admin: Fix compatibility with OpenSSH 7

Motivation: DSA keys are disabled by default in OpenSSH 7. Modification: Add RSA keys in the install scripts. Fixes a bug in the admin door in which it erroneously included the public key as a private key. The public key file is not used by the door as the public key is embedded in the file with they private key. Generalizes the admin door to accept a list of private keys. Thus existing DSA keys will continue to work. Result: Switched admin to generate both DSA and RSA keys to make it compatible with OpenSSH 7 clients. Introduced admin.paths.host-keys. Target: trunk Request: 2.16 Request: 2.15 Request: 2.14 Request: 2.13 Require-notes: yes Require-book: yes Acked-by: Paul Millar <paul.millar@desy.de> Reviewed at https://rb.dcache.org/r/9416/ (cherry picked from commit 92fbe53)
dCache · Jun 17, 2016 · bdcef9d · bdcef9d
1 parent ee9880a
commit bdcef9d
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 52 deletions.
diff --git a/modules/dcache/src/main/java/org/dcache/services/ssh2/Ssh2Admin.java b/modules/dcache/src/main/java/org/dcache/services/ssh2/Ssh2Admin.java
@@ -1,8 +1,5 @@
 package org.dcache.services.ssh2;
 
-import dmg.cells.nucleus.CellCommandListener;
-import dmg.cells.nucleus.CellLifeCycleAware;
-
 import org.apache.sshd.SshServer;
 import org.apache.sshd.common.Factory;
 import org.apache.sshd.common.NamedFactory;
@@ -29,16 +26,22 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
+import java.util.stream.Stream;
 
 import diskCacheV111.util.AuthorizedKeyParser;
 import diskCacheV111.util.CacheException;
 import diskCacheV111.util.PermissionDeniedCacheException;
 
-import org.dcache.auth.*;
-
-import java.util.stream.Stream;
+import dmg.cells.nucleus.CellCommandListener;
+import dmg.cells.nucleus.CellLifeCycleAware;
 
-import static org.dcache.util.Files.checkFile;
+import org.dcache.auth.LoginReply;
+import org.dcache.auth.LoginStrategy;
+import org.dcache.auth.Origin;
+import org.dcache.auth.PasswordCredential;
+import org.dcache.auth.Subjects;
+import org.dcache.auth.UnionLoginStrategy;
+import org.dcache.util.Files;
 
 /**
  * This class starts the ssh server. It is however not started in the
@@ -53,8 +56,7 @@ public class Ssh2Admin implements CellCommandListener, CellLifeCycleAware
     private static final Logger _log = LoggerFactory.getLogger(Ssh2Admin.class);
     private final SshServer _server;
     // UniversalSpringCell injected parameters
-    private String _hostKeyPrivate;
-    private String _hostKeyPublic;
+    private String[] _hostKeys;
     private File _authorizedKeyList;
     private String _host;
     private int _port;
@@ -100,22 +102,8 @@ public int getAdminGroupId() {
         return _adminGroupId;
     }
 
-    public String getHostKeyPrivate() {
-        return _hostKeyPrivate;
-    }
-
-    public void setHostKeyPrivate(String hostKeyPrivate) {
-        _hostKeyPrivate = hostKeyPrivate;
-        _log.debug("hostKeyPrivate set to: {}", _hostKeyPrivate);
-    }
-
-    public String getHostKeyPublic() {
-        return _hostKeyPublic;
-    }
-
-    public void setHostKeyPublic(String hostKeyPublic) {
-        _hostKeyPublic = hostKeyPublic;
-        _log.debug("hostKeyPublic set to: {}", _hostKeyPublic);
+    public void setHostKeys(String[] keys) {
+        _hostKeys = keys;
     }
 
     public File getAuthorizedKeyList() {
@@ -208,18 +196,14 @@ public void beforeStop() {
 
