X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=f3752ec5bbacaedc34035554134034b7e55540fb;hb=00612ecbc10cd19f9b3d67b9fd45694f7940275b;hp=533800c26964cc1afc34b92ddee322dece4c978a;hpb=a3437bcd185d533199ebd7c3e0f69b816cc904af;p=mirror%2Fuserdir-ldap.git diff --git a/ud-mailgate b/ud-mailgate index 533800c..f3752ec 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -3,8 +3,9 @@ # Prior copyright probably rmurray, troup, joey, jgg -- weasel 2008 # Copyright (c) 2009 Stephen Gran -# Copyright (c) 2008 Peter Palfrader +# Copyright (c) 2008,2009,2010 Peter Palfrader # Copyright (c) 2008 Joerg Jaspert +# Copyright (c) 2010 Helmut Grohne import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os, commands import pwd, tempfile @@ -34,6 +35,7 @@ mailWhitelist = {} SeenList = {} DNS = {} SudoPasswd = {} +ValidHostNames = [] # will be initialized in later SSHFingerprint = re.compile('^(\d+) ([0-9a-f\:]{47}) (.+)$') SSHRSA1Match = re.compile('^^(.* )?\d+ \d+ \d+') @@ -51,6 +53,7 @@ ArbChanges = {"c": "..", "facsimileTelephoneNumber": ".*", "telephoneNumber": ".*", "postalAddress": ".*", + "bATVToken": ".*", "postalCode": ".*", "loginShell": ".*", "emailForward": "^([^<>@]+@.+)?$", @@ -63,6 +66,7 @@ ArbChanges = {"c": "..", "mailDisableMessage": ".*", "mailGreylisting": "^(TRUE|FALSE)$", "mailCallout": "^(TRUE|FALSE)$", + "mailDefaultOptions": "^(TRUE|FALSE)$", "VoIP": ".*", "gender": "^(1|2|9|male|female|unspecified)$", "mailContentInspectionAction": "^(reject|blackhole|markup)$", @@ -73,6 +77,7 @@ DelItems = {"c": None, "facsimileTelephoneNumber": None, "telephoneNumber": None, "postalAddress": None, + "bATVToken": None, "postalCode": None, "emailForward": None, "ircNick": None, @@ -92,6 +97,7 @@ DelItems = {"c": None, "mailRHSBL": None, "mailWhitelist": None, "mailDisableMessage": None, + "mailDefaultOptions": None, "VoIP": None, "mailContentInspectionAction": None, }; @@ -260,6 +266,9 @@ def LoadBadSSH(): # Handle an SSH authentication key, the line format is: # [options] 1024 35 13188913666680[..] [comment] +# maybe it really should be: +# [allowed_hosts=machine1,machine2 ][options ]ssh-rsa keybytes [comment] +machine_regex = re.compile("^[0-9a-zA-Z.-]+$") def DoSSH(Str, Attrs, badkeys, uid): Match = SSH2AuthSplit.match(Str); if Match == None: @@ -272,6 +281,22 @@ def DoSSH(Str, Attrs, badkeys, uid): return "RSA1 keys not supported anymore" return None; + # lines can now be prepended with "allowed_hosts=machine1,machine2 " + machines = [] + if Str.startswith("allowed_hosts="): + Str = Str.split("=", 1)[1] + if ' ' not in Str: + return "invalid ssh key syntax with machine specification" + machines, Str = Str.split(' ', 1) + machines = machines.split(",") + for m in machines: + if not m: + return "empty machine specification for ssh key" + if not machine_regex.match(m): + return "machine specification for ssh key contains invalid characters" + if m not in ValidHostNames: + return "unknown machine used in allowed_hosts stanza for ssh keys" + (fd, path) = tempfile.mkstemp(".pub", "sshkeytry", "/tmp") f = open(path, "w") f.write("%s\n" % (Str)) @@ -282,6 +307,10 @@ def DoSSH(Str, Attrs, badkeys, uid): if (result != 0): raise UDExecuteError, "ssh-keygen -l invocation failed!\n%s\n" % (output) + # format the string again for ldap: + if machines: + Str = "allowed_hosts=%s %s" % (",".join(machines), Str) + # Head Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time())) @@ -347,18 +376,20 @@ def DoDNS(Str,Attrs,DnRecord): cnamerecord = re.match("^[-\w]+\s+IN\s+CNAME\s+([-\w.]+\.)$",Str,re.IGNORECASE) arecord = re.match('^[-\w]+\s+IN\s+A\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$',Str,re.IGNORECASE) mxrecord = re.match("^[-\w]+\s+IN\s+MX\s+(\d{1,3})\s+([-\w.]+\.)$",Str,re.IGNORECASE) + txtrecord = re.match("^[-\w]+\s+IN\s+TXT\s+([-\d. a-z\t<>@]+)", Str, re.IGNORECASE) #aaaarecord = re.match('^[-\w]+\s+IN\s+AAAA\s+((?:[0-9a-f]{1,4})(?::[0-9a-f]{1,4})*(?::(?:(?::[0-9a-f]{1,4})*|:))?)