hosts=machine1,machine2 ][options ]ssh-rsa keybytes [comment] +machine_regex = re.compile("^[0-9a-zA-Z.-]+$") def DoSSH(Str, Attrs, badkeys, uid): Match = SSH2AuthSplit.match(Str); if Match == None: @@ -272,6 +281,22 @@ def DoSSH(Str, Attrs, badkeys, uid): return "RSA1 keys not supported anymore" return None; + # lines can now be prepended with "allowed_hosts=machine1,machine2 " + machines = [] + if Str.startswith("allowed_hosts="): + Str = Str.split("=", 1)[1] + if ' ' not in Str: + return "invalid ssh key syntax with machine specification" + machines, Str = Str.split(' ', 1) + machines = machines.split(",") + for m in machines: + if not m: + return "empty machine specification for ssh key" + if not machine_regex.match(m): + return "machine specification for ssh key contains invalid characters" + if m not in ValidHostNames: + return "unknown machine used in allowed_hosts stanza for ssh keys" + (fd, path) = tempfile.mkstemp(".pub", "sshkeytry", "/tmp") f = open(path, "w") f.write("%s\n" % (Str)) @@ -282,6 +307,10 @@ def DoSSH(Str, Attrs, badkeys, uid): if (result != 0): raise UDExecuteError, "ssh-keygen -l invocation failed!\n%s\n" % (output) + # format the string again for ldap: + if machines: + Str = "allowed_hosts=%s %s" % (",".join(machines), Str) + # Head Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time())) @@ -746,6 +775,14 @@ try: Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time())); Reply = "To: %s\nReply-To: %s\nDate: %s\n" % (Sender,ReplyTo,Date); + global ValidHostNames + Res = l.search_s(HostBaseDn, ldap.SCOPE_SUBTREE, '(objectClass=debianServer)', ['hostname'] ) + # Res is a list of tuples. + # The tuples contain a dn (str) and a dictionary. + # The dictionaries map the key "hostname" to a list. + # These lists contain a single hostname (str). + ValidHostNames = reduce(lambda a,b: a+b, [value.get("hostname", []) for (dn, value) in Res], []) + # Dispatch if sys.argv[1] == "ping": Reply = HandlePing(Reply,Attrs[0],Res[2]);