Authors: Peter Fedorow, Brian Tiffin, John Caldwell
Version: 0.99.7
Date: 2014Aug05Tue
Revision: 2015Mar13Fri
IAR replicates POSIX user credentials over the Internet.
It is like NIS, but:
NIS (a.k.a. yp) is a name service for Unix/Linux (hereafter referred to as *nix) credentials. The credentials are the data stored in the files passwd, group, shadow, and (optionally) gshadow. Despite NIS's lack of security, it is still in widespread use because, compared to LDAP, it is easy to set up and administer, scales reasonably well, and is supported by nearly all forms of *nix.
Internet Account Replication (IAR) is intended to provide a modern alternative to NIS. It does not use RPC (portmapper) for data transport; instead it uses an SSH connection. The use of an SSH connection means the data is encrypted in transit, and only a single TCP port is used.
- GNU/POSIX compatible OS (the main program is written to be easy to port, but the NSS module is only supported in GNU land). Tested under:
  - Ubuntu
  - Fedora
- sh - dash, bash, or compatible
- GNU Privacy Guard
- ssh client
- sshpass
IAR is available packaged as both .deb (for Debian/Ubuntu), and .rpm (for Fedora). If you are not running a .deb or .rpm-based system, we have designed the software to be easy to install from source. Directions are in the Installing From Source section.
(Need to add directions on how to point to the repo.)
Recommended: Ensure you have a sufficient supply of true random numbers in /dev/urandom. This is necessary to prevent key generation from hanging. This can be accomplished by setting up a hardware random number generator to feed /dev/urandom. If you do not have a hardware random number generator, install ‘haveged’.
After installing the packages:
iar server-setup
and follow the on-screen prompts.
Edit /etc/ssh/sshd_config and add a second Port line:
nano /etc/ssh/sshd_config
Port 22322
Then restart sshd:
service ssh restart
Note: Do not change the existing Port 22 line unless you no longer want sshd to listen on port 22.
passwd _iar
Remember to set the client password to match in /etc/iar.conf. See Configuration File section for instructions about this.
Still not working? Try e-mailing rai<reversed> AT hcn-inc.com to politely ask for help.
IAR builds upon SSH, and adds GNU Privacy Guard validation of the data sent from the master server to the clients. This protects against man-in-the-middle attacks due to both compromised network connections and compromised intermediary hosts.
Out of consideration of convenience for basic (not expert) users, IAR servers and clients install with a default password. This does not readily expose the data on the server to attack because any client attempting to talk to the server requires explicit approval on the server. (This is performed with the iar approve command.) However, the default password does enable an attacker to spoof the server, which means an approved client would login to it, thinking it is the actual server and send its authentication credentials to the fake server. The attacker could then take the captured client credentials, spoof the client’s IP, and replay the credentials to the real server to retrieve the replicated credentials, including password hashes from the server. This would require a moderate level of proficiency with networking, and a willingness to do so. Any reasonably determined attacker with access to your network can accomplish this. Though in most cases, it is easier to boot a workstation from a USB key, and copy the database off it.
To protect against the above described attack scenario, change the IAR client login password from the default to a strong password.
Note: As with NIS and LDAP (without the addition of a Kerberos authentication layer), once your password authentication hashes can be retrieved, such as from any compromised host on your network, you are only secure if none of your users have passwords that can be cracked by the power of a bot-net of GPU-equipped PCs. As users tend to choose very weak passwords, be warned, and consider deploying a secure authentication layer.
Caution
Please see https://stribika.github.io/2015/01/04/secure-secure-shell.html for information on configuring ssh (secure shell) to be secure.
/etc/ssh/sshd_config settings:
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# disable password authentication (AFTER more secure forms are in place)
PasswordAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
/etc/ssh/ssh_config settings:
# Github needs diffie-hellman-group-exchange-sha1 some of the time but not always.
#Host github.com
#    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Host *
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    PasswordAuthentication no
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
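One caveat on the PasswordAuthentication no setting above: IAR clients log in to the _iar account with a password via sshpass, so a global PasswordAuthentication no on the server locks them out. The following sshd_config fragment is an added example, not part of the IAR project, of keeping the global setting while allowing password login only for that account on the IAR port; it assumes the _iar account and port 22322 from the server setup above.

```sshd_config
# Global hardening stays in force for every other user and port.
PasswordAuthentication no

# Exception (added example): only the IAR replication account, and only on the
# port added for IAR, may authenticate with a password. Everything else keeps
# the global setting above.
Match User _iar LocalPort 22322
    PasswordAuthentication yes
```

Check the effective result for that account with sshd -T -C user=_iar,lport=22322 before relying on it.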
The configuration file (by default /etc/iar/iar.conf) contains script lines that are sourced into the IAR script after assigning default values.
The configuration file on the client may need to be edited to instruct the client about how to reach and login to one or more servers. Client-setup attempts to populate the first entry with reasonable values.
Most users will never need to alter the configuration file on the server.
Security Note: Keep the permissions of the configuration file secure. If you do not, you have handed root-access to others.
One or more fields must be populated for each server to be polled; any field left unpopulated takes its default value.
Replace <Num> with the server's sequence number. Numbers must be consecutive, starting from 1.
Server<Num>Host=<hostname | IP address>
Server<Num>User=<login username>
Server<Num>Password=<login password>
Server<Num>Port=<SSH port to connect to>
For example:
Server1Host=iar
Server1User=_iar
Server1Password=iar
Server1Port=22322
Server2Host=cattle
Server2Port=22
Server3Host=foxtrot
Server3Password='dolphin1234567890XYZ@$Y'
Server4Host=192.168.200.1
Server4User=AccountServer
Server4Password='$$$twistedWIND123456'
Server4Port=9001
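An added example, not IAR's own code, of reading Server<Num>* entries the way the text describes: defaults are assigned first, then the config file is sourced on top, and entries are walked from 1 until the first missing Host. The default values, the ServerDefault* names and the permission check are assumptions; the sample config is constructed from the entries above.

```sh
#!/bin/sh
# Added example (not IAR's own code): read the Server<Num>* entries the way the
# text describes, i.e. assign defaults first, then source the config on top.
# Assumed defaults (the page does not list them): User=_iar, Password=iar, Port=22322.

# Constructed sample config; a real deployment reads /etc/iar/iar.conf instead.
IAR_CONF=$(mktemp)
cat > "$IAR_CONF" <<'EOF'
Server1Host=iar
Server1User=_iar
Server1Password=iar
Server1Port=22322
Server2Host=cattle
Server2Port=22
Server3Host=foxtrot
Server3Password='dolphin1234567890XYZ@$Y'
EOF

ServerDefaultUser=_iar
ServerDefaultPassword=iar
ServerDefaultPort=22322
. "$IAR_CONF"

# iar_conf_perms_ok: the file holds login passwords, so group/other must have no
# access bits at all (mktemp creates it 0600, which passes).
iar_conf_perms_ok() {
    case "$(ls -ld "$IAR_CONF" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# iar_server_count: entries are numbered from 1; the first missing Server<N>Host
# ends the list, so a Server5Host without a Server4Host would never be reached.
iar_server_count() {
    n=1
    while eval "[ -n \"\${Server${n}Host:-}\" ]"; do n=$((n + 1)); done
    echo $((n - 1))
}

# iar_server_target N: print "user@host port" for entry N with defaults applied;
# returns 1 when entry N has no Host. (The password is deliberately not printed.)
iar_server_target() {
    eval "h=\${Server$1Host:-}; u=\${Server$1User:-$ServerDefaultUser}; p=\${Server$1Port:-$ServerDefaultPort}"
    [ -n "$h" ] || return 1
    echo "$u@$h $p"
}
```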
iar [-h|--help|help] | [
status
client
client-dynamicpolling
server
client-setup
server-setup
servermode master|slave
approve
approve-subnet <CIDR>
adduser <username>
deluser <username>
passwd <username>
lock <username>
unlock <username>
lockpasswd <username>
unlockpasswd <username>
addgroup <groupname>
delgroup <groupname>
remove
purge
]
status: Displays the program's status. Shows if 'client' or 'server' mode.
client-dynamicpolling: The polling interval is adjusted based upon the battery capacity.
Battery Level:
<=10%     : Skip invoking client poll
11 - 19%  : Invoke client poll once every 90 minutes
20 - 50%  : Invoke client poll once every 60 minutes
51 - 100% : Invoke client poll once every 20 minutes
This is what the cron job invokes.
Add user account for _iar
servermode master|slave: Selects between serving data in master mode or slave mode.
approve: Approve pending client hosts, interactively.
approve-subnet <CIDR>: Approve all client connections from an IP address within the given subnet, in CIDR form. For example, approve-subnet 10.0.0.0/24 would automatically approve any client from 10.0.0.0 through 10.0.0.255. This function is specifically intended for virtualization and other special uses. It is UNSAFE and ill-advised for general use. Subnet masks are accumulated in the IAR configuration variable ApprovedSubnets, separated by spaces.
adduser <username>: Add a user account
deluser <username>: Delete a user account
passwd <username>: Change a user account's password
lock <username>: Lock a user account
unlock <username>: Unlock a user account
lockpasswd <username>: Lock a user account from password login (keypair login remains enabled)
unlockpasswd <username>: Unlock a user account for password login
addgroup <groupname>: Add a group
delgroup <groupname>: Delete a group
remove: Removes all client and/or server hooks which are required for operation (configuration files and logs are preserved)
purge: Performs a remove, then deletes all configuration files and logs
IAR leverages the GNU Autotools system for builds. For most systems you should be able to:
tar xvf iar-VERSION.tar.gz
cd iar-VERSION
./configure --help
./configure
make
make check
sudo make install
./configure --help shows the available options for installing, in particular
./configure --prefix=/usr
This will install files to the /usr system tree, overriding the default of /usr/local.
If something goes wrong, or there are special requirements involved, the system includes the Autotools bootstrap code. Any changes to configure.ac or Makefile.am should be followed by
autoreconf
./configure
- If the mode is server-master, set data-destination to "/etc/iar/master/"; otherwise set data-destination to "/var/lib/iar/server/".
- Retrieve the public key from the config file.
- Mark the public key as 'trusted'.
- For each server hostname in /etc/iar/config (e.g. Server1Hostname="iar.example.com"):
  - Set sync destination to "/tmp/_iar/transfer/[server hostname:<port>]/" if writable, else set destination to "/var/lib/iar/transfer/[server hostname:<port>]/".
  - ssh to hostname ignoring host-keys, send query data on command-line.
  - Untar files to sync destination. [passwd group shadow gshadow TimeStamp HashDigest HashDigest.signed]
  - Verify HashDigest signature; if not successful, delete transfer.
  - Verify auth files against HashDigest; if not successful, delete transfer.
- Determine newest file-set version which is not newer than current ms since epoch.
- Copy files (passwd group shadow gshadow TimeStamp HashDigest HashDigest.signed) from selected file-set to "/var/lib/iar/client/".

- Acquire lock.
- Ensure we have files to serve.
- If in master mode:
  - If needed, generate a key-pair and store in config-file.
  - Set datapath to "/etc/iar/master/"; else (slave mode) datapath is "/var/lib/iar/".
- Calculate checksum of the current version of the data-files.
- Exit if hashes match.
- If in master mode:
  - Generate tar (passwd group shadow gshadow TimeStamp HashDigest HashDigest.signed).
  - Retrieve key-pair from config file.
  - Sign transfer file using GPG.
- Send signed transfer file.
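The client-side checks from the procedure above, written as an added example that is not IAR's own code: verify the signature, verify the auth files against HashDigest (deleting the transfer on any failure), and pick the newest file-set that is not newer than now. It assumes HashDigest is in sha256sum format, HashDigest.signed is a detached GPG signature, and TimeStamp holds milliseconds since the epoch; the transfer directories are constructed and unsigned, so only the digest and selection steps are exercised.

```sh
#!/bin/sh
# Added example (not IAR's own code): client-side verification and file-set
# selection from the sync procedure. Assumptions: HashDigest is sha256sum output,
# HashDigest.signed is a detached GPG signature, TimeStamp is ms since the epoch.
AUTH_FILES="passwd group shadow gshadow"

# make_sample_transfer DIR MS: constructed, unsigned transfer used to exercise the
# digest check. A real transfer is untarred from the server and also carries
# HashDigest.signed.
make_sample_transfer() {
    mkdir -p "$1"
    for f in $AUTH_FILES; do echo "sample $f data" > "$1/$f"; done
    echo "$2" > "$1/TimeStamp"
    (cd "$1" && sha256sum $AUTH_FILES TimeStamp > HashDigest)
}

# Step: verify the HashDigest signature with the server key already marked
# trusted in gpg; any failure discards the whole transfer directory.
iar_verify_signature() {
    (cd "$1" && gpg --batch --verify HashDigest.signed HashDigest >/dev/null 2>&1) \
        || { rm -rf "$1"; return 1; }
}

# Step: verify the auth files against HashDigest; a mismatch (e.g. a file altered
# after signing) deletes the transfer so it can never be selected below.
iar_verify_digest() {
    (cd "$1" && sha256sum -c HashDigest >/dev/null 2>&1) \
        || { rm -rf "$1"; return 1; }
}

# Full check in the order the procedure lists: signature first, then digest.
iar_verify_transfer() { iar_verify_signature "$1" && iar_verify_digest "$1"; }

# Step: among verified transfers, pick the newest TimeStamp that is not in the
# future relative to NOW_MS; prints nothing (status 1) when none qualifies.
iar_select_fileset() {
    now=$1; shift; best=""; best_ts=-1
    for d in "$@"; do
        [ -r "$d/TimeStamp" ] || continue
        ts=$(cat "$d/TimeStamp")
        if [ "$ts" -le "$now" ] && [ "$ts" -gt "$best_ts" ]; then
            best=$d; best_ts=$ts
        fi
    done
    [ -n "$best" ] && echo "$best"
}
```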
The IAR application attempts to keep external dependencies to a minimum, but there are a small few.
IAR server relies on ‘nixhash’, for encrypting password entries.
It is not required for Debian-based systems, but it can be used in place of the 'whois' package on embedded systems.
Built with Autotools, there is nixhash.c, nixhash.h with a dependency on -lcrypt.
nixhash is available from the IAR distribution source.
IAR uses ‘sshpass’ to allow clients to connect with an IAR server, without need of shared keys.
sshpass is an external dependency.
Most of the IAR testing is manual. sudo or root privilege is required for most IAR operations, as there are confidential authentication files and shared keys involved.
(This section is in need of update to reflect using the iar “purge” and “remove” commands.)
Ensure there is the most recent copy of iar available.
Some of this testing can be influenced by what files are on the server as well.
Clean-out the configuration file /etc/iar/iar.conf
rm /etc/iar/iar.conf
Clean-out any transfer files that may have accumulated
sudo rm -r /tmp/_iar/
Clean-out any existing authentication files
sudo rm -r /var/lib/iar/
Generate a clean configuration file, edit /etc/iar/iar.conf
This will use a default user account and password.
Then kick an initial test with
sudo ./iar client
The main IAR script, iar is commented with ROBODoc comment blocks. API documentation generated with
List robobash.rc, and fill in the proper command line
(cd .. ; robodoc --rc docs/robobash.rc)
options:
--src ./
--doc ./docs/robodoc/
--masterindex "Master index,index"
--html
--syntaxcolors
--multidoc
--nosort
--index
--tabsize 4
--tell
ignore files:
debian
autom4te.cache
docs
accept files:
iar
The IAR application bundle is documented with ReStructuredText and Sphinx.
make singlehtml
Requires creation of a server key pair for the sshd for the _iar account:
Command: ssh-keygen -f /home/_iar/ssh_host_rsa_key -N '' -t rsa -b8192
Command: /usr/sbin/sshd -oPort=22322 -oAllowUsers=_iar -oHostKey=/home/_iar/ssh_host_rsa_key
(You don’t need to do this, it only needed to be done once.)
dh_make -p iar_123.45 --native --email <e-mail address>