SINDES: Secure INformation DElivery System
Poulhiès Marc, marc.poulhies@cern.ch, CERN/EPFL
CERN-IT-FIO group meeting – p. 1/17

Outline
• Motivations
• Previous system
• New system
  ◦ General overview
  ◦ Getting a certificate
  ◦ Retrieving sensitive files
  ◦ Shell
Motivations
Goal: some files (password files, certificates, private data, ...) have to be distributed to a large number of machines.
Problem: the network can't be trusted 100%, mainly because the current setup does not prevent someone from faking their identity or sniffing the network traffic. You don't want to send sensitive information to an unknown peer (or receive information from an unknown peer).

Motivations (cont.)
We need a convenient way to transfer data from one central server to a large number of machines in a secure way:
• end-to-end authentication
• data integrity and confidentiality
We also need to provide each machine with a unique identifier, which can be used by other software.
Previous system
Technologies:
• GPG (GNU Privacy Guard): used to give machines unique identifiers and to encrypt files
• SSHv1 and HTTP transfers
Issues:
• Clients can't authenticate the data they receive
• Everyone has access to all encrypted files
• Only a small, hardcoded set of predefined data can be transferred
• Not integrated with CDB
General overview (architecture diagram, not reproduced in the text)
Getting a certificate
During reinstallation, each machine generates an X.509 certificate and asks the server, over HTTPS, to sign and register it.
Issue: the server must verify the machine's identity before acknowledging its request, but the IP address / MAC address can be spoofed.
Solutions:
• manual intervention (floppy, USB key, ...): does not scale very well.
• the machine can request its certificate only within a time window (as short as possible), and the activity is monitored.
General overview (certificate request flow diagram, not reproduced in the text)
Retrieving sensitive files
Sensitive files are files that are specific to a group of machines and must be kept private. Examples:
• passwords for root/operator accounts
• ssh keys for the interactive cluster (lxplus)
• certificates
• configuration files containing password(s)
Retrieving sensitive files (cont.)
Each machine should only retrieve the sensitive files defined for it: how to make sure a machine can only get its own files and not those of another one?
• Define the items to be transferred in CDB:

    "/software/components/sindes/items/passwd-header/method" = script
    "/software/components/sindes/items/passwd-header/scope" = node
    "/software/components/sindes/all" = sindes_add("passwd-header");
    "/software/components/sindes/items/ssh_key/method" = file
    "/software/components/sindes/items/ssh_key/scope" = node
    "/software/components/sindes/all" = sindes_add("ssh_key");

• Solution based on Apache, mod_ssl (HTTPS) and mod_rewrite acting as a "switched network": each client only sees the items defined for it.
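The "switched network" idea above, as an added Python model (not the SINDES Apache configuration): the client's identity is read only from the certificate that mod_ssl verified, and the path served is derived from that identity plus the CDB item scope. The item table, host map, CN shape and directory layout are constructed assumptions.

```python
"""Per-machine file delivery modelled on the mod_ssl + mod_rewrite
'switched network' idea (added example, not the SINDES configuration)."""
import re
from dataclasses import dataclass

# Assumed shapes: certificate CN is the host's FQDN, items live under /items/.
HOST_RE = re.compile(r"^([a-z][a-z0-9-]*)\.cern\.ch$")
ITEM_RE = re.compile(r"^/items/([A-Za-z0-9_-]+)$")


@dataclass(frozen=True)
class Item:
    method: str  # "file" or "script", as in the CDB snippet
    scope: str   # "node": private to one host; "cluster": shared by a cluster


# Constructed sample data shaped like the CDB items and the host map
# ("mapped to lxdev") shown in the slides.
ITEMS = {
    "passwd-header": Item("script", "node"),
    "ssh_key": Item("file", "node"),
    "operator-passwd": Item("file", "cluster"),
}
HOST_MAP = {"lxdev06": "lxdev", "lxdev12": "lxdev", "lxplus001": "lxplus"}


def route(environ):
    """Return (HTTP status, filesystem path) for one HTTPS request.

    environ carries the variables mod_ssl exports (SSL_CLIENT_VERIFY,
    SSL_CLIENT_S_DN_CN) and the request URI. Nothing in the URI can select
    another host's files: the owner is always the verified certificate CN."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return 403, None  # no valid client certificate presented
    cn = HOST_RE.match(environ.get("SSL_CLIENT_S_DN_CN", ""))
    if cn is None:
        return 403, None  # certificate is not for one of our hosts
    req = ITEM_RE.match(environ.get("REQUEST_URI", ""))
    if req is None or req.group(1) not in ITEMS:
        return 404, None  # only CDB-defined items exist; no path games
    host, name = cn.group(1), req.group(1)
    if ITEMS[name].scope == "node":
        return 200, f"/srv/sindes/node/{host}/{name}"
    cluster = HOST_MAP.get(host)
    if cluster is None:
        return 403, None  # host is not mapped to any cluster
    return 200, f"/srv/sindes/cluster/{cluster}/{name}"
```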
General overview (file retrieval flow diagram, not reproduced in the text)
Shell
Common actions:
• Prepare a machine

    lxplus $ PrepareInstall ....
    ...
    Opening time-window and adding machine(s) to ACL...
    [SUMMARY] 2 item(s) processed successfully.
    Updating ACL/MAP if necessary
    [SUMMARY] Updating host map for 1 host(s), mapped to lxdev
    [SUMMARY] Updating ACL with 1 host(s)
    [SUMMARY] You _must_ reinstall machine(s) within the next 24hour(s).
    Preparation OK.
    ...

• See scheduled installations

    lxplus $ ssh sindes@sindes-server "acl -print -target lxdev06,lxdev12,lxdev03"
    ----------------------------------------------
    | hostname        TTL      Request Right    |
    ----------------------------------------------
    | lxdev06        23:53              YES     |
    | lxdev12         3:53               NO     |
    | lxdev03          EXP               NO     |
    ----------------------------------------------

• Check certificate authority

    lxplus $ ssh sindes@sindes-server "cert -check -target lxplus00[1-4],lxb1008"
    -------------------------------
    | hostname        valid       |
    -------------------------------
    | lxplus001        YES        |
    | lxplus002        YES        |
    | lxplus003        YES        |
    | lxplus004        YES        |
    | lxb1008           NO        |
    -------------------------------

• Display error messages

    + '[' -x /usr/sbin/sindes-get-certificate ']'
    + /usr/sbin/sindes-get-certificate
    Generating key-pair: [RSA/1024] OK
    Creating certificate request
    All went fine.
    Private key in /var/tmp/get-crt-Hp7990/client.key
    Certificate request in /var/tmp/get-crt-Hp7990/client.csr
    Sending the request to sindes-server.cern.ch...
    Something went wrong while contacting CA (curl returned 22)
    Cleaning /var/tmp/get-crt-Hp7990
    + fail 'sindes-get-certificate failed (1)'
    + cat /root/ks-post-reboot.log
    + mail -s 'install failed on itrb5808: sindes-get-certificate failed (1)'
Shell (cont.)
The interactive shell gives more control over the system and has online help. You can access it with:

    lxplus $ ssh sindes@sindes-server

    SINDESsh > help acl
    acl -set -target <targetname> [-type node|cluster] [-length <secs>] [-grant] [-deny] [-nodomain]
    acl -remove -target <targetname> [-type node|cluster] [-nodomain]
    acl -print [-target <targetname> -type node|cluster] [-nodomain] [-length <secs>] [-grant] [-deny]
    acl -clean [-clean] [-nodomain]
      targetname : host(s) (comma separated) or cluster name
      type       : cluster or node
      length     : time window size in seconds (in print, only lines where ttl <= length)
      grant      : permit the target(s) to request a certificate (in print, only lines where csr = YES)
      deny       : prevent the target(s) from requesting a certificate (in print, only lines where csr = NO)
      clean      : cleans the ACL by removing expired entries where certificate right is 0.
                   Repeat -clean if you want to clean all expired entries (no matter what the certificate right is)
      nodomain   : won't handle domain name (DANGEROUS)

    SINDESsh > acl -print -target lxdc -type cluster -grant
    ----------------------------------------------
    | hostname        TTL      Request Right    |
    ----------------------------------------------
    | lxb5314          EXP              YES     |
    | lxb5316          EXP              YES     |
    | lxb5318          EXP              YES     |
    | lxs5021        22:34              YES     |
    | tbed0012         EXP              YES     |
    | tbed0066        15:34              YES     |
    | tbed0067        22:34              YES     |
    ----------------------------------------------
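The ACL semantics described in the help above (time window, grant/deny, TTL display, two-step clean) and the time-window check behind "Getting a certificate", as an added Python model that is not SINDES code; the two-step clean behaviour (first pass revokes expired granted entries, second pass removes them) is an assumed reading of the help text.

```python
"""Time-window ACL for certificate requests, modelled on the acl -set /
-print / -clean semantics in the SINDESsh help (added example, not SINDES code).
An entry maps a hostname to (window expiry in epoch seconds, certificate right)."""
import time


class CertRequestAcl:
    def __init__(self):
        self.entries = {}  # hostname -> (expires_at: float, granted: bool)

    def set(self, host, length, grant=True, now=None):
        """acl -set: open a window of `length` seconds, granted or denied."""
        now = time.time() if now is None else now
        self.entries[host] = (now + length, grant)

    def ttl(self, host, now=None):
        """Remaining window as H:MM, or EXP once it has passed (as acl -print)."""
        now = time.time() if now is None else now
        remaining = int(self.entries[host][0] - now)
        if remaining <= 0:
            return "EXP"
        return f"{remaining // 3600}:{remaining % 3600 // 60:02d}"

    def may_request(self, host, now=None):
        """The check made before a CSR is signed: the requester must hit an
        open, granted window for exactly its own hostname. Unknown hosts,
        expired windows and denied entries are all refused, which is what
        bounds the damage a spoofed IP/MAC address can do."""
        now = time.time() if now is None else now
        entry = self.entries.get(host)
        if entry is None:
            return False
        expires_at, granted = entry
        return granted and now < expires_at

    def clean(self, now=None):
        """acl -clean (assumed two-step model): expired entries whose right is
        already denied are removed; expired entries still granted only lose
        the right, so a second clean removes them. Returns entries removed."""
        now = time.time() if now is None else now
        removed = 0
        for host, (expires_at, granted) in list(self.entries.items()):
            if now < expires_at:
                continue
            if granted:
                self.entries[host] = (expires_at, False)
            else:
                del self.entries[host]
                removed += 1
        return removed
```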