Peter Palfrader [Tue, 8 Jul 2008 12:33:13 +0000 (14:33 +0200)]
0.3.34
Peter Palfrader [Tue, 8 Jul 2008 12:33:06 +0000 (14:33 +0200)]
Check that the primary key is not expired, even if we get a GOODSIG status from
gnupg. Based on patch by Jeremy T. Bouse
Peter Palfrader [Tue, 8 Jul 2008 12:18:45 +0000 (14:18 +0200)]
Document changes accidentally committed two commits ago:
userdir_gpg.py:
- do not use SIGEXPIRED, it's deprecated
- use EXPKEYSIG to tell if a signature is made by an expired key.
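The two entries above make one security-relevant point: a GOODSIG line from gnupg only says the signature verifies, not that the key is still valid, so the primary key's expiry has to be checked separately (and EXPKEYSIG, which replaces GOODSIG when gnupg itself notices the signing key has expired, must be treated as a rejection). The following is an added example of that logic, not code from userdir_gpg.py; it parses constructed --status-fd output and a constructed --with-colons key listing rather than talking to gnupg, and the fingerprint, key id and dates are made up:

```python
import calendar

STATUS_PREFIX = "[GNUPG:] "
NOW = 1215520393  # 2008-07-08 12:33:13 UTC, the time of the commit above

# Constructed sample of gpg --status-fd output (not captured from a real run).
# Field layout follows gnupg's doc/DETAILS; the last VALIDSIG field is the
# fingerprint of the primary key that the signing key belongs to.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
STATUS_GOOD = "".join(STATUS_PREFIX + l + "\n" for l in (
    "NEWSIG",
    "GOODSIG 0123456789ABCDEF Example User <user@example.org>",
    "VALIDSIG %s 2008-07-08 %d 0 4 0 17 2 00 %s" % (FPR, NOW, FPR),
    "TRUST_FULLY",
))
# What gnupg emits instead when it notices the signing key itself has expired.
STATUS_EXPKEY = STATUS_GOOD.replace("GOODSIG", "EXPKEYSIG")

# Constructed `gpg --with-colons --list-keys` output for the same key.
# pub record: field 2 is the validity ('e' = expired), field 7 the expiry date.
LISTING_EXPIRED = (
    "pub:e:1024:17:0123456789ABCDEF:2000-01-01:2008-01-01::-:"
    "Example User <user@example.org>::scESC:\n"
    "fpr:::::::::%s:\n"
) % FPR
LISTING_VALID = LISTING_EXPIRED.replace("pub:e:", "pub:f:").replace(":2008-01-01:", "::")


def parse_status(text):
    """Map each status keyword to the list of argument strings seen for it."""
    status = {}
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        status.setdefault(keyword, []).append(args)
    return status


def _gpg_date(field):
    """Expiry field of a --with-colons record: empty, YYYY-MM-DD, or epoch seconds."""
    if field == "":
        return None
    if field.isdigit():
        return int(field)
    y, m, d = (int(x) for x in field.split("-"))
    return calendar.timegm((y, m, d, 0, 0, 0))


def primary_key_record(listing, primary_fpr):
    """Return (validity, expiry) of the pub record whose fpr record matches."""
    pub = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pub = f
        elif f[0] == "sub":
            pub = None  # fpr records that follow belong to a subkey
        elif (f[0] == "fpr" and pub is not None and len(f) > 9
              and f[9].upper() == primary_fpr.upper()):
            return pub[1], _gpg_date(pub[6])
    raise KeyError("primary key %s not found in keyring listing" % primary_fpr)


def signature_acceptable(status_text, listing, now=NOW):
    """Accept only a good signature whose primary key has not expired."""
    st = parse_status(status_text)
    if "EXPKEYSIG" in st:
        return False, "signature made by an expired key"
    if "GOODSIG" not in st or "VALIDSIG" not in st:
        return False, "no good signature"
    primary_fpr = st["VALIDSIG"][0].split()[-1]
    validity, expiry = primary_key_record(listing, primary_fpr)
    if validity == "e" or (expiry is not None and expiry <= now):
        return False, "primary key %s has expired" % primary_fpr
    return True, "ok"
```

In a real deployment the listing comes from running gpg with --with-colons on the fingerprint taken from VALIDSIG; newer gnupg versions print the dates as epoch seconds (or with --fixed-list-mode), which _gpg_date also accepts.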
Peter Palfrader [Tue, 8 Jul 2008 08:34:53 +0000 (10:34 +0200)]
ud-info: Change the "retired" status to "inactive". inactive covers memorial, removed, expelled more clearly.
Peter Palfrader [Tue, 8 Jul 2008 07:44:46 +0000 (09:44 +0200)]
ud-info: fix changing of DD status/DD status comment - we were missing prompt information so we got a backtrace.
ud-info: Warn when we don't have a prompt string for attributes on startup.
Peter Palfrader [Mon, 23 Jun 2008 20:59:32 +0000 (22:59 +0200)]
0.3.33
Peter Palfrader [Mon, 23 Jun 2008 20:58:12 +0000 (22:58 +0200)]
Add userdir-ldap-slapd.conf, a snippet to be included in slapd.conf, to the package.
Peter Palfrader [Mon, 23 Jun 2008 20:39:54 +0000 (22:39 +0200)]
remove an extra space
Peter Palfrader [Mon, 9 Jun 2008 20:59:39 +0000 (22:59 +0200)]
Allow setting of gender in ud-mailgate. Based on patch by Bernhard R. Link.
Peter Palfrader [Sun, 25 May 2008 23:29:09 +0000 (01:29 +0200)]
ud-info: Add "retire developer" option that sets accountStatus properly to
either retiring, retired, memorial or active. Active is for all currently
active developers, memorial is for those who have passed away and whose
accounts will never be reused, retiring is a developer who is retired but still
receives mail at their @debian.org address. After a few months they should
move on to retired, with their mail also disabled. accountStatus is just a
freeform text, but these 4 options should be the only ones that exist.
Peter Palfrader [Sun, 25 May 2008 20:35:48 +0000 (22:35 +0200)]
ud-info: Only show "Lock account" in root mode.
Peter Palfrader [Sun, 25 May 2008 16:34:33 +0000 (18:34 +0200)]
add "security simple_bind=128" to sample slapd.conf.
Peter Palfrader [Fri, 23 May 2008 21:52:29 +0000 (23:52 +0200)]
Do SSL when connecting to the ldap server.
Peter Palfrader [Fri, 23 May 2008 10:51:52 +0000 (12:51 +0200)]
TODO: expand authorized_keys syntax so that users can have certain keys added
to only some hosts. e.g. host="gluck,ries",from="blubb".... ssh-rsa...
Peter Palfrader [Fri, 23 May 2008 10:51:03 +0000 (12:51 +0200)]
TODO item: do SSL in all ldap connections that authenticate
Peter Palfrader [Fri, 23 May 2008 10:50:11 +0000 (12:50 +0200)]
One TODO item is resolved (openssh patch required)
Peter Palfrader [Fri, 23 May 2008 08:05:27 +0000 (10:05 +0200)]
0.3.31
Peter Palfrader [Fri, 23 May 2008 08:04:18 +0000 (10:04 +0200)]
merge from alioth: Document how to use unique overlay for uid and keyFingerPrint
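The two slapd.conf changes in this log (requiring an SSF of 128 for simple binds, above at "add security simple_bind=128", and the unique overlay for uid and keyFingerPrint documented here) are shown together in the added fragment below. It is an illustration, not the project's userdir-ldap-slapd.conf; the suffix dc=example,dc=org and the TLS file paths are assumptions, and the overlay directives belong inside the database section they apply to:

```conf
# Added example fragment for slapd.conf (not the project's own snippet).
# Assumed: suffix dc=example,dc=org, certificate files under /etc/ldap/ssl/.

# Weak default: a client may send a simple bind (cleartext password) over an
# unprotected connection.
#security simple_bind=0

# Require a security strength factor of at least 128 (in practice TLS with a
# strong cipher) before a simple bind is accepted; a bind without TLS is then
# refused with "confidentiality required" instead of exposing the password.
security simple_bind=128
TLSCertificateFile    /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.key

database bdb
suffix   "dc=example,dc=org"

# slapo-unique, new-style unique_uri syntax: no two entries under the suffix
# may share a uid or a keyFingerPrint, so a second account cannot be created
# that reuses an existing login name or an existing OpenPGP key.
overlay    unique
unique_uri ldap:///dc=example,dc=org?uid,keyFingerPrint?sub
```

The client side has to match: ud-* tools must use TLS (see "Do SSL when connecting to the ldap server" above), otherwise every authenticated bind fails once simple_bind=128 is in place.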
Peter Palfrader [Fri, 23 May 2008 08:02:48 +0000 (10:02 +0200)]
merge from alioth: Use ud-config in ud-replicate to determine emailappend value instead of using @debian.org hardcoded
Peter Palfrader [Fri, 23 May 2008 08:00:32 +0000 (10:00 +0200)]
merge from alioth:
Make ud-useradd also not use hardcoded path
Use sync_keyrings from config instead of hardcoded list
Peter Palfrader [Thu, 22 May 2008 20:41:25 +0000 (22:41 +0200)]
* When we lock accounts, set shadowExpire to 1. shadowExpire
is "days since Jan 1, 1970 that account is disabled".
* Properly capitalize shadowInactive and shadowExpire attributes in
ud-info and ud-generate.
* Add copyright statements to ud-info from bzr log.
Peter Palfrader [Thu, 22 May 2008 20:26:49 +0000 (22:26 +0200)]
When we touch userPassword in ud-info or ud-mailgate we now also update
shadowLastChange.
Peter Palfrader [Thu, 22 May 2008 19:50:12 +0000 (21:50 +0200)]
ud-info: Add an option "L" to lock accounts in the interactive interface.
Locking an account sets a user's password to "{crypt}*LK*" and sets a
mailDisableMessage of "account locked".
Peter Palfrader [Thu, 22 May 2008 19:39:18 +0000 (21:39 +0200)]
Do not disable mail just because the account is locked.
Peter Palfrader [Mon, 19 May 2008 06:56:21 +0000 (08:56 +0200)]
* Export ssh-keys.tar.gz to [UNTRUSTED] hosts. Since we already export
ssh-rsa-shadow this is probably the right thing.
* Make keys in the ssh-keys tarball mode 0400 instead of mode 0600.
Stephen Gran [Sun, 18 May 2008 19:41:39 +0000 (20:41 +0100)]
Use new style syntax for unique overlay
Stephen Gran [Sun, 18 May 2008 17:00:05 +0000 (18:00 +0100)]
Document how to use unique overlay for uid and keyFingerPrint
Peter Palfrader [Sun, 18 May 2008 12:28:28 +0000 (14:28 +0200)]
Merge from zobel: Fix userdir-ldap.schema (objectClass now contains MAY: VoIP)
Peter Palfrader [Sun, 18 May 2008 12:26:33 +0000 (14:26 +0200)]
ud-mailgate: a bug in DoSSH caused all changes to fail that came after DoSSH in
HandleChange. Now DoSSH properly returns without raising an exception if the
line to handle is not an ssh public key.
Joerg Jaspert [Sun, 18 May 2008 12:05:08 +0000 (14:05 +0200)]
Use ud-config in ud-replicate to determine emailappend value for the sed statement
Joerg Jaspert [Sun, 18 May 2008 11:53:41 +0000 (13:53 +0200)]
Merge from Debian
Joerg Jaspert [Sun, 18 May 2008 11:45:59 +0000 (13:45 +0200)]
Make ud-useradd also not use hardcoded path
Peter Palfrader [Sun, 18 May 2008 11:41:10 +0000 (13:41 +0200)]
ud-replicate: sgran pointed out that if all we care about ignoring is EEXIST
then we should use mkdir -p instead of [ -d userkeys ] || mkdir userkeys.
Joerg Jaspert [Sun, 18 May 2008 11:37:40 +0000 (13:37 +0200)]
Uncommit a change from aba after a little discussion on irc
Joerg Jaspert [Sun, 18 May 2008 11:32:27 +0000 (13:32 +0200)]
Use sync_keyrings from config instead of hardcoded list
Andreas Barth [Sun, 18 May 2008 11:26:17 +0000 (11:26 +0000)]
Disable GSSAPIAuthentication in ud-replicate
Martin Zobel-Helas [Sun, 18 May 2008 11:05:54 +0000 (13:05 +0200)]
* fix userdir-ldap.schema, now contains MAY: VoIP
* Add changelog-entry
Joerg Jaspert [Sun, 18 May 2008 10:49:46 +0000 (12:49 +0200)]
Merge from Debian
Peter Palfrader [Sat, 17 May 2008 14:15:26 +0000 (16:15 +0200)]
Make ssh-keys.tar.gz readable only by the user.
Peter Palfrader [Sat, 17 May 2008 13:41:24 +0000 (15:41 +0200)]
0.3.24
Peter Palfrader [Sat, 17 May 2008 13:41:13 +0000 (15:41 +0200)]
And clean up the bugs I introduced while mucking with sgran's shell
Peter Palfrader [Sat, 17 May 2008 13:29:42 +0000 (15:29 +0200)]
Fix string vs. int issue in userlist introduced by multiple-ssh patch
Peter Palfrader [Sat, 17 May 2008 09:41:11 +0000 (11:41 +0200)]
Fix wording in the changelog
Peter Palfrader [Sat, 17 May 2008 09:40:33 +0000 (11:40 +0200)]
Fuzz with the shell in ud-replicate's sshkeys part
Peter Palfrader [Sat, 17 May 2008 09:39:20 +0000 (11:39 +0200)]
ud-replicate, ud-generate: Instead of one big ssh-rsa-shadow file ud-generate
now produces per-user authorized_keys files and tars them up. On the receiving
end ud-replicate takes the tar and syncs it to userkeys/. The goal here is to
no longer require a patched sshd. Setting AuthorizedKeysFile2 to
/var/lib/misc/userkeys/%u is sufficient. For homedir creation we can use
pam_mkhomedir. [mhy, sgran]
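An added example of the per-user key export described above, together with the 0400 mode from "Make keys in the ssh-keys tarball mode 0400" and the "only the required ssh keys" point: it is not ud-generate's or ud-replicate's own code. The tarball is built and read in memory; ownership of the extracted files, and the sshd_config line pointing at /var/lib/misc/userkeys/%u, are left to the receiving side. The username pattern, the sample users and the key strings (placeholders, not real keys) are assumptions. Note that OpenSSH 5.9 and later dropped AuthorizedKeysFile2; AuthorizedKeysFile accepts several space-separated paths instead.

```python
import io
import re
import tarfile

# Assumption: local account names are POSIX-style.  Anything else is refused,
# because the name becomes a file name under userkeys/ on every host.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_sshkeys_tarball(keys_by_user, users_on_host):
    """ud-generate side: one authorized_keys file per user, mode 0400, only
    for users who have an account on the receiving host.  Returns .tar.gz bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for user in sorted(set(keys_by_user) & set(users_on_host)):
            if not USERNAME_RE.match(user):
                raise ValueError("refusing to emit key file for %r" % user)
            body = "".join(k.strip() + "\n" for k in keys_by_user[user]).encode()
            info = tarfile.TarInfo(name=user)
            info.size = len(body)
            info.mode = 0o400
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def read_sshkeys_tarball(blob):
    """ud-replicate side: return {user: authorized_keys text}, refusing any
    member that is not a flat regular file with a sane name.  A hostile
    tarball could otherwise drop files outside userkeys/ or plant symlinks."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not m.isreg() or not USERNAME_RE.match(m.name):
                raise ValueError("unexpected tar member %r" % m.name)
            out[m.name] = tar.extractfile(m).read().decode()
    return out


def member_modes(blob):
    """Mode of every member, to verify the 0400 guarantee before syncing."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: m.mode for m in tar.getmembers()}


# Constructed sample input; the key blobs are placeholders, not real keys.
KEYS = {
    "alice": ["ssh-rsa AAAAB3NzaC1yc2EAAAAAlice== alice@example.org"],
    "bob":   ["ssh-rsa AAAAB3NzaC1yc2EAAAAABob1== bob@laptop",
              "ssh-rsa AAAAB3NzaC1yc2EAAAAABob2== bob@desktop"],
    "carol": ["ssh-rsa AAAAB3NzaC1yc2EAAAAACarol== carol@example.org"],
}
HOST_USERS = ["alice", "bob"]  # carol has no account on this host


def sync_example():
    """Round trip: what the receiving host ends up with for HOST_USERS."""
    return read_sshkeys_tarball(build_sshkeys_tarball(KEYS, HOST_USERS))


def hostile_tarball():
    """Constructed attacker-shaped input: a member whose name escapes userkeys/."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = b"ssh-rsa AAAA mallory\n"
        info = tarfile.TarInfo(name="../../root/.ssh/authorized_keys")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Rejecting the whole tarball on the first bad member, rather than skipping it, is deliberate: the db server is the only legitimate source, so a malformed member means either a bug or tampering, and neither should be silently repaired on the client.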
Peter Palfrader [Sat, 17 May 2008 09:30:38 +0000 (11:30 +0200)]
merge from alioth: aba: add myself to copyright holders
Peter Palfrader [Sat, 17 May 2008 09:30:01 +0000 (11:30 +0200)]
ud-generate: Add performance optimization by resolving IP addresses for hosts
only once and caching the result. [aba]
Peter Palfrader [Sat, 17 May 2008 09:27:06 +0000 (11:27 +0200)]
ud-generate: Add support for generation of authorized_keys file on the db host
for the sshdist user. This is now possible since ud-replicate clients use
their ssh host key to authenticate to the db server. The code now supports
this but the feature is still disabled. [aba]
Peter Palfrader [Sat, 17 May 2008 09:22:00 +0000 (11:22 +0200)]
ud-replicate: Also support the imposter dchroot-dsa from the debian archive [aba]
Peter Palfrader [Sat, 17 May 2008 09:18:45 +0000 (11:18 +0200)]
better check for ssh1 keys (which we do not accept). Merged from alioth but slightly improved regex
Joerg Jaspert [Fri, 16 May 2008 21:00:43 +0000 (23:00 +0200)]
Merge sshkeys branch from Stephen and Mark
Joerg Jaspert [Fri, 16 May 2008 18:56:53 +0000 (20:56 +0200)]
Merge from -common branch
Andreas Barth [Fri, 16 May 2008 18:03:40 +0000 (18:03 +0000)]
add myself to copyright holders
Andreas Barth [Fri, 16 May 2008 17:58:28 +0000 (17:58 +0000)]
Add performance optimization by caching IP addresses in ud-generate as a precondition for automatically adding aliases
Andreas Barth [Fri, 16 May 2008 17:40:19 +0000 (17:40 +0000)]
Add (disabled) generation of authorized_keys
Andreas Barth [Fri, 16 May 2008 17:34:58 +0000 (17:34 +0000)]
Add compatibility to dchroot-dsa to ud-replicate
Joerg Jaspert [Thu, 15 May 2008 21:35:13 +0000 (23:35 +0200)]
Modify the SSH1 key check so it matches all RSA1 keys, not only those of size 1024
Joerg Jaspert [Wed, 14 May 2008 23:02:17 +0000 (01:02 +0200)]
Merge from Debian
Stephen Gran [Wed, 14 May 2008 22:03:56 +0000 (23:03 +0100)]
remove debugging output
Stephen Gran [Wed, 14 May 2008 22:00:45 +0000 (23:00 +0100)]
add copyright update
Mark Hymers [Wed, 14 May 2008 21:56:59 +0000 (22:56 +0100)]
make fallbacks and group resolution more sane
Stephen Gran [Wed, 14 May 2008 21:27:10 +0000 (22:27 +0100)]
ahem, we need to actually look in the host subdir
Mark Hymers [Wed, 14 May 2008 21:10:08 +0000 (22:10 +0100)]
weasel gets upset if there isn't a changelog
Mark Hymers [Wed, 14 May 2008 21:08:53 +0000 (22:08 +0100)]
merge Steve's ud-replicate work
Mark Hymers [Wed, 14 May 2008 21:05:26 +0000 (22:05 +0100)]
export individual (and only the required) ssh keys
Stephen Gran [Wed, 14 May 2008 20:52:22 +0000 (21:52 +0100)]
ud-generate: handle individual ssh keys
Mark Hymers [Wed, 14 May 2008 19:37:13 +0000 (20:37 +0100)]
merge from debian branch
Mark Hymers [Wed, 14 May 2008 18:55:18 +0000 (19:55 +0100)]
reimport initial multiple ssh keys code which bzr kindly threw away after merging on my old branch
Peter Palfrader [Wed, 14 May 2008 15:56:01 +0000 (17:56 +0200)]
Fix generation of known_hosts file.
Peter Palfrader [Wed, 14 May 2008 15:48:00 +0000 (17:48 +0200)]
0.3.22
Peter Palfrader [Wed, 14 May 2008 15:47:17 +0000 (17:47 +0200)]
Merge: ud-mailgate no longer accepts ssh dss keys, keys with a size smaller than 1024.
Additionally it checks new keys against a blacklist of ssh key fingerprints. [joerg]
Peter Palfrader [Wed, 14 May 2008 15:37:21 +0000 (17:37 +0200)]
Add IPv6 addresses (and IPv4 in v6 notation, ::ffff:192.0.2.1) to ssh_known_hosts. [aba]
Joerg Jaspert [Wed, 14 May 2008 15:34:01 +0000 (17:34 +0200)]
Add missing admin info template
Peter Palfrader [Wed, 14 May 2008 15:32:49 +0000 (17:32 +0200)]
Add VoIP fields to the LDAP schema and teach ud-info and ud-mailgate about it. [zobel]
Peter Palfrader [Wed, 14 May 2008 15:29:25 +0000 (17:29 +0200)]
Merge: Add another todo item
Joerg Jaspert [Wed, 14 May 2008 14:56:04 +0000 (16:56 +0200)]
Merge sshkeys check with the alioth userdir-ldap-common
Joerg Jaspert [Wed, 14 May 2008 14:43:40 +0000 (16:43 +0200)]
Check ssh keys:
- reject all DSA keys, similar to RSA1 keys.
- reject and mail the admins for broken keys, ie keys
- of size below 1024 or
- known to be bad (fingerprintlist)
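The key policy spelled out in this entry, the "Modify the SSH1 key check so it matches all RSA1 keys" entry and the merge summary "ud-mailgate no longer accepts ssh dss keys, keys with a size smaller than 1024" is shown below as an added example; it is not ud-mailgate's own checker. The RSA modulus size is read from the key blob itself instead of trusting any number in the comment, and the blacklist lookup uses the colon-separated MD5 fingerprint that ssh-keygen -l printed at the time. The sample keys are constructed from made-up moduli purely so the checks have input to run on; they are not real keys and the blacklist entry is computed from one of them:

```python
import base64
import hashlib
import re
import struct

MIN_RSA_BITS = 1024
# ssh1 (RSA1) public keys are "bits exponent modulus [comment]", all decimal.
RSA1_RE = re.compile(r"^\s*\d+\s+\d+\s+\d+(?:\s|$)")
# ssh2 keys: type, base64 blob, optional comment; options may precede the type.
SSH2_RE = re.compile(r"(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+={0,2})")


def _ssh_strings(blob):
    """Split an RFC 4253 key blob into its length-prefixed strings."""
    out, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string")
        out.append(blob[off:off + n])
        off += n
    return out


def _mpint_bits(raw):
    """Bit length of an ssh mpint (big-endian, optional leading 0x00)."""
    return int.from_bytes(raw.lstrip(b"\x00"), "big").bit_length()


def fingerprint_md5(blob):
    """Colon-separated MD5 fingerprint of a key blob (ssh-keygen -l style, 2008)."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def check_ssh_key(line, blacklist=frozenset()):
    """Return (accepted, reason) for one public-key line."""
    if RSA1_RE.match(line):
        return False, "ssh1 (RSA1) keys are not accepted"
    m = SSH2_RE.search(line)
    if m is None:
        return False, "not an ssh-rsa or ssh-dss public key line"
    ktype, b64 = m.groups()
    if ktype == "ssh-dss":
        return False, "DSA keys are not accepted"
    try:
        blob = base64.b64decode(b64, validate=True)
        fields = _ssh_strings(blob)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False, "key blob is not valid base64/ssh wire format"
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        return False, "key blob does not match its declared type"
    bits = _mpint_bits(fields[2])  # fields are: type, e, n
    if bits < MIN_RSA_BITS:
        return False, "RSA modulus too small: %d bits" % bits
    fp = fingerprint_md5(blob)
    if fp in blacklist:
        return False, "fingerprint %s is on the blacklist" % fp
    return True, "ssh-rsa %d bits, fingerprint %s" % (bits, fp)


# --- constructed sample input (NOT real keys: the moduli are made-up numbers) ---
def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def make_rsa_line(e, n, comment):
    """Encode (e, n) as an ssh-rsa authorized_keys line; only used for test input."""
    blob = b"".join(struct.pack(">I", len(s)) + s
                    for s in (b"ssh-rsa", _mpint(e), _mpint(n)))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


GOOD_LINE = make_rsa_line(65537, (1 << 2047) | 0x10001, "user@example.org")
SHORT_LINE = make_rsa_line(65537, (1 << 767) | 0x10001, "user@example.org")
RSA1_LINE = "1024 35 1234567890123456789012345678901234567890 user@example.org"
DSS_LINE = "ssh-dss AAAAB3NzaC1kc3MAAACB user@example.org"
BAD_LINE = make_rsa_line(65537, (1 << 2047) | 0x12345, "leaked@example.org")
BLACKLIST = frozenset([fingerprint_md5(base64.b64decode(BAD_LINE.split()[1]))])
```

Checking the declared type against the type string inside the blob matters: an "ssh-rsa" prefix in front of a DSA blob would otherwise slip past the DSA rejection.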
Peter Palfrader [Tue, 13 May 2008 20:09:02 +0000 (22:09 +0200)]
* ud-replicate: use the host key to sync stuff from the db server,
that is, call ssh with -i /etc/ssh/ssh_host_rsa_key.
* ud-replicate: Call ssh with -o PreferredAuthentications=publickey
so that it does not even try password authentication.
Joerg Jaspert [Mon, 12 May 2008 22:12:56 +0000 (00:12 +0200)]
First version of a check for ssh keys
Andreas Barth [Sat, 10 May 2008 21:52:42 +0000 (21:52 +0000)]
more sanitizing for IP addresses
Andreas Barth [Sat, 10 May 2008 21:49:42 +0000 (21:49 +0000)]
Add IPv6 addresses (and IPv4 in both ways) into ssh_known_hosts
Martin Zobel-Helas [Sat, 10 May 2008 12:19:22 +0000 (14:19 +0200)]
add VoIP
Marc 'HE' Brockschmidt [Wed, 23 Apr 2008 21:11:12 +0000 (23:11 +0200)]
Add another todo item
Marc 'HE' Brockschmidt [Wed, 23 Apr 2008 21:08:10 +0000 (23:08 +0200)]
Merge Peter's debian.org-ud-ldap changes.
Peter Palfrader [Wed, 23 Apr 2008 20:33:56 +0000 (22:33 +0200)]
todo item
Peter Palfrader [Mon, 21 Apr 2008 22:18:09 +0000 (00:18 +0200)]
A few copyright notices
Peter Palfrader [Mon, 21 Apr 2008 22:08:29 +0000 (00:08 +0200)]
another todo item
Peter Palfrader [Mon, 21 Apr 2008 21:55:05 +0000 (23:55 +0200)]
add a TODO file
Peter Palfrader [Mon, 21 Apr 2008 11:31:04 +0000 (13:31 +0200)]
Teach ud-mailgate about ipv6 addresses (RT#193).
Sanitize DNS entries somewhat before inserting them into LDAP.
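The address handling in this entry and in the ssh_known_hosts entries above ("Add IPv6 addresses (and IPv4 in v6 notation ...)", "more sanitizing for IP addresses") can be illustrated with the added example below, which is not ud-mailgate's or ud-generate's own code. It uses the standard ipaddress module (Python 3.3+) both to refuse anything that is not a literal address before it reaches LDAP and to emit every spelling a client might present a host under, including the ::ffff:a.b.c.d form of an IPv4 address. The sample host name, addresses and key string are constructed:

```python
import ipaddress


def sanitize_address(text):
    """Canonical form of a literal IPv4/IPv6 address, or None if it is not one.
    Surrounding whitespace is tolerated; anything else (shell metacharacters,
    host names, zone ids) is refused rather than stored in LDAP."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def known_hosts_names(hostname, addresses):
    """All names a client may look this host up under: FQDN, short name, each
    address, and for IPv4 the v4-mapped IPv6 spelling ::ffff:a.b.c.d (plus the
    dotted form when LDAP already holds the mapped spelling)."""
    names = [hostname]
    short = hostname.split(".", 1)[0]
    if short != hostname:
        names.append(short)
    for raw in addresses:
        canon = sanitize_address(raw)
        if canon is None:
            raise ValueError("refusing unparsable address %r for %s" % (raw, hostname))
        addr = ipaddress.ip_address(canon)
        names.append(canon)
        if addr.version == 4:
            names.append("::ffff:" + canon)
        elif addr.ipv4_mapped is not None:
            names.append(str(addr.ipv4_mapped))
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def known_hosts_line(hostname, addresses, keytype, key_b64):
    """One ssh_known_hosts line: comma-separated names, key type, key."""
    return "%s %s %s" % (",".join(known_hosts_names(hostname, addresses)),
                         keytype, key_b64)


# Constructed sample (the key blob is a placeholder, not a real host key).
SAMPLE_HOST = ("gluck.debian.org", ["192.0.2.1", "2001:DB8:0:0:0:0:0:1"])
SAMPLE_LINE = known_hosts_line(SAMPLE_HOST[0], SAMPLE_HOST[1], "ssh-rsa", "AAAAB3NzaC1yc2EAAAA")
```

Raising on an unparsable address instead of dropping it is the safer default for a file that is generated centrally: a silently missing name means a host key mismatch on every client, whereas a loud failure gets the bad LDAP entry fixed.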
Peter Palfrader [Fri, 18 Apr 2008 12:34:05 +0000 (14:34 +0200)]
New [KEYRING] flag to indicate the debian keyring should be synced to this host.
Peter Palfrader [Thu, 17 Apr 2008 17:49:45 +0000 (19:49 +0200)]
Various ud-fingerserv fixes
Peter Palfrader [Wed, 16 Apr 2008 17:59:51 +0000 (19:59 +0200)]
Calling dh_installdeb before dh_pysupport was probably not the smartest move.
Reorder.
Peter Palfrader [Wed, 16 Apr 2008 14:20:53 +0000 (16:20 +0200)]
0.3.16
Peter Palfrader [Wed, 16 Apr 2008 14:20:46 +0000 (16:20 +0200)]
Use full hostname
Peter Palfrader [Wed, 16 Apr 2008 12:09:51 +0000 (14:09 +0200)]
Sleep for a random time, up to two minutes, in ud-replicate when not called
interactively. This is to prevent DoSing the db server when many clients come
at the same time.
Peter Palfrader [Wed, 16 Apr 2008 12:08:46 +0000 (14:08 +0200)]
Create /var/lib/misc/thishost as a symlink to the hostname in postinst
Mark Hymers [Thu, 10 Jan 2008 15:12:13 +0000 (15:12 +0000)]
merge from -debian branch
Peter Palfrader [Thu, 10 Jan 2008 15:07:10 +0000 (16:07 +0100)]
Merge from alioth
Peter Palfrader [Thu, 10 Jan 2008 15:03:47 +0000 (16:03 +0100)]
Nop merge - stuff that was previously included by cherry picking
Peter Palfrader [Thu, 10 Jan 2008 15:03:07 +0000 (16:03 +0100)]
Merge packaging cleanup from alioth (including template dir install location fix)