Done(File,None,F);
# Generate the sudo passwd file
-def GenShadowSudo(l,File):
+def GenShadowSudo(l,File, untrusted):
F = None;
try:
OldMask = os.umask(0077);
hosts = Match.group(3)
cryptedpass = Match.group(4)
- if status != 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass):
+ if status != 'confirmed:'+make_passwd_hmac('password-is-confirmed', 'sudo', x[1]['uid'][0], uuid, hosts, cryptedpass):
continue
for_all = hosts == "*"
for_this_host = CurrentHost in hosts.split(',')
if not (for_all or for_this_host):
continue
+ # ignore * passwords for untrusted hosts, but copy host specific passwords
+ if for_all and untrusted:
+ continue
Pass = cryptedpass
if for_this_host: # this makes sure we take a per-host entry over the for-all entry
break
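Review bot: The rewritten check on the `make_passwd_hmac('password-is-confirmed', 'sudo', x[1]['uid'][0], uuid, hosts, cryptedpass)` line changes the MAC inputs, so any `confirmed:` value computed with the old `make_sudopasswd_hmac` will stop matching, and the bare `continue` drops the entry without a trace. Binding the purpose and the uid into the MAC presumably prevents a confirmation from being reused for another account or password type. The rollout still needs either a re-confirmation step or a logged skip, plus a comment such as `# MAC covers purpose + uid; entries confirmed under the old sudo-only scheme must be re-confirmed`. `make_passwd_hmac` is not visible here, so check that it joins its fields with a separator that cannot occur in the uid or in `hosts`; otherwise two different field tuples could yield the same MAC input. The enclosing loop and the lookup of `x` start outside this hunk.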
userlist = GenPasswd(l,OutDir+"passwd",Split[1], "x");
sys.stdout.flush();
grouprevmap = GenGroup(l,OutDir+"group");
- GenShadowSudo(l, OutDir+"sudo-passwd")
+ GenShadowSudo(l, OutDir+"sudo-passwd", ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]"))
# Now we know who we're allowing on the machine, export
# the relevant ssh keys
os.path.join(OutDir, 'ssh-keys.tar.gz'))
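Review bot: The third argument on the `GenShadowSudo(l, OutDir+"sudo-passwd", ...)` call is true for `[NOPASSWD]` hosts as well as `[UNTRUSTED]` ones, so the parameter name `untrusted` no longer describes what the caller passes. Because this flag decides whether wildcard sudo passwords reach a host, the policy should be spelled out where it is computed, for example `withhold_wildcard = ExtraList.has_key("[UNTRUSTED]") or ExtraList.has_key("[NOPASSWD]")  # either tag: only host-specific sudo passwords are exported`. `GenShadowSudo` would also benefit from a short docstring stating that a true value skips `*` entries and keeps per-host ones. The surrounding per-host loop begins and ends outside this hunk.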
if ExtraList.has_key("[UNTRUSTED]"):
+ print "[UNTRUSTED] tag is obsolete and may be removed in the future."
continue;
if not ExtraList.has_key("[NOPASSWD]"):
GenShadow(l,OutDir+"shadow");
# Link in global things
- DoLink(GlobalDir,OutDir,"markers");
+ if not ExtraList.has_key("[NOMARKERS]"):
+ DoLink(GlobalDir,OutDir,"markers");
DoLink(GlobalDir,OutDir,"mail-forward.cdb");
DoLink(GlobalDir,OutDir,"mail-disable");
DoLink(GlobalDir,OutDir,"mail-greylist");