From 7903fe558aa8ef3f5b3494b27eddce0a9a0ce1ef Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 19 May 2008 08:56:21 +0200
Subject: [PATCH] * Export ssh-keys.tar.gz to [UNTRUSTED] hosts. Since we already export ssh-rsa-shadow this is probably the right thing. * Make keys in the ssh-keys tarball mode 0400 instead of mode 0600.
---
 debian/changelog | 8 ++++++++
 ud-generate | 11 ++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index c0e5019..4356b01 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+userdir-ldap (0.3.27) unstable; urgency=low
+
+ * Export ssh-keys.tar.gz to [UNTRUSTED] hosts. Since we already export
+ ssh-rsa-shadow this is probably the right thing.
+ * Make keys in the ssh-keys tarball mode 0400 instead of mode 0600.
+
+ -- Peter Palfrader Mon, 19 May 2008 08:55:28 +0200
+
 userdir-ldap (0.3.26) unstable; urgency=low
 * ud-replicate: sgran pointed out that if all we care about ignoring is
diff --git a/ud-generate b/ud-generate
index 6103fa8..b331c31 100755
--- a/ud-generate
+++ b/ud-generate
@@ -960,10 +960,6 @@ while(1):
 userlist = GenPasswd(l,OutDir+"passwd",Split[1], "x");
 sys.stdout.flush();
 grouprevmap = GenGroup(l,OutDir+"group");
- if ExtraList.has_key("[UNTRUSTED]"):
- continue;
- if not ExtraList.has_key("[NOPASSWD]"):
- GenShadow(l,OutDir+"shadow");
 # Now we know who we're allowing on the machine, export
 # the relevant ssh keys
@@ -1008,13 +1004,18 @@ while(1):
 # to give a shit^W^W^Wcare about the UIDoffset stuff.
 to.uname = f
 to.gname = grname
- to.mode = 0600
+ to.mode = 0400
 tf.addfile(to, file(os.path.join(GlobalDir, 'userkeys', f)))
 tf.close()
 os.rename(os.path.join(GlobalDir, 'ssh-keys-%s.tar.gz' % CurrentHost), os.path.join(OutDir, 'ssh-keys.tar.gz'))
+ if ExtraList.has_key("[UNTRUSTED]"):
+ continue;
+ if not ExtraList.has_key("[NOPASSWD]"):
+ GenShadow(l,OutDir+"shadow");
+
 # Link in global things
 DoLink(GlobalDir,OutDir,"markers");
 DoLink(GlobalDir,OutDir,"mail-forward.cdb");
--
2.20.1
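Review bot: The relocated `if ExtraList.has_key("[UNTRUSTED]"): continue;` is now the trust boundary for each host, but nothing in the code marks it as such. Every file written above it (passwd, group and now ssh-keys.tar.gz) reaches [UNTRUSTED] hosts. The lines between the two ud-generate hunks are not visible here, so it is worth confirming that nothing else generated in that stretch is sensitive. I would add a comment directly above the check, e.g. `# Trust boundary: outputs above are also exported to [UNTRUSTED] hosts; sensitive files go below.` The move also puts GenShadow after the tarball build, so an exception during the key export would presumably skip shadow generation for that host; the enclosing `while(1):` loop starts and ends outside the hunk.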