The LDAP directory has a PGP-secured mail gateway that allows users to safely and conveniently make changes to their entries. It relies on PGP-signed input messages to positively identify the user and to confirm that the request is genuine. It also keeps a replay cache, so a signed message that has already been processed is refused if it is submitted again.
The gateway implements three functions, ping, new password and changes, each reachable through its own email address. The function to act on is passed as the first argument to the program.
Errors are currently reported by generating a bounce message and passing descriptive error text to the mailer. The resulting message is somewhat hard to read, but it does contain all the relevant information.
Ping

The ping command simply returns the user's public record. It is useful for testing the gateway and for the requester to get a basic dump of their record. In future this address might 'freshen' the record to indicate that the user is alive. Any PGP-signed message will produce a reply.
New Password

If a user loses their password they can request that a new one be generated for them. This is done by sending the phrase "Please change my Tor password" to firstname.lastname@example.org. The phrase is required so that the daemon does not trigger on arbitrary signed email. The simplest way to invoke this feature is:

    echo "Please change my Tor password" | gpg --armor --sign | mail email@example.com

After validating the request the daemon generates a new random password, sets it in the directory and replies with a PGP-encrypted message containing the new password. The password can then be changed using one of the other interface methods.
Changes

An address (firstname.lastname@example.org) is provided for making almost arbitrary changes to the contents of the record.
- SSH keys: The most relevant change is most likely setting your SSH keys. To set a new key, simply place it on a line by itself. The full SSH key format specification is supported, see sshd(8). Probably the most common way to use this function will be to run

    cat .ssh/id_rsa.pub | gpg --armor --sign

  and mail the output to email@example.com. (Please avoid double signing the message.)
  Multiple keys per user are supported, but they must all be sent at once, one per line; a changes message replaces the whole key set. To retrieve the existing SSH keys in order to merge them with new ones, use the 'show' command documented below. A key can be restricted to a subset of machines by prepending allowed_hosts=$fqdn,$fqdn2 to that key. The allowed machines must be separated by a comma only, with no spaces. Example:

    allowed_hosts=ravel.debian.org,gluck.debian.org ssh-rsa AAAAB3Nz..mOX/JQ== user@machine
    ssh-rsa AAAAB3Nz..uD0khQ== user@machine
- show: If the single word show appears on a line by itself in a PGP-signed mail, a PGP-encrypted version of the entire record will be attached to the resulting email.
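The rules above for the body of a changes message (one key per line, an optional allowed_hosts= prefix with comma-separated hosts, and the bare word show) are simple enough to check before a message is signed and sent, and the same checks are what a gateway would apply before touching the directory. The following is an added example written for this page; it is not the gateway's own code. It assumes the line grammar [allowed_hosts=h1,h2 ]<type> <base64 blob> [comment], treats any other non-empty line as an error (other attribute changes the gateway may accept are out of scope here), and uses constructed dummy key blobs as sample input. The one check that goes beyond the text is that the base64 blob's first length-prefixed field must repeat the key type, which is how OpenSSH public keys are encoded (RFC 4253 section 6.6), so a type field pasted next to the wrong blob is caught.

```python
"""Validate the SSH-key lines of a 'changes' message before sending it.

Added example, not part of the gateway. Assumed grammar per line:
    [allowed_hosts=h1,h2 ]<type> <base64 blob> [comment]
or the single word 'show'. Anything else non-empty is reported as an error.
"""
import base64
import binascii
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_key_blob(key_type: str, payload: bytes) -> str:
    """Base64 wire blob of a public key: first field is always the key type.
    Used here only to construct sample input with dummy payloads."""
    return base64.b64encode(ssh_string(key_type.encode()) + payload).decode()


def parse_key_line(line: str) -> dict:
    """Parse one key line; raise ValueError with a bounce-style reason."""
    fields = line.split()
    hosts = None
    if fields and fields[0].startswith("allowed_hosts="):
        raw = fields.pop(0)[len("allowed_hosts="):]
        hosts = raw.split(",")
        # The doc requires a pure comma-separated list: no empty entries.
        if not raw or any(h == "" for h in hosts):
            raise ValueError("allowed_hosts must be a comma-separated list of FQDNs")
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    # Two keys fused onto one line would otherwise hide in the comment.
    if any(f in KEY_TYPES for f in fields[2:]):
        raise ValueError("only one key per line")
    comment = " ".join(fields[2:])
    if key_type not in KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key blob is not valid base64")
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob's first length-prefixed string must repeat the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match the blob's embedded type")
    return {"type": key_type, "blob": b64, "comment": comment,
            "allowed_hosts": hosts}


def parse_changes_body(body: str) -> dict:
    """Walk the message body: collect keys, notice 'show', report bad lines."""
    keys, errors, show = [], [], False
    for lineno, line in enumerate(body.splitlines(), 1):
        text = line.strip()
        if not text:
            continue
        if text == "show":
            show = True
            continue
        try:
            keys.append(parse_key_line(text))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return {"keys": keys, "show": show, "errors": errors}


# Constructed sample message; the key payloads are zero-filled dummies.
ED25519_BLOB = make_key_blob("ssh-ed25519", ssh_string(b"\x00" * 32))
RSA_BLOB = make_key_blob("ssh-rsa",
                         ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" * 256))
SAMPLE_BODY = f"""
allowed_hosts=ravel.debian.org,gluck.debian.org ssh-rsa {RSA_BLOB} user@machine
ssh-ed25519 {ED25519_BLOB} user@laptop
allowed_hosts=,gluck.debian.org ssh-rsa {RSA_BLOB} bad-hosts
ssh-ed25519 {RSA_BLOB} mismatched
show
"""

if __name__ == "__main__":
    result = parse_changes_body(SAMPLE_BODY)
    for key in result["keys"]:
        print("OK ", key["type"], key["allowed_hosts"], key["comment"])
    for err in result["errors"]:
        print("ERR", err)
    print("show requested:", result["show"])
```

Run it as a filter over the plain-text body before piping that body through gpg --armor --sign; a non-empty error list means the message would bounce, and fixing it locally is faster than reading the bounce.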