From: Joerg Jaspert Date: Sun, 18 May 2008 10:49:46 +0000 (+0200) Subject: Merge from Debian X-Git-Tag: userdir-ldap-0.3.26^2~1 X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=commitdiff_plain;h=df2513d8d7f4a2094790a7674eedbf34f46bbf0b;hp=88a19a6e47a1c577474311d016ae5d26a72a4029 Merge from Debian --- diff --git a/debian/changelog b/debian/changelog index ffc9300..b71d365 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,18 +1,30 @@ -userdir-ldap (0.3.23+common1) unstable; urgency=low - - [ Andreas Barth ] - * Add compatibility to dchroot-dsa to ud-replicate. - * Add (disabled) generation of authorized_keys suiteable for sshdist. - * Add performance optimization by caching IP adresses in ud-generate - (as a precondition for automatically adding aliases) - - [ Stephen Gran ] - * ud-replicate: handle individual ssh keys - - [ Mark Hymers ] - * ud-generate: handle individual ssh keys - - -- Mark Hymers Wed, 14 May 2008 22:09:22 +0100 +userdir-ldap (0.3.25) unstable; urgency=low + + * Make ssh-keys.tar.gz readable only by the user. + + -- Peter Palfrader Sat, 17 May 2008 16:14:56 +0200 + +userdir-ldap (0.3.24) unstable; urgency=low + + * ud-mailgate: better regex for ssh1 keys, which we reject. [joerg, weasel] + * ud-replicate: Also support the imposter dchroot-dsa from the debian + archive. [aba, weasel] + * ud-generate: Add support for generation of authorized_keys file on + the db host for the sshdist user. This is now possible since + ud-replicate clients use their ssh host key to authenticate to the + db server. The code now supports this but the feature is still + disabled. [aba] + * ud-generate: Add performance optimization by resolving IP adresses + for hosts only once and caching the result. [aba] + * ud-replicate, ud-generate: In addition to one big ssh-rsa-shadow file + ud-generate now produces per-user authorized_keys files and tars + them up. On the receiving end ud-replicate takes the tar and + syncs it to userkeys/. The goal here is to no longer require + a patched sshd. Setting AuthorizedKeysFile2 to + /var/lib/misc/userkeys/%u is sufficient. For homedir creation + we can use pam_mkhomedir. [mhy, sgran] + + -- Peter Palfrader Sat, 17 May 2008 14:49:28 +0200 userdir-ldap (0.3.23) unstable; urgency=low diff --git a/ud-generate b/ud-generate index b48cdc3..6103fa8 100755 --- a/ud-generate +++ b/ud-generate @@ -131,7 +131,7 @@ def GenPasswd(l,File,HomePrefix,PwdMarker): if len(GetAttr(x,"gecos")) > 100 or len(GetAttr(x,"loginShell")) > 50: continue; - userlist[GetAttr(x, "uid")] = GetAttr(x, "gidNumber") + userlist[GetAttr(x, "uid")] = int(GetAttr(x, "gidNumber")) Line = "%s:%s:%s:%s:%s:%s%s:%s" % (GetAttr(x,"uid"),\ PwdMarker,\ GetAttr(x,"uidNumber"),GetAttr(x,"gidNumber"),\ @@ -968,7 +968,9 @@ while(1): # Now we know who we're allowing on the machine, export # the relevant ssh keys if MultipleSSHFiles: + OldMask = os.umask(0077); tf = tarfile.open(name=os.path.join(GlobalDir, 'ssh-keys-%s.tar.gz' % CurrentHost), mode='w:gz') + os.umask(OldMask); for f in userlist.keys(): if f not in SSHFiles: continue @@ -983,12 +985,12 @@ while(1): # In these cases, look it up in the normal way so we # deal with cases where, for instance, users are in group # users as their primary group. - grname = grp.getgrgid(int(userlist[f]))[0] + grname = grp.getgrgid(userlist[f])[0] except Exception, e: pass if grname is None: - print "User %s is supposed to have their key exported to host %s but their primary group (gid: %s) isn't in LDAP" % (f, CurrentHost, userlist[f]) + print "User %s is supposed to have their key exported to host %s but their primary group (gid: %d) isn't in LDAP" % (f, CurrentHost, userlist[f]) continue to = tf.gettarinfo(os.path.join(GlobalDir, 'userkeys', f), f) diff --git a/ud-mailgate b/ud-mailgate index b158ba8..4da4382 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -30,7 +30,7 @@ SeenList = {} DNS = {} SSHFingerprint = re.compile('^(\d+) ([0-9a-f\:]{47}) (.+)$') -SSHRSA1Match = re.compile('^\d+ (\d+) \d+ .*') +SSHRSA1Match = re.compile('^^(.* )?\d+ \d+ \d+') ArbChanges = {"c": "..", "l": ".*", @@ -242,7 +242,7 @@ def DoSSH(Str, Attrs, badkeys, uid): g = Match.groups() typekey = g[1] if Match == None: - Match =SSHRSA1Match.match(Str) + Match = SSHRSA1Match.match(Str) if Match is not None: return "RSA1 keys not supported anymore" return None; diff --git a/ud-replicate b/ud-replicate index d1c0b24..d2a065f 100755 --- a/ud-replicate +++ b/ud-replicate @@ -4,7 +4,7 @@ # Copyright (c) 2002-2003,2006 Ryan Murray # Copyright (c) 2004-2005 Joey Schulze # Copyright (c) 2008 Peter Palfrader -# Copyright (©) 2008 Stephen Gran +# Copyright (c) 2008 Stephen Gran # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -78,21 +78,19 @@ ln -sf `pwd -P`/ssh-rsa-shadow /etc/ssh ln -sf `pwd -P`/ssh_known_hosts /etc/ssh if [ -e ${HOST}/ssh-keys.tar.gz ]; then - export TMPDIR='/tmp/' + export TMPDIR='/tmp/' tempdir=$(mktemp -d) - old=$(pwd -P) - cd $tempdir && tar -xf ${old}/${HOST}/ssh-keys.tar.gz - cd $old - mkdir userkeys 2> /dev/null || true + tar -C "$tempdir" -xf ${HOST}/ssh-keys.tar.gz + [ -d userkeys ] || mkdir userkeys chmod 755 $tempdir rsync -a --delete-after $tempdir/ userkeys/ fi +CHROOTS="" if [ -x /usr/bin/dchroot ]; then CHROOTS=`dchroot --listpaths` -fi -if [ -x /usr/bin/dchroot-dsa ]; then - CHROOTS=$(dchroot-dsa -i | grep Location | awk '{print $2}') +elif [ -x /usr/bin/dchroot-dsa ]; then + CHROOTS=$(dchroot-dsa -i | grep Location | awk '{print $2}') fi if [ -n "$CHROOTS" ]; then for c in $CHROOTS; do