Commit 4675c289 authored by Alain Takoudjou's avatar Alain Takoudjou

slapformat: set login shell for slapuser and lock login by password

parent 5c7ca228
...@@ -644,6 +644,7 @@ class User(object): ...@@ -644,6 +644,7 @@ class User(object):
user_name: string, the name of the user, who will have is home in user_name: string, the name of the user, who will have is home in
""" """
self.name = str(user_name) self.name = str(user_name)
self.shell = '/bin/sh'
self.additional_group_list = additional_group_list self.additional_group_list = additional_group_list
def __getinitargs__(self): def __getinitargs__(self):
...@@ -669,7 +670,7 @@ class User(object): ...@@ -669,7 +670,7 @@ class User(object):
except KeyError: except KeyError:
callAndRead(['groupadd', grpname]) callAndRead(['groupadd', grpname])
user_parameter_list = ['-d', self.path, '-g', self.name] user_parameter_list = ['-d', self.path, '-g', self.name, '-s', self.shell]
if self.additional_group_list is not None: if self.additional_group_list is not None:
user_parameter_list.extend(['-G', ','.join(self.additional_group_list)]) user_parameter_list.extend(['-G', ','.join(self.additional_group_list)])
user_parameter_list.append(self.name) user_parameter_list.append(self.name)
...@@ -680,6 +681,8 @@ class User(object): ...@@ -680,6 +681,8 @@ class User(object):
callAndRead(['useradd'] + user_parameter_list) callAndRead(['useradd'] + user_parameter_list)
else: else:
callAndRead(['usermod'] + user_parameter_list) callAndRead(['usermod'] + user_parameter_list)
# lock the password of user
callAndRead(['passwd', '-l', self.name])
return True return True
...@@ -1342,7 +1345,7 @@ class FormatConfig(object): ...@@ -1342,7 +1345,7 @@ class FormatConfig(object):
if not self.dry_run: if not self.dry_run:
if self.alter_user: if self.alter_user:
self.checkRequiredBinary(['groupadd', 'useradd', 'usermod']) self.checkRequiredBinary(['groupadd', 'useradd', 'usermod', 'passwd'])
if self.create_tap: if self.create_tap:
self.checkRequiredBinary([['tunctl', '-d']]) self.checkRequiredBinary([['tunctl', '-d']])
if self.tap_gateway_interface: if self.tap_gateway_interface:
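Review bot: The new `callAndRead(['passwd', '-l', self.name])` after the `useradd`/`usermod` branch only disables password authentication, while the same commit gives the account a usable login shell (`self.shell = '/bin/sh'`, passed with `-s`), so the slapuser can still be entered by other means such as an SSH key. If that is the intent, the comment should say so, e.g. `# lock password login only; key-based login with self.shell remains possible`. If no interactive login is wanted, a non-login shell or account expiry would be needed as well. The lock also appears to be re-applied on every run that reaches this point, which would override a password an administrator set by hand and is worth a line in the method docstring. The enclosing method starts outside the visible hunks and indentation is lost on this page, so whether the call sits inside the `else` branch cannot be confirmed here.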
  • @alain.takoudjou pasting it here so that it does not get lost (as you are offline on jabber)

    [13:12:22] <kirr> I checked openssh code
    [13:12:45] <kirr> it explicitly disabled logging in as "invalid" user by key:
    [13:13:44] <kirr> https://github.com/openssh/openssh-portable/blob/master/auth2-pubkey.c#L88
    [13:13:51] <kirr> we can patch it though
    [13:14:06] <kirr> for the reference I've added the following to sshd config to get to that point:
    [13:14:30] <kirr> StrictModes no

    /cc @Nicolas
