Class | MCollective::Security::Sshkey |
In: |
plugins/mcollective/security/sshkey.rb
|
Parent: | Base |
A security plugin for MCollective that uses ssh keys for message signing and verification
For clients (things initiating RPC calls):
Clients identify themselves with the RPC ‘callerid’ as your current user (via Etc::getlogin)
For nodes/agents:
In cases of configurable paths, like the location of your authorized_keys file, the ‘sshkeyauth’ library will try to parse it from the sshd_config file (defaults to /etc/ssh/sshd_config)
Since there is no challenge-reponse in MCollective RPC, we can‘t emulate ssh‘s "try each key until one is accepted" method. Instead, we will sign each method with all keys in your agent and the receiver will try to verify against any of them.
Serialization uses Marshal.
NOTE: This plugin should be considered experimental at this point as it has
a few gotchas and drawbacks. * Nodes cannot easily send messages now, this means registration is not supported * Automated systems that wish to manage a collective with this plugin will somehow need access to ssh agents, this can insecure and problematic in general.
We‘re including this plugin as an early preview of what is being worked on in order to solicit feedback.
Configuration:
For clients:
securityprovider = sshkey
For nodes:
securityprovider = sshkey plugin.sshkey = /etc/ssh/ssh_host_rsa_key
# File plugins/mcollective/security/sshkey.rb, line 100 100: def callerid 101: return Etc.getlogin 102: end
Decodes a message by unserializing all the bits etc TODO(sissel): refactor this into Base?
# File plugins/mcollective/security/sshkey.rb, line 67 67: def decodemsg(msg) 68: body = Marshal.load(msg.payload) 69: 70: if validrequest?(body) 71: body[:body] = Marshal.load(body[:body]) 72: return body 73: else 74: nil 75: end 76: end
Encodes a reply
# File plugins/mcollective/security/sshkey.rb, line 79 79: def encodereply(sender, target, msg, requestid, requestcallerid=nil) 80: serialized = Marshal.dump(msg) 81: digest = makehash(serialized) 82: 83: req = create_reply(requestid, sender, target, serialized) 84: req[:hash] = digest 85: 86: Marshal.dump(req) 87: end
Encodes a request msg
# File plugins/mcollective/security/sshkey.rb, line 90 90: def encoderequest(sender, target, msg, requestid, filter={}, target_agent=nil, target_collective=nil) 91: serialized = Marshal.dump(msg) 92: digest = makehash(serialized) 93: 94: req = create_request(requestid, target, filter, serialized, @initiated_by, target_agent, target_collective) 95: req[:hash] = digest 96: 97: Marshal.dump(req) 98: end
Checks the md5 hash in the request body against our psk, the request sent for validation should not have been deserialized already
# File plugins/mcollective/security/sshkey.rb, line 107 107: def validrequest?(req) 108: Log.info "Caller id: #{req[:callerid]}" 109: Log.info "Sender id: #{req[:senderid]}" 110: message = req[:body] 111: 112: #@log.info req.awesome_inspect 113: identity = (req[:callerid] or req[:senderid]) 114: verifier = SSH::Key::Verifier.new(identity) 115: 116: Log.info "Using name '#{identity}'" 117: 118: # If no callerid, this is a 'response' message and we should 119: # attempt to authenticate using the senderid (hostname, usually) 120: # and that ssh key in known_hosts. 121: if !req[:callerid] 122: # Search known_hosts for the senderid hostname 123: verifier.add_key_from_host(identity) 124: verifier.use_agent = false 125: verifier.use_authorized_keys = false 126: end 127: 128: signatures = Marshal.load(req[:hash]) 129: if verifier.verify?(signatures, req[:body]) 130: @stats.validated 131: return true 132: else 133: @stats.unvalidated 134: raise(SecurityValidationFailed, "Received an invalid signature in message") 135: end 136: end