Architecture #6355
Status: Closed
User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance
Agent should sign their inventory using their private key
Description
We should sign agent inventories with their private key.
The signature should be sent with the inventory in a manner that can be ignored by older inventory endpoints.
Suggestion: include it in a comment before or after the inventory and remove it before validation.
Other suggestion: use a separator that is ignored by the parser, such as the ASCII record separator character.
Updated by Benoît PECCATTE over 9 years ago
Commands to create signature data:
    # md4 md5 sha sha1 sha224 sha256 sha384 sha512 whirlpool
    HASH=sha512
    FILE=inventory.ocs
    KEY=/var/rudder/cfengine-community/ppkeys/localhost.priv
    openssl dgst -r -$HASH -hex -sign $KEY < $FILE
    # Passphrase is: "Cfengine passphrase"
Updated by Benoît PECCATTE over 9 years ago
The signature can only be verified using the binary signature:
    # remove the -hex from before
    openssl dgst -r -$HASH -sign $KEY < $FILE > $FILE.sign
    # the openssl command only reads public keys in X509 format
    PUBKEY=/var/rudder/cfengine-community/ppkeys/localhost_x509.pub
    openssl rsa -in $KEY -pubout -out $PUBKEY
    # verify using the new key and the binary form signature
    openssl dgst -r -$HASH -verify $PUBKEY -signature $FILE.sign < $FILE
But these limitations are from the command line and can probably be removed on the server if we use libssl or something else directly.
Updated by Benoît PECCATTE over 9 years ago
The signature file format would be like this:
    header=rudder-signature-v1
    algorithm=sha512
    digest=612bcb5fbfb0e9b5514dd4467d7f046f17656eb232f8777c919bfe337eb691a53efde83a7f685af88ad6fb48adfb55902198c2cb75e3638bfde33c7e94e66bae54332502b875e2e9ab518c90042f24e8e6a5d6e7fc7fa6953cec30890258d68a0e5bb715689323966081db279be68c4568cb3358e51e507455c0c0f289a105d623bf4d53df87e583ca4b86bf0e6105dcaf39a5111dd16299be9ae81c9272d041ba28949b5e819aa65a63f02da88cab6cd8522470861a4d78e8418683b6738195c56b1d22da3a0f28249f27103ffb971fb7d959c49496a89db20e5b198affb3a716b540359bd9f6dd6492e1b822971cf27d5778860b5ffd6ac4e5e99991ee9cd4
Updated by Benoît PECCATTE over 9 years ago
A comment to replace the conversion from the private key to a conversion from the public key that will be available on the server:
    # the openssl command only reads public keys in X509/pkcs8 format
    PKCS1PUB=/var/rudder/cfengine-community/ppkeys/localhost.pub
    PUBKEY=/var/rudder/cfengine-community/ppkeys/localhost_x509.pub
    openssl rsa -RSAPublicKey_in -in $PKCS1PUB -pubout -out $PUBKEY
Updated by Benoît PECCATTE over 9 years ago
To convert from hex to binary in shell:
    echo -n -e $(tr -d '[:space:]' | sed 's/../\\x&/g')
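A server-side sketch of the signature file format and the verification discussed in the comments above, written here as an added example (it is not Rudder code and not from this thread). It assumes the signature is RSASSA-PKCS1-v1_5 over SHA-512, which is what `openssl dgst -sha512 -sign` produces with an RSA key, and that the node's public key has already been loaded as an rsa.PublicKey; the inventory bytes are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"strings"
)

// makeSignatureFile does what `openssl dgst -sha512 -sign KEY < inventory` does
// (RSASSA-PKCS1-v1_5 over SHA-512) and writes the rudder-signature-v1 layout.
func makeSignatureFile(priv *rsa.PrivateKey, inventory []byte) (string, error) {
	h := sha512.Sum512(inventory)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, h[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("header=rudder-signature-v1\nalgorithm=sha512\ndigest=%s\n", hex.EncodeToString(sig)), nil
}

// parseSignatureFile reads the key=value lines, checks header and algorithm, and decodes the
// hex digest to binary (the tr/sed step above). Unknown keys are ignored so the format can grow.
func parseSignatureFile(s string) ([]byte, error) {
	fields := map[string]string{}
	for _, line := range strings.Split(s, "\n") {
		if kv := strings.SplitN(strings.TrimSpace(line), "=", 2); len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
	}
	if fields["header"] != "rudder-signature-v1" || fields["algorithm"] != "sha512" {
		return nil, fmt.Errorf("unsupported header %q / algorithm %q", fields["header"], fields["algorithm"])
	}
	sig, err := hex.DecodeString(fields["digest"])
	if err != nil || len(sig) == 0 {
		return nil, fmt.Errorf("digest is not a hex-encoded signature")
	}
	return sig, nil
}

// verifyInventory is the equivalent of `openssl dgst -sha512 -verify PUBKEY -signature FILE.sign < inventory`.
func verifyInventory(pub *rsa.PublicKey, inventory []byte, sigFile string) error {
	sig, err := parseSignatureFile(sigFile)
	if err != nil {
		return err
	}
	h := sha512.Sum512(inventory)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA512, h[:], sig)
}
```

A signature produced by the openssl command in the thread verifies with the same function once its hex digest is written into the key=value file, since both sides use PKCS#1 v1.5 with a SHA-512 DigestInfo.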
Updated by Matthieu CERDA over 9 years ago
- Status changed from New to Pending release
- % Done changed from 40 to 100
[INCORRECT COMMIT, REMOVED]
Updated by Matthieu CERDA over 9 years ago
- Status changed from Pending release to Discussion
Updated by Matthieu CERDA over 9 years ago
- Status changed from Discussion to New
Updated by Benoît PECCATTE over 9 years ago
- Parent task changed from #6363 to #6589
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from New to Pending technical review
- Target version changed from 3.1.0~rc1 to 3.1.0~beta1
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending technical review to 12
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from 12 to Pending release
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 3.1.0~beta1, which was released today.
- Announcement 3.1
- Changelog 3.1
- Download information: https://www.rudder-project.org/site/get-rudder/downloads/
Updated by Jonathan CLARKE over 8 years ago
- Related to User story #8053: Make signature problem easier to diagnose added