new: [rsync-backup-target] add recover key mechanism

This allows to get a one-time credential to have read access on specified backup slot. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago · be42bd9076
10 changed files with 257 additions and 15 deletions
--- a/rsync-backup-target/README.org
+++ b/rsync-backup-target/README.org
@ -55,6 +55,24 @@ $ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key ls
 $
 #+end_example
 ** Requesting a recover only key
 As an admin, by requesting a recover-only key on an ident that you
 own, you are allowed to read (and only read) the content of the given
 ident. This will allow you to give the credentials to any new host to
 have a direct read access so-as to deploy the backup on a new host.
 #+begin_example
 $ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key request-recovery-key myident > /tmp/private_key
 $ chmod 500 /tmp/private_key
 $ rsync -e "ssh -p 22 -i /tmp/private_key -l rsync" \
      -azvArH --delete --delete-excluded \
      --partial --partial-dir .rsync-partial \
      --numeric-ids $RSYNC_BACKUP_TARGET:/var/mirror/myident/etc/ /tmp/etc
 #+end_example
 This key will expire after 15 mn of the last recovery.
 * Troubleshooting
--- a/rsync-backup-target/build/Dockerfile
+++ b/rsync-backup-target/build/Dockerfile
@ -3,7 +3,8 @@ FROM alpine:3.9
 MAINTAINER Valentin Lab <valentin.lab@kalysto.org>
 ## coreutils is for ``date`` support of ``--rfc-3339=seconds`` argument.
 RUN apk add rsync sudo bash openssh-server coreutils
 ## findutils is for ``find`` support of ``--newermt`` argument.
 RUN apk add rsync sudo bash openssh-server coreutils findutils
 RUN ssh-keygen -A
 ## New user/group rsync/rsync with home dir in /var/lib/rsync
--- a/rsync-backup-target/build/entrypoint.sh
+++ b/rsync-backup-target/build/entrypoint.sh
@ -16,7 +16,7 @@ if ! egrep '^[^:]+:x:101:101:' /etc/passwd; then
    ## Then it is a first run of this container, users
    ## need to be created. Notice that container will be
    ## re-created anew if user config was changed.
    for user_dir in /etc/rsync/keys/admin/*; do
    for user_dir in /etc/rsync/keys/admin/* /etc/rsync/keys/recover; do
        [ -d "$user_dir" ] || continue
        user="${user_dir##*/}"
