
[Savannah-cvs] [116] New page: User-Authentication


From: Assaf Gordon
Subject: [Savannah-cvs] [116] New page: User-Authentication
Date: Fri, 21 Nov 2014 02:21:45 +0000

Revision: 116
          
http://svn.sv.gnu.org/viewvc/?view=rev&root=administration&revision=116
Author:   agn
Date:     2014-11-21 02:21:42 +0000 (Fri, 21 Nov 2014)
Log Message:
-----------
New page: User-Authentication

Added Paths:
-----------
    trunk/sviki/UserAuthentication.mdwn

Added: trunk/sviki/UserAuthentication.mdwn
===================================================================
--- trunk/sviki/UserAuthentication.mdwn                         (rev 0)
+++ trunk/sviki/UserAuthentication.mdwn 2014-11-21 02:21:42 UTC (rev 116)
@@ -0,0 +1,161 @@
+## User Authentication on GNU Savannah Systems
+
+### User Account Creation Work-flow
+
+1. Any person can register a GNU Savannah user account using the web interface
+   at <https://savannah.gnu.org/account/register.php> .
+2. These user accounts are used across all GNU Savannah systems.
+3. Users can upload SSH public keys using the web interface at:
+   <https://savannah.gnu.org/my/admin/editsshkeys.php>
+4. SSH public keys are stored in the mysql database server on
+   `internal.sv.gnu.org`. See [[SavannahServices]] for details about the MySQL
+   configuration.
+
+Users' information is can be viewed on the GNU Savannah web site.
+Example for user 'agn': <https://sv.gnu.org/users/agn/> .
+
+### Database Access
+
+On `internal.sv.gnu.org`, the following SQL commands can be used to examine
+user accounts:
+
+    $ echo "select
+              user_id, user_name, email, realname,
+              uidNumber, authorized_keys
+            from user
+            where user_name = 'agn'" \
+          | mysql savane
+
+    
+---------+-----------+----------+--------------+-----------+-----------------+
+    | user_id | user_name | email    | realname     | uidNumber | 
authorized_keys |
+    
+---------+-----------+----------+--------------+-----------+-----------------+
+    |   94790 | agn       | [email]  | Assaf Gordon |    131035 | ssh-rsa 
AAAAB3Nz|
+    
+---------+-----------+----------+--------------+-----------+-----------------+
+
+The `authorized_keys` field contains all the user's SSH public keys,
+concatenated with `###` delimiter, as a one-line string.
+
+**NOTE**: The database currently contains some malformed/invalid keys - when
+users uploaded invalid keys.
+
+### User/group accounts
+
+In GNU Savannah systems, there is a unix user for *each* GNU Savannah
+registered user:
+
+     vcs:~# getent passwd agn
+     agn:x:131035:1003:Assaf Gordon:/srv:/usr/local/bin/sv_membersh
+
+and a unix group for *each* GNU Savannah registered project:
+
+    vcs:~# getent group datamash
+    datamash:x:77800:agn
+
+Access control is based on unix group membership.
+
+Example:
+
+The GNU Awk project (<http://sv.gnu.org/p/gawk>) has six members as of Nov. 
2014
+(<http://sv.gnu.org/project/memberlist.php?group=gawk>).
+
+The GIT repository on `vcs.sv.gnu.org` is group-owned by `gawk` group:
+
+    vcs:~# ls -ld /srv/git/gawk.git/
+    drwxrwsr-x 8 root gawk 4096 Nov  4 01:23 /srv/git/gawk.git/
+
+The members of the `gawk` group are allowed to push code updates to the `gawk`
+repository:
+
+    vcs:~# getent group gawk
+    gawk:x:6731:ajschorr,arnold,eliz,jkahrs,scldad,wb8tyw
+
+### Authentication Mechanisms
+
+For VCS repositories (git/hg/bzr/svn/cvs on `vcs.sv.gnu.org`) and
+download/releases (on `dl.sv.gnu.org`), users are authenticated using SSH
+access and their public keys. See [[SavannahServices]] for details about the
+available services on these servers.
+
+These servers use the MySQL database in two ways:
+
+* Unix user management, using
+  [nsswitch](http://en.wikipedia.org/wiki/Name_Service_Switch) and
+  [libnss-mysql](http://libnss-mysql.sourceforge.net/).
+* SSH key authentication, using the custom `AuthorizedKeysExec` option.
+
+### nsswitch and libnss-mysql
+
+The files `dl:/etc/nsswitch.conf` and `vcs:/etc/nsswitch.conf` contain the
+following configuration:
+
+    ...
+    passwd:         compat mysql
+    group:          compat mysql
+    shadow:         compat mysql
+    ...
+
+Bob Proulx 
[explains](http://lists.gnu.org/archive/html/savannah-hackers-public/2014-11/msg00029.html):
+
+That is how libc is configured.  'compat' means /etc/passwd in the
+normal compatible way.  'mysql' means if not found in the first compat
+section then look it up in mysql.  That is what allows libc to find
+users in the mysql database.
+
+     download:~# getent passwd agn
+     agn:x:131035:1003:Assaf Gordon:/srv:/usr/local/bin/sv_membersh
+
+(Notice the `uidNumber` from the mysql database is the user's unix account 
number).
+
+The SQL statements (to extract information from the mysql database on 
`internal`)
+are defined in `dl:/etc/libnss-mysql.cfg` and `vcs:/etc/libnss-mysql.cfg`.
+
+### SSH Authentication
+
+The file `/etc/ssh/sshd_config` on `dl:` and `vcs:` servers contains the
+following statement:
+
+    ...
+    AuthorizedKeysExec      /usr/local/bin/sv_get_authorized_keys
+    ...
+
+> **Historical Note:**  
+> `AuthorizedKeysExec` was a patch submitted by GNU Hacker
+> Michael J. Flickinger (<http://sv.gnu.org/u/mjflick>) to OpenSSH in
+> 
[2011](http://lists.mindrot.org/pipermail/openssh-unix-dev/2011-December/030080.html).
+> It appears the patch was never formally accepted by upstream OpenSSH.  
+> In 2012 a similar patch was
+> [accepted from RedHat](http://marc.info/?l=openbsd-cvs&m=135163261632479&w=2)
+> using a differntly named option `AuthorizedKeysCommand`.  
+> This option (and not `AuthorizedKeysExec`) is available in most OpenSSH
+> installations.  
+> If GNU Savannah servers are ever upgraded, these configuration files should 
be
+> updated from `AuthorizedKeysExec` to `AuthorizedKeysCommand`.
+
+When users login to Savannah servers using SSH, they specify the user account:
+
+    git clone address@hidden:/srv/git/datamash.git
+
+The user is therefore known, and OpenSSH needs to find the user's public keys.
+The `/usr/local/bin/sv_get_authorized_keys` perl script simply queries
+the SSH public keys of the user (while splitting them by `###` delimiter):
+
+    ...
+    my ($authorized_keys) = $dbd->selectrow_array(q[
+        SELECT authorized_keys
+        FROM user
+        WHERE user_name = ?], undef, $user);
+
+    print join("\n", split('###', $authorized_keys));
+    ...
+
+Manually invoking `sv_get_authorized_keys` looks like:
+
+    vcs:~# /usr/local/bin/sv_get_authorized_keys agn
+    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvs [...]
+    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ [...]
+
+
+### TODO
+
+* Explain SSH on fencepost
+* Explain SSH on mgt:/root/.ssh/vm_authorized_keys
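Review bot: the `sv_get_authorized_keys` excerpt under "SSH Authentication" prints whatever `split('###', $authorized_keys)` yields with no validation, while the NOTE under "Database Access" says the `authorized_keys` column already holds malformed keys; the page should say what sshd does with such lines (it skips entries it cannot parse, so a broken key silently never matches rather than producing an error) and recommend rejecting invalid keys at upload time in `editsshkeys.php` (for example by running `ssh-keygen -l -f` on the submitted key) so the column stays clean. The script should also guard the unknown-user case, since `selectrow_array` returns undef when no row matches and `split` is then called on undef. The Historical Note's upgrade advice is incomplete: upstream `AuthorizedKeysCommand` also needs `AuthorizedKeysCommandUser` (current sshd refuses to start with the command set and the user unset), and the command must be owned by root, not group/world-writable, and given by absolute path; and the `###` delimiter is ambiguous for any key whose comment field itself contains `###`. Finally, it is worth stating explicitly that the username argument to the script comes from the unauthenticated SSH client and that the parameterised `WHERE user_name = ?` query, not string interpolation, is what keeps that safe.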



