
Re: [pcp] Client Certificates

To: Nathan Scott <nathans@xxxxxxxxxx>
Subject: Re: [pcp] Client Certificates
From: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu, 14 Apr 2016 16:12:50 -0400
Cc: PCP <pcp@xxxxxxxxxxx>, "Andrew E. Bruno" <aebruno2@xxxxxxxxxxx>
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <1342536304.39522715.1460426883551.JavaMail.zimbra@xxxxxxxxxx>
References: <570C08BD.6000101@xxxxxxxxxxx> <1342536304.39522715.1460426883551.JavaMail.zimbra@xxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
Nathan,

On 4/11/16 10:08 PM, Nathan Scott wrote:
> Hi Martins,
>
> ----- Original Message -----
>> Hi,
>>       We have a few systems we'd like to set up with security and
>> authentication:
>>
>> http://www.pcp.io/docs/lab.secure.html
>> http://www.pcp.io/docs/lab.auth.html
>>
>> I have 2 questions:
>>
>> 1.  In the "Secure Connections" documentation, the documentation seems
>> to be about certificates on the server side and ensuring the
>> authenticity of the server (pmcd).  Has anyone looked into
>> implementing support for client (pmlogger, pminfo, etc.) side certificates
>> for authentication/access-control?
>>
>> Alternatively, should this be done through SASL authentication and
>> something like X509 certificates, which seem to be supported by SASL,
>> but which I can't find any documentation on?
>>
>> 2.  Is it possible to configure pmcd to reject all
>> non-secure/non-authenticated remote connections?
>
> Yes - there's a -S option to pmcd that does this.  It works, but there
> are gotchas to watch out for, like the rc scripts we provide use tools
> like pmcd_wait(1) to check pmcd started up ... can be problematic when
> these check tools are not set up to authenticate with pmcd.  :)


Thanks for the information to get started. I have a few patches to add some functionality that I'd like to get feedback on.

All are here, but are really 3 different changes:


https://github.com/ubccr/pcp/tree/client_certs


Patch 1:

https://github.com/ubccr/pcp/commit/e440d98b12930e3638c22b0fe80b7667ed3a04d9

Provide a way for a client to indicate in a non-interactive manner that it is fine accepting an untrusted server certificate. Basically pre-ack the message:

######
WARNING: issuer of certificate received from host YOUR.HOST.NAME is not trusted. SHA1 fingerprint is 34:92:D2:DC:DE:28:3A:2D:DD:B9:1A:6C:C9:51:1E:B8:FA:CE:63:51
Do you want to accept and save this certificate locally anyway (y/n)? y
######

Patch 2:

https://github.com/ubccr/pcp/commit/07e750df6e3afd0176f8ce135a1856e272fb1f90

Provide an environment variable: PMCD_REQUIRE_CLIENT_CERT, where pmcd requires a *client side* certificate if a client requests a secure connection. This cert must be trusted already by the server, since there is no interactive way to accept it. In the current implementation, only a server side certificate is used.

Patch 3:

https://github.com/ubccr/pcp/commit/f6b822d0bfadcdb439e4a65be6cebf2df6480487


This one I'm fairly confident that there should be a better way to implement, but I couldn't come up with it. PMCD has the -S option to force authenticated connections, but for our purposes, forcing secure connections is sufficient. Basically, ensure the client is from a machine we trust, but we don't really care about the user.

The intent here is to determine if the request is from a remote source, and if so configured, force a secure connection.

This secure connection can then be configured without SASL, username/password, etc., as long as the implementer is comfortable with this level of security.



I can provide more documentation, QA, etc, if this would be acceptable.


Also, my plan is to add the same functionality to pmproxy.


Thanks

Martins





commit f6b822d0bfadcdb439e4a65be6cebf2df6480487
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu Apr 14 19:55:02 2016 +0000

    Reject insecure remote connections if PMCD_REQUIRE_CLIENT_CERT is set

 src/pmcd/src/dopdus.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

commit 07e750df6e3afd0176f8ce135a1856e272fb1f90
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu Apr 14 19:52:25 2016 +0000

    Add client certificate support in secure connections.

    By setting PMCD_REQUIRE_CLIENT_CERT, pmcd can require that a client
    making a secure connection provide a valid certificate.

 src/libpcp/src/secureconnect.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

commit e440d98b12930e3638c22b0fe80b7667ed3a04d9
Author: Cloud User <centos@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date:   Thu Apr 14 19:45:25 2016 +0000

    Pre-allow self signed server certificates in secure connections

    By setting PCP_SERVER_SELF_CERT, a client can instruct libpcp
    to accept a self signed server certificate on its behalf.

 src/libpcp/src/secureconnect.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
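
The check that Patch 3 describes (decide whether a peer is remote and, if so configured, refuse it unless the connection is secure), as an added example: this is not pcp code and is not taken from the linked commit. The function names, the `require` switch and the sample addresses are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not pcp code: is the peer on this host? */
bool peer_is_local(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_UNIX)
        return true;                 /* Unix domain sockets never leave the host */
    if (sa->sa_family == AF_INET) {  /* all of 127.0.0.0/8 is loopback */
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        return (ntohl(in4->sin_addr.s_addr) >> 24) == 127;
    }
    if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_V4MAPPED(a))     /* ::ffff:a.b.c.d on a dual-stack socket */
            return a->s6_addr[12] == 127;
        return IN6_IS_ADDR_LOOPBACK(a);  /* ::1 */
    }
    return false;                    /* unknown family: treat as remote */
}

/* Assumed policy: with the switch on, a remote peer must already be on TLS. */
bool accept_connection(const struct sockaddr *peer, bool secure, bool require)
{
    return !require || secure || peer_is_local(peer);
}

/* Parse a textual address (constructed sample input) and apply the policy. */
bool decide(const char *ip, bool secure, bool require)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    if (inet_pton(AF_INET, ip, &((struct sockaddr_in *)&ss)->sin_addr) == 1)
        ss.ss_family = AF_INET;
    else if (inet_pton(AF_INET6, ip, &((struct sockaddr_in6 *)&ss)->sin6_addr) == 1)
        ss.ss_family = AF_INET6;
    else
        return false;                /* unparsable address: refuse */
    return accept_connection((struct sockaddr *)&ss, secure, require);
}
```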

