Différences entre versions de « CoSign »

De Cliss XXI
Sauter à la navigation Sauter à la recherche
imported>SylvainBeucler
imported>SylvainBeucler
Ligne 9 : Ligne 9 :
  
 
I'm using Apache2 here.
 
I'm using Apache2 here.
 +
Let's try to use [http://www.pathname.com/fhs/ FHS]-compliant paths.
  
 
  ./configure --enable-apache2=/usr/bin/apxs2 \
 
  ./configure --enable-apache2=/usr/bin/apxs2 \

Version du 16 mai 2007 à 12:49

HOWTO: I found it difficult to install CoSign 2.0.2a because the documentation contains inaccuracies, and because it can be hard to debug configuration errors. Here's a working test configuration:

CoSign is composed of 3 main parts:

  • filter: this is mod_cosign, allowing Apache to automatically check the user's CoSign cookie
  • cgi: cosign.cgi and logout.cgi, for initial login and full logout
  • cosignd: the daemon that centralises authentication sessions, can be called from different computers where filter and cgi are installed

Compilation and Installation

I'm using Apache2 here. Let's try to use FHS-compliant paths.

./configure --enable-apache2=/usr/bin/apxs2 \
	    --prefix=/var/lib/cosign \
	    --sbindir=/usr/local/sbin \
	    --mandir=/usr/local/share/man \
	    --with-filterdb=/var/lib/cosign/filter \
	    --with-cosigndb=/var/lib/cosign/daemon \
	    --with-cosignconf=/etc/cosign.conf \
	    --with-cosigncadir=/etc/cosign/certs/CA \
	    --with-cosigncert=/etc/cosign/certs/cert.pem \
	    --with-cosignkey=/etc/cosign/certs/key.pem

TODO: use /usr/lib and /usr/share appropriately, also allowing using the standard --prefix=/usr/local. Use FHS-compliant /usr/lib/cosign/cgi-ssl

make everything \
&& sudo make install-all \
&& sudo invoke-rc.d apache2 stop && sleep 1 && sudo invoke-rc.d apache2 start
# mod_cosign dir
mkdir -p /var/lib/cosign/filter
chown www-data: /var/lib/cosign/filter
# cosignd dir
sudo mkdir -p /var/lib/cosign/daemon
sudo useradd cosign
sudo chown cosign /var/lib/cosign/daemon

Apache2 configuration

/etc/apache2/sites-available/default:

# Automatically added in /etc/apache2/httpd.conf by 'make install-all'
LoadModule cosign_module /usr/lib/apache2/modules/mod_cosign.so

NameVirtualHost *:80
NameVirtualHost *:443
# TLS VirtualHost 'cause CoSign requires https login
<VirtualHost *:443>
  SSLEngine		On
  SSLCertificateFile	/etc/apache2/ssl/cert.pem
  SSLCertificateKeyFile	/etc/apache2/ssl/key.pem

  Alias /cosign/ "/var/lib/cosign/html/"
  ScriptAlias /cosign-bin/ "/var/lib/cosign/cgi-ssl/"

  Include sites-available/common.inc
</VirtualHost>

<VirtualHost *:80>
  Include sites-available/common.inc
</VirtualHost>

/etc/apache2/sites-available/common.inc:

CosignProtected         Off
CosignHostname          localhost
# Don't redirect to https if we come from http
CosignHttpOnly          On
CosignRedirect          https://localhost/cosign-bin/cosign.cgi
CosignPostErrorRedirect https://localhost/cosign/post_error.html
CosignService           simpleservice

CosignCrypto /usr/local/cosign/certs/mod_cosign.key /usr/local/cosign/certs/mod_cosign.crt /usr/local/cosign/certs/CA

Alias /cosign/ "/var/lib/cosign/html/"
ScriptAlias /cosign-bin/ "/var/lib/cosign/cgi-ssl/"

Alias /services/ "/usr/local/cosign/services/"
<Directory "/usr/local/cosign/services">
  CosignProtected On
</Directory>

