authorAlex Landau <alex.landau@xorcom.com>2009-02-01 18:09:40 +0000
committerAlex Landau <alex.landau@xorcom.com>2009-02-01 18:09:40 +0000
commit8e13d7e1fddc0e7faaae5ac640a5e05b114eea33 (patch)
tree83a3dc0bacf985de73f732db9d06530e2b57f40a
parent743a1a366401973b9d5d823b2addeb61d2e698ab (diff)
rapid-tunneling:
- Added GUI password protection. - Backed out GPG. git-svn-id: svn+ssh://xorcom/home/svn/debs/components/rapid-tunneling@6682 283159da-0705-0410-b60c-f2062b4bb6ad
-rw-r--r--Makefile5
-rw-r--r--README9
-rw-r--r--debian/changelog2
-rw-r--r--debian/rapid-tunneling-gui.install2
-rw-r--r--debian/rapid-tunneling-server.postinst8
-rw-r--r--gui.htpasswd1
-rw-r--r--gui/index.php9
-rwxr-xr-xrapid-tunneling12
-rw-r--r--rapid-tunneling.conf7
-rw-r--r--rapid-tunneling.spec17
-rwxr-xr-xrtadm29
-rw-r--r--rtadm.config4
-rw-r--r--sshd_support_config2
13 files changed, 36 insertions, 71 deletions
diff --git a/Makefile b/Makefile
index 892e796..5fa0dc1 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ PACKAGE = rapid-tunneling
SPEC = rapid-tunneling.spec
SCRIPTS = rapid-tunneling rapid-tunneling-status rtadm rt-from-remote
-CONFIGS = rtadm.config sshd_support_config support_env
+CONFIGS = rtadm.config sshd_support_config support_env rapid-tunneling.conf gui.htpasswd
INIT_D = sshd_support
GUI = gui
SOURCES = Makefile $(SPEC) $(SCRIPTS) $(CONFIGS) $(INIT_D) $(GUI) .placeholder
@@ -54,12 +54,15 @@ install:
install -m 755 rt-from-remote $(DESTDIR)$(BINDIR)
install -m 755 -d $(DESTDIR)/etc/rapid-tunneling
install -m 644 rtadm.config $(DESTDIR)/etc/rapid-tunneling/rtadm
+ install -m 644 gui.htpasswd $(DESTDIR)/etc/rapid-tunneling/
install -m 755 -d $(DESTDIR)/etc/ssh
install -m 644 sshd_support_config $(DESTDIR)/etc/ssh/
install -m 755 -d $(DESTDIR)/var/lib/rapid-tunneling
install -m 644 .placeholder $(DESTDIR)/var/lib/rapid-tunneling/
install -m 755 -d $(DESTDIR)$(WWWHOME)
install -m 644 gui/* $(DESTDIR)$(WWWHOME)/
+ install -m 755 -d $(DESTDIR)/etc/httpd/conf.d
+ install -m 644 rapid-tunneling.conf $(DESTDIR)/etc/httpd/conf.d/
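Review bot: `install -m 644 gui.htpasswd $(DESTDIR)/etc/rapid-tunneling/` makes the password hash world-readable, so any local account on the server can copy it for offline cracking. Only the web server needs to read that file; install it `install -m 640 gui.htpasswd $(DESTDIR)/etc/rapid-tunneling/` and give it the httpd group in the packaging step (the group name differs per distribution, so it does not belong here). The Apache config is also installed only into the Red Hat `/etc/httpd/conf.d` path, which a Debian apache2 will not read; see the note on the .install file.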
.PHONY: clean dummy
dummy:
diff --git a/README b/README
index 85387d8..d41b6ba 100644
--- a/README
+++ b/README
@@ -35,9 +35,6 @@ to remote users.
* Provide a special way for the support user to login. It cannot login
through ssh. One possible way is from another user account through
sudo -i .
-* Create a gpg key and make it the secret key of the support user.
- (See also below on 'rtadm keygen'). The public key should be imported
- into every client machine.
Client
@@ -107,8 +104,6 @@ TODO: document it. For starters, its help message:
# disconnect connection
delete <connection-name>
# disconnect, disable and delete any trace of the connection
- genkey
- # Generate an OpenPGP key for signing tarballs (interactive)
"Enabled" connection is a connection that can start a new tunnel.
Disabling it does not Disconnect an existing connection. It essentially
@@ -178,10 +173,6 @@ no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="127.0.0.1:65534",comman
A key can also be used to flood the server's disk, which means that the
support user's quota should be limited.
-The client only allows requests that are signed by someone hopefully
-trusted by the client, as implied from the gpg ring of the
-rapid-tunneling account on the client.
-
THe client then sends the connection information over the already
established connection.
diff --git a/debian/changelog b/debian/changelog
index 1eaa77c..935d518 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,5 +2,5 @@ rapid-tunneling (1.01) unstable; urgency=low
* Initial release
- -- Alex Landau <alex.landau@xorcom.com> Sun, 14 Dec 2008 17:20:04 +0200
+ -- Alex Landau <alex.landau@xorcom.com> Sun, 01 Feb 2009 17:20:04 +0200
diff --git a/debian/rapid-tunneling-gui.install b/debian/rapid-tunneling-gui.install
index b1e7840..3e3d1f8 100644
--- a/debian/rapid-tunneling-gui.install
+++ b/debian/rapid-tunneling-gui.install
@@ -1 +1,3 @@
usr/share/rapid-tunneling/www
+etc/httpd/conf.d/rapid-tunneling.conf
+etc/rapid-tunneling/gui.htpasswd
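Review bot: `etc/httpd/conf.d/rapid-tunneling.conf` is the Red Hat httpd layout; Debian's apache2 package reads `/etc/apache2/` (conf.d on 2.2) and, as far as I can tell, never looks in `/etc/httpd`, so on a Debian install this `<Directory>` block would never be loaded and the GUI would stay unauthenticated while the changelog says password protection was added. Ship the file under `etc/apache2/conf.d/rapid-tunneling.conf` for the Debian package (or symlink it from postinst), and the same 0640/web-server-group ownership concern from the Makefile applies to `gui.htpasswd` here.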
diff --git a/debian/rapid-tunneling-server.postinst b/debian/rapid-tunneling-server.postinst
index 1a1c3fb..b1a73fa 100644
--- a/debian/rapid-tunneling-server.postinst
+++ b/debian/rapid-tunneling-server.postinst
@@ -26,10 +26,10 @@ case "$1" in
adduser --disabled-password --home $HOME_DIR \
--gecos "Rapid Tunneling support" $NEW_USER 2>/dev/null || :
fi
- LINE='. /usr/share/rapid-tunneling/support_env'
- PROFILE=$HOME_DIR/.profile
- if ! fgrep -q "$LINE" $PROFILE 2>/dev/null; then
- echo "$LINE" >> $PROFILE;
+ LINE='. /usr/share/rapid-tunneling/support_env'
+ PROFILE=$HOME_DIR/.profile
+ if ! fgrep -q "$LINE" $PROFILE 2>/dev/null; then
+ echo "$LINE" >> $PROFILE
fi
;;
diff --git a/gui.htpasswd b/gui.htpasswd
new file mode 100644
index 0000000..9321e12
--- /dev/null
+++ b/gui.htpasswd
@@ -0,0 +1 @@
+support:$apr1$.rQg4/..$oh2PxjD7BPc4hUleb16u8.
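Review bot: This checks a fixed credential for the `support` account into version control and ships it to every installation, so every deployment shares one password whose `$apr1$` (MD5-crypt) hash is public; the spec's `%config(noreplace)` then keeps that default in place across upgrades. Prefer shipping the file empty (Basic auth then denies everyone until the admin adds a user) and documenting `htpasswd /etc/rapid-tunneling/gui.htpasswd support` in the README, or generate a per-host password in the post-install script. If a default must ship, the README should at least state that it must be changed before the GUI is exposed.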
diff --git a/gui/index.php b/gui/index.php
index 891680c..423db56 100644
--- a/gui/index.php
+++ b/gui/index.php
@@ -32,9 +32,9 @@
}
</style>
<?php
+$error = "";
if (isset($_REQUEST["submit"]))
{
- $error = "";
// Not a true while due to the break at the end. A handy way to use goto...
while (true) {
if (!is_uploaded_file($_FILES["filename"]["tmp_name"])) {
@@ -44,13 +44,8 @@ if (isset($_REQUEST["submit"]))
# FIXME: insecure temporary file /tmp/ra.log
system("sudo -H -u rapid-tunneling rapid-tunneling ".
$_FILES["filename"]["tmp_name"]." >/tmp/ra.log 2>&1", $ret);
- if ($ret != 0) {
+ if ($ret != 0)
$error = "Invalid or corrupt file. Please try again.";
- if ( $ret == 7) {
- $error = "Invalid GPG signature. Please try again.";
- }
- break;
- }
break;
}
}
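Review bot: With signature verification backed out, Basic auth is now the only gate before the uploaded file is handed to `sudo -H -u rapid-tunneling rapid-tunneling`, and the FIXME'd fixed log path `/tmp/ra.log` is still there: any local user can pre-create or symlink it and have the web server overwrite a file of their choosing. Replace it with a per-request file, `$log = tempnam(sys_get_temp_dir(), "ra");` and redirect to `escapeshellarg($log)`, and while here wrap the argument as `escapeshellarg($_FILES["filename"]["tmp_name"])` — tmp_name is server-generated so this is hygiene rather than a known injection, but it costs nothing. The enclosing `while (true)` block starts before this hunk.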
diff --git a/rapid-tunneling b/rapid-tunneling
index 3c1f843..acc9552 100755
--- a/rapid-tunneling
+++ b/rapid-tunneling
@@ -7,24 +7,12 @@ if [ -z "$1" ]; then
exit 1
fi
-REQUIRE_PGP=yes
-
if [ -r /etc/rapid-tunneling/client ]; then . /etc/rapid-tunneling/client; fi
tmpdir=`mktemp -d`
mkdir $tmpdir/recv $tmpdir/send
tar xzf "$1" -C $tmpdir/recv
-# The signed data is everything except the signature itself:
-(cd $tmpdir/recv; grep -- . * | grep -v ^sig.asc:) >$tmpdir/recv_data
-if [ "$REQUIRE_PGP" = 'yes' ] &&
- ! gpg --quiet --verify $tmpdir/recv/sig.asc $tmpdir/recv_data
-then
- echo >&2 "$0: gpg signature verification failed."
- echo >&2 "$0: Maybe someone's playing dirty tricks? Aborting."
- exit 7
-fi
-
user=`cat $tmpdir/recv/user`
host=`cat $tmpdir/recv/host`
port=`cat $tmpdir/recv/port`
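Review bot: Once the gpg block is gone, `user`, `host` and `port` are read straight out of an uploaded tarball and used with no validation, so the only thing standing between a web upload and whatever command follows (the script continues past this hunk) is the GUI's Basic auth. The client should now refuse anything that is not a plain token — and in particular a value starting with `-`, which would be parsed as an option by ssh or similar tools — before these variables are used; `tmpdir=\`mktemp -d\`` should also fail closed if it returns nothing. Suggested validation after the three reads:
```shell
user=`cat $tmpdir/recv/user`
host=`cat $tmpdir/recv/host`
port=`cat $tmpdir/recv/port`
# Without the signature check these come straight from the upload:
# accept only plain tokens, and never something that looks like an option.
case "$user" in ''|-*|*[!A-Za-z0-9._-]*) echo >&2 "$0: bad user in request. Aborting."; exit 7;; esac
case "$host" in ''|-*|*[!A-Za-z0-9._-]*) echo >&2 "$0: bad host in request. Aborting."; exit 7;; esac
case "$port" in ''|*[!0-9]*) echo >&2 "$0: bad port in request. Aborting."; exit 7;; esac
# … unchanged: rest of the script …
```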
diff --git a/rapid-tunneling.conf b/rapid-tunneling.conf
new file mode 100644
index 0000000..7f17156
--- /dev/null
+++ b/rapid-tunneling.conf
@@ -0,0 +1,7 @@
+<Directory "/var/www/html/support">
+AuthUserFile /etc/rapid-tunneling/gui.htpasswd
+AuthName "RapidTunneling(tm)"
+AuthType Basic
+Require valid-user
+</Directory>
+
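Review bot: `<Directory "/var/www/html/support">` hard-codes a path while the Makefile installs the GUI into `$(WWWHOME)` and the spec references `%{webroot}`; if those ever differ from this literal, the directive silently matches nothing and the GUI is served with no authentication at all, so the path should be derived from the same variable at build time or at least asserted to be equal in the install target. Basic auth also sends the password in clear on every request, so this block should be documented as HTTPS-only, e.g. a leading comment `# Basic auth: serve this directory over TLS only (SSLRequireSSL if mod_ssl is loaded); the path must match WWWHOME in the Makefile.`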
diff --git a/rapid-tunneling.spec b/rapid-tunneling.spec
index 49811b5..d96b336 100644
--- a/rapid-tunneling.spec
+++ b/rapid-tunneling.spec
@@ -60,10 +60,14 @@ if [ "$1" = 0 ]; then
fi
%post server
-useradd -d /var/lib/rapid-tunneling-server -m support 2>/dev/null || :
-LINE='export PATH=$PATH:/usr/sbin'
-PROFILE=/var/lib/rapid-tunneling-server/.bash_profile
-if ! fgrep -q "$LINE" $PROFILE 2>/dev/null; then echo "$LINE" >> $PROFILE; fi
+HOME_DIR=/var/lib/rapid-tunneling/support
+NEW_USER=support
+useradd -d $HOME_DIR -m $NEW_USER 2>/dev/null || :
+LINE='. /usr/share/rapid-tunneling/support_env'
+PROFILE=$HOME_DIR/.bash_profile
+if ! fgrep -q "$LINE" $PROFILE 2>/dev/null; then
+ echo "$LINE" >> $PROFILE
+fi
/sbin/chkconfig --add sshd_support
%preun server
@@ -110,7 +114,12 @@ fi
%files gui
%defattr(-, root, root, 0755)
%{webroot}/
+%config(noreplace) /etc/rapid-tunneling/gui.htpasswd
+%config /etc/httpd/conf.d/rapid-tunneling.conf
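Review bot: `%config(noreplace) /etc/rapid-tunneling/gui.htpasswd` inherits `%defattr(-, root, root, 0755)`, so the file keeps the 0644 mode the Makefile gave it and the password hash is readable by every local user. Narrow it to the web server: `%attr(0640, root, apache) %config(noreplace) /etc/rapid-tunneling/gui.htpasswd` (the group name is the Red Hat httpd default; adjust if this spec targets something else), and the `noreplace` also means the shipped default credential survives upgrades, which is worth a line in the package description.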
%changelog
+* Sun Feb 01 2009 Alex Landau <alex.landau@xorcom.com> 1.01-1
+- Added password protection in the GUI.
+
* Sun Dec 14 2008 Alex Landau <alex.landau@xorcom.com> 1.0-1
- Initial RPM release.
diff --git a/rtadm b/rtadm
index 702e1ee..75a736e 100755
--- a/rtadm
+++ b/rtadm
@@ -3,11 +3,6 @@
USERNAME=support
FROM_REMOTE_COMMAND=/usr/share/rapid-tunneling/bin/rt-from-remote
-# Until we see how this works out.
-# Maybe we need to add a separate "sign" functionality to sign a support
-# request tarball elsewhere?
-REQUIRE_PGP=yes
-
CFG_FILE=/etc/rapid-tunneling/rtadm
if [ -r $CFG_FILE ]; then . $CFG_FILE; fi
@@ -24,18 +19,6 @@ create()
TUNNEL_PORT=$1
COMMENT=$2
- if [ "$REQUIRE_PGP" = 'yes' ] &&
- [ `gpg --list-secret-keys 2>/dev/null | wc -l` = '0' ]
- then
- echo "Support user has no (secret) gpg key and can't sign the"
- echo "support requests. Either create one:"
- echo ""
- echo " rtadm keygen"
- echo ""
- echo "or copy over your secret gpg key."
- echo "$0: Aborting."
- exit 7
- fi
if grep -q "ra-[0-9]\+-$COMMENT-[0-9]\+" $HOME/.ssh/authorized_keys 2>/dev/null; then
echo "Connection name '$COMMENT' already exists. Aborting." 1>&2
exit 1
@@ -53,11 +36,7 @@ create()
echo $PORT > ~/tmp/port
echo $USERNAME > ~/tmp/user
echo $TUNNEL_PORT > ~/tmp/tunnelport
- # Sign all the data sent, except the signature itself:
- files_in_tar="host key port tunnelport user" # alphbetical
- (cd ~/tmp; grep . $files_in_tar) >~/tmp/all_data
- gpg --output ~/tmp/sig.asc --armour --detach-sign ~/tmp/all_data
- tar -czf remote-access-$COMMENT.tar.gz -C ~/tmp $files_in_tar sig.asc --owner root --group root
+ tar -czf remote-access-$COMMENT.tar.gz -C ~/tmp host key port tunnelport user --owner root --group root
mkdir -m 700 -p ~/.ssh
umask 022
cat ~/tmp/key.pub >> ~/.ssh/authorized_keys
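Review bot: The tarball created by `tar -czf remote-access-$COMMENT.tar.gz ...` carries the private `key` whose public half is appended to authorized_keys two lines later, and with the detached signature gone it is now also the only thing that authenticates a request; nothing in this hunk restricts the file's mode, and `umask 022` is only set afterwards, so it is written with whatever umask the caller had. Add `chmod 600 remote-access-$COMMENT.tar.gz` right after the tar line, and the README should now say the tarball must be delivered over an authenticated channel since the client no longer verifies it.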
@@ -142,8 +121,6 @@ usage()
echo " # disconnect connection"
echo " delete <connection-name>"
echo " # disconnect, disable and delete any trace of the connection"
- echo " genkey"
- echo " # Generate an OpenPGP key for signing tarballs (interactive)"
exit 1
}
@@ -184,10 +161,6 @@ case "$1" in
delete "$1"
disconnect "$1"
;;
- keygen)
- shift
- gpg "$@" --gen-key
- ;;
*)
usage
;;
diff --git a/rtadm.config b/rtadm.config
index 16952bc..e7734fb 100644
--- a/rtadm.config
+++ b/rtadm.config
@@ -8,7 +8,3 @@ HOSTNAME=
# Port number on which the local SSH server listens.
# If you change it below, change it also in /etc/ssh/sshd_support_config
PORT=2222
-
-# Don't require that tarballs are signed at generation time. They'll
-# get somehow magically signed along the way.
-#REQUIRE_PGP=no
diff --git a/sshd_support_config b/sshd_support_config
index b0c5c21..1659e76 100644
--- a/sshd_support_config
+++ b/sshd_support_config
@@ -74,6 +74,6 @@ TCPKeepAlive yes
#Subsystem sftp /usr/lib/openssh/sftp-server
-#UsePAM yes
+UsePAM yes
AllowUsers support
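Review bot: Enabling `UsePAM yes` also lets sshd authenticate through PAM via keyboard-interactive unless `ChallengeResponseAuthentication no` is set, and the README says the support user must not be able to log in through ssh at all. The rest of this config is outside the hunk, so confirm it contains `PasswordAuthentication no` and `ChallengeResponseAuthentication no` alongside this change; if either is missing, add them next to `UsePAM yes` with a comment `# PAM is used for account/session handling only; keys remain the sole auth method`.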