Pass = None
for entry in x[1]['sudoPassword']:
- Match = re.compile('^('+UUID_FORMAT+') (confirmed|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry.lower())
+ Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry.lower())
if Match == None:
continue
+ uuid = Match.group(1)
status = Match.group(2)
hosts = Match.group(3)
cryptedpass = Match.group(4)
- if status != 'confirmed':
+ if status != 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass):
continue
for_all = hosts == "*"
for_this_host = CurrentHost in hosts.split(',')
"VoIP": None,
};
-def make_hmac(str):
- F = open(PassDir+"/key-hmac-"+pwd.getpwuid(os.getuid())[0],"r");
- key = F.readline().strip()
- F.close();
-
- return hmac.new(key, str, sha1_module).hexdigest()
-
-
# Decode a GPS location from some common forms
def LocDecode(Str,Dir):
newldap = []
for entry in inldap:
- Match = re.compile('^('+UUID_FORMAT+') (confirmed|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry.lower())
+ Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry.lower())
if Match == None:
raise Error, "Could not parse existing sudopasswd entry"
uuid = Match.group(1)
if SudoPasswd.has_key(uuid):
confirmedHosts = SudoPasswd[uuid][0]
confirmedHmac = SudoPasswd[uuid][1]
- if status == "confirmed":
- result = result + "Entry %s for sudo password on hosts %s already confirmed.\n"%(uuid, hosts)
+ if status.startswith('confirmed:'):
+ if status == 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass):
+ result = result + "Entry %s for sudo password on hosts %s already confirmed.\n"%(uuid, hosts)
+ else:
+ result = result + "Entry %s for sudo password on hosts %s is listed as confirmed, but HMAC does not verify.\n"%(uuid, hosts)
elif confirmedHosts != hosts:
result = result + "Entry %s hostlist mismatch (%s vs. %s).\n"%(uuid, hosts, confirmedHosts)
- elif make_hmac(':'.join([uuid, hosts, cryptedpass])) == confirmedHmac:
+ elif make_sudopasswd_hmac('confirm-new-password', uuid, hosts, cryptedpass) == confirmedHmac:
result = result + "Entry %s for sudo password on hosts %s now confirmed.\n"%(uuid, hosts)
- status = 'confirmed'
+ status = 'confirmed:'+make_sudopasswd_hmac('password-is-confirmed', uuid, hosts, cryptedpass)
else:
result = result + "Entry %s for sudo password on hosts %s HMAC verify failed.\n"%(uuid, hosts)
del SudoPasswd[uuid]
ConfModule = imp.load_source("userdir_config","/etc/userdir-ldap.conf",File);
File.close();
+File = open(PassDir+"/key-hmac-"+pwd.getpwuid(os.getuid())[0],"r");
+HmacKey = F.readline().strip()
+File.close();
+
# Cheap hack
BaseDn = ConfModule.basedn;
HostBaseDn = ConfModule.hostbasedn;
return int(GetAttr(res[0], "gidNumber"))
return -1
+
+def make_hmac(str):
+ return hmac.new(HmacKey, str, sha1_module).hexdigest()
+
+def make_sudopasswd_hmac(purpose, uuid, hosts, cryptedpass):
+ return make_hmac(':'.join([purpose, uuid, hosts, cryptedpass]))
projects / mirror / userdir-ldap.git / commitdiff