From 1b6df37b94b96042ac460a933b00c6ef29694053 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Tue, 24 Jun 2008 13:53:22 -0400 Subject: [PATCH] Priviledge separation: use new monkeysphere user to handle authentication keychain for server. This required a bunch of changes to all ms-server functions. Seems to be working ok, although it feels kind of hackish. --- debian/changelog | 6 +- debian/control | 2 +- debian/monkeysphere.postinst | 17 +++ debian/monkeysphere.postrm | 21 +++ man/man8/monkeysphere-server.8 | 4 +- src/common | 86 +---------- src/monkeysphere | 2 - src/monkeysphere-server | 256 ++++++++++++++++++++++++++------- 8 files changed, 258 insertions(+), 136 deletions(-) create mode 100755 debian/monkeysphere.postinst create mode 100755 debian/monkeysphere.postrm diff --git a/debian/changelog b/debian/changelog index 82f274a..c6b5de4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,7 +3,11 @@ monkeysphere (0.4-1) UNRELEASED; urgency=low [Daniel Kahn Gillmor] * New version (switch UNRELEASED to experimental when ready) - -- Daniel Kahn Gillmor Tue, 24 Jun 2008 01:25:45 -0400 + [ Jameson Graef Rollins ] + * Privilege separation: use monkeysphere user to handle maintenance of + the gnupg authentication keychain for server. + + -- Jameson Graef Rollins Tue, 24 Jun 2008 13:52:28 -0400 monkeysphere (0.3-1) experimental; urgency=low diff --git a/debian/control b/debian/control index 4f0e5f5..f5760d9 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Dm-Upload-Allowed: yes Package: monkeysphere Architecture: any -Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), moreutils, lockfile-progs, ${shlibs:Depends} +Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), moreutils, lockfile-progs, adduser, ${shlibs:Depends} Recommends: netcat Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections diff --git a/debian/monkeysphere.postinst b/debian/monkeysphere.postinst new file mode 100755 index 0000000..50eaefa --- /dev/null +++ b/debian/monkeysphere.postinst @@ -0,0 +1,17 @@ +#!/bin/sh -e + +# postinst script for monkeysphere + +# Author: Jameson Rollins +# (c) 2008 + +if ! getent passwd monkeysphere >/dev/null ; then + echo "adding monkeysphere user..." + adduser --quiet --system --no-create-home --home '/var/lib/monkeysphere' \ + --shell '/bin/sh' --gecos 'monkeysphere authentication user,,,' monkeysphere +fi + +# install host gnupg home directories +install --mode 700 -d /var/lib/monkeysphere/gnupg-host +# install authentication gnupg home directories +install --mode 700 --owner monkeysphere -d /var/lib/monkeysphere/gnupg-authentication diff --git a/debian/monkeysphere.postrm b/debian/monkeysphere.postrm new file mode 100755 index 0000000..a103fc8 --- /dev/null +++ b/debian/monkeysphere.postrm @@ -0,0 +1,21 @@ +#!/bin/sh -e + +# postrm script for monkeysphere + +# Author: Jameson Rollins +# (c) 2008 + +case $1 in + purge) + rmdir --ignore-fail-on-non-empty /var/lib/monkeysphere || true + echo "removing monkeysphere user..." + userdel monkeysphere > /dev/null || true + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 9bb7b2d..dbcc083 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -26,8 +26,8 @@ Update the admin-controlled authorized_keys files for user. For each user specified, user ID's listed in the user's authorized_user_ids file are processed, and the user's authorized_keys file in /var/cache/monkeysphere/authorized_keys/USER. See `man monkeysphere' -for more info. If the USER_CONTROLLED_AUTHORIZED_KEYS variable is -set, then a user-controlled authorized_keys file (usually +for more info. If the RAW_AUTHORIZED_KEYS variable is set, then a +user-controlled authorized_keys file (usually ~USER/.ssh/authorized_keys) is added to the authorized_keys file. `u' may be used in place of `update-users. .TP diff --git a/src/common b/src/common index ead3736..42de18d 100644 --- a/src/common +++ b/src/common @@ -466,6 +466,8 @@ update_known_hosts() { process_known_hosts() { local returnCode + log "processing known_hosts file..." + # default return code is 0, which assumes a key was found for # every host. code will be set to 1 if a key is not found for at # least one host @@ -551,6 +553,8 @@ process_authorized_user_ids() { local userid local returnCode + log "processing authorized_user_ids file..." + # default return code is 0, and is set to 1 if a key for a user ID # is not found returnCode=0 @@ -609,85 +613,3 @@ process_authorized_keys() { return "$returnCode" } - -################################################## -### GPG HELPER FUNCTIONS - -# retrieve key from web of trust, and set owner trust to "full" -# if key is found. -trust_key() { - local keyID - local trustLevel - - keyID="$1" - trustLevel="$2" - - if [ -z "$keyID" ] ; then - failure "You must specify key to trust." - fi - - # get the key from the key server - if ! gpg --keyserver "$KEYSERVER" --recv-key "$keyID" ; then - failure "Could not retrieve key '$keyID'." - fi - - # get key fingerprint - fingerprint=$(get_key_fingerprint "$keyID") - - echo "key found:" - gpg --fingerprint "$fingerprint" - - while [ -z "$trustLevel" ] ; do - cat < /dev/null 2>&1 ; then failure "Key for '$userID' already exists" fi @@ -113,19 +118,32 @@ EOF EOF ) - log "generating server key... " + log "generating server key..." + GNUPGHOME="$GNUPGHOME_HOST" echo "$keyParameters" | gpg --batch --gen-key # output the server fingerprint fingerprint_server_key "=${userID}" # find the key fingerprint of the server primary key - keyID=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \ + GNUPGHOME="$GNUPGHOME_HOST" + fingerprint=$(gpg --list-key --with-colons --with-fingerprint "=${userID}" | \ grep '^fpr:' | head -1 | cut -d: -f10) + # export the host key to the authentication keyring + GNUPGHOME="$GNUPGHOME_HOST" gpg --export "$fingerprint" | \ + su --preserve-environment "$MONKEYSPHERE_USER" -c -- \ + "GNUPGHOME=$GNUPGHOME_AUTHENTICATION gpg --import" + + # set host key owner trust to ultimate in authentication keyring + echo "${fingerprint}:6:" | \ + su --preserve-environment "$MONKEYSPHERE_USER" -c -- \ + "GNUPGHOME=$GNUPGHOME_AUTHENTICATION gpg --import-ownertrust" + # write the key to the file # NOTE: assumes that the primary key is the proper key to use - (umask 077 && gpgsecret2ssh "$keyID" > "${VARLIB}/ssh_host_rsa_key") + GNUPGHOME="$GNUPGHOME_HOST" + (umask 077 && gpgsecret2ssh "$fingerprint" > "${VARLIB}/ssh_host_rsa_key") log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" } @@ -133,7 +151,7 @@ EOF fingerprint_server_key() { local ID - if [ -z "$1" ] ; then + if [ "$1" ] ; then ID="$1" else ID="=ssh://$(hostname --fqdn)" @@ -142,6 +160,113 @@ fingerprint_server_key() { gpg --fingerprint --list-secret-keys "$ID" } +# publish server key to keyserver +publish_server_key() { + read -p "really publish key to $KEYSERVER? [y|N]: " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "aborting." + fi + + # publish host key + # FIXME: need to figure out better way to identify host key + # dummy command so as not to publish fakes keys during testing + # eventually: + #gpg --keyserver "$KEYSERVER" --send-keys $(hostname -f) + failure "NOT PUBLISHED (to avoid permanent publication errors during monkeysphere development). +To publish manually, do: gpg --keyserver $KEYSERVER --send-keys $(hostname -f)" +} + + +# retrieve key from web of trust, and set owner trust to "full" +# if key is found. +trust_key() { + local keyID + local trustLevel + + keyID="$1" + trustLevel="$2" + + if [ -z "$keyID" ] ; then + failure "You must specify key to trust." + fi + + export keyID + + # get the key from the key server + GNUPGHOME="$GNUPGHOME_AUTHENTICATION" + su --preserve-environment "$MONKEYSPHERE_USER" -c -- \ + "gpg --keyserver $KEYSERVER --recv-key $keyID" + if [ "$?" != 0 ] ; then + failure "Could not retrieve key '$keyID'." + fi + + # move the key from the authentication keyring to the host keyring + GNUPGHOME="$GNUPGHOME_AUTHENTICATION" + su --preserve-environment "$MONKEYSPHERE_USER" -c -- \ + "gpg --export $keyID" | \ + GNUPGHOME="$GNUPGHOME_HOST" gpg --import + + # get key fingerprint + GNUPGHOME="$GNUPGHOME_HOST" + fingerprint=$(get_key_fingerprint "$keyID") + + echo "key found:" + GNUPGHOME="$GNUPGHOME_HOST" + gpg --fingerprint "$fingerprint" + + while [ -z "$trustLevel" ] ; do + cat < "$TMP_AUTHORIZED_USER_IDS" + + # export needed variables + export AUTHORIZED_KEYS + export TMP_AUTHORIZED_USER_IDS + + # process authorized_user_ids file, as monkeysphere + # user + su --preserve-environment "$MONKEYSPHERE_USER" -c -- \ + ". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" fi # add user-controlled authorized_keys file path if specified - if [ "$RAW_AUTHORIZED_KEYS" != '-' ] ; then - if [ -s "$rawAuthorizedKeys" ] ; then - log -n "adding raw authorized_keys file... " - cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" - loge "done." - fi + if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then + log -n "adding raw authorized_keys file... " + cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" + loge "done." fi + # openssh appears to check the contents of the + # authorized_keys file as the user in question, so the + # file must be readable by that user at least. + # FIXME: is there a better way to do this? + chown root "$AUTHORIZED_KEYS" + chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" + chmod g+r "$AUTHORIZED_KEYS" + # if the resulting authorized_keys file is not empty, move - # the temp authorized_keys file into place - if [ -s "$AUTHORIZED_KEYS" ] ; then - # openssh appears to check the contents of the - # authorized_keys file as the user in question, so the - # file must be readable by that user at least. - # FIXME: is there a better way to do this? - chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" - chmod g+r "$AUTHORIZED_KEYS" - - mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}" - - log "authorized_keys file updated." - - # else destroy it - else - rm -f "$AUTHORIZED_KEYS" - fi + # it into place + mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}" + + log "authorized_keys file updated." + + # destroy temporary directory + rm -rf "$TMPDIR" done ;; 'gen-key'|'g') - gen_key "$1" + # set gnupg home + GNUPGHOME="$GNUPGHOME_HOST" + gen_key "$@" ;; 'show-fingerprint'|'f') + # set gnupg home + GNUPGHOME="$GNUPGHOME_HOST" fingerprint_server_key "$@" ;; 'publish-key'|'p') + # set gnupg home + GNUPGHOME="$GNUPGHOME_HOST" publish_server_key ;; - 'trust-key'|'trust-key'|'t') + 'trust-key'|'t') trust_key "$@" ;; -- 2.25.1