Fri, Feb 26, 2016 at 03:59:57PM CET, olichtne(a)redhat.com wrote:
From: Ondrej Lichtner <olichtne(a)redhat.com>
First of all, this isn't a patchset to be pulled into the repository yet, just a
request for comments to see if anything can be improved, while I work on
finishing some minor problem areas:
* this breaks the lnst-pool-wizard because it doesn't use SecureSockets yet
* this breaks the lnst-ctl deconfigure command for the same reason
The following patch set implements secure communication between the Controller
and the Slave. It implements 4 different authentication mechanisms:
none - no authentication, just DH secret negotiation and encryption
password - password authenticated secret negotiation using SRP-6a protocol and
encryption
pubkey - DH secret negotiation, authentication by using a private-public key
pair
ssh - the same as pubkey, but uses ssh keys already present on the system
By default, both the Controller and Slave assume the "none" mechanism so
everything should work just as before without any additional work needed. To try
the other mechanisms you'll need to configure both the Controller and the Slave
as follows:
password:
on Slave edit the lnst-slave.conf like this:
[security]
auth_types = password
auth_password = your_chosen_password
on Controller edit the SlaveMachineXML file of the slave and add this:
<security>
<auth_type>password</auth_type>
<auth_password>your_chosen_password</auth_password>
</security>
under the main <slavemachine> element
pubkey:
generate a private-public key pair on both the Slave and the Controller and
exchange the public keys between the machines.
on Slave edit the lnst-slave.conf file like this:
[security]
auth_types = pubkey
privkey = path/to/slave_private_key
ctl_pubkeys = path/to/pubkeys_dir/
on Controller edit the SlaveMachineXML and add this:
<security>
<auth_type>pubkey</auth_type>
<pubkey_path>path/to/slave_pubkey</pubkey_path>
</security>
under the main <slavemachine> element
and edit the lnst-ctl.conf like this:
[security]
identity = ctl_name
privkey = path/to/ctl_privatekey
On the Slave the Controller's public key needs to be placed into the
ctl_pubkeys directory and the filename must match the value of the identity
option in lnst-ctl.conf
ssh:
have ssh set up beforehand between the Controller and Slave machines - the slave
needs its sshd private keys to be located in /etc/ssh (ssh_host.*key files)
and the controller's public key must be in the ~/.ssh/authorized_keys file
On the Controller you need to have the ~/.ssh/id_rsa file contain a
private RSA key (the public part is in the slave's authorized_keys file) and
you also need to have at least one of the Slave's public keys located in the
~/.ssh/known_hosts file
you can easily achieve this by just starting the sshd daemon on the Slave
machine and, on the Controller, generating the key with
ssh-keygen -t rsa -C "your_email(a)example.com"
and running ssh-copy-id username@slavehostname
then configure the LNST Slave - lnst-slave.conf:
[security]
auth_types = ssh
and on the Controller edit the Slave Machine XML file like this:
<security>
<auth_type>pubkey</auth_type>
<pubkey_path>path/to/slave_pubkey</pubkey_path>
</security>
This is awesome. I like this a lot! Looking forward to merging this so
running lnst-slave is no longer a huge security issue :)
>
>Ondrej Lichtner (7):
> Config: add get_section_values method
> Config: add security section and options to config
> Add SecureSocket classes
> SlaveMachineXML: add security information
> Machine: add security parameters of the slave machine
> Use SecureSockets for Ctl<->Slave communication
> Machine: rename method configure to init_connection
>
> lnst/Common/Config.py | 44 ++++
> lnst/Common/ConnectionHandler.py | 39 +---
> lnst/Common/SecureSocket.py | 377 ++++++++++++++++++++++++++++++++++
> lnst/Controller/CtlSecSocket.py | 318 ++++++++++++++++++++++++++++
> lnst/Controller/Machine.py | 17 +-
> lnst/Controller/NetTestController.py | 2 +-
> lnst/Controller/SlaveMachineParser.py | 31 +++
> lnst/Controller/SlavePool.py | 9 +-
> lnst/Slave/NetTestSlave.py | 13 +-
> lnst/Slave/SlaveSecSocket.py | 323 +++++++++++++++++++++++++++++
> schema-sm.rng | 29 +++
> 11 files changed, 1163 insertions(+), 39 deletions(-)
> create mode 100644 lnst/Common/SecureSocket.py
> create mode 100644 lnst/Controller/CtlSecSocket.py
> create mode 100644 lnst/Slave/SlaveSecSocket.py
>
>--
>2.7.1
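The "password" mechanism above is described as SRP-6a: a password-authenticated secret negotiation in which the password itself never crosses the wire and the server side stores only a salt and a verifier. The following is an added example written for this page, not code from the LNST patch set, showing one full SRP-6a exchange with both sides' messages (A, then salt and B, then the proofs M1 and M2) in a pure-stdlib simulation. Assumptions: the RFC 5054 1024-bit group with g = 2 and SHA-256 as the hash (the cover letter does not state which group or hash LNST uses); the username "slave1" and the passwords are constructed test values; the example does not assume which of Controller or Slave plays the SRP "client" or "server" role in LNST.

```python
"""SRP-6a password-authenticated key exchange, simulated end to end.

Added example for illustration; not the LNST implementation. Group, hash and
message formats are assumptions stated in the lead-in.
"""
import hashlib
import hmac
import os

# RFC 5054 Appendix A, 1024-bit group (assumed here; g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496"
    "EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8E"
    "F4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA"
    "9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def h_int(*parts: bytes) -> int:
    return int.from_bytes(h(*parts), "big")


def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N, as RFC 5054 requires."""
    return x.to_bytes(NLEN, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


k = h_int(pad(N), pad(g))  # SRP-6a multiplier


def private_x(username: str, password: str, salt: bytes) -> int:
    return h_int(salt, h(f"{username}:{password}".encode()))


def make_verifier(username: str, password: str):
    """Enrolment: the password-holding side derives (salt, v); only these are stored."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(username, password, salt), N)


def proof_m1(I: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    # RFC 2945 client proof: H(H(N) xor H(g), H(I), s, A, B, K)
    return h(xor(h(pad(N)), h(pad(g))), h(I.encode()), salt, pad(A), pad(B), K)


class Client:
    def __init__(self, username: str, password: str):
        self.I, self.P = username, password
        self.a = int.from_bytes(os.urandom(32), "big")
        self.A = pow(g, self.a, N)

    def challenge_response(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent B == 0 mod N")  # degenerate value, abort
        u = h_int(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u == 0")
        x = private_x(self.I, self.P, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = h(pad(S))
        self.M1 = proof_m1(self.I, salt, self.A, B, self.K)
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        return hmac.compare_digest(M2, h(pad(self.A), self.M1, self.K))


class Server:
    def __init__(self, users: dict):
        self.users = users  # username -> (salt, verifier); no passwords stored

    def challenge(self, I: str, A: int):
        if A % N == 0:
            raise ValueError("client sent A == 0 mod N")  # degenerate value, abort
        salt, v = self.users[I]
        self.b = int.from_bytes(os.urandom(32), "big")
        B = (k * v + pow(g, self.b, N)) % N
        u = h_int(pad(A), pad(B))
        if u == 0:
            raise ValueError("u == 0")
        S = pow(A * pow(v, u, N), self.b, N)
        self.K = h(pad(S))
        self.expected_M1 = proof_m1(I, salt, A, B, self.K)
        self.A = A
        return salt, B

    def verify_client(self, M1: bytes):
        """Return M2 on success, None if the client's proof (hence password) is wrong."""
        if not hmac.compare_digest(M1, self.expected_M1):
            return None
        return h(pad(self.A), M1, self.K)


def run_exchange(username: str, users: dict, client_password: str):
    """Drive one handshake; returns (authenticated, client_key, server_key)."""
    c, s = Client(username, client_password), Server(users)
    salt, B = s.challenge(username, c.A)          # msg 1: I, A  -> msg 2: s, B
    M2 = s.verify_client(c.challenge_response(salt, B))  # msg 3: M1 -> msg 4: M2
    if M2 is None or not c.verify_server(M2):
        return False, None, None
    return True, c.K, s.K


if __name__ == "__main__":
    salt, v = make_verifier("slave1", "correct horse")  # constructed test values
    ok, kc, ks = run_exchange("slave1", {"slave1": (salt, v)}, "correct horse")
    print("correct password:", ok, kc == ks)
    ok, kc, ks = run_exchange("slave1", {"slave1": (salt, v)}, "wrong password")
    print("wrong password:", ok)
```

Two points a reviewer would check in any SRP implementation are visible here: both sides abort on a zero A, B or u before deriving anything, and the shared key K is never released until the other side's proof has been compared with a constant-time comparison, so a wrong password on either end yields no key and no oracle beyond "failed".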