rde-sshproxy Code

165 lines (136 with data), 5.7 kB

#!/usr/bin/python
# -*- coding: ISO-8859-15 -*-
#
# Copyright (C) 2005-2007 David Guerizec <david@guerizec.net>
#
# Last modified: 2006 Sep 20, 01:35:30 by david
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301  USA

import sys, os, pwd
from optparse import OptionParser

from sshproxy import __version__

usage = """
  %prog [--config-dir CFGDIR] [--user USER]
      Launch sshproxy setup tool.
  
  %prog [--config-dir CFGDIR] [-u USER] --add-admin USERNAME
      Add an sshproxy administrator.

  %prog [--config-dir CFGDIR] [-u USER] --cipher ENGINE [--keep] [--dry-run]
      Recipher the database.
"""

version = "%prog " + __version__

parser = OptionParser(usage=usage, version=version)

##### runtime options
parser.add_option("-c", "--config-dir", dest="config", default=None,
                    help="configuration directory (default: ~/.sshproxy).",
                    metavar="CFGDIR")

parser.add_option("-u", "--user", dest="user", default=None,
                    help="run as user USER.",
                    metavar="USER")

#parser.add_option("-V", "--version", dest="version", default=None,
#                    help="Show the version number.")

parser.add_option("", "--add-admin", dest="admin", default=None,
                    help="Add a new admin to the client database. The "
                         "admin's password will be prompted.",
                    metavar="USERNAME")
##### recipher options
parser.add_option("", "--cipher", dest="cipher", default=None,
                    help="cipher rlogin passwords with ENGINE. "
                         "ENGINE can be one of plain, base64 or blowfish. "
                         "The password will be prompted, if needed, or if "
                         "- is on the command line, it will be read "
                         "from stdin.",
                    metavar="ENGINE")
parser.add_option("-k", "--keep", dest="keep", default=False,
                    help="Along with --cipher, keep the old secret "
                         "(do not ask for a new secret). "
                         "This option has no effect with other options.",
                    action="store_true")
parser.add_option("-n", "--dry-run", dest="dry_run", default=False,
                    help="Along with --cipher, do not modify anything. "
                         "This option has no effect with other options.",
                    action="store_true")

(options, args) = parser.parse_args()

os.environ['SSHPROXY_CONFIG'] = (options.config
                                or os.environ.get('SSHPROXY_CONFIG', ''))
if not os.environ['SSHPROXY_CONFIG'] and options.user:
    os.environ['SSHPROXY_CONFIG'] = os.path.join(pwd.getpwnam(options.user)[5],
                                                    '.sshproxy')

if os.getuid() != 0:
    if options.user:
        print "Error: the --user option has no effect if not run as root."
        sys.exit(1)
    run_as_root = False
else:
    if not options.user:
        print "Error: the --user option must be given if run as root."
        sys.exit(1)
    elif options.user == 'root':
        print "Error: for security reasons, you cannot run sshproxy as root."
        sys.exit(1)
    run_as_root = True


def change_uid(user):
    if not run_as_root or not user:
        return
    from sshproxy import util
    uid = util.getuid(user)
    os.seteuid(0)
    os.setgid(util.getgid(user))
    os.setgroups(util.getgrouplist(user))
    os.setuid(uid)
    #os.makedirs(os.environ['SSHPROXY_CONFIG'])


exclusive_options = ('add-admin', 'cipher')
nb_opt = 0
for opt in exclusive_options:
    if getattr(options, opt.replace('-', '_'), None):
        nb_opt += 1

if nb_opt > 1:
    print "Options %s are mutually exclusives." % ', '.join(exclusive_options)
    sys.exit(1)


if options.admin:
    from getpass import getpass
    import sha
    from sshproxy.plugins import init_plugins
    init_plugins()
    from sshproxy.backend import Backend
    from sshproxy.acl import ACLDB

    change_uid(options.user)
    backend = Backend()
    password = getpass("Enter password for user %s:" % options.admin)
    passwordv = getpass("Enter password again:")
    if password != passwordv:
        print "Passwords don't match!"
    else:
        password = sha.new(password).hexdigest()
        backend.add_client(options.admin, password=password)
        print "Admin %s added." % options.admin
        aclrule = 'client.username == "%s"' % options.admin
        acldb = ACLDB()
        for acl in ('authenticate', 'authorize', 'admin', 'console_session'):
            acldb.add_rule(acl, aclrule)
        acldb.save_rules()


elif options.cipher:
    from sshproxy.plugins import init_plugins
    init_plugins()
    from sshproxy import cipher

    change_uid(options.user)
    password = options.keep
    if '-' in args:
        password = sys.stdin
    cipher.recipher(options.cipher, password, options.dry_run)

else:
    os.environ['SSHPROXY_WIZARD'] = "yes"
    change_uid(options.user)

    from sshproxy import wizard
    wizard.setup(options.user)