From: Stefan Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 12/12] auth: us ec keys as auth keys
Date: Thu, 15 Feb 2024 16:20:01 +0100	[thread overview]
Message-ID: <20240215152001.269490-13-s.sterz@proxmox.com> (raw)
In-Reply-To: <20240215152001.269490-1-s.sterz@proxmox.com>

this commit moves new installations from our default rsa keys toward
smaller and more efficient ec keys. this uses the `PrivateKey` and
`PublicKey` structs from proxmox-auth-api to handle generating the
keys.

this means we can move away from using openssl directly in the
auth_helpers and instead rely on the implementation in
`proxmox-auth-api`. thus, further unifying key handling in
`proxmox-auth-api`. this should make it easier to switch keys in the
future if necessary.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
---
note that this breaks the following scenario:

- a user installs pbs from a version after this patch was packaged
- proxmox-backup then creates a new ed25519 authkey
- the user manually forces a downgrade

proxmox-backup-api and proxmox-backup-proxy will now fail to start as
they cannot read the, from their perspective, malformed authkey.

 src/auth.rs         |  4 ++--
 src/auth_helpers.rs | 53 ++++++++++++++-------------------------------
 2 files changed, 18 insertions(+), 39 deletions(-)

diff --git a/src/auth.rs b/src/auth.rs
index 3379577f..20d2e39f 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -262,9 +262,9 @@ pub(crate) fn authenticate_user<'a>(
 }

 static PRIVATE_KEYRING: Lazy<Keyring> =
-    Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into()));
+    Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone()));
 static PUBLIC_KEYRING: Lazy<Keyring> =
-    Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into()));
+    Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone()));
 static AUTH_CONTEXT: OnceCell<PbsAuthContext> = OnceCell::new();

 pub fn setup_auth_context(use_private_key: bool) {
diff --git a/src/auth_helpers.rs b/src/auth_helpers.rs
index 375ce190..f518c2ee 100644
--- a/src/auth_helpers.rs
+++ b/src/auth_helpers.rs
@@ -3,12 +3,9 @@ use std::path::PathBuf;
 use std::sync::OnceLock;

 use anyhow::{format_err, Error};
-use lazy_static::lazy_static;
-use openssl::pkey::{PKey, Private, Public};
-use openssl::rsa::Rsa;

 use pbs_config::BackupLockGuard;
-use proxmox_auth_api::HMACKey;
+use proxmox_auth_api::{HMACKey, PrivateKey, PublicKey};
 use proxmox_sys::fs::{file_get_contents, replace_file, CreateOptions};

 use pbs_buildcfg::configdir;
@@ -87,26 +84,22 @@ pub fn generate_auth_key() -> Result<(), Error> {
         return Ok(());
     }

-    let rsa = Rsa::generate(4096).unwrap();
-
-    let priv_pem = rsa.private_key_to_pem()?;
+    let key = proxmox_auth_api::PrivateKey::generate_ec()?;

     use nix::sys::stat::Mode;

     replace_file(
         &priv_path,
-        &priv_pem,
+        &key.private_key_to_pem()?,
         CreateOptions::new().perm(Mode::from_bits_truncate(0o0600)),
         true,
     )?;

-    let public_pem = rsa.public_key_to_pem()?;
-
     let backup_user = pbs_config::backup_user()?;

     replace_file(
         &public_path,
-        &public_pem,
+        &key.public_key_to_pem()?,
         CreateOptions::new()
             .perm(Mode::from_bits_truncate(0o0640))
             .owner(nix::unistd::ROOT)
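Review bot: The generation call spells out `proxmox_auth_api::PrivateKey::generate_ec()?` even though this commit adds `PrivateKey` to the `use proxmox_auth_api::{...}` line, so `let key = PrivateKey::generate_ec()?;` would match the loader functions further down. Since the on-disk key type changes here, a short comment above that line would help the next maintainer, for example `// new installs get an EC key; releases before this change cannot parse it`. The body of generate_auth_key starts and ends outside this hunk, so the early-return condition and the rest of the public-key write are not visible here.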
@@ -134,36 +127,22 @@ pub fn csrf_secret() -> &'static HMACKey {
     })
 }

-fn load_public_auth_key() -> Result<PKey<Public>, Error> {
-    let pem = file_get_contents(configdir!("/authkey.pub"))?;
-    let rsa = Rsa::public_key_from_pem(&pem)?;
-    let key = PKey::from_rsa(rsa)?;
-
-    Ok(key)
-}
-
-pub fn public_auth_key() -> &'static PKey<Public> {
-    lazy_static! {
-        static ref KEY: PKey<Public> = load_public_auth_key().unwrap();
-    }
-
-    &KEY
-}
-
-fn load_private_auth_key() -> Result<PKey<Private>, Error> {
-    let pem = file_get_contents(configdir!("/authkey.key"))?;
-    let rsa = Rsa::private_key_from_pem(&pem)?;
-    let key = PKey::from_rsa(rsa)?;
+pub fn public_auth_key() -> &'static PublicKey {
+    static KEY: OnceLock<PublicKey> = OnceLock::new();

-    Ok(key)
+    KEY.get_or_init(|| {
+        let pem = file_get_contents(configdir!("/authkey.pub")).unwrap();
+        PublicKey::from_pem(&pem).unwrap()
+    })
 }

-pub fn private_auth_key() -> &'static PKey<Private> {
-    lazy_static! {
-        static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
-    }
+pub fn private_auth_key() -> &'static PrivateKey {
+    static KEY: OnceLock<PrivateKey> = OnceLock::new();

-    &KEY
+    KEY.get_or_init(|| {
+        let pem = file_get_contents(configdir!("/authkey.key")).unwrap();
+        PrivateKey::from_pem(&pem).unwrap()
+    })
 }

 const LDAP_PASSWORDS_FILENAME: &str = configdir!("/ldap_passwords.json");
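Review bot: Both loaders in this hunk call bare `.unwrap()` on `file_get_contents(...)` and on `from_pem(...)`, so a missing or unparsable key file panics inside the `OnceLock` initialiser with no indication of which file or step failed. Unparsable keys are exactly the case the commit note describes for a downgraded daemon. An `expect` that names the file (never its contents) would make that failure diagnosable from the journal, e.g. `PublicKey::from_pem(&pem).expect("failed to parse auth key at authkey.pub")`, and likewise for the read and for the private key. Because only new installations get an EC key, it is also worth confirming, and ideally covering with a test, that `PrivateKey::from_pem` and `PublicKey::from_pem` still accept the RSA PEM files that existing installations have on disk; that cannot be seen from this hunk.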
--
2.39.2




