I have recently begun work on the Review Security of LCFG Profile Access project. So far I have mostly been considering the various aspects of the project with the aim being to produce a list of ideas which can be discussed at some future Development Meeting.
The first aspect of the project I have looked at in more depth is the LCFG server which has support for generating Apache .htaccess files. These can be used to limit access to each individual LCFG profile when fetched over http/https. We have traditionally supported both http and https protocols and relied on IP addresses to limit access but would like to move over to https-only along with using GSSAPI authentication; the LCFG client would then use a keytab to get the necessary credentials. To help with this change I have introduced a new schema (4) for the profile component and made some modifications to the LCFG server code which make it easier to use the Apache mod_auth_gssapi module. In particular there is a new auth_tmpl_$ resource which allows the selection of a different template (e.g. the apache_gssapi.tt template which is provided in the package) which more closely meets local requirements. There are also auth_val_$_$ resources which can be used to specify any additional information that is required. For example:
    !profile.version_profile mSET(4) /* not yet the default */
    !profile.auth mADD(ssl)
    !profile.auth_tmpl_ssl mSET(apache_gssapi.tt)
    !profile.acl_ssl mSET(host/<%profile.node%>.<%profile.domain%>@<%kerberos.realm%>)
    !profile.acl_ssl mADD(@admin)
    !profile.auth_vars_ssl mADD(groupfile)
    !profile.auth_val_ssl_groupfile mSET(/etc/httpd/conf.d/lcfgadmins.group)
which results in the LCFG server generating the following:
    AuthType GSSAPI
    AuthName "firstname.lastname@example.org"
    GssapiBasicAuth Off
    GssapiBasicAuthMech krb5
    GssapiSSLonly On
    GssapiCredStore "keytab:/etc/httpd.keytab"
    AuthGroupFile "/etc/httpd/conf.d/lcfgadmins.group"
    <RequireAny>
      Require user "host/foo.inf.ed.ac.uk@INF.ED.AC.UK"
      Require group "admin"
    </RequireAny>
The profile.acl_ssl resource holds a list of users and groups (which have an ‘@’ prefix). In a real deployment it might make more sense to use an lcfg/ principal rather than host/. The groupfile support is provided by the mod_authz_groupfile module which needs to be loaded.
I have tested this with curl and it works as required. The LCFG client doesn’t currently have support for doing a kinit (or launching something like k5start in the background) prior to fetching the profile so it isn’t yet possible to actively use this authentication method.
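When moving profiles from IP-based rules to GSSAPI, it is useful to check that each generated .htaccess file admits only the Kerberos principal of its own node. The following is an added example, not part of the LCFG code: the parse and audit functions and the WANT table are hypothetical names, and the sample is the file shown above.

```python
import shlex

# Constructed sample: the generated file shown above, for node foo.inf.ed.ac.uk.
SAMPLE = '''\
AuthType GSSAPI
AuthName "firstname.lastname@example.org"
GssapiBasicAuth Off
GssapiBasicAuthMech krb5
GssapiSSLonly On
GssapiCredStore "keytab:/etc/httpd.keytab"
AuthGroupFile "/etc/httpd/conf.d/lcfgadmins.group"
<RequireAny>
  Require user "host/foo.inf.ed.ac.uk@INF.ED.AC.UK"
  Require group "admin"
</RequireAny>
'''

# Settings the audit insists on seeing written out explicitly (an assumption).
WANT = {"authtype": "gssapi", "gssapibasicauth": "off", "gssapisslonly": "on"}

def parse(text):
    """Return (directives, requires): args per directive and the Require rules."""
    directives, requires = {}, []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)   # handles quotes and # comments
        if not words or words[0].startswith("<"):  # blank line or container tag
            continue
        name, args = words[0].lower(), words[1:]
        if name == "require" and args:
            requires.append((args[0].lower(), args[1:]))
        else:
            directives[name] = args
    return directives, requires

def audit(text, fqdn, realm, service="host"):
    """List findings for one profile's .htaccess; an empty list means it passes."""
    d, requires = parse(text)
    findings = []
    for name, want in WANT.items():
        got = (d.get(name) or [""])[0].lower()
        if got != want:
            findings.append(f"{name} is {got or 'unset'}, expected {want}")
    expected = f"{service}/{fqdn}@{realm}"         # principals are case-sensitive
    for kind, args in requires:
        if kind in ("ip", "host") or (kind == "all" and args[:1] == ["granted"]):
            findings.append(f"non-Kerberos rule: Require {kind} {' '.join(args)}")
        elif kind == "user":
            findings += [f"unexpected principal {u}" for u in args if u != expected]
    if not any(k == "user" and expected in a for k, a in requires):
        findings.append(f"missing Require user {expected}")
    return findings
```

Passing service="lcfg" checks for an lcfg/ principal instead of host/.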