From 2004b5241b88976b7090538c214a0bc881d7e785 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 19 Feb 2013 09:49:42 +0100 Subject: [PATCH] =?utf8?q?Ajout=20:=20r=C3=A9organisation=20et=20=C3=A9bau?= =?utf8?q?che=20X509.?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit --- .../openssh/known_hosts | 2 +- etc/openssl/ca.cfg | 39 ++++++++++ etc/openssl/ca.sh | 14 ++++ etc/openssl/service/smptd.cfg | 71 +++++++++++++++++++ vm.sh => etc/vm.sh | 0 functions.sh | 58 --------------- lib/functions.sh | 25 +++++++ var/.gitignore | 1 + key/julm.gpg.pub => var/pub/openpgp/julm.key | 0 key/julm.ssh.pub => var/pub/ssh/julm.key | 0 vm_host | 4 +- vm_hosted | 16 ++--- vm_remote | 31 ++++---- vm_ssh | 3 +- 14 files changed, 178 insertions(+), 86 deletions(-) rename key/ssh.known_hosts => etc/openssh/known_hosts (71%) create mode 100644 etc/openssl/ca.cfg create mode 100644 etc/openssl/ca.sh create mode 100644 etc/openssl/service/smptd.cfg rename vm.sh => etc/vm.sh (100%) delete mode 100644 functions.sh create mode 100644 lib/functions.sh create mode 100644 var/.gitignore rename key/julm.gpg.pub => var/pub/openpgp/julm.key (100%) rename key/julm.ssh.pub => var/pub/ssh/julm.key (100%) diff --git a/key/ssh.known_hosts b/etc/openssh/known_hosts similarity index 71% rename from key/ssh.known_hosts rename to etc/openssh/known_hosts index 4376a5e..ece8292 100644 --- a/key/ssh.known_hosts +++ b/etc/openssh/known_hosts 
@@ -1,4 +1,4 @@ rouf.grenode.net,91.216.110.98 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWolyL7ErNN/uHTAoQFIylOOC9sixbd4i0CNxAcGN0Ht7Z7HpquzwAmRj4JHNgRRTkUFnW0GBOB/E3Py5ckU1CZ8SBZyqt3zrBwO0xybZ6ZWNlzebdgiMU3Ke2p9WfZsAd0HKG9oJjeNJFDVATI/ez0IT8pKFR0AT5wO1u5HHDX3szPl19F5Blk8S3XYc//ZypVTokpH7EDgq+tj8FPERAuwIYl3qAJesR0omwn5Gro87pUhTgqK+9mkXcWacUYsLA6m0uR+1DhdTIHwcsHFoVI+DjwOGmfeI5ZallbgRdmoeTUi1lf1RVu5myoBl6eRob9dLWCtp+7zjp0fmPEDaJ root@rouf init.ateliers.heureux-cyclage.org ssh-rsa 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 ateliers.heureux-cyclage.org ssh-rsa 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 -|1|p+07/BQvEHNha3nWzaQimjM242U=|Ouc4VzPcrmZoCecGIJb27ztT/Og= ssh-rsa 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 +91.216.110.42 ssh-rsa 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 diff --git a/etc/openssl/ca.cfg b/etc/openssl/ca.cfg new file mode 100644 index 0000000..2cd0e7d --- /dev/null +++ b/etc/openssl/ca.cfg 
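Review bot: The added entry `91.216.110.42 ssh-rsa …` lists only an IP address, unlike the `rouf.grenode.net,91.216.110.98` line above it that pairs the name with the address; with `StrictHostKeyChecking=yes` (set in `vm_ssh` in this same commit) a connection made by hostname to that machine is refused unless the name is also present, so if the host is reached by name the line should read `name,91.216.110.42 ssh-rsa …`. Replacing the hashed `|1|…` line with a plaintext one is consistent with the `HashKnownHosts=no` added to `vm_ssh` and makes later diffs of this file reviewable, which seems to be the intent.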
@@ -0,0 +1,39 @@ + HOME = . + RANDFILE = $HOME/var/lib/rand + oid_section = extra_oids +[ extra_oids ] + # Pour EVSSL + trustList = 2.16.840.1.113730.1.900 + telephoneNumber = 2.5.4.20 + initials = 2.5.4.43 + logotype = 1.3.6.1.5.5.7.1.12 +[ req ] + prompt = no + distinguished_name = root_distinguished_name + string_mask = pkix +[ root_distinguished_name ] + commonName = $ENV::x509_host + countryName = $ENV::x509_country + initials = $ENV::x509_initials + 0.organizationName = $ENV::x509_host + organizationalUnitName = Anti-autorité de certification primaire + postalCode = $ENV::x509_postal_code + stateOrProvinceName = $ENV::x509_state_or_province + streetAddress = $ENV::x509_street_address + telephoneNumber = $ENV::x509_telephone_number +[ root_extensions ] + basicConstraints = critical,CA:TRUE,pathlen:1 + keyUsage = keyCertSign,cRLSign + subjectAltName = email:contact@$ENV::x509_host + subjectKeyIdentifier = hash + issuerAltName = issuer:copy + authorityKeyIdentifier = keyid:always,issuer:always + authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/tls/crt.pem + crlDistributionPoints = URI:http://www.$ENV::x509_host/tls/crl.pem + #certificatePolicies = @root_certificate_policies + #trustList = ASN1:UTF8String:https://www.$ENV::x509_host/tls/trust.etl + #policyConstraints = + #extendedKeyUsage = + #inhibitAnyPolicy = + #nameConstraints = + #noCheck = diff --git a/etc/openssl/ca.sh b/etc/openssl/ca.sh new file mode 100644 index 0000000..04a3c50 --- /dev/null +++ b/etc/openssl/ca.sh 
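Review bot: `keyUsage = keyCertSign,cRLSign` in `[ root_extensions ]` is not flagged critical; RFC 5280 §4.2.1.3 says keyUsage SHOULD be critical when present, and for a root that only signs certificates and CRLs the line should be `keyUsage = critical,keyCertSign,cRLSign`. Nothing in `[ req ]` refers to `[ root_extensions ]` (there is no `x509_extensions = root_extensions`), so a self-signed root produced with `openssl req -x509` and this file carries no extensions at all unless `-extensions root_extensions` is passed on the command line; adding `x509_extensions = root_extensions` under `[ req ]` makes the file self-contained. `[ extra_oids ]` redefines `telephoneNumber` and `initials`, which OpenSSL already knows under those names, and newer releases may reject the duplicate definitions, so those two lines can probably be dropped. With `string_mask = pkix` the accented `organizationalUnitName` value is, as far as I recall, encoded as BMPString; `string_mask = utf8only` is the encoding RFC 5280 expects for new certificates.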
@@ -0,0 +1,14 @@ +#!/bin/sh + +export x509_host="ateliers.heureux-cyclage.org" +export x509_country="FR" +export x509_organization="Ateliers de l'Heureux-Cyclage" +export x509_organization_unit_name="Anti-autorité de certification primaire" +export x509_initials="(A)" +export x509_state_or_province="néant" +export x509_locality="néant" +export x509_street_address="néant" +export x509_postal_code="néant" +export x509_telephone_number="néant" +export x509_business_category="V1.0, ni dieu ni maître ni moteur" +export x509_days="3653" diff --git a/etc/openssl/service/smptd.cfg b/etc/openssl/service/smptd.cfg new file mode 100644 index 0000000..f609c99 --- /dev/null +++ b/etc/openssl/service/smptd.cfg 
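Review bot: Several exported names do not match what the two config files in this commit read: `x509_organization_unit_name`, `x509_locality` and `x509_days` are referenced by neither `etc/openssl/ca.cfg` nor `etc/openssl/service/smptd.cfg`, while `smptd.cfg` reads `$ENV::x509_user`, which is exported nowhere. I believe OpenSSL expands `$ENV::` references while parsing the file rather than on use, so a missing variable aborts the load with "variable has no value" even when the command never touches `[ user_extensions ]`; either export it here or move that section to its own file. `ca.cfg` also hard-codes `0.organizationName = $ENV::x509_host` although `x509_organization` is exported here and used by `smptd.cfg`, so the root and service certificates will not share an organization unless that is intended. Since the `#!/bin/sh` suggests execution but executing it exports nothing to the caller, a header comment such as `# Source this file (. etc/openssl/ca.sh) before running openssl with ca.cfg` would prevent that misuse.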
@@ -0,0 +1,71 @@ + SERVICE = smtpd + HOME = . + RANDFILE = $HOME/var/rand + oid_section = extra_oids +[ extra_oids ] + # Pour la validation étendue (Extended Validation (EV)) + jurisdictionOfIncorporationLocalityName = 1.3.6.1.4.1.311.60.2.1.1 + jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2 + jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3 +[ req ] + prompt = no + distinguished_name = service_distinguished_name + string_mask = pkix + #x509_extensions = root_extensions + #req_extensions = service_extension + #attributes = req_attributes +[ service_distinguished_name ] + countryName = $ENV::x509_country + stateOrProvinceName = $ENV::x509_state_or_province + localityName = $ENV::x509_state_or_province + 0.organizationName = $ENV::x509_organization + organizationalUnitName = Service SMTP (serveur) + commonName = $SERVICE.$ENV::x509_host + businessCategory = $ENV::x509_business_category + jurisdictionOfIncorporationLocalityName = $ENV::x509_state_or_province + jurisdictionOfIncorporationStateOrProvinceName = $ENV::x509_state_or_province + jurisdictionOfIncorporationCountryName = $ENV::x509_country +[ service_extensions ] + basicConstraints = critical,CA:TRUE,pathlen:0 + keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment + subjectAltName = email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:smtp.$ENV::x509_host,DNS:submission.$ENV::x509_host,DNS:smtps.$ENV::x509_host + subjectKeyIdentifier = hash + issuerAltName = issuer:copy + authorityKeyIdentifier = keyid:always,issuer:always + authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/tls/crt.pem + crlDistributionPoints = URI:http://www.$ENV::x509_host/tls/$SERVICE/crl.pem + certificatePolicies = @service_certificate_policies +[ service_self_signed_extensions ] + basicConstraints = critical,CA:TRUE,pathlen:0 + keyUsage = keyCertSign,cRLSign,digitalSignature,keyEncipherment + subjectAltName = 
email:contact+$SERVICE@$ENV::x509_host,DNS:$SERVICE.$ENV::x509_host,DNS:smtp.$ENV::x509_host,DNS:submission.$ENV::x509_host,DNS:smtps.$ENV::x509_host + subjectKeyIdentifier = hash + issuerAltName = issuer:copy + authorityKeyIdentifier = keyid:always,issuer:always + authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/tls/$SERVICE/crt.pem + crlDistributionPoints = URI:http://www.$ENV::x509_host/tls/$SERVICE/crl.pem +[ user_extensions ] + basicConstraints = critical,CA:FALSE,pathlen:0 + keyUsage = digitalSignature,keyEncipherment + subjectAltName = email:$ENV::x509_user@$ENV::x509_host + subjectKeyIdentifier = hash + issuerAltName = issuer:copy + authorityKeyIdentifier = keyid:always,issuer:always + authorityInfoAccess = caIssuers;URI:http://www.$ENV::x509_host/tls/$SERVICE/crt.pem +[ service_certificate_policies ] + policyIdentifier = 1.2.250.1.42 + CPS.1 = https://www.$ENV::x509_host/tls/cps +[ service_ca ] + dir = $HOME/var/lib/x509/service/$SERVICE + crl_dir = $dir + crlnumber = $dir/crl.num + crl = $dir/crl.pem + private_key = $dir/key.pem + database = $dir/idx.txt +[ service_self_signed_ca ] + dir = $HOME/var/lib/x509/service/$SERVICE + crl_dir = $dir + crlnumber = $dir/crl.self-signed.num + crl = $dir/crl.self-signed.pem + database = $dir/idx.self-signed.txt + private_key = $dir/key.pem diff --git a/vm.sh b/etc/vm.sh similarity index 100% rename from vm.sh rename to etc/vm.sh diff --git a/functions.sh b/functions.sh deleted file mode 100644 index 1f2c97a..0000000 --- a/functions.sh +++ /dev/null 
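Review bot: `localityName = $ENV::x509_state_or_province` and `jurisdictionOfIncorporationLocalityName = $ENV::x509_state_or_province` in `[ service_distinguished_name ]` look like copy-paste slips, since `ca.sh` in this commit exports `x509_locality` for exactly this purpose; both should read `$ENV::x509_locality`. In `[ user_extensions ]`, `basicConstraints = critical,CA:FALSE,pathlen:0` is malformed under RFC 5280 §4.2.1.9, which allows pathLenConstraint only when cA is TRUE, so drop the `pathlen:0` there. The same key serves as the SMTP TLS server key (`DNS:smtp.…`, `keyEncipherment`) and as a CA key (`CA:TRUE`, `keyCertSign`), so compromise of the network-facing daemon also yields the key that issues user certificates; if that is the intended design a comment saying so would help the next reader, otherwise issue the server certificate and the user-issuing CA from separate keys. The file is named `smptd.cfg` while it sets `SERVICE = smtpd`, which is worth renaming to `smtpd.cfg` before other scripts reference the path.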
@@ -1,58 +0,0 @@ -#!/bin/sh -# DESCRIPTION: ce fichier regroupe des utilitaires très génériques - -mk_dir () { - local mod=${1#mod=}; shift - local own=${1#own=}; shift - sudo mkdir -p "$@" - ! [ ${mod:+set} ] || sudo chmod $mod "$@" - ! [ ${own:+set} ] || sudo chown $own "$@" - } -mk_reg () { - local mod=${1#mod=}; shift - local own=${1#own=}; shift - local append - if [ "x${1#--append}" = "x" ] - then append='-a'; shift - else append='' - fi - sudo tee >&2 $append "$@" - ! [ ${mod:+set} ] || sudo chmod $mod "$@" - ! [ ${own:+set} ] || sudo chown $own "$@" - } -mk_lnk () { - sudo ln -fns "$@" - } -ssh_key_add () { - local user=${1#user=}; shift - local in=$1 - local out=$2 - local tmp=$(mktemp -t "$vm.ssh.XXXXXXXXX.tmp") - # NOTE: ssh-keygen ne sait lire que depuis un fichier.. - while IFS= read -r key - do - # DESCRIPTION: ajoute dans le compte de root les clefs SSH de l'admin non déjà ajoutées. - has= - cat >"$tmp" <<-EOF - $key - EOF - key_fpr=$(ssh-keygen -l -f "$tmp" | cut -d ' ' -f 1,2) - while IFS= read -r auth_key - do - cat >"$tmp" <<-EOF - $auth_key - EOF - auth_key_fpr=$(ssh-keygen -l -f "$tmp" | cut -d ' ' -f 1,2) - if [ "$key_fpr" = "$auth_key_fpr" ] - then has=1; break - fi - done <<-EOF - $(sudo cat /root/etc/ssh/authorized_keys) - EOF - [ ${has:+set} ] || - mk_reg mod=640 own="$user:$user" --append "$out" <<-EOF - $key - EOF - done <"$in" - rm -f "$tmp" - } diff --git a/lib/functions.sh b/lib/functions.sh new file mode 100644 index 0000000..a059f2f --- /dev/null +++ b/lib/functions.sh 
@@ -0,0 +1,25 @@ +#!/bin/sh +# DESCRIPTION: ce fichier regroupe des utilitaires très génériques + +mk_dir () { + local mod=${1#mod=}; shift + local own=${1#own=}; shift + sudo mkdir -p "$@" + ! [ ${mod:+set} ] || sudo chmod $mod "$@" + ! [ ${own:+set} ] || sudo chown $own "$@" + } +mk_reg () { + local mod=${1#mod=}; shift + local own=${1#own=}; shift + local append + if [ "x${1#--append}" = "x" ] + then append='-a'; shift + else append='' + fi + sudo tee >&2 $append "$@" + ! [ ${mod:+set} ] || sudo chmod $mod "$@" + ! [ ${own:+set} ] || sudo chown $own "$@" + } +mk_lnk () { + sudo ln -fns "$@" + } diff --git a/var/.gitignore b/var/.gitignore new file mode 100644 index 0000000..b687655 --- /dev/null +++ b/var/.gitignore @@ -0,0 +1 @@ +sec diff --git a/key/julm.gpg.pub b/var/pub/openpgp/julm.key similarity index 100% rename from key/julm.gpg.pub rename to var/pub/openpgp/julm.key diff --git a/key/julm.ssh.pub b/var/pub/ssh/julm.key similarity index 100% rename from key/julm.ssh.pub rename to var/pub/ssh/julm.key diff --git a/vm_host b/vm_host index f754547..0bf383d 100755 --- a/vm_host +++ b/vm_host @@ -1,8 +1,8 @@ #!/bin/sh set -e -f ${DRY_RUN:+-n} -u tool=${0%/*} -. "$tool"/functions.sh -. "$tool"/vm.sh +. "$tool"/lib/functions.sh +. "$tool"/etc/vm.sh test "$(hostname --fqdn)" = "$vm_host" rule_help () { diff --git a/vm_hosted b/vm_hosted index 56e1ee0..925f1a9 100755 --- a/vm_hosted +++ b/vm_hosted @@ -1,8 +1,8 @@ #!/bin/sh set -e -f ${DRY_RUN:+-n} -u tool=${0%/*} -. "$tool"/functions.sh -. "$tool"/vm.sh +. "$tool"/lib/functions.sh +. "$tool"/etc/vm.sh test "$(hostname --fqdn)" = "$vm_fqdn" rule_help () { 
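Review bot: `sudo tee >&2 $append "$@"` in `mk_reg` copies everything it writes into the target file onto stderr, so any file created through `mk_reg` is also printed to the terminal and to whatever captures stderr; that is harmless for the `authorized_keys` write in `vm_hosted`, but would expose a private key or password file written the same way. If the echo is only a progress aid, `sudo tee $append "$@" >/dev/null` keeps file content off the console; if it is a deliberate preview, a comment saying so would help. The `mod=`/`own=` positional prefixes are an undocumented convention, so a header such as `# mk_reg mod=MODE own=USER:GROUP [--append] FILE... : write stdin to FILE(s) via sudo` above each function would make the calling convention explicit. `local` is not POSIX, so under `#!/bin/sh` these functions rely on dash/bash behaviour.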
@@ -229,7 +229,7 @@ rule__user_root_init () { EOF done | mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys - sudo find "$tool"/key -type f -name '*.gpg.pub' -exec gpg --import {} \; + sudo find "$tool"/var/pub/openpgp -type f -name '*.key' -exec gpg --import {} \; } rule__initramfs_init () { mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF @@ -265,13 +265,13 @@ rule__initramfs_init () { #mk_reg mod=640 own=root:root /dev/null } rule_disk_key_backup () { for part in root swap var home do - rule_ssh sudo cryptsetup luksHeaderBackup /dev/$vm_lvm_vg/${vm_lvm_lv}_${part} | - gpg --encrypt --recipient $USER@ -o key/secret/${vm_lvm_lv}_${part}.luks.gpg - done - } -rule_disk_key_restore () { - for part in root swap var home - do - gpg --decrypt ${vm_lvm_lv}_${part}.luks | - rule_ssh sudo cryptsetup luksHeaderRestore /dev/$vm_lvm_vg/${vm_lvm_lv}_${part} + mkdir -p var/lib/luks + rule_ssh -l root ' \ + tmp=$(mktemp) + cryptsetup luksHeaderBackup \ + /dev/$vm_lvm_vg/${vm_lvm_lv}_${part} \ + --header-backup-file "$tmp" \ + cat "$tmp" + shred --remove "$tmp" + ' | + gpg --encrypt --recipient $USER@ \ + -o var/lib/luks/${vm_lvm_lv}_${part}.luks.gpg done } diff --git a/vm_ssh b/vm_ssh index d1c0c51..e39d9b1 100755 --- a/vm_ssh +++ b/vm_ssh @@ -3,5 +3,6 @@ set -e -f ${DRY_RUN:+-n} -u tool=${0%/*} ssh \ -o StrictHostKeyChecking=yes \ - -o UserKnownHostsFile="$tool"/key/ssh.known_hosts \ + -o UserKnownHostsFile=etc/openssh/known_hosts \ + -o HashKnownHosts=no \ "$@" -- 2.20.1
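Review bot: In the new `rule_disk_key_backup`, the backslash after `--header-backup-file "$tmp" \` continues the remote command line, so `cat "$tmp"` becomes two extra arguments to `cryptsetup` rather than a command of its own; nothing reaches the pipe and gpg encrypts an empty stream (or cryptsetup rejects the extra arguments). The device path `/dev/$vm_lvm_vg/${vm_lvm_lv}_${part}` now sits inside single quotes, so unless `rule_ssh` (defined outside this hunk) expands it, those variables are resolved on the remote side where they are presumably unset. The header is written to a `mktemp` file on the remote disk, and `shred --remove` cannot guarantee an overwrite on journaling filesystems or SSDs; creating the file on tmpfs (`mktemp -p /dev/shm`) sidesteps that. `rule_disk_key_restore` is deleted without a counterpart for the new `var/lib/luks/*.luks.gpg` layout, and `var/.gitignore` ignores only `sec`, so these encrypted backups would be committed, which deserves a comment if intentional. The output path `var/lib/luks` is relative to the caller's working directory while the rest of the commit anchors paths at `"$tool"`.
```shell
rule_disk_key_backup () {
  for part in root swap var home
  do
    mkdir -p "$tool"/var/lib/luks
    dev=/dev/$vm_lvm_vg/${vm_lvm_lv}_${part}
    # the device path is expanded locally; only $tmp is left for the remote shell
    rule_ssh -l root '
      tmp=$(mktemp -p /dev/shm)
      cryptsetup luksHeaderBackup '"$dev"' --header-backup-file "$tmp"
      cat "$tmp"
      shred --remove "$tmp"
      ' |
    gpg --encrypt --recipient $USER@ \
      -o "$tool"/var/lib/luks/${vm_lvm_lv}_${part}.luks.gpg
  done
  }
```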
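Review bot: `-o UserKnownHostsFile=etc/openssh/known_hosts` is a path relative to the caller's working directory, whereas the line it replaces was anchored at `"$tool"`, which `tool=${0%/*}` still computes just above; run from any other directory ssh opens a non-existent file and, with `StrictHostKeyChecking=yes`, refuses every host. Use `-o UserKnownHostsFile="$tool"/etc/openssh/known_hosts` to follow the rename. `HashKnownHosts=no` only governs entries ssh writes itself, and with `StrictHostKeyChecking=yes` ssh should add none, so the option appears inert here; harmless, but a comment would stop a reader expecting it to un-hash the existing file.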