Change the hmac that protect sudopassword entries to also hash the purpose

[mirror/userdir-ldap.git] / userdir_ldap.py

diff --git a/userdir_ldap.py b/userdir_ldap.py
index 5e87deb..c84a655 100644 (file)
--- a/userdir_ldap.py
+++ b/userdir_ldap.py
@@ -17,8 +17,10 @@
 #   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 
 # Some routines and configuration that are used by the ldap progams
-import termios, re, imp, ldap, sys, crypt, rfc822, pwd;
+import termios, re, imp, ldap, sys, crypt, rfc822, pwd, os;
 import userdir_gpg
+import hmac
+import sha as sha1_module
 
 try:
    File = open("/etc/userdir-ldap/userdir-ldap.conf");
@@ -41,10 +43,6 @@ PassDir = ConfModule.passdir;
 Ech_ErrorLog = ConfModule.ech_errorlog;
 Ech_MainLog = ConfModule.ech_mainlog;
 
-File = open(PassDir+"/key-hmac-"+pwd.getpwuid(os.getuid())[0],"r");
-HmacKey = F.readline().strip()
-File.close();
-
 # For backwards compatibility, we default to the old behaviour
 MultipleSSHFiles = getattr(ConfModule, 'multiplesshfiles', False)
 SingleSSHFile = getattr(ConfModule, 'singlesshfile', True)
@@ -456,7 +454,10 @@ def Group2GID(l, name):
    return -1
 
 def make_hmac(str):
+   File = open(PassDir+"/key-hmac-"+pwd.getpwuid(os.getuid())[0],"r");
+   HmacKey = File.readline().strip()
+   File.close();
    return hmac.new(HmacKey, str, sha1_module).hexdigest()
 
-def make_sudopasswd_hmac(purpose, uuid, hosts, cryptedpass):
-   return make_hmac(':'.join([purpose, uuid, hosts, cryptedpass]))
+def make_passwd_hmac(status, purpose, uid, uuid, hosts, cryptedpass):
+   return make_hmac(':'.join([status, purpose, uid, uuid, hosts, cryptedpass]))