        [ "$user" != "rsync" ] || continue
--- a/rsync-backup-target/build/src/etc/sudoers.d/recover
+++ b/rsync-backup-target/build/src/etc/sudoers.d/recover
@ -0,0 +1,7 @@
 ## allow admin users to request a recovery key, this is really not
 ## sufficient, but the real check is done on the
 ## ``ssh-admin-cmd-validate`` side.
 %rsync ALL=(root) NOPASSWD: /usr/local/sbin/request-recovery-key *
 %rsync ALL=(root) NOPASSWD: /bin/touch /etc/rsync/keys/recover/*
 %rsync ALL=(root) NOPASSWD: /usr/local/sbin/ssh-update-keys
--- a/rsync-backup-target/build/src/etc/sudoers.d/rsync
+++ b/rsync-backup-target/build/src/etc/sudoers.d/rsync
@ -4,3 +4,4 @@
 rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server * . /var/mirror/*
 %rsync ALL=(root) NOPASSWD: /usr/local/sbin/ssh-key *
 %rsync ALL=(root) NOPASSWD: /usr/local/sbin/ssh-update-keys
--- a/rsync-backup-target/build/src/usr/local/sbin/request-recovery-key
+++ b/rsync-backup-target/build/src/usr/local/sbin/request-recovery-key
@ -0,0 +1,76 @@
 #!/bin/bash
 RSYNC_KEY_PATH=/etc/rsync/keys
 RECOVER_KEY_PATH=${RSYNC_KEY_PATH}/recover
 ANSI_ESC=$'\e['
 NORMAL="${ANSI_ESC}0m"
 GRAY="${ANSI_ESC}1;30m"
 RED="${ANSI_ESC}1;31m"
 GREEN="${ANSI_ESC}1;32m"
 YELLOW="${ANSI_ESC}1;33m"
 BLUE="${ANSI_ESC}1;34m"
 PINK="${ANSI_ESC}1;35m"
 CYAN="${ANSI_ESC}1;36m"
 WHITE="${ANSI_ESC}1;37m"
 DARKGRAY="${ANSI_ESC}0;30m"
 DARKRED="${ANSI_ESC}0;31m"
 DARKGREEN="${ANSI_ESC}0;32m"
 DARKYELLOW="${ANSI_ESC}0;33m"
 DARKBLUE="${ANSI_ESC}0;34m"
 DARKPINK="${ANSI_ESC}0;35m"
 DARKCYAN="${ANSI_ESC}0;36m"
 DARKWHITE="${ANSI_ESC}0;37m"
 ssh:mk-private-key() {
    local comment="$1"
    (
        tmpdir=$(mktemp -d)
        chmod go-rwx "$tmpdir"
        ssh-keygen -t rsa -N "" -f "$tmpdir/rsync_rsa" -C "$service_name@$host" >/dev/null
        cat "$tmpdir/rsync_rsa"
        rm -rf "$tmpdir"
    )
 }
 md5() {
    local md5
    md5=$(cat | md5sum)
    echo "${md5%% *}"
 }
 request-recovery-key() {
    local label="$1" ident="$2" key public_key
    ## Admin should have claimed the ident with at least one backup key
    if ! [ -e "${RSYNC_KEY_PATH}/backup/$label/$ident.pub" ]; then
        echo "Error: Current admin '$label' has no ident '$ident' claimed." >&2
        return 1
    fi
    ## Find new label
    while true; do
        key=$(ssh:mk-private-key "recover@$ident")
        md5=$(printf "%s" "$key" | md5)
        [ -e "${RECOVER_KEY_PATH}/$md5" ] || break
    done
    mkdir -p "${RECOVER_KEY_PATH}"
    public_key=$(ssh-keygen -y -f <(printf "%s\n" "$key"))
    printf "%s %s\n" "$public_key" "recover@$ident" > "${RECOVER_KEY_PATH}/$md5.pub"
    touch "${RECOVER_KEY_PATH}/$md5"
    chmod go-rwx "${RECOVER_KEY_PATH}/$md5"
    printf "%s\n" "$key" | tee -a "${RECOVER_KEY_PATH}/$md5"
    /usr/local/sbin/ssh-update-keys
 }
 request-recovery-key "$@"
--- a/rsync-backup-target/build/src/usr/local/sbin/ssh-admin-cmd-validate
+++ b/rsync-backup-target/build/src/usr/local/sbin/ssh-admin-cmd-validate
@ -71,6 +71,15 @@ elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"ssh-key rm "[a-zA-Z0-9._-]+$ ]]; then
    # echo "Would accept: $SSH_ORIGINAL_COMMAND" >&2
 	exec sudo /usr/local/sbin/ssh-key rm "$label" "${ssh_args[@]:2}"
 elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"request-recovery-key "[a-zA-Z0-9._-]+$ ]]; then
 	log "ACCEPTED: $SSH_ORIGINAL_COMMAND"
    ## Interpret \ to allow passing spaces (want to avoid possible issue with \n)
    #read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}"
    ssh_args=(${SSH_ORIGINAL_COMMAND})
    # echo "Would accept: $SSH_ORIGINAL_COMMAND" >&2
 	exec sudo /usr/local/sbin/request-recovery-key "$label" "${ssh_args[@]:1}"
 else
    log "NOT MATCHING ANY ALLOWED COMMAND"
--- a/rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate
+++ b/rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate
@ -19,7 +19,7 @@ log() {
           >> "$LOG"
 }
 log "NEW CONNECTION"
 log "NEW BACKUP CONNECTION"
 if [ -z "$1" ] || ! [[ "$1" =~ ^[a-zA-Z0-9._-]+$ ]]; then
    log "INVALID SETUP, ARG IS: '$1'"
@ -37,6 +37,7 @@ reject() {
    exit 1
 }
 sudo /usr/local/sbin/ssh-update-keys
 if [[ "$SSH_ORIGINAL_COMMAND" =~ [\&\(\{\;\<\>\`\$\}] ]]; then
    log "BAD CHARS DETECTED"