     private void configureKeyFiles() {
         try {
-            checkFile(_hostKeyPrivate);
-            checkFile(_hostKeyPublic);
-        } catch (IOException ex) {
-            throw new RuntimeException("Problem with server ssh host keys, " + ex.getMessage());
+            for (String key : _hostKeys) {
+                Files.checkFile(key);
+            }
+            FileKeyPairProvider fKeyPairProvider = new FileKeyPairProvider(_hostKeys);
+            _server.setKeyPairProvider(fKeyPairProvider);
+        } catch (IOException e) {
+            throw new RuntimeException(e.getMessage(), e);
         }
-
-        String[] keyFiles = {_hostKeyPrivate, _hostKeyPublic};
-        FileKeyPairProvider fKeyPairProvider = new FileKeyPairProvider(
-                keyFiles);
-
-        _server.setKeyPairProvider(fKeyPairProvider);
-
     }
 
     private void startServer() {

diff --git a/modules/dcache/src/main/resources/org/dcache/services/ssh2/ssh2Admin.xml b/modules/dcache/src/main/resources/org/dcache/services/ssh2/ssh2Admin.xml
@@ -10,6 +10,18 @@
     <context:annotation-config/>
     <context:property-placeholder/>
 
+    <!-- Convert properties with multiple values separated by comma into an array of strings:
+     key=value1,value2,value3 : String[] {value1, value2, value3}
+     -->
+    <bean class="org.springframework.beans.factory.config.CustomEditorConfigurer">
+        <property name="customEditors">
+            <map>
+                <entry key="java.lang.String[]"
+                       value="org.springframework.beans.propertyeditors.StringArrayPropertyEditor"/>
+            </map>
+        </property>
+    </bean>
+
     <bean id="noroutetocell" class="org.dcache.cells.LogNoRouteToCellExceptionReceiver">
         <description>Undeliverable message logger</description>
         <property name="excludedDestinations" value="${admin.loginbroker.request-topic}"/>
@@ -98,8 +110,7 @@
     <bean id="ssh2Server" class="org.dcache.services.ssh2.Ssh2Admin">
         <property name="host" value="#{ T(com.google.common.base.Strings).emptyToNull('${admin.net.listen}') }"/>
         <property name="port"               value="${admin.net.port}"/>
-        <property name="hostKeyPrivate"     value="${admin.paths.dsa-host-key.private}"/>
-        <property name="hostKeyPublic"      value="${admin.paths.dsa-host-key.public}"/>
+        <property name="hostKeys"           value="${admin.paths.host-keys}"/>
         <property name="authorizedKeyList"  value="${admin.paths.authorized-keys}"/>
         <property name="loginStrategy"      ref="login-strategy"/>
         <property name="adminGroupId"       value="${admin.authz.gid}"/>

diff --git a/packages/fhs/src/main/deb/postinst b/packages/fhs/src/main/deb/postinst
@@ -42,6 +42,11 @@ Please fix this and reinstall this package." >&2
         chmod 640 /etc/dcache/admin/ssh_host_dsa_key
         chgrp dcache /etc/dcache/admin/ssh_host_dsa_key
     fi
+    if [ ! -f /etc/dcache/admin/ssh_host_rsa_key ]; then
+        ssh-keygen -q -t rsa -f /etc/dcache/admin/ssh_host_rsa_key -N ""
+        chmod 640 /etc/dcache/admin/ssh_host_rsa_key
+        chgrp dcache /etc/dcache/admin/ssh_host_rsa_key
+    fi
 fi
 
 #DEBHELPER#
diff --git a/packages/fhs/src/main/rpm/dcache-server.spec b/packages/fhs/src/main/rpm/dcache-server.spec
@@ -68,6 +68,11 @@ if [ ! -f /etc/dcache/admin/ssh_host_dsa_key ]; then
     chmod 640 /etc/dcache/admin/ssh_host_dsa_key
     chgrp dcache /etc/dcache/admin/ssh_host_dsa_key
 fi
+if [ ! -f /etc/dcache/admin/ssh_host_rsa_key ]; then
+    ssh-keygen -q -t rsa -f /etc/dcache/admin/ssh_host_rsa_key -N ""
+    chmod 640 /etc/dcache/admin/ssh_host_rsa_key
+    chgrp dcache /etc/dcache/admin/ssh_host_rsa_key
+fi
 
