LDAP Gateway

The LDAP directory has a PGP secured mail gateway that allows users to safely and conveniently effect changes to their entries. It makes use of PGP signed input messages to positively identify the user and to confirm the validity of the request. Furthermore it implements a replay cache that prevents the gateway from accepting the same message more than once.

There are three functions logically split into 3 separate email addresses that are implemented by the gateway: ping, new password and changes. The function to act on is the first argument to the program.

Error handling is currently done by generating a bounce message and passing descriptive error text to the mailer. This can generate a somewhat hard to read error message, but it does have all the relevant information.

Ping

The ping command simply returns the users public record. It is useful for testing the gateway and for the requester to get a basic dump of their record. In future this address might 'freshen' the record to indicate the user is alive. Any PGP signed message will produce a reply.

New Password

If a user loses their password they can request that a new one be generated for them. This is done by sending the phrase "Please change my Tor password" to chpasswd@db.torproject.org. The phrase is required to prevent the daemon from triggering on arbitrary signed email. The best way to invoke this feature is with
echo "Please change my Tor password" | gpg --armor --sign | mail chpasswd@db.torproject.org
After validating the request the daemon will generate a new random password, set it in the directory and respond with an encrypted message containing the new password. The password can be changed using one of the other interface methods.

Changes

An address (changes@db.torproject.org) is provided for making almost arbitrary changes to the contents of the record. The daemon parses its input line by line and acts on each line in a command oriented manner. Anything, except for passwords, can be changed using this mechanism. Note however that because this is a mail gateway it does stringent checking on its input. The other tools allow fields to be set to virtually anything, the gateway requires specific field formats to be met. Note that the changes alias does not handle PGP/MIME emails. After processing the requests the daemon will generate a report which contains each input command and the action taken. If there are any parsing errors processing stops immediately, but valid changes up to that point are processed.

Notes

In this document PGP refers to any message or key that GnuPG is able to generate or parse, specifically it includes both PGP2.x and OpenPGP (aka GnuPG) keys.

Due to the replay cache the clock on the computer that generates the signatures has to be accurate to at least one day. If it is off by several months or more then the daemon will outright reject all messages.

Examples are given using GnuPG, but PGP 2.x can also be used. The correct options to generate a clear signed ascii armored message in 'filter' mode are pgp -fast which does the same as gpg --clearsign

Torproject.org machines rely on secured replication to transfer login data out of the database. Replication is performed at 15 min intervals so it can take a short while before any changes made take effect.

If the mail you're sending to the mail robot is too long for your MUA and gets split, or if you want something that is more robust while copy pasting into a web-mailer, you can try to create a non-clearsigned message and mail that to changes@db.torproject.org:

cat .ssh/id_rsa.pub | gpg --armor --sign

You can contact us at torproject-admin@torproject.org.

"Tor" and the "Onion Logo" are registered trademarks of The Tor Project, Inc.
Based on db.debian.org, copyright SPI, see license terms.
Webmaster