--- a/rsync-backup-target/build/src/usr/local/sbin/ssh-recover-cmd-validate
+++ b/rsync-backup-target/build/src/usr/local/sbin/ssh-recover-cmd-validate
@ -0,0 +1,97 @@
 #!/bin/bash
 ## Note that the shebang is not used, but it's the login shell that
 ## will execute this command.
 RSYNC_KEY_PATH=/etc/rsync/keys
 RECOVER_KEY_PATH=${RSYNC_KEY_PATH}/recover
 exname=$(basename "$0")
 mkdir -p /var/log/rsync
 LOG="/var/log/rsync/$exname.log"
 ssh_connection=(${SSH_CONNECTION})
 SSH_SOURCE_IP="${ssh_connection[0]}:${ssh_connection[1]}"
 log() {
    printf "%s [%s] %s - %s\n" \
           "$(date --rfc-3339=seconds)" "$$" "$SSH_SOURCE_IP" "$*" \
           >> "$LOG"
 }
 log "NEW RECOVER CONNECTION"
 if [ -z "$1" ] || ! [[ "$1" =~ ^[a-z0-9]+$ ]]; then
    log "INVALID SETUP, ARG 1 SHOULD BE MD5 AND IS: '$1'"
    echo "Your command has been rejected. Contact administrator."
    exit 1
 fi
 md5="$1"
 log "RECOVER KEY $md5"
 if [ -z "$2" ] || ! [[ "$2" =~ ^[a-zA-Z0-9._-]+$ ]]; then
    log "INVALID SETUP, IDENT IS: '$1'"
    echo "Your command has been rejected. Contact administrator."
    exit 1
 fi
 ident="$2"
 log "IDENTIFIED AS $ident"
 reject() {
    log "REJECTED: $SSH_ORIGINAL_COMMAND"
    # echo "ORIG: $SSH_ORIGINAL_COMMAND" >&2
    echo "Your command has been rejected and reported to sys admin." >&2
    exit 1
 }
 if [[ "$SSH_ORIGINAL_COMMAND" =~ [\&\(\{\;\<\>\`\$\}] ]]; then
    log "BAD CHARS DETECTED"
    # echo "Bad chars: $SSH_ORIGINAL_COMMAND" >&2
    reject
 fi
 if [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server --sender -"[vnloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"(|/.*)$ ]]; then
    ## Interpret \ to allow passing spaces (want to avoid possible issue with \n)
    #read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}"
    ssh_args=(${SSH_ORIGINAL_COMMAND})
    last_arg="${ssh_args[@]: -1:1}"
    if ! new_path=$(realpath "$last_arg" 2>/dev/null); then
        log "FINAL PATH INVALID"
        reject
    fi
    if [[ "$new_path" != "$last_arg" ]] &&
           [[ "$new_path" != "/var/mirror/$ident/"* ]] &&
           [[ "$new_path" != "/var/mirror/$ident" ]]; then
        log "FINAL PATH SUSPICIOUS"
        reject
    fi
    sudo /usr/local/sbin/ssh-update-keys
    if ! [ -e "${RECOVER_KEY_PATH}/$md5" ]; then
        log "RECOVERY KEY $md5 JUST EXPIRED"
        reject
    fi
 	log "ACCEPTED RECOVER COMMAND: $SSH_ORIGINAL_COMMAND"
 	sudo "${ssh_args[@]}"
    errlvl="$?"