$',Str,re.IGNORECASE) aaaarecord = re.match('^[-\w]+\s+IN\s+AAAA\s+([A-F0-9:]{2,39})$',Str,re.IGNORECASE) - if cnamerecord == None and\ - arecord == None and\ - mxrecord == None and\ - aaaarecord == None: + if cnamerecord is None and\ + arecord is None and\ + mxrecord is None and\ + txtrecord is None and\ + aaaarecord is None: return None; # Check if the name is already taken G = re.match('^([-\w+]+)\s',Str) - if G == None: + if G is None: raise UDFormatError, "Hostname not found although we already passed record syntax checks" hostname = G.group(1) @@ -388,19 +419,21 @@ def DoDNS(Str,Attrs,DnRecord): else: DNS[hostname] = 1 - if cnamerecord != None: + if cnamerecord is not None: sanitized = "%s IN CNAME %s" % (hostname, cnamerecord.group(1)) - elif arecord != None: + elif txtrecord is not None: + sanitized = "%s IN TXT %s" % (hostname, txtrecord.group(1)) + elif arecord is not None: ipaddress = arecord.group(1) for quad in ipaddress.split('.'): if not (int(quad) >=0 and int(quad) <= 255): return "Invalid quad %s in IP address %s in line %s" %(quad, ipaddress, Str) sanitized = "%s IN A %s"% (hostname, ipaddress) - elif mxrecord != None: + elif mxrecord is not None: priority = mxrecord.group(1) mx = mxrecord.group(2) sanitized = "%s IN MX %s %s" % (hostname, priority, mx) - elif aaaarecord != None: + elif aaaarecord is not None: ipv6address = aaaarecord.group(1) parts = ipv6address.split(':') if len(parts) > 8: @@ -521,6 +554,20 @@ def FinishConfirmSudopassword(l, uid, Attrs): return result +def connect_to_ldap_and_check_if_locked(DnRecord): + # Connect to the ldap server + l = connectLDAP() + F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); + AccessPass = F.readline().strip().split(" ") + F.close(); + l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]); + + # Check for a locked account + Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid")); + if (GetAttr(Attrs[0],"userPassword").find("*LK*") != -1) \ + or GetAttr(Attrs[0],"userPassword").startswith("!"): + raise UDNotAllowedError, "This account is locked"; + # Handle an [almost] arbitary change def HandleChange(Reply,DnRecord,Key): global PlainText; @@ -559,16 +606,7 @@ def HandleChange(Reply,DnRecord,Key): Result = Result + Res + "\n"; # Connect to the ldap server - l = connectLDAP() - F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); - AccessPass = F.readline().strip().split(" ") - F.close(); - - l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]); - oldAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid")); - if ((GetAttr(oldAttrs[0],"userPassword").find("*LK*") != -1) - or GetAttr(oldAttrs[0],"userPassword").startswith("!")): - raise UDNotAllowedError, "This account is locked"; + l = connect_to_ldap_and_check_if_locked(DnRecord) if CommitChanges == 1: # only if we are still good to go try: @@ -610,13 +648,23 @@ def HandlePing(Reply,DnRecord,Key): return Reply + TemplateSubst(Subst,open(TemplatesDir+"ping-reply","r").read()); + + +def get_crypttype_preamble(key): + if (key[4] == 1): + type = "Your message was encrypted using PGP 2.x\ncompatibility mode."; + else: + type = "Your message was encrypted using GPG (OpenPGP)\ncompatibility "\ + "mode, without IDEA. This message cannot be decoded using PGP 2.x"; + return type + # Handle a change password email sent to the change password address # (this program called with the chpass argument) def HandleChPass(Reply,DnRecord,Key): # Generate a random password Password = GenPass(); Pass = HashPass(Password); - + # Use GPG to encrypt it Message = GPGEncrypt("Your new password is '" + Password + "'\n",\ "0x"+Key[1],Key[4]); @@ -625,33 +673,15 @@ def HandleChPass(Reply,DnRecord,Key): if Message == None: raise UDFormatError, "Unable to generate the encrypted reply, gpg failed."; - if (Key[4] == 1): - Type = "Your message was encrypted using PGP 2.x\ncompatibility mode."; - else: - Type = "Your message was encrypted using GPG (OpenPGP)\ncompatibility "\ - "mode, without IDEA. This message cannot be decoded using PGP 2.x"; - Subst = {}; Subst["__FROM__"] = ChPassFrom; Subst["__EMAIL__"] = EmailAddress(DnRecord); - Subst["__CRYPTTYPE__"] = Type; + Subst["__CRYPTTYPE__"] = get_crypttype_preamble(Key) Subst["__PASSWORD__"] = Message; Subst["__ADMIN__"] = ReplyTo; Reply = Reply + TemplateSubst(Subst,open(TemplatesDir+"passwd-changed","r").read()); - - # Connect to the ldap server - l = connectLDAP() - F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); - AccessPass = F.readline().strip().split(" ") - F.close(); - l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]); - - # Check for a locked account - Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid")); - if (GetAttr(Attrs[0],"userPassword").find("*LK*") != -1) \ - or GetAttr(Attrs[0],"userPassword").startswith("!"): - raise UDNotAllowedError, "This account is locked"; + l = connect_to_ldap_and_check_if_locked(DnRecord) # Modify the password Rec = [(ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass), (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60)))]; @@ -659,7 +689,7 @@ def HandleChPass(Reply,DnRecord,Key): l.modify_s(Dn,Rec); return Reply; - + # Start of main program # Drop messages from a mailer daemon. @@ -686,25 +716,25 @@ try: # Check the signature ErrMsg = "Unable to check the signature or the signature was invalid:"; - Res = GPGCheckSig(Msg[0]); + pgp = GPGCheckSig2(Msg[0]) - if Res[0] != None: - raise UDFormatError, Res[0]; + if not pgp.ok: + raise UDFormatError, pgp.why - if Res[3] == None: - raise UDFormatError, "Null signature text"; + if pgp.text is None: + raise UDFormatError, "Null signature text" # Extract the plain message text in the event of mime encoding global PlainText; ErrMsg = "Problem stripping MIME headers from the decoded message" if Msg[1] == 1: try: - Index = Res[3].index("\n\n") + 2; + Index = pgp.text.index("\n\n") + 2 except ValueError: - Index = Res[3].index("\n\r\n") + 3; - PlainText = Res[3][Index:]; + Index = pgp.text.index("\n\r\n") + 3 + PlainText = pgp.text[Index:] else: - PlainText = Res[3]; + PlainText = pgp.text # Connect to the ldap server ErrType = EX_TEMPFAIL; @@ -714,7 +744,7 @@ try: l.simple_bind_s("",""); # Search for the matching key fingerprint - Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyFingerPrint=" + Res[2][1]); + Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyFingerPrint=" + pgp.key_fpr) ErrType = EX_PERMFAIL; if len(Attrs) == 0: @@ -727,11 +757,11 @@ try: RC = ReplayCache(ReplayCacheFile); RC.Clean(); ErrMsg = "The replay cache rejected your message. Check your clock!"; - Rply = RC.Check(Res[1]); + Rply = RC.Check(pgp.sig_info); if Rply != None: RC.close() raise UDNotAllowedError, Rply; - RC.Add(Res[1]); + RC.Add(pgp.sig_info); RC.close() # Determine the sender address @@ -746,15 +776,23 @@ try: Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time())); Reply = "To: %s\nReply-To: %s\nDate: %s\n" % (Sender,ReplyTo,Date); + Res = l.search_s(HostBaseDn, ldap.SCOPE_SUBTREE, '(objectClass=debianServer)', ['hostname'] ) + # Res is a list of tuples. + # The tuples contain a dn (str) and a dictionary. + # The dictionaries map the key "hostname" to a list. + # These lists contain a single hostname (str). + ValidHostNames = reduce(lambda a,b: a+b, [value.get("hostname", []) for (dn, value) in Res], []) + # Dispatch if sys.argv[1] == "ping": - Reply = HandlePing(Reply,Attrs[0],Res[2]); + Reply = HandlePing(Reply,Attrs[0],pgp.key_info); elif sys.argv[1] == "chpass": - if PlainText.strip().find("Please change my Debian password") != 0: - raise UDFormatError,"Please send a signed message where the first line of text is the string 'Please change my Debian password'"; - Reply = HandleChPass(Reply,Attrs[0],Res[2]); + if PlainText.strip().find("Please change my Debian password"): + Reply = HandleChPass(Reply,Attrs[0],pgp.key_info); + else: + raise UDFormatError,"Please send a signed message where the first line of text is the string 'Please change my Debian password' or some other string we accept here."; elif sys.argv[1] == "change": - Reply = HandleChange(Reply,Attrs[0],Res[2]); + Reply = HandleChange(Reply,Attrs[0],pgp.key_info); else: print sys.argv; raise UDFormatError, "Incorrect Invokation";