Diffstat (limited to 'src')
-rw-r--r-- | src/man/sss_obfuscate.8.xml | 113 | ||||
-rw-r--r-- | src/tools/sss_obfuscate | 81 |
2 files changed, 194 insertions, 0 deletions
diff --git a/src/man/sss_obfuscate.8.xml b/src/man/sss_obfuscate.8.xml
new file mode 100644
index 00000000..55bb1c33
--- /dev/null
+++ b/src/man/sss_obfuscate.8.xml
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_obfuscate</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_obfuscate</refname>
+ <refpurpose>obfuscate a clear text password</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_obfuscate</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>[PASSWORD]</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_obfuscate</command> converts a given password into
+ human-unreadable format and places it into appropriate domain
+ section of the SSSD config file.
+ </para>
+ <para>
+ The cleartext password can be specified as an extra argument to the
+ program or read from standard input.
+ The obfuscated password is put into <quote>ldap_default_authtok</quote>
+ parameter of a given SSSD domain and the
+ <quote>ldap_default_authtok_type</quote> parameter is set to
+ <quote>obfuscated_password</quote>. Refer to
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ for more details on these parameters.
+ </para>
+ <para>
+ Please note that obfuscating the password provides <emphasis>no
+ real security benefit</emphasis> as it is still possible for an
+ attacker to reverse-engineer the password back. Using better
+ authentication mechanisms such as client side certificates or GSSAPI
+ is <emphasis>strongly</emphasis> advised.
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ <varlistentry>
+ <term>
+ <option>-s</option>,<option>--stdin</option>
+ </term>
+ <listitem>
+ <para>
+ The password to obfuscate will be read from standard
+ input.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-d</option>,<option>--domain</option>
+ <replaceable>DOMAIN</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The SSSD domain to use the password in. The
+ default name is <quote>default</quote>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-f</option>,<option>--file</option>
+ <replaceable>FILE</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Read the config file specified by the positional
+ parameter.
+ </para>
+ <para>
+ Default: <filename>/etc/sssd/sssd.conf</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/tools/sss_obfuscate b/src/tools/sss_obfuscate
new file mode 100644
index 00000000..220cd9be
--- /dev/null
+++ b/src/tools/sss_obfuscate
@@ -0,0 +1,81 @@
+#!/usr/bin/python
+
+import sys
+from optparse import OptionParser
+
+import pysss
+import SSSDConfig
+
+def parse_options():
+ parser = OptionParser()
+ parser.add_option("-s", "--stdin", action="store_true",
+ dest="stdin", default=False,
+ help="Read input from stdin")
+ parser.add_option("-d", "--domain",
+ dest="domain", default="default",
+ help="The domain to use the password in (default: default)",
+ metavar="DOMNAME")
+ parser.add_option("-f", "--file",
+ dest="filename", default=None,
+ help="Set input file to FILE (default: Use system default, usually /etc/sssd/sssd.conf)",
+ metavar="FILE")
+ (options, args) = parser.parse_args()
+
+ # If no password given as positional paramater, read up from stdin
+ if len(args) == 0:
+ options.stdin = True
+
+ return options, args
+
+def main():
+ options, args = parse_options()
+ if not options:
+ print >>sys.stderr, "Cannot parse options"
+ return 1
+
+ if not options.stdin:
+ try:
+ password = args[0]
+ except IndexError: # should never happen
+ print "Missing password parameter!"
+ return 1
+ else:
+ try:
+ password = sys.stdin.read()
+ except KeyboardInterrupt:
+ return 1
+
+ # Obfuscate the password
+ obfobj = pysss.password()
+ obfpwd = obfobj.encrypt(password, obfobj.AES_256)
+
+ # Save the obfuscated password into the domain
+ sssdconfig = SSSDConfig.SSSDConfig()
+ try:
+ sssdconfig.import_config(options.filename)
+ except IOError:
+ print "Cannot open config file %s" % options.filename
+ return 1
+
+ try:
+ domain = sssdconfig.get_domain(options.domain)
+ except SSSDConfig.NoDomainError:
+ print "No such domain %s" % options.domain
+ return 1
+
+ try:
+ domain.set_option('ldap_default_authtok_type', 'obfuscated_password')
+ domain.set_option('ldap_default_authtok', obfpwd)
+ except SSSDConfig.NoOptionError:
+ print "The domain %s does not seem to support the required options" % \
+ options.domain
+ return 1
+
+
+ sssdconfig.save_domain(domain)
+ sssdconfig.write()
+ return 0
+
+if __name__ == "__main__":
+ ret = main()
+ sys.exit(ret)
|
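Review bot: `password = sys.stdin.read()` in the `--stdin` branch of main() keeps the trailing newline, so a password piped in by `echo` is obfuscated as `secret\n` and the stored ldap_default_authtok will not match the actual bind password; strip it before calling `obfobj.encrypt`, e.g. `if password.endswith('\n'): password = password[:-1]`. Accepting the cleartext password as a positional argument (`password = args[0]`) exposes it in the process list and in shell history, which is a more realistic leak than the obfuscation weakness the man page already warns about; reading it with `getpass.getpass()` when stdin is a terminal, and documenting the argv caveat, would be the safer default. The error paths after `Cannot parse options` are inconsistent: that message goes to `sys.stderr` while `Cannot open config file %s`, `No such domain %s` and the NoOptionError message go to stdout, so they will end up in any output a caller captures. Whether `sssdconfig.write()` preserves the restrictive mode of sssd.conf cannot be seen from this hunk; since the file now carries a reversible credential, that is worth confirming in SSSDConfig.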