    for key_file in "${RECOVER_KEY_PATH}/$md5"{,.pub}; do
        [ -e "$key_file" ] || continue
        sudo touch "$key_file"  ## Update modified time to keep key longer
    done
    exit "$errlvl"
 else
    log "REFUSED COMMAND AS IT DOESN'T MATCH ANY EXPECTED COMMAND"
 	reject
 fi
--- a/rsync-backup-target/build/src/usr/local/sbin/ssh-update-keys
+++ b/rsync-backup-target/build/src/usr/local/sbin/ssh-update-keys
@ -1,36 +1,68 @@
 #!/bin/bash
 ## Keep in mind possible race conditions as this script will be called
 ## from different place to update the access tokens.
 ##
 ## code
 ## Code
 ##
 KEYS=/etc/rsync/keys
 RSYNC_KEY_PATH=/etc/rsync/keys
 RSYNC_HOME=/var/lib/rsync
 BACKUP_KEY_PATH=${RSYNC_KEY_PATH}/backup
 RECOVER_KEY_PATH=${RSYNC_KEY_PATH}/recover
 mkdir -p "$RSYNC_HOME/.ssh" "$RECOVER_KEY_PATH"
 ## delete old recovery keys
 find "${RECOVER_KEY_PATH}" \
    -maxdepth 1 -not -newermt "-15 minutes" \
    -type f -delete
 mkdir -p "$RSYNC_HOME/.ssh"
 ##
 ## New
 ##
 touch "$RSYNC_HOME"/.ssh/authorized_keys.new
 pid=$$
 new="$RSYNC_HOME"/.ssh/authorized_keys.tmp."$pid"
 touch "$new"
 for f in "$KEYS"/backup/*/*.pub; do
 for f in "$BACKUP_KEY_PATH"/*/*.pub "$RECOVER_KEY_PATH"/*.pub; do
    [ -e "$f" ] || continue
    content=$(cat "$f")
    if [[ "$content" == *" "*" "*@* ]]; then
        ident="${content##*@}"
    else
        ident="${f##*/}"
        ident="${ident%.pub}"
    fi
    if ! [[ "$ident" =~ ^[a-zA-Z0-9._-]+$ ]]; then
        echo "bad: '$ident'" >&2
        continue
    fi
    echo "command=\"/usr/local/sbin/ssh-cmd-validate \\\"$ident\\\"\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $content"
 done >> "$RSYNC_HOME"/.ssh/authorized_keys.new
    if [[ "$f" == "${RECOVER_KEY_PATH}"/*.pub ]]; then
        basename=${f##*/}
        basename=${basename%.pub}
        cmd="/usr/local/sbin/ssh-recover-cmd-validate $basename"
    else
        cmd=/usr/local/sbin/ssh-cmd-validate
    fi
    echo "command=\"$cmd \\\"$ident\\\"\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $content"
 done >> "$new"
 [ -e ""$RSYNC_HOME"/.ssh/authorized_keys" ] &&
 [ -e "$RSYNC_HOME"/.ssh/authorized_keys ] &&
  mv "$RSYNC_HOME"/.ssh/authorized_keys{,.old}
 mv "$RSYNC_HOME"/.ssh/authorized_keys{.new,}
 chown rsync:rsync -R "$RSYNC_HOME"/.ssh -R
 ## XXXvlab: Atomic operation. It's the last call to this instruction
 ## that will prevail. There are some very special cases where some
 ## added key would not be added as expected: for instance an older
 ## call to ``ssh-update-key``, if made before a specific public key
 ## file was added to directory, could take a longer time to reach this
 ## next instruction than a more recent call (that would be after
 ## the specific public key was added).
 mv "$new" "$RSYNC_HOME"/.ssh/authorized_keys
 chown rsync:rsync "$RSYNC_HOME"/.ssh -R