Match = SSHFingerprint.match(output)
g = Match.groups()
- if int(g[0]) < 1024:
+ if typekey == "ssh-rsa":
+ key_size_ok = (g[0]) >= 2048)
+ elif typekey == "ed25519":
+ key_size_ok = True
+ else:
+ key_size_ok = False
+
+ if not key_size_ok:
try:
# Body
- Subst["__ERROR__"] = "SSH keysize %s is below limit 1024" % (g[0])
+ Subst["__ERROR__"] = "SSH key fails formal criteria. We only accept RSA keys (>= 2048 bits) or ed25519 keys." % (g[0])
ErrReply = TemplateSubst(Subst,open(TemplatesDir+"admin-info","r").read())
Child = os.popen("/usr/sbin/sendmail -t","w")
sys.exit(EX_TEMPFAIL)
# And now break and stop processing input, which sends a reply to the user.
- raise UDFormatError, "SSH keys must have at least 1024 bits, processing halted, NOTHING MODIFIED AT ALL"
+ raise UDFormatError, "SSH key fails formal criteria, NOTHING MODIFIED AT ALL"
elif g[1] in badkeys:
try:
# Body
# And now break and stop processing input, which sends a reply to the user.
raise UDFormatError, "Submitted SSH Key known to be bad and insecure, processing halted, NOTHING MODIFIED AT ALL"
- if (typekey == "dss"):
- return "DSA keys not accepted anymore"
-
global SeenKey;
if SeenKey:
Attrs.append((ldap.MOD_ADD,"sshRSAAuthKey",Str));
return "SSH Key added "+FormatSSHAuth(Str);
-
+
Attrs.append((ldap.MOD_REPLACE,"sshRSAAuthKey",Str));
SeenKey = 1;
return "SSH Keys replaced with "+FormatSSHAuth(Str);
# SSH Key splitting. The result is:
# (options,size,modulous,exponent,comment)
SSHAuthSplit = re.compile('^(.* )?(\d+) (\d+) (\d+) ?(.+)$');
-SSH2AuthSplit = re.compile('^(.* )?ssh-(dss|rsa) ([a-zA-Z0-9=/+]+) ?(.+)$');
+SSH2AuthSplit = re.compile('^(.* )?ssh-(dss|rsa|ecdsa-sha2-nistp(?:256|384|521)|ed25519) ([a-zA-Z0-9=/+]+) ?(.+)$');
#'^([^\d](?:[^ "]+(?:".*")?)*)? ?(\d+) (\d+) (\d+) (.+)$');
AddressSplit = re.compile("(.*).*<([^@]*)@([^>]*)>");
projects / mirror / userdir-ldap.git / commitdiff