[Savannah-cvs] [116] New page: User-Authentication
From: Assaf Gordon
Subject: [Savannah-cvs] [116] New page: User-Authentication
Date: Fri, 21 Nov 2014 02:21:45 +0000
Revision: 116
http://svn.sv.gnu.org/viewvc/?view=rev&root=administration&revision=116
Author: agn
Date: 2014-11-21 02:21:42 +0000 (Fri, 21 Nov 2014)
Log Message:
-----------
New page: User-Authentication
Added Paths:
-----------
trunk/sviki/UserAuthentication.mdwn
Added: trunk/sviki/UserAuthentication.mdwn
===================================================================
--- trunk/sviki/UserAuthentication.mdwn (rev 0)
+++ trunk/sviki/UserAuthentication.mdwn 2014-11-21 02:21:42 UTC (rev 116)
@@ -0,0 +1,161 @@
+## User Authentication on GNU Savannah Systems
+
+### User Account Creation Work-flow
+
+1. Any person can register a GNU Savannah user account using the web interface
+ at <https://savannah.gnu.org/account/register.php> .
+2. These user accounts are used across all GNU Savannah systems.
+3. Users can upload SSH public keys using the web interface at:
+ <https://savannah.gnu.org/my/admin/editsshkeys.php>
+4. SSH public keys are stored in the mysql database server on
+ `internal.sv.gnu.org`. See [[SavannahServices]] for details about the MySQL
+ configuration.
+
+Users' information is can be viewed on the GNU Savannah web site.
+Example for user 'agn': <https://sv.gnu.org/users/agn/> .
+
+### Database Access
+
+On `internal.sv.gnu.org`, the following SQL commands can be used to examine
+user accounts:
+
+ $ echo "select
+ user_id, user_name, email, realname,
+ uidNumber, authorized_keys
+ from user
+ where user_name = 'agn'" \
+ | mysql savane
+
+
+---------+-----------+----------+--------------+-----------+-----------------+
+ | user_id | user_name | email | realname | uidNumber |
authorized_keys |
+
+---------+-----------+----------+--------------+-----------+-----------------+
+ | 94790 | agn | [email] | Assaf Gordon | 131035 | ssh-rsa
AAAAB3Nz|
+
+---------+-----------+----------+--------------+-----------+-----------------+
+
+The `authorized_keys` field contains all the user's SSH public keys,
+concatenated with `###` delimiter, as a one-line string.
+
+**NOTE**: The database currently contains some malformed/invalid keys - when
+users uploaded invalid keys.
+
+### User/group accounts
+
+In GNU Savannah systems, there is a unix user for *each* GNU Savannah
+registered user:
+
+ vcs:~# getent passwd agn
+ agn:x:131035:1003:Assaf Gordon:/srv:/usr/local/bin/sv_membersh
+
+and a unix group for *each* GNU Savannah registered project:
+
+ vcs:~# getent group datamash
+ datamash:x:77800:agn
+
+Access control is based on unix group membership.
+
+Example:
+
+The GNU Awk project (<http://sv.gnu.org/p/gawk>) has six members as of Nov.
2014
+(<http://sv.gnu.org/project/memberlist.php?group=gawk>).
+
+The GIT repository on `vcs.sv.gnu.org` is group-owned by `gawk` group:
+
+ vcs:~# ls -ld /srv/git/gawk.git/
+ drwxrwsr-x 8 root gawk 4096 Nov 4 01:23 /srv/git/gawk.git/
+
+The members of the `gawk` group are allowed to push code updates to the `gawk`
+repository:
+
+ vcs:~# getent group gawk
+ gawk:x:6731:ajschorr,arnold,eliz,jkahrs,scldad,wb8tyw
+
+### Authentication Mechanisms
+
+For VCS repositories (git/hg/bzr/svn/cvs on `vcs.sv.gnu.org`) and
+download/releases (on `dl.sv.gnu.org`), users are authenticated using SSH
+access and their public keys. See [[SavannahServices]] for details about the
+available services on these servers.
+
+These servers use the MySQL database in two ways:
+
+* Unix user management, using
+ [nsswitch](http://en.wikipedia.org/wiki/Name_Service_Switch) and
+ [libnss-mysql](http://libnss-mysql.sourceforge.net/).
+* SSH key authentication, using the custom `AuthorizedKeysExec` option.
+
+### nsswitch and libnss-mysql
+
+The files `dl:/etc/nsswitch.conf` and `vcs:/etc/nsswitch.conf` contain the
+following configuration:
+
+ ...
+ passwd: compat mysql
+ group: compat mysql
+ shadow: compat mysql
+ ...
+
+Bob Proulx
[explains](http://lists.gnu.org/archive/html/savannah-hackers-public/2014-11/msg00029.html):
+
+That is how libc is configured. 'compat' means /etc/passwd in the
+normal compatible way. 'mysql' means if not found in the first compat
+section then look it up in mysql. That is what allows libc to find
+users in the mysql database.
+
+ download:~# getent passwd agn
+ agn:x:131035:1003:Assaf Gordon:/srv:/usr/local/bin/sv_membersh
+
+(Notice the `uidNumber` from the mysql database is the user's unix account
number).
+
+The SQL statements (to extract information from the mysql database on
`internal`)
+are defined in `dl:/etc/libnss-mysql.cfg` and `vcs:/etc/libnss-mysql.cfg`.
+
+### SSH Authentication
+
+The file `/etc/ssh/sshd_config` on `dl:` and `vcs:` servers contains the
+following statement:
+
+ ...
+ AuthorizedKeysExec /usr/local/bin/sv_get_authorized_keys
+ ...
+
+> **Historical Note:**
+> `AuthorizedKeysExec` was a patch submitted by GNU Hacker
+> Michael J. Flickinger (<http://sv.gnu.org/u/mjflick>) to OpenSSH in
+>
[2011](http://lists.mindrot.org/pipermail/openssh-unix-dev/2011-December/030080.html).
+> It appears the patch was never formally accepted by upstream OpenSSH.
+> In 2012 a similar patch was
+> [accepted from RedHat](http://marc.info/?l=openbsd-cvs&m=135163261632479&w=2)
+> using a differntly named option `AuthorizedKeysCommand`.
+> This option (and not `AuthorizedKeysExec`) is available in most OpenSSH
+> installations.
+> If GNU Savannah servers are ever upgraded, these configuration files should
be
+> updated from `AuthorizedKeysExec` to `AuthorizedKeysCommand`.
+
+When users login to Savannah servers using SSH, they specify the user account:
+
+ git clone address@hidden:/srv/git/datamash.git
+
+The user is therefore known, and OpenSSH needs to find the user's public keys.
+The `/usr/local/bin/sv_get_authorized_keys` perl script simply queries
+the SSH public keys of the user (while splitting them by `###` delimiter):
+
+ ...
+ my ($authorized_keys) = $dbd->selectrow_array(q[
+ SELECT authorized_keys
+ FROM user
+ WHERE user_name = ?], undef, $user);
+
+ print join("\n", split('###', $authorized_keys));
+ ...
+
+Manually invoking `sv_get_authorized_keys` looks like:
+
+ vcs:~# /usr/local/bin/sv_get_authorized_keys agn
+ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvs [...]
+ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ [...]
+
+
+### TODO
+
+* Explain SSH on fencepost
+* Explain SSH on mgt:/root/.ssh/vm_authorized_keys
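Review bot: the `sv_get_authorized_keys` excerpt near the end of the hunk shows no handling for the two failure cases the page itself raises. DBI's `selectrow_array` returns `undef` when no row matches `user_name`, so `split('###', $authorized_keys)` runs on an undefined value for an unknown user, and the NOTE in the Database Access section says the `authorized_keys` column already holds malformed keys, which this script hands to sshd unfiltered. Suggest the page state what the script does in each case (print nothing for an unknown user; whether malformed entries are dropped or left for sshd to reject) and that the editsshkeys.php upload page should validate keys before storing them, since the `###`-joined column is the only input to SSH authentication on `vcs` and `dl`. Smaller points: "Users' information is can be viewed" and "differntly" are typos, and the `getent group gawk` output shows six members while the prose gives the count only in words, so a date on the `ls -ld` and `getent` samples would make the examples reproducible.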