X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=ud-generate;h=a787dfad5df514b5f7120ac6d5e92767e32d64c0;hp=a4a74b57b2988c15e2413964d27663dc95312a3c;hb=HEAD;hpb=627dc95eaf71520b27b7893b96eff318925a099a diff --git a/ud-generate b/ud-generate index a4a74b5..a787dfa 100755 --- a/ud-generate +++ b/ud-generate @@ -449,6 +449,28 @@ def GenRtcPassword(accounts, File): Die(File, None, F) raise +# Generate the TOTP auth file +def GenTOTPSeed(accounts, File): + F = None + try: + OldMask = os.umask(0077) + F = open(File, "w", 0600) + os.umask(OldMask) + + F.write("# Option User Prefix Seed\n") + for a in accounts: + if a.is_guest_account(): continue + if not 'totpSeed' in a: continue + if not a.pw_active(): continue + + Line = "HOTP/T30/6 %s - %s" % (a['uid'], a['totpSeed']) + Line = Sanitize(Line) + "\n" + F.write("%s" % (Line)) + except: + Die(File, None, F) + raise + + def GenSSHtarballs(global_dir, userlist, ssh_userkeys, grouprevmap, target, current_host): OldMask = os.umask(0077) tf = tarfile.open(name=os.path.join(global_dir, 'ssh-keys-%s.tar.gz' % current_host), mode='w:gz') @@ -866,6 +888,7 @@ def is_ipv6_addr(i): return True def ExtractDNSInfo(x): + hostname = GetAttr(x, "hostname") TTLprefix="\t" if 'dnsTTL' in x[1]: @@ -875,42 +898,54 @@ def ExtractDNSInfo(x): if x[1].has_key("ipHostNumber"): for I in x[1]["ipHostNumber"]: if is_ipv6_addr(I): - DNSInfo.append("%sIN\tAAAA\t%s" % (TTLprefix, I)) + DNSInfo.append("%s.\t%sIN\tAAAA\t%s" % (hostname, TTLprefix, I)) else: - DNSInfo.append("%sIN\tA\t%s" % (TTLprefix, I)) + DNSInfo.append("%s.\t%sIN\tA\t%s" % (hostname, TTLprefix, I)) Algorithm = None + ssh_hostnames = [ hostname ] + if x[1].has_key("sshfpHostname"): + ssh_hostnames += [ h for h in x[1]["sshfpHostname"] ] + if 'sshRSAHostKey' in x[1]: for I in x[1]["sshRSAHostKey"]: Split = I.split() - if Split[0] == 'ssh-rsa': + key_prefix = Split[0] + key = base64.decodestring(Split[1]) + + # RFC4255 + # https://www.iana.org/assignments/dns-sshfp-rr-parameters/dns-sshfp-rr-parameters.xhtml + if key_prefix == 'ssh-rsa': Algorithm = 1 - if Split[0] == 'ssh-dss': + if key_prefix == 'ssh-dss': Algorithm = 2 - if Split[0] == 'ssh-ed25519': + if key_prefix == 'ssh-ed25519': Algorithm = 4 if Algorithm == None: continue - Fingerprint = hashlib.new('sha1', base64.decodestring(Split[1])).hexdigest() - DNSInfo.append("%sIN\tSSHFP\t%u 1 %s" % (TTLprefix, Algorithm, Fingerprint)) - Fingerprint = hashlib.new('sha256', base64.decodestring(Split[1])).hexdigest() - DNSInfo.append("%sIN\tSSHFP\t%u 2 %s" % (TTLprefix, Algorithm, Fingerprint)) + # and more from the registry + sshfp_digest_codepoints = [ (1, 'sha1'), (2, 'sha256') ] + + fingerprints = [ ( digest_codepoint, hashlib.new(algorithm, key).hexdigest() ) for digest_codepoint, algorithm in sshfp_digest_codepoints ] + for h in ssh_hostnames: + for digest_codepoint, fingerprint in fingerprints: + DNSInfo.append("%s.