sss_obfuscate revision c9f6ca2ca7399c301853ff774c20883fef2b2267
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek#!/usr/bin/python
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozekimport sys
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozekfrom optparse import OptionParser
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozekimport pysss
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozekimport SSSDConfig
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagherimport getpass
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozekdef parse_options():
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek parser = OptionParser()
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher parser.set_description("sss_obfuscate converts a given password into \
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher human-unreadable format and places it into \
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher appropriate domain section of the SSSD config \
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher file. The password can be passed in by stdin, \
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher specified on the command-line or entered \
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher interactively")
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek parser.add_option("-s", "--stdin", action="store_true",
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek dest="stdin", default=False,
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher help="Read the password from stdin.")
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek parser.add_option("-d", "--domain",
c9f6ca2ca7399c301853ff774c20883fef2b2267Stephen Gallagher dest="domain", default=None,
c9f6ca2ca7399c301853ff774c20883fef2b2267Stephen Gallagher help="The domain to use the password in (mandatory)",
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek metavar="DOMNAME")
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek parser.add_option("-f", "--file",
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek dest="filename", default=None,
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek help="Set input file to FILE (default: Use system default, usually /etc/sssd/sssd.conf)",
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek metavar="FILE")
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher parser.add_option("-p", "--password",
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher dest="password", default=None,
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher help="Password to obfuscate.",
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher metavar="PASSWORD")
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek (options, args) = parser.parse_args()
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek return options, args
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozekdef main():
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek options, args = parse_options()
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek if not options:
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher print >> sys.stderr, "Cannot parse options"
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek return 1
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
c9f6ca2ca7399c301853ff774c20883fef2b2267Stephen Gallagher if not options.domain:
c9f6ca2ca7399c301853ff774c20883fef2b2267Stephen Gallagher print >> sys.stderr, "No domain specified"
c9f6ca2ca7399c301853ff774c20883fef2b2267Stephen Gallagher return 1
c9f6ca2ca7399c301853ff774c20883fef2b2267Stephen Gallagher
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher if not options.stdin and not options.password:
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher pprompt = lambda: (getpass.getpass("Enter password: "), getpass.getpass("Re-enter password: "))
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher p1, p2 = pprompt()
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher while p1 != p2:
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher print('Passwords do not match. Try again')
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher p1, p2 = pprompt()
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher password = p1
8d00718b943ab8b326320feb50820f0663031817Stephen Gallagher
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek else:
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek try:
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek password = sys.stdin.read()
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek except KeyboardInterrupt:
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek return 1
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek # Obfuscate the password
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek obfobj = pysss.password()
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek obfpwd = obfobj.encrypt(password, obfobj.AES_256)
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek # Save the obfuscated password into the domain
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek sssdconfig = SSSDConfig.SSSDConfig()
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek try:
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek sssdconfig.import_config(options.filename)
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek except IOError:
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek print "Cannot open config file %s" % options.filename
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek return 1
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek try:
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek domain = sssdconfig.get_domain(options.domain)
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek except SSSDConfig.NoDomainError:
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek print "No such domain %s" % options.domain
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek return 1
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek try:
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek domain.set_option('ldap_default_authtok_type', 'obfuscated_password')
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek domain.set_option('ldap_default_authtok', obfpwd)
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek except SSSDConfig.NoOptionError:
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek print "The domain %s does not seem to support the required options" % \
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek options.domain
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek return 1
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek sssdconfig.save_domain(domain)
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek sssdconfig.write()
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek return 0
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozekif __name__ == "__main__":
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek ret = main()
530ba03ecabb472f17d5d1ab546aec9390492de1Jakub Hrozek sys.exit(ret)