GLOME login is first application of the GLOME protocol. It is used to authorize serial console access to Linux machines.
To achieve that, a client program called glome-login
is executed by getty (or
a similar process) instead of the conventional /sbin/login
. Instead of
prompting the user for the password, it generates an URL that points at the
authorization server and contains the GLOME handshake information and the action
requested by the operator. The operator follows that URL and upon successful
authentication and authorization, the server provides the operator with an
authorization code response that needs to be returned to glome-login
.
If the authorization code matches the one calculated internally by
glome-login
, the user is authorized and glome-login executes the requested
action - e.g. providing the login shell or rebooting the machine.
The current version of the GLOME login protocol uses the
standard GLOME variant.
Counters are set to constant 0
since only a single set of messages
is exchanged.
- GLOME handshake information and tags are encoded as Base64-encoded URLs or "base64url" [RFC4648 section 5].
- Initial message from the GLOME login client to the server contains the context required for authorization (i.e. host identity, requested action).
- The authorization context is sent in clear for easier debuggability and reducing the likelihood of human errors (e.g. incomplete URL copy and paste).
- Server's public key can be identified by:
- 7-bit service key identifier and message tag prefix (of any length, including 0).
- 7-bit service key prefix and message tag prefix (of any length, including 0),
- Using a message tag prefix provides an additional protection against channel errors (e.g. caused by operator errors).
- The message sent from the GLOME login client to the server contains the context required for authorization (i.e. host identity, requested action).
- In this protocol the client and the server sign identical messages. the client to the server, and therefore is omitted.
The GLOME login client generates the challenge in the form of an URL:
<url-prefix>/v<V>/<glome-handshake>[/<message>]/
glome-handshake := base64url(
<prefix-type>
<prefix7>
<eph-key>
[<prefixN>]
)
message := [<hostid-type>:]<hostid>[/<action>]
where have the following meanings:
Field | Length | Description |
---|---|---|
url-prefix | arbitrary | |
V | 1 byte | URL format version. Currently always 1. |
prefix-type | 1 bits | Determines the meaning of (prefix7; prefixN) fields:
with the public key (to be administrator configurable) |
prefix7 | 7 bits | Purpose determined by prefix-type. |
eph-key | 32 bytes | Client's public key (ephemeral). |
prefixN | 0..32 bytes | Purpose determined by prefix-type, right now message tag prefix. |
hostid-type | 0..n bytes | Type of identity; hostname if not set |
hostid | 1..n bytes | Identity of the target (e.g. hostname, serial number, etc.) |
action | 0..n bytes | Action that is being authorized (e.g. reboot, shell). Both parties should agree what the default action is if not set. |
The client should then output the resulting challenge as a fully-qualified URL, with the server portion set to the GLOME server able to sign responses for this request and the protocol preferably set to HTTPS.
The URL should always end in a /
to make it easy for the GLOME login server to
detect truncated requests and reject those early. Without the trailing slash
requirement the request will likely look correct and may result in an invalid
request being signed causing confusion for the operator.
The <action>
field represents the action being authorized and should not
be ambiguous in a way that affects security. The format of the action is left
up to the implementer to decide but it has to take into account these points:
- The
<action>
needs to be suitable for embedding in a URL. - The
<action>
should be human readable and easy to understand both as part of the URL and stand alone.
Good examples:
shell/root
starts a shell as the given user, root in this case.reboot
reboots the target.show-logs/httpd
outputs debug logs for the HTTPD application.
Bad examples:
exec
executes a command.- This is bad because it does not specify which command is being executed.
exec/cm0gLWZyIC8=
executes a given command (Base64 encoded).- This is not human readable.
shell
starts a shell as an user-provided but undisclosed user.- This is bad if there exists ambiguity on which user the shell will launch as. E.g. if the system is hard-coded to only allow login as root, this example is OK - otherwise not.
Care must be taken to ensure that the URL outputted by the GLOME login client is a well-formed URL.
A GLOME login client should make sure to format the URL as per [RFC 3986 Section 2.4]. The intent should be to maximize the human readability of the URL.
Example: If the GLOME login server is running on https://glome.example.com/
and the challenge is /v1/AAAAAAA.../serial:ab@!c/action/
the resulting URL
should be presented as
https://glome.example.com/v1/AAAAAAA.../serial:ab@!c/action/.
The important lesson from this example is that serial:ab@!c
is not encoded
using percent encoding as there is no reason to and would sacrifice human
readability needlessly.
Finally it is recommended to verify that commonly used terminal emulators correctly identify the whole URL when outputted.
The message tag prefix is calculated by the client as the MAC tag over the
<message>
field. The client can choose to include as much of the tag as it
prefers.
The server can verify the integrity of the message doing the same calculation and performing a prefix comparison of the expected tag and the received message tag prefix.
The message tag prefix does not offer any additional security properties unless the server enforces its inclusion. However, the message tag prefix is still useful to detect accidental message corruption. It can also be used to resolve ambiguity in which service key was used by the client.
The response is a Base64 URL-safe (base64url) MAC tag computed over the
<message>
field as provided by the client. The GLOME login client can accept a
shortened tag (prefix) to reduce the message cost. Ephemeral keys are valid only
for one attempt, thus the brute forcing is severely limited, and can be further
slowed down by introducing an artificial delay before comparing the tags.
These are some example test cases that can be used to verify an implementation of the GLOME login protocol. Octet strings (keys and tags) are represented in hexadecimal encoding, message counters in their decimal represenation and messages and strings in ASCII encoding.
For in-depth definition of the GLOME variables, see the protocol specification. In summary note that is the private key and is the associated public key.
Login request using service key index 1, message tag prefix length of 16 bits, and response tag length of 60 bits.
Login request using service key prefix, no message tag prefix, and full response tag.
The GLOME protocol is based on the assumption that the cost of transmitting messages in the server-to-client direction is higher than in the opposite direction.
If that is not the case, then using an existing proven signature scheme (e.g, Ed25519) is recommended.