Architecture #6355
closed
User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance
Agent should sign their inventory using their private key
Added by Benoît PECCATTE over 9 years ago.
Updated over 9 years ago.
Category:
System techniques
Description
We should sign agent inventories with their private key.
The signature should be sent with the inventory in a manner that can be ignored by older inventory endpoints.
Suggestion: include them in a comment before or after the inventory and remove it before validation.
Other suggestion: use a separator that is ignored by the parser, such as the ASCII record separator character.
Commands to create signature data:
# md4 md5 sha sha1 sha224 sha256 sha384 sha512 whirlpool
HASH=sha512
FILE=inventory.ocs
KEY=/var/rudder/cfengine-community/ppkeys/localhost.priv
openssl dgst -r -$HASH -hex -sign $KEY < $FILE
# Passphrase is: "Cfengine passphrase"
The signature can only be verified using the binary signature:
# remove the -hex from before
openssl dgst -r -$HASH -sign $KEY < $FILE > $FILE.sign
# the openssl command only reads public keys in X509 format
PUBKEY=/var/rudder/cfengine-community/ppkeys/localhost_x509.pub
openssl rsa -in $KEY -pubout -out $PUBKEY
# verify using the new key and the binary form signature
openssl dgst -r -$HASH -verify $PUBKEY -signature $FILE.sign < $FILE
But these limitations are from the command line and can probably be removed on the server if we use libssl or something else directly.
The signature file format would be like this:
header=rudder-signature-v1
algorithm=sha512
digest=612bcb5fbfb0e9b5514dd4467d7f046f17656eb232f8777c919bfe337eb691a53efde83a7f685af88ad6fb48adfb55902198c2cb75e3638bfde33c7e94e66bae54332502b875e2e9ab518c90042f24e8e6a5d6e7fc7fa6953cec30890258d68a0e5bb715689323966081db279be68c4568cb3358e51e507455c0c0f289a105d623bf4d53df87e583ca4b86bf0e6105dcaf39a5111dd16299be9ae81c9272d041ba28949b5e819aa65a63f02da88cab6cd8522470861a4d78e8418683b6738195c56b1d22da3a0f28249f27103ffb971fb7d959c49496a89db20e5b198affb3a716b540359bd9f6dd6492e1b822971cf27d5778860b5ffd6ac4e5e99991ee9cd4
A comment to replace the conversion from the private key to a conversion from the public key that will be available on the server:
# the openssl command only reads public keys in X509/PKCS#8 format
PKCS1PUB=/var/rudder/cfengine-community/ppkeys/localhost.pub
PUBKEY=/var/rudder/cfengine-community/ppkeys/localhost_x509.pub
openssl rsa -RSAPublicKey_in -in $PKCS1PUB -pubout -out $PUBKEY
To convert from hex to binary in shell (relies on bash's echo -e and its \x escapes):
echo -n -e $(tr -d '[:space:]' | sed 's/../\\x&/g')
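The whole round trip described on this page, as an added example (not Rudder's code): the agent signs the inventory and appends the three-line rudder-signature-v1 block after an ASCII record separator, the second of the two suggestions above; the server splits on that separator, restricts the algorithm to a short allow-list rather than anything openssl dgst accepts, converts the hex signature back to binary and the PKCS#1 public key to X509 form, and runs openssl dgst -verify. The key pair, the temporary paths and the sample inventory are constructed here; the real /var/rudder paths and the passphrase-protected key are not used.

```shell
#!/bin/sh
# Added example, not Rudder's code: agent-side signing and server-side
# verification of an inventory, using only openssl, awk, od and sed.
set -eu

HASH=sha512
RS=$(printf '\036')   # ASCII record separator between inventory and signature block

# The CLI wants a binary signature. POSIX printf understands \ooo escapes but not
# \xHH, so rewrite each hex pair as an octal escape and let printf emit the bytes
# (LC_ALL=C keeps awk from treating values >127 as multibyte characters).
hex_to_bin() {
  printf "$(LC_ALL=C awk 'BEGIN { for (i = 0; i < 16; i++) v[sprintf("%x", i)] = i }
    { s = tolower($0); gsub(/[^0-9a-f]/, "", s)
      for (i = 1; i <= length(s); i += 2)
        printf "\\%03o", v[substr(s, i, 1)] * 16 + v[substr(s, i + 1, 1)] }')"
}

# Agent side: RSA signature over the inventory, hex-encoded into the
# header/algorithm/digest format from the description.
make_signature_file() {   # $1 inventory, $2 private key; block goes to stdout
  sigtmp=$(mktemp)
  openssl dgst -"$HASH" -sign "$2" < "$1" > "$sigtmp"
  hex=$(od -An -v -tx1 "$sigtmp" | tr -d ' \n')   # -v: od must not collapse repeated lines
  rm -f "$sigtmp"
  printf 'header=rudder-signature-v1\nalgorithm=%s\ndigest=%s\n' "$HASH" "$hex"
}

bundle_inventory() {      # $1 inventory, $2 private key, $3 output bundle
  { cat "$1"; printf '%s' "$RS"; make_signature_file "$1" "$2"; } > "$3"
}

# Server side: split on the separator, accept only allow-listed algorithms (none
# of the md4/md5/sha1 entries openssl would happily take), convert the PKCS#1
# public key and verify. Exit status 0 iff the signature is valid.
verify_bundle() {         # $1 bundle, $2 PKCS#1 public key (localhost.pub form)
  vtmp=$(mktemp -d)
  awk 'BEGIN { RS = "\036" } NR == 1 { printf "%s", $0 }' "$1" > "$vtmp/inventory.ocs"
  awk 'BEGIN { RS = "\036" } NR == 2 { printf "%s", $0 }' "$1" > "$vtmp/inventory.sig"
  alg=$(sed -n 's/^algorithm=//p' "$vtmp/inventory.sig")
  rc=1
  if grep -qx 'header=rudder-signature-v1' "$vtmp/inventory.sig"; then
    case $alg in
      sha256|sha384|sha512)
        sed -n 's/^digest=//p' "$vtmp/inventory.sig" | hex_to_bin > "$vtmp/sig.bin"
        openssl rsa -RSAPublicKey_in -in "$2" -pubout -out "$vtmp/pub.pem" 2>/dev/null
        if openssl dgst -"$alg" -verify "$vtmp/pub.pem" -signature "$vtmp/sig.bin" \
             < "$vtmp/inventory.ocs" > /dev/null 2>&1; then rc=0; fi ;;
    esac
  fi
  rm -rf "$vtmp"
  return $rc
}

# Demo with a constructed inventory and a throwaway, passphrase-less key pair.
demo_dir=$(mktemp -d)
printf '<?xml version="1.0"?>\n<REQUEST><DEVICEID>node1</DEVICEID></REQUEST>\n' > "$demo_dir/inventory.ocs"
openssl genrsa -out "$demo_dir/localhost.priv" 2048 2>/dev/null
openssl rsa -in "$demo_dir/localhost.priv" -RSAPublicKey_out -out "$demo_dir/localhost.pub" 2>/dev/null
bundle_inventory "$demo_dir/inventory.ocs" "$demo_dir/localhost.priv" "$demo_dir/inventory.signed"
verify_bundle "$demo_dir/inventory.signed" "$demo_dir/localhost.pub" && echo "genuine bundle: Verified OK"
sed 's/node1/node2/' "$demo_dir/inventory.signed" > "$demo_dir/tampered.signed"
verify_bundle "$demo_dir/tampered.signed" "$demo_dir/localhost.pub" || echo "tampered bundle: rejected"
```

Two checks worth keeping when this moves into the server: the algorithm allow-list, since a client-chosen `algorithm=` value otherwise picks the digest the server verifies with, and the use of the node's already-known PKCS#1 public key rather than anything carried inside the inventory itself.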
- Status changed from New to Pending release
- % Done changed from 40 to 100
[INCORRECT COMMIT, REMOVED]
[INCORRECT COMMIT, REMOVED]
- Status changed from Pending release to Discussion
- Status changed from Discussion to New
- Parent task changed from #6363 to #6589
- Target version changed from 3.1.0~beta1 to 3.1.0~rc1
- Parent task deleted (#6589)
- Status changed from New to Pending technical review
- Target version changed from 3.1.0~rc1 to 3.1.0~beta1
- Status changed from Pending technical review to 12
- Status changed from 12 to Pending release
- Status changed from Pending release to Released
This bug has been fixed in Rudder 3.1.0~beta1, which was released today.