\t%sIN\tSSHFP\t%u %d %s" % (h, TTLprefix, Algorithm, digest_codepoint, fingerprint)) if 'architecture' in x[1]: Arch = GetAttr(x, "architecture") Mach = "" if x[1].has_key("machine"): Mach = " " + GetAttr(x, "machine") - DNSInfo.append("%sIN\tHINFO\t\"%s%s\" \"%s\"" % (TTLprefix, Arch, Mach, "Debian")) + DNSInfo.append("%s.\t%sIN\tHINFO\t\"%s%s\" \"%s\"" % (hostname, TTLprefix, Arch, Mach, "Debian")) if x[1].has_key("mXRecord"): for I in x[1]["mXRecord"]: if I in MX_remap: for e in MX_remap[I]: - DNSInfo.append("%sIN\tMX\t%s" % (TTLprefix, e)) + DNSInfo.append("%s.\t%sIN\tMX\t%s" % (hostname, TTLprefix, e)) else: - DNSInfo.append("%sIN\tMX\t%s" % (TTLprefix, I)) + DNSInfo.append("%s.\t%sIN\tMX\t%s" % (hostname, TTLprefix, I)) return DNSInfo @@ -928,40 +963,9 @@ def GenZoneRecords(host_attrs, File): if IsDebianHost.match(GetAttr(x, "hostname")) is None: continue - DNSInfo = ExtractDNSInfo(x) - start = True - for Line in DNSInfo: - if start == True: - Line = "%s.\t%s" % (GetAttr(x, "hostname"), Line) - start = False - else: - Line = "\t\t\t%s" % (Line) - + for Line in ExtractDNSInfo(x): F.write(Line + "\n") - # this would write sshfp lines for services on machines - # but we can't yet, since some are cnames and we'll make - # an invalid zonefile - # - # for i in x[1].get("purpose", []): - # m = PurposeHostField.match(i) - # if m: - # m = m.group(1) - # # we ignore [[*..]] entries - # if m.startswith('*'): - # continue - # if m.startswith('-'): - # m = m[1:] - # if m: - # if not m.endswith(HostDomain): - # continue - # if not m.endswith('.'): - # m = m + "." - # for Line in DNSInfo: - # if isSSHFP.match(Line): - # Line = "%s\t%s" % (m, Line) - # F.write(Line + "\n") - # Oops, something unspeakable happened. except: Die(File, F, None) @@ -1126,7 +1130,7 @@ def get_accounts(ldap_conn): "mailGreylisting", "mailCallout", "mailRBL", "mailRHSBL",\ "mailWhitelist", "sudoPassword", "objectClass", "accountStatus",\ "mailContentInspectionAction", "webPassword", "rtcPassword",\ - "bATVToken"]) + "bATVToken", "totpSeed"]) if passwd_attrs is None: raise UDEmptyList, "No Users" @@ -1139,7 +1143,8 @@ def get_hosts(ldap_conn): # Fetch all the hosts HostAttrs = ldap_conn.search_s(HostBaseDn, ldap.SCOPE_ONELEVEL, "objectClass=debianServer",\ ["hostname", "sshRSAHostKey", "purpose", "allowedGroups", "exportOptions",\ - "mXRecord", "ipHostNumber", "dnsTTL", "machine", "architecture"]) + "mXRecord", "ipHostNumber", "dnsTTL", "machine", "architecture", + "sshfpHostname"]) if HostAttrs == None: raise UDEmptyList, "No Hosts" @@ -1214,6 +1219,7 @@ def generate_all(global_dir, ldap_conn): GenMailList(accounts, global_dir + "mail-whitelist", "mailWhitelist") GenWebPassword(accounts, global_dir + "web-passwords") GenRtcPassword(accounts, global_dir + "rtc-passwords") + GenTOTPSeed(accounts, global_dir + "users.oath") GenKeyrings(global_dir) # Compatibility. @@ -1344,6 +1350,9 @@ def generate_host(host, global_dir, all_accounts, all_hosts, ssh_userkeys): if 'RTC-PASSWORDS' in ExtraList: DoLink(global_dir, OutDir, "rtc-passwords") + if 'TOTP' in ExtraList: + DoLink(global_dir, OutDir, "users.oath") + if 'KEYRING' in ExtraList: for k in Keyrings: bn = os.path.basename(k)