 # fix file /var/lib/dcache directory ownership
 chown dcache:dcache /var/lib/dcache

diff --git a/packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key b/packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEoAIBAAKCAQEAspj9O1KvIrXzSqClOdWyXOxX4WBFUacVNq20Cb/OjJFTjYf9
+4ayMt97ckQbT83nteL5D9si7qFLSw+smeJd3TaJmuPuSMgrlDm9SVr1s1u8qM+oz
+beuOCP7n+pcfDzDhAQRdwBqEl6P/DVf/DE5iAy4ldW4B+KJ+aqubTz3eCYX1WZiC
+n6h3b9VY4BSBPdxvnVGzVte9je1ZjcI8F6UA9Bac+AuY96S6HgbhJbEBTH4sLzqC
+bs7oMjNYrhA2mFDpIMHwW9wKLYOp20gDOE3jZ78nspXfSbwBxCuaNvyWtnYgtT4s
+XbCB0lJuVtaJucZZVjlOmMfGwrttYuWsrdOwMQIDAQABAoH/IuG+k9eSXTUsT2cQ
+3jrem0eN4nbrEwePHR7QCxdrQAkiSIJHE8yfr0nXynuK6gLmXq7Kl2idPkLu51UG
+LodmxcLyTS7VXvDBzA/yBP76QwBzPbCAWvemxhsDM+5QIqdpSsmPhfWn7/YX2oNV
+TRICEpzws/7IY8dY6Xya2N88fp9XnKcHvumdu22x5OUn4hhBNC5Wgy3/OioXwa9c
+NbBl+8BgwbBMl8OKcqw1t65l/9tO5NsYwcqPIauq08y8/qHAkNBsWsF6byNI7FSM
+BuyI68UyDF7Y+O/VTBZ0eD50hl7IGDpk7k+kif9wbAYXXwBXjgTD0a65SOTB6QYW
+xbLhAoGBAON9KdefwO4xkZ0oLpsjpYqUprlybdh7D0TWclXGthdIE8Wuyv0B3c+j
+o2AF4l3jpIf2n1WU4xKYR0QGnGLkWXwFMQRFBgsTScpQhBkq7KghzJ9cl2z9xf27
+fcKMkMzaQi0p+tMRaS92XpZMiOOZvpjO9lr/K/qVMm60nRL5wHj9AoGBAMj7LfCk
+CYXxPG1EPK7q2gdYW2b7XQvzUjPXK3Y3FMJjkFnOCADrNt8nYCL3Z6ULYk51NNKs
+ajdG04K+qUBGjTPGvw8QzJzZobZFDk6fctWqyPnnk3WpOZIyC0VzpH4+YHZIpz7i
+RGJ8g1DFX4BDZWGFakZZ4LK+2rLimoZEhaRFAoGAIV8lGjqXRNoEsHdKjvultzSj
+WKUOtCkpTkHfN/IUmEm8jM1dfcweS+2Hc/ipAnj4k/F74kQbI4kvOy11F5TEA8uH
+K0cs4ccMlh9FoaOIYAnFSMN+e0CnINe2VSnlvAdwmcuEvh3Zvlqw+X90vV66dRQ3
+U5YHT5U/droMKNJ2h8kCgYAvtI9fA1DPXkd9mCjfTBecjriDZT7cy1DDxVsnoENp
+MMDe0CzOKwbHSU1kf102q9EV1nRHXW2I2WLzMdZyz0xM8ev/43jt8iqUXSfcObTE
+StmRmApEb3qe3QoX3i85WA0FhpFMN+ELj4qL7Y2RoG28DDMBp+vSAcNfmrIbFMC0
+EQKBgAC1bKPabrMl8T8N+UAVLK4yoyzioZ0H47BlaC+3b+FvGBl+DjrbC40HO54T
+qJ3niOgIlDOpbZV829q13ADNaC/XFYfwOL1o18fxnWOJ9jlsrM31Ix3Tegfl1g+c
+Hz9Fsee7Su5dJNNfHTtFA8UhjQpXz9vUHz2tRtnGtd4tlc/z
+-----END RSA PRIVATE KEY-----
diff --git a/packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key.pub b/packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCymP07Uq8itfNKoKU51bJc7FfhYEVRpxU2rbQJv86MkVONh/3hrIy33tyRBtPzee14vkP2yLuoUtLD6yZ4l3dNoma4+5IyCuUOb1JWvWzW7yoz6jNt644I/uf6lx8PMOEBBF3AGoSXo/8NV/8MTmIDLiV1bgH4on5qq5tPPd4JhfVZmIKfqHdv1VjgFIE93G+dUbNW172N7VmNwjwXpQD0Fpz4C5j3pLoeBuElsQFMfiwvOoJuzugyM1iuEDaYUOkgwfBb3Aotg6nbSAM4TeNnvyeyld9JvAHEK5o2/Ja2diC1PixdsIHSUm5W1om5xllWOU6Yx8bCu21i5ayt07Ax behrmann@Gerds-MacBook-Pro.local
diff --git a/skel/share/defaults/admin.properties b/skel/share/defaults/admin.properties
@@ -59,10 +59,11 @@ admin.paths.authorized-keys = ${dcache.paths.admin}/authorized_keys2
 
