Class MCollective::Security::Ssl
In: plugins/mcollective/security/ssl.rb
Parent: Base

Impliments a public/private key based message validation system using SSL public and private keys.

The design goal of the plugin is two fold:

  • give different security credentials to clients and servers to avoid a compromised server from sending new client requests.
  • create a token that uniquely identify the client - based on the filename of the public key

To setup you need to create a SSL key pair that is shared by all nodes.

  openssl genrsa -out mcserver-private.pem 1024
  openssl rsa -in mcserver-private.pem -out mcserver-public.pem -outform PEM -pubout

Distribute the private and public file to /etc/mcollective/ssl on all the nodes. Distribute the public file to /etc/mcollective/ssl everywhere the client code runs.

Now you should create a key pair for every one of your clients, here we create one for user john - you could also if you are less concerned with client id create one pair and share it with all clients:

  openssl genrsa -out john-private.pem 1024
  openssl rsa -in john-private.pem -out john-public.pem -outform PEM -pubout

Each user has a unique userid, this is based on the name of the public key. In this example case the userid would be ‘john-public’.

Store these somewhere like:

    /home/john/.mc/john-private.pem
    /home/john/.mc/john-public.pem

Every users public key needs to be distributed to all the nodes, save the john one in a file called:

  /etc/mcollective/ssl/clients/john-public.pem

If you wish to use registration or auditing that sends connections over MC to a central host you will need also put the server-public.pem in the clients directory.

You should be aware if you do add the node public key to the clients dir you will in effect be weakening your overall security. You should consider doing this only if you also set up an Authorization method that limits the requests the nodes can make.

client.cfg:

  securityprovider = ssl
  plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
  plugin.ssl_client_private = /home/john/.mc/john-private.pem
  plugin.ssl_client_public = /home/john/.mc/john-public.pem

If you have many clients per machine and dont want to configure the main config file with the public/private keys you can set the following environment variables:

  export MCOLLECTIVE_SSL_PRIVATE=/home/john/.mc/john-private.pem
  export MCOLLECTIVE_SSL_PUBLIC=/home/john/.mc/john-public.pem

server.cfg:

  securityprovider = ssl
  plugin.ssl_server_private = /etc/mcollective/ssl/server-private.pem
  plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
  plugin.ssl_client_cert_dir = /etc/mcollective/etc/ssl/clients/

Serialization can be configured to use either Marshal or YAML, data types in and out of mcollective will be preserved from client to server and reverse

You can configure YAML serialization:

   plugins.ssl_serializer = yaml

else the default is Marshal. Use YAML if you wish to write a client using a language other than Ruby that doesn‘t support Marshal.

Validation is as default and is provided by MCollective::Security::Base

Initial code was contributed by Vladimir Vuksan and modified by R.I.Pienaar

Methods

Public Instance methods

sets the caller id to the md5 of the public key

[Source]

     # File plugins/mcollective/security/ssl.rb, line 141
141:             def callerid
142:                 if @initiated_by == :client
143:                     "cert=#{File.basename(client_public_key).gsub(/\.pem$/, '')}"
144:                 else
145:                     # servers need to set callerid as well, not usually needed but
146:                     # would be if you're doing registration or auditing or generating
147:                     # requests for some or other reason
148:                     "cert=#{File.basename(server_public_key).gsub(/\.pem$/, '')}"
149:                 end
150:             end

Decodes a message by unserializing all the bits etc, it also validates it as valid using the psk etc

[Source]

    # File plugins/mcollective/security/ssl.rb, line 87
87:             def decodemsg(msg)
88:                 body = deserialize(msg.payload)
89: 
90:                 if validrequest?(body)
91:                     body[:body] = deserialize(body[:body])
92:                     return body
93:                 else
94:                     nil
95:                 end
96:             end

Encodes a reply

[Source]

     # File plugins/mcollective/security/ssl.rb, line 99
 99:             def encodereply(sender, target, msg, requestid, requestcallerid=nil)
100:                 serialized  = serialize(msg)
101:                 digest = makehash(serialized)
102: 
103: 
104:                 req = create_reply(requestid, sender, target, serialized)
105:                 req[:hash] = digest
106: 
107:                 serialize(req)
108:             end

Encodes a request msg

[Source]

     # File plugins/mcollective/security/ssl.rb, line 111
111:             def encoderequest(sender, target, msg, requestid, filter={}, target_agent=nil, target_collective=nil)
112:                 serialized = serialize(msg)
113:                 digest = makehash(serialized)
114: 
115:                 req = create_request(requestid, target, filter, serialized, @initiated_by, target_agent, target_collective)
116:                 req[:hash] = digest
117: 
118:                 serialize(req)
119:             end

Checks the SSL signature in the request body

[Source]

     # File plugins/mcollective/security/ssl.rb, line 122
122:             def validrequest?(req)
123:                 message = req[:body]
124:                 signature = req[:hash]
125: 
126:                 Log.debug("Validating request from #{req[:callerid]}")
127: 
128:                 public_key = File.read(public_key_file(req[:callerid]))
129: 
130:                 if verify(public_key, signature, message.to_s)
131:                     @stats.validated
132:                     return true
133:                 else
134:                     @stats.unvalidated
135:                     raise(SecurityValidationFailed, "Received an invalid signature in message")
136:                 end
137:             end

[Validate]