X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=c54aee5c1649aac2b4c70304359152fdc8565f81;hb=871ab5f2e8bda25130c70834052fa8fb020a5373;hp=05756aa2ff367885c75fd8a7e5a847c61f107e10;hpb=950e6acc8178555e33f64f0bda9af99bf9d7cfab;p=mirror%2Fuserdir-ldap.git

diff --git a/ud-mailgate b/ud-mailgate
index 05756aa..c54aee5 100755
--- a/ud-mailgate
+++ b/ud-mailgate
@@ -322,24 +322,19 @@ def DoSSH(Str, Attrs, badkeys, uid):
 
    Match = SSHFingerprint.match(output)
    g = Match.groups()
+   key_size = g[0]
+   fingerprint = g[1]
 
-   if int(g[0]) < 1024:
-      try:
-         # Body
-         Subst["__ERROR__"] = "SSH keysize %s is below limit 1024" % (g[0])
-         ErrReply = TemplateSubst(Subst,open(TemplatesDir+"admin-info","r").read())
-
-         Child = os.popen("/usr/sbin/sendmail -t","w")
-         Child.write(ErrReplyHead)
-         Child.write(ErrReply)
-         if Child.close() != None:
-            raise UDExecuteError, "Sendmail gave a non-zero return code"
-      except:
-         sys.exit(EX_TEMPFAIL)
+   if typekey == "rsa":
+      key_size_ok = (int(key_size) >= 2048)
+   elif typekey == "ed25519":
+     key_size_ok = True
+   else:
+     key_size_ok = False
 
-      # And now break and stop processing input, which sends a reply to the user.
-      raise UDFormatError, "SSH keys must have at least 1024 bits, processing halted, NOTHING MODIFIED AT ALL"
-   elif g[1] in badkeys:
+   if not key_size_ok:
+      return "SSH key fails formal criteria, not added.  We only accept RSA keys (>= 2048 bits) or ed25519 keys."
+   elif fingerprint in badkeys:
       try:
          # Body
          Subst["__ERROR__"] = "SSH key with fingerprint %s known as bad key" % (g[1])
@@ -356,17 +351,14 @@ def DoSSH(Str, Attrs, badkeys, uid):
       # And now break and stop processing input, which sends a reply to the user.
       raise UDFormatError, "Submitted SSH Key known to be bad and insecure, processing halted, NOTHING MODIFIED AT ALL"
 
-   if (typekey == "dss"):
-      return "DSA keys not accepted anymore"
-
    global SeenKey;
    if SeenKey:
      Attrs.append((ldap.MOD_ADD,"sshRSAAuthKey",Str));
-     return "SSH Key added "+FormatSSHAuth(Str);
-      
+     return "SSH Key added: %s %s [%s]"%(key_size, fingerprint, FormatSSHAuth(Str))
+
    Attrs.append((ldap.MOD_REPLACE,"sshRSAAuthKey",Str));
    SeenKey = 1;
-   return "SSH Keys replaced with "+FormatSSHAuth(Str);
+   return "SSH Keys replaced with: %s %s [%s]"%(key_size, fingerprint, FormatSSHAuth(Str))
 
 # Handle changing a dns entry
 #  host IN A     12.12.12.12
@@ -490,7 +482,7 @@ def DoRBL(Str,Attrs):
 
 # Handle a ConfirmSudoPassword request
 def DoConfirmSudopassword(Str, SudoPasswd):
-   Match = re.compile('^confirm sudopassword ('+UUID_FORMAT+') ([a-z0-9.,*]+) ([0-9a-f]{40})$').match(Str)
+   Match = re.compile('^confirm sudopassword ('+UUID_FORMAT+') ([a-z0-9.,*-]+) ([0-9a-f]{40})$').match(Str)
    if Match == None:
       return None
 
@@ -517,7 +509,7 @@ def FinishConfirmSudopassword(l, uid, Attrs, SudoPasswd):
 
    newldap = []
    for entry in inldap:
-      Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry)
+      Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*-]+) ([^ ]+)$').match(entry)
       if Match == None:
          raise UDFormatError, "Could not parse existing sudopasswd entry"
       uuid = Match.group(1)