ChangeFrom = ConfModule.changefrom
ReplayCacheFile = ConfModule.replaycachefile
SSHFingerprintFile = ConfModule.fingerprintfile
+TOTPTicketDirectory = ConfModule.totpticketdirectory
+WebUILocation = ConfModule.webuilocation
UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
machine_regex = re.compile("^[0-9a-zA-Z.-]+$")
def HandleChTOTPSeed(Reply, DnRecord, Key):
# Generate a random seed
seed = binascii.hexlify(open("/dev/urandom", "r").read(32))
- msg = GPGEncrypt("Your new TOTP seed is '%s'\n" % (seed,), "0x" + Key[1], Key[4])
+ random_id = binascii.hexlify(open("/dev/urandom", "r").read(32))
+ totp_file_name = "%d-%s" % (time.time(), random_id,)
+
+ msg = GPGEncrypt("Please go to %s/fetch-totp-seed?id=%s\n to fetch your TOTP seed" % (WebUILocation, totp_file_name), "0x" + Key[1], Key[4])
if msg is None:
raise UDFormatError("Unable to generate the encrypted reply, gpg failed.")
Reply += TemplateSubst(Subst, open(TemplatesDir + "totp-seed-changed", "r").read())
lc = connect_to_ldap_and_check_if_locked(DnRecord)
+ # Save the seed so the user can pick it up.
+ f = open(os.path.join(TOTPTicketDirectory, totp_file_name), os.O_WRONLY | os.O_CREAT)
+ f.write(seed)
+ f.close()
+
# Modify the password
Rec = [(ldap.MOD_REPLACE, "totpSeed", seed)]
Dn = "uid=" + GetAttr(DnRecord, "uid") + "," + BaseDn
websearchresulthtml = "searchresults.html";
webupdatehtml = "update.html";
hosthtml = "hostinfo.html";
+webuilocation = "https://db.debian.org";
webloginurl = "login.cgi";
websearchurl = "search.cgi";
# When should authentication tokens expire?
authexpires = 600;
+# Where should totp tickets be stored while waiting for pickup?
+totpticketdirectory = "/var/cache/userdir-ldap/totp";
+
# How many bytes to use for the blowfish key (max = 56 (448 bits))
blowfishkeylen = 10;
projects / mirror / userdir-ldap.git / commitdiff