Local auth example #40

Closed
wants to merge 5 commits into from
1 change: 1 addition & 0 deletions config/config-sample.ini
@@ -83,6 +83,7 @@ password = password
database = ska-db

[ldap]
enabled = 0
; Address to connect to LDAP server
host = ldaps://ldap.example.com:636
; Use StartTLS for connection security (recommended if using ldap:// instead
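Review bot: `enabled = 0` is the only key in the `[ldap]` section without a `;` comment, while the neighbouring keys each document themselves; add a line above it saying what the values mean, e.g. `; Set to 1 to authenticate and sync users against LDAP, 0 to keep user management local`. Since the sample now ships with LDAP switched off while `host`, `bind_dn` and the other LDAP keys remain filled in, the comment should also say that those keys are ignored when `enabled = 0`, otherwise a reader will assume the section is active.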
10 changes: 6 additions & 4 deletions core.php
@@ -35,10 +35,12 @@
require('ldap.php');
require('email.php');

$ldap_options = array();
$ldap_options[LDAP_OPT_PROTOCOL_VERSION] = 3;
$ldap_options[LDAP_OPT_REFERRALS] = !empty($config['ldap']['follow_referrals']);
$ldap = new LDAP($config['ldap']['host'], $config['ldap']['starttls'], $config['ldap']['bind_dn'], $config['ldap']['bind_password'], $ldap_options);
if ($config['ldap']['enabled'] == 1) {
$ldap_options = array();
$ldap_options[LDAP_OPT_PROTOCOL_VERSION] = 3;
$ldap_options[LDAP_OPT_REFERRALS] = !empty($config['ldap']['follow_referrals']);
$ldap = new LDAP($config['ldap']['host'], $config['ldap']['starttls'], $config['ldap']['bind_dn'], $config['ldap']['bind_password'], $ldap_options);
}
setup_database();

$relative_frontend_base_url = (string)parse_url($config['web']['baseurl'], PHP_URL_PATH);
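Review bot: existing installs whose config.ini predates this change have no `enabled` key, so `$config['ldap']['enabled'] == 1` reads an undefined index (a PHP notice on every request) and evaluates false, silently switching LDAP off on upgrade. Treat a missing key as enabled for backward compatibility, e.g. `if (!isset($config['ldap']['enabled']) || $config['ldap']['enabled'] == 1) {`, and document the new key in the upgrade notes. Second, when the branch is skipped `$ldap` is never defined, so any later code that calls a method on it will fatal with an undefined-variable error rather than fail cleanly; set `$ldap = null;` before the `if` and have callers test for it. In particular check that `scripts/ldap_update.php`, which the `docker/cron` file in this PR runs nightly, copes with LDAP being disabled.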
39 changes: 39 additions & 0 deletions docker/Dockerfile
@@ -0,0 +1,39 @@
FROM alpine:3.8
LABEL maintainer="Marc Mettke <[email protected]>"

ENV SYSTEM https://github.com/operasoftware/ssh-key-authority.git
ADD entrypoint.sh /entrypoint.sh
ADD healthcheck.sh /healthcheck.sh
ADD cron /var/spool/cron/crontabs/root

RUN mkdir -p /var/log/keys/ /run/php/ /ska/ && \
adduser --system --disabled-password keys-sync && \
apk add openssh \
php \
php-fpm \
php7-json \
php7-ldap \
php7-mbstring \
php7-mysqli \
php7-pcntl \
php7-posix \
php7-ssh2 \
rsync \
ssmtp \
sudo && \
sed -i -e '/listen =/ s/= .*/= 0.0.0.0:9000/' /etc/php7/php-fpm.d/www.conf && \
sed -i -e '/;pid =/ s/.*/pid = \/var\/run\/php-fpm.pid/' /etc/php7/php-fpm.conf && \
echo "" >> /etc/php7/php-fpm.conf && \
chmod +x /entrypoint.sh /healthcheck.sh && \
ln -sf /dev/stderr /var/log/php7/error.log
RUN apk add git && \
git clone ${SYSTEM} /ska && \
apk del git && \
chown -R keys-sync:nogroup /ska/config

EXPOSE 9000
VOLUME /ska/config
VOLUME /public_html

ENTRYPOINT "/entrypoint.sh"
HEALTHCHECK CMD /healcheck.sh
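Review bot: `HEALTHCHECK CMD /healcheck.sh` on the last line misspells the script added as `/healthcheck.sh`, so the health check can never execute and every container built from this file will sit permanently `unhealthy`; change it to `HEALTHCHECK CMD /healthcheck.sh`. Two further points in the same hunk: `git clone ${SYSTEM} /ska` pulls the default branch of github.com/operasoftware/ssh-key-authority.git at build time with no tag or commit pinned, so the image is not reproducible, and because it clones upstream rather than this branch the image will not even contain the `core.php` and `config-sample.ini` changes of this PR until they are merged; pin a ref with `git clone --branch <tag> --depth 1` or COPY the checked-out tree into the image instead. And `ENTRYPOINT "/entrypoint.sh"` is the shell form, which makes `/bin/sh -c` PID 1 so the SIGTERM from `docker stop` never reaches php-fpm and crond; use the exec form `ENTRYPOINT ["/entrypoint.sh"]`.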
2 changes: 2 additions & 0 deletions docker/cron
@@ -0,0 +1,2 @@
0 1 * * * /ska/scripts/ldap_update.php
*/1 * * * * /bin/ash -c "PID=$(cat /var/run/keys-sync.pid) && [ -n ${PID} -a -d /proc/${PID} ] || /ska/scripts/syncd.php --user keys-sync"
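Review bot: in the second entry `${PID}` is unquoted inside `[ ... ]`, so an empty /var/run/keys-sync.pid expands to `[ -n -a -d /proc/ ]`, which is no longer the test that was intended and may leave a dead syncd unrestarted; quote it the way healthcheck.sh does: `[ -n "${PID}" -a -d "/proc/${PID}" ]`. A stale pid file whose PID has since been reused by another process also passes this check; looking for `syncd` in `/proc/${PID}/cmdline` would be more robust. Separately, the 01:00 `ldap_update.php` entry runs unconditionally, including in the httpd-local example where LDAP is disabled via the new `enabled` flag; confirm that script exits cleanly in that case rather than erroring into root's cron mail every night.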
35 changes: 35 additions & 0 deletions docker/entrypoint.sh
@@ -0,0 +1,35 @@
#!/usr/bin/env ash
if [ `whoami` == 'keys-sync' ]; then
if [ ! -r /ska/config/config.ini ]; then
echo "config.ini not found or incorrect permissions."
echo "Permissions must be $(id -u keys-sync):$(id -g keys-sync) with at least 400"
exit 1
fi
if [ ! -r /ska/config/keys-sync ]; then
echo "private key not found or incorrect permissions."
echo "Permissions must be $(id -u keys-sync):$(id -g keys-sync) with 400"
exit 1
fi
if [ ! -r /ska/config/keys-sync.pub ]; then
echo "public key not found or incorrect permissions."
echo "Permissions must be $(id -u keys-sync):$(id -g keys-sync) with at least 400"
exit 1
fi
if ! grep "^timeout_util = BusyBox$" /ska/config/config.ini > /dev/null; then
echo "timeout_util must be set to BusyBox."
echo "Change it to: timeout_util = BusyBox"
exit 1
fi
elif [ $(id -u) = 0 ]; then
if ! sudo -u keys-sync /entrypoint.sh; then
exit 1
fi
rsync -a --delete /ska/public_html/ /public_html/
/usr/sbin/crond
echo "Waiting for database..."
sleep 5
/ska/scripts/syncd.php --user keys-sync
/usr/sbin/php-fpm7 -F
else
echo "Must be executed with root"
fi
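Review bot: the three permission checks only test readability (`-r`), so they do not enforce what their error messages promise: a private key at mode 0644 owned by keys-sync passes the `/ska/config/keys-sync` check although the message says it must be 400, and a world-readable config.ini with the database password passes too. Check owner and mode explicitly, e.g. `[ "$(stat -c %a /ska/config/keys-sync)" = "400" ]` and `[ "$(stat -c %u /ska/config/keys-sync)" = "$(id -u)" ]` (BusyBox stat supports `-c`). Smaller points: the final `else` branch prints "Must be executed with root" but exits 0, so a mis-invoked container looks started; add `exit 1`. The comparison `[ \`whoami\` == 'keys-sync' ]` uses `==`, which POSIX `test` does not define; use `=`. And "Waiting for database..." followed by `sleep 5` is a fixed delay rather than a readiness check, so `syncd.php` starts whether or not `ska-db` is accepting connections yet; poll the database port in a loop before starting it.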
7 changes: 7 additions & 0 deletions docker/healthcheck.sh
@@ -0,0 +1,7 @@
#!/usr/bin/env ash
for PID_FILE in /var/run/crond.pid /var/run/keys-sync.pid /var/run/php-fpm.pid; do
PID=$(cat ${PID_FILE})
if ! [ -n "${PID}" -a -d "/proc/${PID}" ]; then
exit 1
fi
done
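Review bot: `-d "/proc/${PID}"` accepts a stale pid file whose PID has since been reused by an unrelated process, so a crashed syncd or php-fpm can still report healthy; check the process name as well, e.g. `grep -q syncd /proc/${PID}/cmdline` for keys-sync.pid and the equivalent for the other two. When a pid file is missing, `cat` prints an error and the loop silently exits 1; echo which file failed before exiting so `docker inspect` shows the reason.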
2 changes: 2 additions & 0 deletions examples/.gitignore
@@ -0,0 +1,2 @@
db/
public_html/
27 changes: 27 additions & 0 deletions examples/httpd-ldap/README.md
@@ -0,0 +1,27 @@
# Example: httpd + ldap

This Example shows how to use ska with httpd and ldap using docker.

## Prepare setup

1. Start system using `docker-compose up -d`
1. Visit http://localhost
1. Login using one of the following credentials:

|Username|Password|Type|
|---|---|---|
|rainbow|password|admin|
|proceme|password|user|

If something goes wrong, check the log using:
```
docker logs -f httpd-ldap_ska_1
```

## Using ska

1. Login using the admin account `rainbow`.
1. Connect to the docker container using: `docker exec -it httpd-ldap_ska-php_1 /bin/ash`
1. Execute `/ska/scripts/ldap_update.php`. This will add the `admin` group and the `keys-sync` user
1. Add the server `test.example.com` at http://localhost/servers#add
1. Ska should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server.
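Review bot: in the last step "connet" should be "connect" and "an `Synced successfully`" should be "a `Synced successfully`". More usefully, the troubleshooting command tails `httpd-ldap_ska_1`, which is the httpd container, while the application's PHP errors go to the `ska-php` container's stderr (the Dockerfile links /var/log/php7/error.log to /dev/stderr), so `docker logs -f httpd-ldap_ska-php_1` is the command readers will actually need. The credential table should also say that `rainbow` and `proceme` are test accounts that live in the LDAP directory httpd.conf binds to, since nothing in this example creates them.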
70 changes: 70 additions & 0 deletions examples/httpd-ldap/docker-compose.yml
@@ -0,0 +1,70 @@
version: '2.2'
services:
test:
image: alpine:3.8
command: /bin/ash -c "(id keys-sync || adduser -h /var/local/keys-sync -S -D -s /bin/sh keys-sync) && chmod 711 /var/local/keys-sync && cp /key /var/local/keys-sync/keys-sync && chown keys-sync:nogroup /var/local/keys-sync/keys-sync && chmod 644 /var/local/keys-sync/keys-sync && apk add openssh && ssh-keygen -A && sed -i -e '/#StrictModes/ s/.*/StrictModes yes/' /etc/ssh/sshd_config && sed -i -e '/AuthorizedKeysFile/ s/.*/AuthorizedKeysFile \/var\/local\/keys-sync\/%u/' /etc/ssh/sshd_config && passwd keys-sync -d test && /usr/sbin/sshd -D"
restart: always
expose:
- "22"
depends_on:
- ska-php
volumes:
- ../shared/config-ldap/keys-sync.pub:/key:ro
networks:
net:
aliases:
- test.example.com

mail:
image: mwader/postfix-relay
restart: always
environment:
- POSTFIX_myhostname=ska.example.de
- POSTFIX_mynetworks=0.0.0.0/0
expose:
- "25"
networks:
- net

ska-db:
image: mariadb
restart: always
environment:
- MYSQL_ROOT_PASSWORD=root-password
- MYSQL_DATABASE=ska-db
- MYSQL_USER=ska-user
- MYSQL_PASSWORD=password
volumes:
- ./db:/var/lib/mysql:rw
networks:
- net

ska-php:
build:
context: ../../docker
restart: always
depends_on:
- ska-db
- mail
volumes:
- ../shared/config-ldap/:/ska/config/:rw
- ../shared/ssmtp.conf:/etc/ssmtp/ssmtp.conf:ro
- ./public_html:/public_html:rw
networks:
- net

ska:
image: httpd:alpine
restart: always
ports:
- "80:80"
depends_on:
- ska-php
volumes:
- ./public_html:/ska/public_html:ro
- ./httpd.conf:/usr/local/apache2/conf/httpd.conf:ro
networks:
- net

networks:
net:
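Review bot: despite the example's name there is no LDAP service in this compose file; authentication depends on the external host `ldap-test.itmettke.de` configured in httpd.conf, so the example only works while that third-party server is up and keeps the `rainbow`/`proceme` accounts, and everyone who runs it sends their test logins there. Add an `ldap` service (an OpenLDAP image seeded with the two users) on the `net` network and point httpd.conf at it. Two more points: in the `test` service, `passwd keys-sync -d test` clears the password of the account ska syncs keys into, so note in a comment that sshd's default `PermitEmptyPasswords no` is what keeps that account key-only; and `POSTFIX_mynetworks=0.0.0.0/0` makes the relay accept mail from any source, which is tolerable only because port 25 is `expose`d to the compose network rather than published, and deserves a comment so nobody copies it into a `ports:` setup. The mounts also reference `../shared/config-ldap/` and `../shared/ssmtp.conf`, which do not appear among the files above; make sure they are part of the PR.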
136 changes: 136 additions & 0 deletions examples/httpd-ldap/httpd.conf
@@ -0,0 +1,136 @@
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule watchdog_module modules/mod_watchdog.so


<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

<IfModule dir_module>
DirectoryIndex index.html
</IfModule>

<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

CustomLog /proc/self/fd/1 common
</IfModule>

<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
</IfModule>

<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

<IfModule proxy_module>
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://ska-php:9000/ska/public_html/$1
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</IfModule>


<Directory />
AllowOverride none
Require all denied
</Directory>

<Directory "/usr/local/apache2/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>

<Directory "/ska/public_html">
AuthType Basic
AuthName "SSH Key Authority"
AuthBasicProvider ldap

AuthLDAPBindDN "uid=rainbow,ou=users,dc=test,dc=itmettke,dc=de"
AuthLDAPBindPassword "password"
AuthLDAPURL "ldap://ldap-test.itmettke.de:389/ou=users,dc=test,dc=itmettke,dc=de?uid?sub?(&(objectClass=person))" STARTTLS

Require valid-user
AllowOverride none
DirectoryIndex init.php
FallbackResource /init.php
Order allow,deny
Allow from all
</Directory>

<Files ".ht*">
Require all denied
</Files>


Listen 80
ServerAdmin [email protected]
ServerRoot "/usr/local/apache2"
DocumentRoot "/ska/public_html"

ErrorLog /proc/self/fd/2
LogLevel warn

LDAPVerifyServerCert off
AllowEncodedSlashes NoDecode
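Review bot: `LDAPVerifyServerCert off` at the bottom disables certificate validation for the `STARTTLS` connection in `AuthLDAPURL`, so the `AuthLDAPBindPassword` and every user's Basic-auth password are sent to whatever answers on ldap-test.itmettke.de:389 without the server ever being authenticated; keep the default `on` and supply the LDAP server's CA with `LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.pem`, or at minimum mark the line as example-only. Related: the file embeds a real third-party hostname and bind DN (`dc=itmettke,dc=de`); the example should use a local LDAP container and example.com names like the rest of the PR. Smaller points: `ScriptAlias /cgi-bin/` and the `Require all granted` block for cgi-bin are kept although no CGI module is loaded, so anything in that directory would be served as plain text; drop both. The module list loads the ftp, connect, scgi, uwsgi, fdpass, wstunnel, ajp, balancer, express, hcheck and http2 proxies, none of which this config uses; `proxy_module` and `proxy_fcgi_module` are enough. `Order allow,deny` / `Allow from all` are 2.2-era directives kept alive only by `access_compat_module` and are redundant next to `Require valid-user`. And `SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1` hands the base64 Basic-auth credentials to PHP on every request; if ska only needs the authenticated username, `REMOTE_USER` (which mod_proxy_fcgi already passes) is sufficient and the line should go.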
34 changes: 34 additions & 0 deletions examples/httpd-local/README.md
@@ -0,0 +1,34 @@
# Example: httpd + htpasswd

This Example shows how to use ska with httpd and ldap using docker.

## Prepare setup

1. Start system using `docker-compose up -d`
1. Visit http://localhost
1. Login using one of the following credentials (Only keys-sync account exists at first):

|Username|Password|Type|
|---|---|---|
|keys-sync|password|admin|
|rainbow|password|admin|
|proceme|password|user|

If something goes wrong, check the log using:
```
docker logs -f httpd-local_ska_1
```

## Using ska

_The `keys-sync` user should only be used for the first setup. Afterwards its best to create a dedicated account per user._

1. Login using the admin account `keys-sync`.
1. Create user `rainbow` as admin and user `proceme` as user at http://localhost/users#add
1. Add the server `test.example.com` at http://localhost/servers#add
1. Ska should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server.

## Add/Change passwords for users

1. Either install `htpasswd` on your system or connect to the httpd container using `docker exec -it httpd-local_ska_1 /bin/ash`.
1. Run `htpasswd` on the htpasswd file. Inside the container it is `htpasswd /allowed_users <username>`
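Review bot: the intro line "This Example shows how to use ska with httpd and ldap using docker" is copied from the LDAP example; this one uses htpasswd, as the title says. Same typos as the other README: "connet" should be "connect", "an `Synced successfully`" should be "a `Synced successfully`", and "its best" should be "it's best". The credential table is misleading as written: `rainbow` and `proceme` only work once step 2 under "Using ska" creates them and the "Add/Change passwords" section puts them into the htpasswd file, and `password` for `keys-sync` is a shipped default for the very account that pushes keys to servers, so the text should say to change it (`htpasswd /allowed_users keys-sync`) before the setup is reachable by anyone else, and should say where `/allowed_users` comes from in the compose file. Also state whether that file is mounted read-write, since `htpasswd` inside the container cannot edit a read-only bind mount.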