 #  ---- Hostkey location
 #
-#  Defines the location of the ssh2 server host keys
+#  A comma separated list paths of of ssh server host keys.
 #
 admin.paths.dsa-host-key.private = ${dcache.paths.admin}/ssh_host_dsa_key
 admin.paths.dsa-host-key.public = ${dcache.paths.admin}/ssh_host_dsa_key.pub
+admin.paths.host-keys = ${admin.paths.dsa-host-key.private},${dcache.paths.admin}/ssh_host_rsa_key
 
 # Cell addresses and timeouts of other services
 admin.service.gplazma=${dcache.service.gplazma}

diff --git a/skel/share/services/admin.batch b/skel/share/services/admin.batch
@@ -4,8 +4,7 @@ check -strong admin.cell.name
 check admin.cell.subscribe
 check -strong admin.history.size
 check -strong admin.net.port
-check -strong admin.paths.dsa-host-key.private
-check -strong admin.paths.dsa-host-key.public
+check -strong admin.paths.host-keys
 check -strong admin.service.gplazma
 check -strong admin.service.gplazma.timeout
 check -strong admin.service.gplazma.timeout.unit
@@ -29,17 +28,6 @@ check admin.paths.authorized-keys
 check -strong dcache.service.spacemanager
 route add -alias SrmSpaceManager ${dcache.service.spacemanager}
 
-define env failMissingServerKey.exe endDefine
-   say -level=esay "The host key file ${admin.paths.dsa-host-key.private} is missing.  Please generate it with:"
-   say -level=esay "     ssh-keygen -t dsa -f ${admin.paths.dsa-host-key.private} -N \"\""
-   exit 1
-endDefine
-onerror continue
-test -f ${admin.paths.dsa-host-key.private}
-set env have_server_key ${rc}
-onerror shutdown
-exec env failMissingServerKey.exe -ifnotok=have_server_key
-
 create org.dcache.cells.UniversalSpringCell ${admin.cell.name} \
     "classpath:org/dcache/services/ssh2/ssh2Admin.xml \
      -subscribe=${admin.cell.subscribe}"