CoSign configuration

Pitfalls:

  • The cgi doesn't take more than 1 parameter - only service does.
  • set cosignhost is used by cgi, not cosignd. It specifies the host where cosignd runs, and is not related to replication.
  • Afaics 'factor' lines will always be ran and returns the name of the validated factor. This among others allows to filter which users can access to which service.
  • TODO: fix documentation
  • TODO: explain what service is for

/etc/cosign.conf:

# Allow CGI access from this host
cgi localhost

set cosignhost localhost
set cosigncadir /etc/cosign/certs/CA/
set cosigncert /etc/cosign/certs/cgi.crt
set cosignkey /etc/cosign/certs/cgi.key

# Grant the given session type if credentials match the given factor
cookie cosign-simpleservice reauth FACTOR-LDAP
# Argument 3 and later are name of <FORM> fields from the template
factor /usr/share/cosign/factor/ldap login password

set cosignlogouturl http://localhost/
set cosignloopurl https://localhost/cosign/looping.html

Certificates generation

We'll generate our own Certificate Authority.

TODO: during tests it's frequent to remove and rebuild everything. Typing password is really inconvenient in this case, and -passin doesn't work for 'ca'. Please find a way to make this unattented!

# Base OpenSSL install
mkdir -p -m 755 /etc/cosign/certs/CA
cd mkdir -p /etc/cosign/certs
umask 0027
mkdir -m 700 demoCA
pushd demoCA
mkdir -m 755 newcerts
mkdir -m 700 private
echo "01" > serial
touch index.txt
popd

# Root CA
# subj model from `openssl x509 -noout -text -in machin.cert`
openssl req -new -subj "/C=FR/ST=NPDC/L=Lievin/O=Cliss XXI/OU=SSO/CN=Root CA/" \
  -x509 -days 365 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
chmod a+r demoCA/cacert.pem

# Certificate request and private key
# cosignd
openssl req -new -subj "/C=FR/ST=NPDC/L=Lievin/O=Cliss XXI/OU=SSO cosignd/CN=localhost/" \
  -nodes -keyout "cosignd.key" -out "cosignd.csr"
# Sign certificate
openssl ca -in "cosignd.csr" -out "cosignd.crt"

# CGI
openssl req -new -subj "/C=FR/ST=NPDC/L=Lievin/O=Cliss XXI/OU=SSO cgi/CN=localhost/" \
  -nodes -keyout "cgi.key" -out "cgi.csr"
# Sign certificate
openssl ca -in "cgi.csr" -out "cgi.crt"
chgrp www-data cgi.key cgi.crt

# mod_cosign
openssl req -new -subj "/C=FR/ST=NPDC/L=Lievin/O=Cliss XXI/OU=SSO mod_cosign/CN=localhost/" \
  -nodes -keyout "mod_cosign.key" -out "mod_cosign.csr"
# Sign certificate
openssl ca -in "mod_cosign.csr" -out "mod_cosign.crt"

# Allowed certs path
mkdir -m 755 CA
ln demoCA/cacert.pem CA/
c_rehash CA/

# Tests - cf. http://www.umich.edu/~umweb/software/cosign/faq.html
openssl verify -CApath CA/ -purpose sslclient cgi.crt mod_cosign.crt
openssl verify -CApath CA/ -purpose sslserver cosignd.crt
openssl s_client -connect localhost:6663 -cert cgi.crt -key cgi.key -CApath CA/ \
  -showcerts -state -debug -crlf -starttls smtp
# DO CHECK THAT YOU GET "Verify return code: 0 (ok)"!!!
# (s_client won't stop on error)

cosignd server start

TODO: use/adapt scripts/startup/cosignd

# Launch server with different keys just in case:
cd /var/lib/cosign/certs/
/usr/local/sbin/cosignd -y cosignd.crt -z cosignd.key -x /usr/local/cosign/certs/CA/
# CA path must be a full path, because cosignd chdir to /var/lib/cosign/daemon

Test

Now hit https://localhost/services/

Beyond

Check what monsterd is :)