| Class | MCollective::Security::Sshkey |
| In: |
plugins/mcollective/security/sshkey.rb
|
| Parent: | Base |
A security plugin for MCollective that uses ssh keys for message signing and verification
For clients (things initiating RPC calls):
Clients identify themselves with the RPC ‘callerid’ as your current user (via Etc::getlogin)
For nodes/agents:
In cases of configurable paths, like the location of your authorized_keys file, the ‘sshkeyauth’ library will try to parse it from the sshd_config file (defaults to /etc/ssh/sshd_config)
Since there is no challenge-reponse in MCollective RPC, we can‘t emulate ssh‘s "try each key until one is accepted" method. Instead, we will sign each method with all keys in your agent and the receiver will try to verify against any of them.
Serialization uses Marshal.
NOTE: This plugin should be considered experimental at this point as it has
a few gotchas and drawbacks.
* Nodes cannot easily send messages now, this means registration is
not supported
* Automated systems that wish to manage a collective with this plugin
will somehow need access to ssh agents, this can insecure and
problematic in general.
We‘re including this plugin as an early preview of what is being worked on in order to solicit feedback.
Configuration:
For clients:
securityprovider = sshkey
For nodes:
securityprovider = sshkey plugin.sshkey = /etc/ssh/ssh_host_rsa_key
# File plugins/mcollective/security/sshkey.rb, line 100
100: def callerid
101: return Etc.getlogin
102: end
Decodes a message by unserializing all the bits etc TODO(sissel): refactor this into Base?
# File plugins/mcollective/security/sshkey.rb, line 67
67: def decodemsg(msg)
68: body = Marshal.load(msg.payload)
69:
70: if validrequest?(body)
71: body[:body] = Marshal.load(body[:body])
72: return body
73: else
74: nil
75: end
76: end
Encodes a reply
# File plugins/mcollective/security/sshkey.rb, line 79
79: def encodereply(sender, target, msg, requestid, requestcallerid=nil)
80: serialized = Marshal.dump(msg)
81: digest = makehash(serialized)
82:
83: req = create_reply(requestid, sender, target, serialized)
84: req[:hash] = digest
85:
86: Marshal.dump(req)
87: end
Encodes a request msg
# File plugins/mcollective/security/sshkey.rb, line 90
90: def encoderequest(sender, target, msg, requestid, filter={}, target_agent=nil, target_collective=nil)
91: serialized = Marshal.dump(msg)
92: digest = makehash(serialized)
93:
94: req = create_request(requestid, target, filter, serialized, @initiated_by, target_agent, target_collective)
95: req[:hash] = digest
96:
97: Marshal.dump(req)
98: end
Checks the md5 hash in the request body against our psk, the request sent for validation should not have been deserialized already
# File plugins/mcollective/security/sshkey.rb, line 107
107: def validrequest?(req)
108: Log.info "Caller id: #{req[:callerid]}"
109: Log.info "Sender id: #{req[:senderid]}"
110: message = req[:body]
111:
112: #@log.info req.awesome_inspect
113: identity = (req[:callerid] or req[:senderid])
114: verifier = SSH::Key::Verifier.new(identity)
115:
116: Log.info "Using name '#{identity}'"
117:
118: # If no callerid, this is a 'response' message and we should
119: # attempt to authenticate using the senderid (hostname, usually)
120: # and that ssh key in known_hosts.
121: if !req[:callerid]
122: # Search known_hosts for the senderid hostname
123: verifier.add_key_from_host(identity)
124: verifier.use_agent = false
125: verifier.use_authorized_keys = false
126: end
127:
128: signatures = Marshal.load(req[:hash])
129: if verifier.verify?(signatures, req[:body])
130: @stats.validated
131: return true
132: else
133: @stats.unvalidated
134: raise(SecurityValidationFailed, "Received an invalid signature in message")
135: end
136: end