-userdir-ldap (0.3.23+common1) unstable; urgency=low
-
- [ Andreas Barth ]
- * Add compatibility to dchroot-dsa to ud-replicate.
- * Add (disabled) generation of authorized_keys suiteable for sshdist.
- * Add performance optimization by caching IP adresses in ud-generate
- (as a precondition for automatically adding aliases)
-
- [ Stephen Gran ]
- * ud-replicate: handle individual ssh keys
-
- [ Mark Hymers ]
- * ud-generate: handle individual ssh keys
-
- -- Mark Hymers <mhy@debian.org> Wed, 14 May 2008 22:09:22 +0100
+userdir-ldap (0.3.25) unstable; urgency=low
+
+ * Make ssh-keys.tar.gz readable only by the user.
+
+ -- Peter Palfrader <weasel@debian.org> Sat, 17 May 2008 16:14:56 +0200
+
+userdir-ldap (0.3.24) unstable; urgency=low
+
+ * ud-mailgate: better regex for ssh1 keys, which we reject. [joerg, weasel]
+ * ud-replicate: Also support the imposter dchroot-dsa from the debian
+ archive. [aba, weasel]
+ * ud-generate: Add support for generation of authorized_keys file on
+ the db host for the sshdist user. This is now possible since
+ ud-replicate clients use their ssh host key to authenticate to the
+ db server. The code now supports this but the feature is still
+ disabled. [aba]
+ * ud-generate: Add performance optimization by resolving IP adresses
+ for hosts only once and caching the result. [aba]
+ * ud-replicate, ud-generate: In addition to one big ssh-rsa-shadow file
+ ud-generate now produces per-user authorized_keys files and tars
+ them up. On the receiving end ud-replicate takes the tar and
+ syncs it to userkeys/. The goal here is to no longer require
+ a patched sshd. Setting AuthorizedKeysFile2 to
+ /var/lib/misc/userkeys/%u is sufficient. For homedir creation
+ we can use pam_mkhomedir. [mhy, sgran]
+
+ -- Peter Palfrader <weasel@debian.org> Sat, 17 May 2008 14:49:28 +0200
userdir-ldap (0.3.23) unstable; urgency=low
if len(GetAttr(x,"gecos")) > 100 or len(GetAttr(x,"loginShell")) > 50:
continue;
- userlist[GetAttr(x, "uid")] = GetAttr(x, "gidNumber")
+ userlist[GetAttr(x, "uid")] = int(GetAttr(x, "gidNumber"))
Line = "%s:%s:%s:%s:%s:%s%s:%s" % (GetAttr(x,"uid"),\
PwdMarker,\
GetAttr(x,"uidNumber"),GetAttr(x,"gidNumber"),\
# Now we know who we're allowing on the machine, export
# the relevant ssh keys
if MultipleSSHFiles:
+ OldMask = os.umask(0077);
tf = tarfile.open(name=os.path.join(GlobalDir, 'ssh-keys-%s.tar.gz' % CurrentHost), mode='w:gz')
+ os.umask(OldMask);
for f in userlist.keys():
if f not in SSHFiles:
continue
# In these cases, look it up in the normal way so we
# deal with cases where, for instance, users are in group
# users as their primary group.
- grname = grp.getgrgid(int(userlist[f]))[0]
+ grname = grp.getgrgid(userlist[f])[0]
except Exception, e:
pass
if grname is None:
- print "User %s is supposed to have their key exported to host %s but their primary group (gid: %s) isn't in LDAP" % (f, CurrentHost, userlist[f])
+ print "User %s is supposed to have their key exported to host %s but their primary group (gid: %d) isn't in LDAP" % (f, CurrentHost, userlist[f])
continue
to = tf.gettarinfo(os.path.join(GlobalDir, 'userkeys', f), f)
DNS = {}
SSHFingerprint = re.compile('^(\d+) ([0-9a-f\:]{47}) (.+)$')
-SSHRSA1Match = re.compile('^\d+ (\d+) \d+ .*')
+SSHRSA1Match = re.compile('^^(.* )?\d+ \d+ \d+')
ArbChanges = {"c": "..",
"l": ".*",
g = Match.groups()
typekey = g[1]
if Match == None:
- Match =SSHRSA1Match.match(Str)
+ Match = SSHRSA1Match.match(Str)
if Match is not None:
return "RSA1 keys not supported anymore"
return None;
# Copyright (c) 2002-2003,2006 Ryan Murray <rmurray@debian.org>
# Copyright (c) 2004-2005 Joey Schulze <joey@infodrom.org>
# Copyright (c) 2008 Peter Palfrader <peter@palfrader.org>
-# Copyright (©) 2008 Stephen Gran <sgran@debian.org>
+# Copyright (c) 2008 Stephen Gran <sgran@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
ln -sf `pwd -P`/ssh_known_hosts /etc/ssh
if [ -e ${HOST}/ssh-keys.tar.gz ]; then
- export TMPDIR='/tmp/'
+ export TMPDIR='/tmp/'
tempdir=$(mktemp -d)
- old=$(pwd -P)
- cd $tempdir && tar -xf ${old}/${HOST}/ssh-keys.tar.gz
- cd $old
- mkdir userkeys 2> /dev/null || true
+ tar -C "$tempdir" -xf ${HOST}/ssh-keys.tar.gz
+ [ -d userkeys ] || mkdir userkeys
chmod 755 $tempdir
rsync -a --delete-after $tempdir/ userkeys/
fi
+CHROOTS=""
if [ -x /usr/bin/dchroot ]; then
CHROOTS=`dchroot --listpaths`
-fi
-if [ -x /usr/bin/dchroot-dsa ]; then
- CHROOTS=$(dchroot-dsa -i | grep Location | awk '{print $2}')
+elif [ -x /usr/bin/dchroot-dsa ]; then
+ CHROOTS=$(dchroot-dsa -i | grep Location | awk '{print $2}')
fi
if [ -n "$CHROOTS" ]; then
for c in $CHROOTS; do
projects / mirror / userdir-ldap.git / commitdiff