From 8e13d7e1fddc0e7faaae5ac640a5e05b114eea33 Mon Sep 17 00:00:00 2001
From: Alex Landau
Date: Sun, 1 Feb 2009 18:09:40 +0000
Subject: rapid-tunneling: - Added GUI password protection. - Backed out GPG.

git-svn-id: svn+ssh://xorcom/home/svn/debs/components/rapid-tunneling@6682 283159da-0705-0410-b60c-f2062b4bb6ad
---
 Makefile | 5 ++++-
 README | 9 ---------
 debian/changelog | 2 +-
 debian/rapid-tunneling-gui.install | 2 ++
 debian/rapid-tunneling-server.postinst | 8 ++++----
 gui.htpasswd | 1 +
 gui/index.php | 9 ++------
 rapid-tunneling | 12 ------------
 rapid-tunneling.conf | 7 +++++++
 rapid-tunneling.spec | 17 +++++++++++++----
 rtadm | 29 +----------------------------
 rtadm.config | 4 ----
 sshd_support_config | 2 +-
 13 files changed, 36 insertions(+), 71 deletions(-)
 create mode 100644 gui.htpasswd
 create mode 100644 rapid-tunneling.conf

diff --git a/Makefile b/Makefile
index 892e796..5fa0dc1 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ PACKAGE = rapid-tunneling
 SPEC = rapid-tunneling.spec
 SCRIPTS = rapid-tunneling rapid-tunneling-status rtadm rt-from-remote
-CONFIGS = rtadm.config sshd_support_config support_env
+CONFIGS = rtadm.config sshd_support_config support_env rapid-tunneling.conf gui.htpasswd
 INIT_D = sshd_support
 GUI = gui
 SOURCES = Makefile $(SPEC) $(SCRIPTS) $(CONFIGS) $(INIT_D) $(GUI) .placeholder
@@ -54,12 +54,15 @@ install:
 install -m 755 rt-from-remote $(DESTDIR)$(BINDIR)
 install -m 755 -d $(DESTDIR)/etc/rapid-tunneling
 install -m 644 rtadm.config $(DESTDIR)/etc/rapid-tunneling/rtadm
+ install -m 644 gui.htpasswd $(DESTDIR)/etc/rapid-tunneling/
 install -m 755 -d $(DESTDIR)/etc/ssh
 install -m 644 sshd_support_config $(DESTDIR)/etc/ssh/
 install -m 755 -d $(DESTDIR)/var/lib/rapid-tunneling
 install -m 644 .placeholder $(DESTDIR)/var/lib/rapid-tunneling/
 install -m 755 -d $(DESTDIR)$(WWWHOME)
 install -m 644 gui/* $(DESTDIR)$(WWWHOME)/
+ install -m 755 -d $(DESTDIR)/etc/httpd/conf.d
+ install -m 644 rapid-tunneling.conf $(DESTDIR)/etc/httpd/conf.d/
 .PHONY: clean dummy
 dummy:
diff --git a/README b/README
index 85387d8..d41b6ba 100644
--- a/README
+++ b/README
@@ -35,9 +35,6 @@ to remote users.
 * Provide a special way for the support user to login. It cannot login through ssh. One possible way is from another user account through sudo -i .
-* Create a gpg key and make it the secret key of the support user. (See also below on 'rtadm keygen'). The public key should be imported into every client machine.
 Client
@@ -107,8 +104,6 @@ TODO: document it. For starters, its help message:
 # disconnect connection
 delete
 # disconnect, disable and delete any trace of the connection
- genkey
- # Generate an OpenPGP key for signing tarballs (interactive)
 "Enabled" connection is a connection that can start a new tunnel. Disabling it does not Disconnect an existing connection. It essentially
@@ -178,10 +173,6 @@ no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="127.0.0.1:65534",comman
 A key can also be used to flood the server's disk, which means that the support user's quota should be limited.
-The client only allows requests that are signed by someone hopefully trusted by the client, as implied from the gpg ring of the rapid-tunneling account on the client.
 THe client then sends the connection information over the already established connection.
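Review bot: `install -m 644 gui.htpasswd $(DESTDIR)/etc/rapid-tunneling/` makes the password hash readable by every local account, although only the web server needs to read it; `install -m 640 gui.htpasswd $(DESTDIR)/etc/rapid-tunneling/` with the group fixed up by the package's post-install step (the web server's group differs between distributions, so it should not be hard-coded here) limits that. The two added `install` lines for /etc/httpd/conf.d are also unconditional, and the Debian side (the debian/rapid-tunneling-gui.install hunk) packages that same path, although Debian's Apache reads /etc/apache2/ rather than /etc/httpd/ — presumably the Debian GUI package then ships a config file Apache never loads and the GUI stays unprotected there; a per-distribution variable for the conf.d directory, like the existing `WWWHOME`, would fix both. The `install` target continues outside the hunk.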
diff --git a/debian/changelog b/debian/changelog
index 1eaa77c..935d518 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,5 +2,5 @@ rapid-tunneling (1.01) unstable; urgency=low
 * Initial release
- -- Alex Landau Sun, 14 Dec 2008 17:20:04 +0200
+ -- Alex Landau Sun, 01 Feb 2009 17:20:04 +0200
diff --git a/debian/rapid-tunneling-gui.install b/debian/rapid-tunneling-gui.install
index b1e7840..3e3d1f8 100644
--- a/debian/rapid-tunneling-gui.install
+++ b/debian/rapid-tunneling-gui.install
@@ -1 +1,3 @@
 usr/share/rapid-tunneling/www
+etc/httpd/conf.d/rapid-tunneling.conf
+etc/rapid-tunneling/gui.htpasswd
diff --git a/debian/rapid-tunneling-server.postinst b/debian/rapid-tunneling-server.postinst
index 1a1c3fb..b1a73fa 100644
--- a/debian/rapid-tunneling-server.postinst
+++ b/debian/rapid-tunneling-server.postinst
@@ -26,10 +26,10 @@ case "$1" in
 adduser --disabled-password --home $HOME_DIR \
 --gecos "Rapid Tunneling support" $NEW_USER 2>/dev/null || :
 fi
- LINE='. /usr/share/rapid-tunneling/support_env'
- PROFILE=$HOME_DIR/.profile
- if ! fgrep -q "$LINE" $PROFILE 2>/dev/null; then
- echo "$LINE" >> $PROFILE;
+ LINE='. /usr/share/rapid-tunneling/support_env'
+ PROFILE=$HOME_DIR/.profile
+ if ! fgrep -q "$LINE" $PROFILE 2>/dev/null; then
+ echo "$LINE" >> $PROFILE
 fi
 ;;
diff --git a/gui.htpasswd b/gui.htpasswd
new file mode 100644
index 0000000..9321e12
--- /dev/null
+++ b/gui.htpasswd
@@ -0,0 +1 @@
+support:$apr1$.rQg4/..$oh2PxjD7BPc4hUleb16u8.
diff --git a/gui/index.php b/gui/index.php
index 891680c..423db56 100644
--- a/gui/index.php
+++ b/gui/index.php
@@ -32,9 +32,9 @@
 } /tmp/ra.log 2>&1", $ret);
- if ($ret != 0) {
+ if ($ret != 0)
 $error = "Invalid or corrupt file. Please try again.";
- if ( $ret == 7) {
- $error = "Invalid GPG signature. Please try again.";
- }
- break;
- }
 break; } }
diff --git a/rapid-tunneling b/rapid-tunneling
index 3c1f843..acc9552 100755
--- a/rapid-tunneling
+++ b/rapid-tunneling
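Review bot: The new gui.htpasswd ships a single fixed `support` entry, so the same hash — and therefore the same password — lands on every host that installs the package, and `%config(noreplace)` in the spec keeps it there across upgrades; with the gpg check gone, this shared default is now the only control in front of a GUI that hands an uploaded file to a command. Create the entry at package install time instead (for example `htpasswd -c /etc/rapid-tunneling/gui.htpasswd support` run by the administrator, or ship an empty file so httpd rejects every login until a user is added) and state in README that the password must be set before the GUI is exposed. The `$apr1$` format is what httpd's file authentication expects, so the format is fine; the problem is the fixed value.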
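Review bot: `if ($ret != 0)` now guards a single unbraced statement where the removed lines used braces; the `break;` that follows is context, so behaviour is the same as before, but a second statement added to the error branch later would silently land outside the `if`. Keep the braces: `if ($ret != 0) {`, `$error = "Invalid or corrupt file. Please try again.";`, `}`. The enclosing switch and the surrounding function both start and end outside the hunk.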
@@ -7,24 +7,12 @@ if [ -z "$1" ]; then
 exit 1
 fi
-REQUIRE_PGP=yes
-
 if [ -r /etc/rapid-tunneling/client ]; then . /etc/rapid-tunneling/client; fi
 tmpdir=`mktemp -d`
 mkdir $tmpdir/recv $tmpdir/send
 tar xzf "$1" -C $tmpdir/recv
-# The signed data is everything except the signature itself:
-(cd $tmpdir/recv; grep -- . * | grep -v ^sig.asc:) >$tmpdir/recv_data
-if [ "$REQUIRE_PGP" = 'yes' ] && ! gpg --quiet --verify $tmpdir/recv/sig.asc $tmpdir/recv_data
-then
-echo >&2 "$0: gpg signature verification failed."
-echo >&2 "$0: Maybe someone's playing dirty tricks? Aborting."
-exit 7
-fi
-
 user=`cat $tmpdir/recv/user`
 host=`cat $tmpdir/recv/host`
 port=`cat $tmpdir/recv/port`
diff --git a/rapid-tunneling.conf b/rapid-tunneling.conf
new file mode 100644
index 0000000..7f17156
--- /dev/null
+++ b/rapid-tunneling.conf
@@ -0,0 +1,7 @@
+
+AuthUserFile /etc/rapid-tunneling/gui.htpasswd
+AuthName "RapidTunneling(tm)"
+AuthType Basic
+Require valid-user
+
+
diff --git a/rapid-tunneling.spec b/rapid-tunneling.spec
index 49811b5..d96b336 100644
--- a/rapid-tunneling.spec
+++ b/rapid-tunneling.spec
@@ -60,10 +60,14 @@ if [ "$1" = 0 ]; then
 fi
 %post server
-useradd -d /var/lib/rapid-tunneling-server -m support 2>/dev/null || :
-LINE='export PATH=$PATH:/usr/sbin'
-PROFILE=/var/lib/rapid-tunneling-server/.bash_profile
-if ! fgrep -q "$LINE" $PROFILE 2>/dev/null; then echo "$LINE" >> $PROFILE; fi
+HOME_DIR=/var/lib/rapid-tunneling/support
+NEW_USER=support
+useradd -d $HOME_DIR -m $NEW_USER 2>/dev/null || :
+LINE='. /usr/share/rapid-tunneling/support_env'
+PROFILE=$HOME_DIR/.bash_profile
+if ! fgrep -q "$LINE" $PROFILE 2>/dev/null; then
+echo "$LINE" >> $PROFILE
+fi
 /sbin/chkconfig --add sshd_support
 %preun server
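Review bot: With the signature check removed, `user`, `host` and `port` are read by `cat` straight from the uploaded archive with no validation, whereas the removed block at least tied the archive to a key in the client's gpg ring. Their use is past the end of the hunk, but the script continues, so they should be checked for shape before they reach ssh or a shell, e.g. `case $port in ''|*[!0-9]*) echo >&2 "$0: bad port in request"; exit 7;; esac` and a similar character-class check for `host` and `user`. A comment above `tar xzf` stating that the archive is now trusted only because of the channel it arrived through (the README hunk drops the sentence that used to say the opposite) would keep that assumption visible; the archive's member names are not checked either.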
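Review bot: The first and sixth lines of the new file are empty in the hunk, so no `<Directory>` or `<Location>` container is visible around the `Auth*` directives; if those lines were tags that the page rendering stripped, fine, but if the file really is bare the directives apply server-wide or are rejected, and the GUI under the `WWWHOME` path is not necessarily what gets protected. Either way `AuthType Basic` sends the password base64-encoded on every request, so without TLS it crosses the network in the clear; adding `SSLRequireSSL` inside the container, or a comment stating that the GUI must only be served over HTTPS, would close that. A comment naming the directory the block is meant to cover would make the intent checkable.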
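Review bot: `useradd -d $HOME_DIR -m $NEW_USER 2>/dev/null || :` moves the support home from /var/lib/rapid-tunneling-server to /var/lib/rapid-tunneling/support, but on an upgrade from 1.0 the `support` account already exists with the old home, useradd fails silently, and the profile line is then appended to `$HOME_DIR/.bash_profile` under a directory that presumably was never created — the account's real profile never gets the `support_env` line. Reading the home back after the attempt, `HOME_DIR=$(getent passwd $NEW_USER | cut -d: -f6)`, makes the profile edit land where the shell will read it; an explicit migration of the 1.0 path, or at least a comment that it is not migrated, is also needed. The `2>/dev/null || :` hides every other useradd failure as well, which the debian postinst hunk shares with its `adduser`.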
@@ -110,7 +114,12 @@ fi
 %files gui
 %defattr(-, root, root, 0755)
 %{webroot}/
+%config(noreplace) /etc/rapid-tunneling/gui.htpasswd
+%config /etc/httpd/conf.d/rapid-tunneling.conf
 %changelog
+* Sun Feb 01 2009 Alex Landau 1.01-1
+- Added password protection in the GUI.
+
 * Sun Dec 14 2008 Alex Landau 1.0-1
 - Initial RPM release.
diff --git a/rtadm b/rtadm
index 702e1ee..75a736e 100755
--- a/rtadm
+++ b/rtadm
@@ -3,11 +3,6 @@
 USERNAME=support
 FROM_REMOTE_COMMAND=/usr/share/rapid-tunneling/bin/rt-from-remote
-# Until we see how this works out.
-# Maybe we need to add a separate "sign" functionality to sign a support
-# request tarball elsewhere?
-REQUIRE_PGP=yes
-
 CFG_FILE=/etc/rapid-tunneling/rtadm
 if [ -r $CFG_FILE ]; then . $CFG_FILE; fi
@@ -24,18 +19,6 @@ create()
 TUNNEL_PORT=$1
 COMMENT=$2
- if [ "$REQUIRE_PGP" = 'yes' ] &&
- [ `gpg --list-secret-keys 2>/dev/null | wc -l` = '0' ]
- then
- echo "Support user has no (secret) gpg key and can't sign the"
- echo "support requests. Either create one:"
- echo ""
- echo " rtadm keygen"
- echo ""
- echo "or copy over your secret gpg key."
- echo "$0: Aborting."
- exit 7
- fi
 if grep -q "ra-[0-9]\+-$COMMENT-[0-9]\+" $HOME/.ssh/authorized_keys 2>/dev/null; then
 echo "Connection name '$COMMENT' already exists. Aborting." 1>&2
 exit 1
@@ -53,11 +36,7 @@ create()
 echo $PORT > ~/tmp/port
 echo $USERNAME > ~/tmp/user
 echo $TUNNEL_PORT > ~/tmp/tunnelport
- # Sign all the data sent, except the signature itself:
- files_in_tar="host key port tunnelport user" # alphbetical
- (cd ~/tmp; grep . $files_in_tar) >~/tmp/all_data
- gpg --output ~/tmp/sig.asc --armour --detach-sign ~/tmp/all_data
- tar -czf remote-access-$COMMENT.tar.gz -C ~/tmp $files_in_tar sig.asc --owner root --group root
+ tar -czf remote-access-$COMMENT.tar.gz -C ~/tmp host key port tunnelport user --owner root --group root
 mkdir -m 700 -p ~/.ssh
 umask 022
 cat ~/tmp/key.pub >> ~/.ssh/authorized_keys
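Review bot: `%config(noreplace) /etc/rapid-tunneling/gui.htpasswd` takes its ownership and mode from the section's `%defattr(-, root, root, 0755)` and the Makefile's `install -m 644`, so the hash file ends up root-owned and readable by every local account. An explicit `%attr(0640, root, apache) %config(noreplace) /etc/rapid-tunneling/gui.htpasswd` keeps it readable by httpd alone (`apache` is the httpd group on the Red Hat family that the /etc/httpd path implies — confirm for the build target). `%config` without `noreplace` on rapid-tunneling.conf means a locally edited copy is replaced on upgrade and the old one saved as .rpmsave; that is a reasonable choice for a packaged directive block, but a short comment next to the line saying so would stop the two different treatments from looking like an oversight.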
@@ -142,8 +121,6 @@ usage()
 echo " # disconnect connection"
 echo " delete "
 echo " # disconnect, disable and delete any trace of the connection"
- echo " genkey"
- echo " # Generate an OpenPGP key for signing tarballs (interactive)"
 exit 1
 }
@@ -184,10 +161,6 @@ case "$1" in
 delete "$1"
 disconnect "$1"
 ;;
- keygen)
- shift
- gpg "$@" --gen-key
- ;;
 *)
 usage
 ;;
diff --git a/rtadm.config b/rtadm.config
index 16952bc..e7734fb 100644
--- a/rtadm.config
+++ b/rtadm.config
@@ -8,7 +8,3 @@ HOSTNAME=
 # Port number on which the local SSH server listens.
 # If you change it below, change it also in /etc/ssh/sshd_support_config
 PORT=2222
-
-# Don't require that tarballs are signed at generation time. They'll
-# get somehow magically signed along the way.
-#REQUIRE_PGP=no
diff --git a/sshd_support_config b/sshd_support_config
index b0c5c21..1659e76 100644
--- a/sshd_support_config
+++ b/sshd_support_config
@@ -74,6 +74,6 @@ TCPKeepAlive yes
 #Subsystem sftp /usr/lib/openssh/sftp-server
-#UsePAM yes
+UsePAM yes
 AllowUsers support
-- 
cgit v1.2.3
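Review bot: `UsePAM yes` is enabled for the support sshd with no comment explaining why, and what it allows depends on directives outside the hunk: with PAM on, sshd can offer keyboard-interactive authentication through PAM even when `PasswordAuthentication no` is set, unless `ChallengeResponseAuthentication no` is present as well. README says the support user must not be able to log in through ssh except via the forced-command keys, so confirm both settings are `no` in this file and record the reason above the line, e.g. `# UsePAM needed for <reason>; password and keyboard-interactive auth stay disabled above`. `AllowUsers support` is the only restriction visible in the hunk.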