enigform & mod_auth_openpgp, let's start

Specific forum for enigform and m_a_o bug reporting and discussion.


Post by lace on Sat May 12, 2007 8:26 pm

Hi Arturo,
just playing with enigform & mod_auth_openpgp.
Very interesting, thanks for them.

Seems enigform works like a charm, I download
http://enigformtest.buanzo.com.ar/enigformtest.tgz and updated to my box, works perfectly.
(I had only "big" problem with permission of keyring :D.)

I would like to try mod_auth_openpgp, I installed it. I can see it in phpsysinfo().
I updated httpd.conf according to README and nothing :(.

Please, how can I test it? Should I expect something similar as with enigformtest.tgz?
Firefox should show new window with enigform and I write passphrase?
Seems in enigformtest.tgz enigform is triggered by ##ENIGFORM_Sign## in HTML, how is enigform triggered with mod_auth_openpgp?

Where should be located keyring.pub for mod_auth_openpgp, is there some config file?

Thanks.

--
Ladislav Hagara
lace
 


Re: enigform & mod_auth_openpgp, let's start

Post by buanzo on Sat May 12, 2007 9:34 pm

lace wrote: Hi Arturo, just playing with enigform & mod_auth_openpgp. Very interesting, thanks for them.

Thank you for testing them out! :)

lace wrote: Seems enigform works like a charm, I download
http://enigformtest.buanzo.com.ar/enigformtest.tgz and updated to my box, works perfectly.
(I had only "big" problem with permission of keyring :D.)

I'm just in the process of adding certain key features to mod_auth_openpgp. Once those are ready, I'll update enigformtest.buanzo.com.ar's server to have mod_auth_openpgp enabled. Then you'll notice that m_a_o adds, once the HTTP request is verified, some extra HTTP headers (different from those enigform adds, yes). Those new extra headers are the ones you're gonna use from within Apache, PHP/Python/Perl/Ruby for auth.

lace wrote: I would like to try mod_auth_openpgp, I installed it. I can see it in phpsysinfo(). I updated httpd.conf according to README and nothing :(.

Make sure the user under which your site runs has a fully-configured gpg. For example (adapt for your needs):

Code:
su - apache --shell=/bin/sh -c /usr/bin/gpg

Without that m_a_o will probably complain. Of course, check out mao's readme so you can see a VirtualHost example. Specifically, you want to "OpenPGPEngine On" for it.

lace wrote: Should I expect something similar as with enigformtest.tgz?

Not really. The enigformtest php code just shows you some info about the incoming http request, and calls gpg to verify it. Once enigformtest is upgraded to work with m_a_o, calling gpg won't be necessary anymore, as m_a_o will take care of that. In any case, enigformtest will still prove useful, as it outputs all the extra HTTP headers m_a_o adds after verifying the incoming Enigform-signed HTTP request.

lace wrote: Firefox should show new window with enigform and I write passphrase?

Depending on your setup, it might not even show the passphrase (when gpg-agent usage is turned on for Enigform). Of course, you need gpg configured and you should've a private key!

lace wrote: Seems in enigformtest.tgz enigform is triggered by ##ENIGFORM_Sign## in HTML, how is enigform triggered with mod_auth_openpgp?

Currently, Enigform signs requests, and m_a_o verifies them. Any request that gets to a mao-enabled Apache site will be verified.

m_a_o does NOT sign (YET), and Enigform does not verify server responses. I'm working on that, too.

lace wrote: Where should be located keyring.pub for mod_auth_openpgp, is there some config file?

I'm planning on adding a "Homedir" parameter to m_a_o, so gpgme is set to load keyrings from it. Currently, it will inherit the $HOME variable from your virtualhost's environment. With the newer Apache it is easy to make a virtualhost run under a specific UID/GID pair.
buanzo
Administrator

Posts: 673
Joined: Sat Dec 09, 2006 11:17 am
Location: Buanzonia (ok, Florida, Buenos Aires)

Re: enigform & mod_auth_openpgp, let's start

Post by lace on Wed May 16, 2007 5:06 pm

Thanks for info. But still problems. :(
mod_auth_openpgp could have at least some logging.
Still trying...
lace
 
Posts: 12
Joined: Mon May 14, 2007 7:00 pm

Re: enigform & mod_auth_openpgp, let's start

Post by buanzo on Wed May 16, 2007 10:42 pm

Yeah, sorry bout the logging! I know it's missing, but what do you expect from a 0.2.0 release? :)

Anyway, let me know if I can be of any extra help.
buanzo
Administrator

Posts: 673
Joined: Sat Dec 09, 2006 11:17 am
Location: Buanzonia (ok, Florida, Buenos Aires)

Re: enigform & mod_auth_openpgp, let's start

Post by miclaro on Fri Jun 15, 2007 4:35 pm

Hi:
I executed:
su - apache --shell=/bin/sh -c /usr/bin/gpg
then
su - apache --shell=/bin/sh -c "/usr/bin/gpg --import login.pub"
to import my pub key

but when I enter the site (without activating restriction, only with the module active)
It says I don't have access.
miclaro
 
Posts: 3
Joined: Fri Jun 15, 2007 4:08 pm

Re: enigform & mod_auth_openpgp, let's start

Post by buanzo on Fri Jun 15, 2007 5:51 pm

What version did you install? What actions did you take after compiling the module? Are you using an RPM package, or similar? What is the EXACT error Apache shows to the browser, and in the error_log?
buanzo
Administrator

Posts: 673
Joined: Sat Dec 09, 2006 11:17 am
Location: Buanzonia (ok, Florida, Buenos Aires)

Re: enigform & mod_auth_openpgp, let's start

Post by miclaro on Sun Jun 17, 2007 9:57 pm

I've got RHEL 5
httpd-2.2.3-6.el5 rpm
gpgme-1.1.4 compiled from source
mod_auth_openpgp-0.2.0 compiled from source

then added the module with
Code:
<IfModule !mod_auth_openpgp.c>
        LoadModule auth_openpgp_module    modules/mod_auth_openpgp.so
</IfModule>


restart apache, all works fine

then activated the module in the default ssl virtual host:
Code:
OpenPGPEngine on


restarted apache

when browsing I get:
Forbidden

You don't have permission to access / on this server.


no errors on the logs.
miclaro
 
Posts: 3
Joined: Fri Jun 15, 2007 4:08 pm

Re: enigform & mod_auth_openpgp, let's start

Post by buanzo on Sun Jun 17, 2007 11:28 pm

Mmm... so if you turn off the OpenPGPEngine then you don't get the error?
Let's just be sure about that, first!

Can you, also, post the entire ssl virtual host's VirtualHost config?
buanzo
Administrator

Posts: 673
Joined: Sat Dec 09, 2006 11:17 am
Location: Buanzonia (ok, Florida, Buenos Aires)

Re: enigform & mod_auth_openpgp, let's start

Post by miclaro on Mon Jun 18, 2007 10:10 am

That's correct, disabling the pgp line I get no errors, it displays the standard redhat welcome page.

I'm attaching my conf.d/ssl.conf

Code:
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#

LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex default

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


# Turn on the OpenPGP Engine for this VirtualHost
#OpenPGPEngine on

# To Allow user buanzo@buanzo.com.ar use SetEnvIf like this:
# If the X-Auth-OpenPGP-Email header begins with the email value,
# then set the valid_user env var to be used as
# decisive factor in the Allow sentence of mod_access.
# X-Auth-OpenPGP* headers cannot be spoofed, as they get resetted
# if the module has been enabled for the vhost.

#SetEnvIf X-Auth-OpenPGP-Email myemail@gmail.com valid_user
#<Location "/">
#        Order Deny,Allow
#        Deny from all
#        Allow from env=valid_user
#</Location>

</VirtualHost>


this is the only line that I change:
Code:
#OpenPGPEngine on
miclaro
 
Posts: 3
Joined: Fri Jun 15, 2007 4:08 pm
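
The commented-out SetEnvIf line in the configuration posted above is matched by mod_setenvif as an unanchored regular expression, so the pattern decides which X-Auth-OpenPGP-Email values set valid_user. An added example (not part of the thread or of mod_auth_openpgp) comparing that pattern with an anchored, escaped one; Python's re.search stands in for Apache's regex matching, and the header values are constructed samples.

```python
import re


def anchored_pattern(email):
    """Regex matching only the exact address: dots escaped, both ends anchored."""
    return "^" + re.escape(email) + "$"


def sets_valid_user(pattern, header_value):
    """Model SetEnvIf: the env var is set when the regex matches anywhere in the value.

    Assumption: re.search approximates Apache's regex matching for these
    simple patterns (no flags, single-line header values).
    """
    return re.search(pattern, header_value) is not None


# Constructed sample values for the X-Auth-OpenPGP-Email header (not from the thread).
SAMPLE_VALUES = [
    "myemail@gmail.com",              # the intended user
    "notmyemail@gmail.com",           # different local part, same suffix
    "myemail@gmail.com.example.net",  # different domain, same prefix
    "myemail@gmailxcom",              # "." in the unescaped pattern matches any character
    "other@example.org",              # unrelated address
]


def compare(email="myemail@gmail.com", values=SAMPLE_VALUES):
    """Return (value, allowed_by_pattern_as_posted, allowed_by_anchored) per sample."""
    loose = email                     # the address used verbatim as the regex, as in the config
    strict = anchored_pattern(email)
    return [(v, sets_valid_user(loose, v), sets_valid_user(strict, v))
            for v in values]


def hardened_directive(email="myemail@gmail.com", env="valid_user"):
    """Render the SetEnvIf line with the anchored pattern, quoted for the vhost config."""
    return 'SetEnvIf X-Auth-OpenPGP-Email "%s" %s' % (anchored_pattern(email), env)


if __name__ == "__main__":
    for value, loose, strict in compare():
        print("%-32s as_posted=%-5s anchored=%s" % (value, loose, strict))
    print(hardened_directive())
```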

Re: enigform & mod_auth_openpgp, let's start

Post by buanzo on Mon Jun 18, 2007 10:41 am

First, raise the LogLevel parameter. "warn" might not be useful.
If that shows anything with OpenPGPEngine "on", send it here.
If not, let me know, and I will try to debug it on my home lab ASAP.

But, I'll say that the virtual host is not receiving a signed request. Is it?

Because the ONLY "FORBIDDEN" response the module throws is under this circumstance:

if (openpgp_version == NULL || openpgp_sig == NULL || openpgp_type==NULL || openpgp_type[0] != 'S') return HTTP_FORBIDDEN;

So, if the request IS signed, then you might be having a gnupg server-side configuration issue. If it is NOT signed, then try enabling enigform for firefox.
buanzo
Administrator

Posts: 673
Joined: Sat Dec 09, 2006 11:17 am
Location: Buanzonia (ok, Florida, Buenos Aires)
