# This is a combination of 3 commits.

# This is the 1st commit message: First bunch of major changes # This is the commit message #2: Renaming # This is the commit message #3: tmp
mettke · Apr 19, 2019 · c6b6fd3 · c6b6fd3
1 parent 38f1103
commit c6b6fd3
Show file tree

Hide file tree

Showing 98 changed files with 577 additions and 5,956 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
 config/config.ini
-config/keys-sync
-config/keys-sync.pub
+config/cert-sync
+config/cert-sync.pub
 extensions/*.php
diff --git a/NOTICE b/NOTICE
@@ -17,7 +17,7 @@ Copyright 2019 Marc Mettke
 
 THIRD PARTY ACKNOWLEDGEMENTS
 
-Component: Original SSH Key Authority
+Component: Derived from on SSH Key Authority
 
 Copyright 2013-2017 Opera Software AS
 

diff --git a/README.md b/README.md
@@ -1,6 +1,4 @@
-> This is a maintained fork of [operasoftware/ssh-key-authority](https://github.com/operasoftware/ssh-key-authority). There should be no problem upgrading to this version, but it is not possible to migrate back to the old. Before migrating remember to make backups!
-
-SKA - SSH Key Authority
+SCA - SSL Cert Authority
 =======================
 
 A tool for managing user and server SSH access to any number of servers.
@@ -23,7 +21,7 @@ Features
 Demo
 ----
 
-You can view the SSH Key Authority in action on the [demonstration server](https://ska.xiven.com/).
+You can view the SSL Cert Authority in action on the [demonstration server](https://sca.xiven.com/).
 
 Use one of the following sets of username / password credentials to log in:
 
@@ -50,70 +48,70 @@ Installation
 
 2.  Add the following directives to your Apache configuration (eg. virtual host config):
 
-        DocumentRoot /path/to/ska/public_html
+        DocumentRoot /path/to/sca/public_html
         DirectoryIndex init.php
         FallbackResource /init.php
 
 3.  Create a MySQL user and database (run in MySQL shell):
 
-        CREATE USER 'ska-user'@'localhost' IDENTIFIED BY 'password';
-        CREATE DATABASE `ska-db` DEFAULT CHARACTER SET utf8mb4;
-        GRANT ALL ON `ska-db`.* to 'ska-user'@'localhost';
+        CREATE USER 'sca-user'@'localhost' IDENTIFIED BY 'password';
+        CREATE DATABASE `sca-db` DEFAULT CHARACTER SET utf8mb4;
+        GRANT ALL ON `sca-db`.* to 'sca-user'@'localhost';
 
 4.  Copy the file `config/config-sample.ini` to `config/config.ini` and edit the settings as required.
 
 5.  Set up authentication for your virtual host. The Auth-user variable must be passed to the application.
 
 6.  Set `scripts/cron.php` to run on a regular cron job.
 
-7.  Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as `config/keys-sync` and `config/keys-sync.pub` for the private and public keys respectively.
+7.  Generate an SSH key pair to synchronize with. SSL Cert Authority will expect to find the files as `config/cert-sync` and `config/cert-sync.pub` for the private and public keys respectively.
 
 8.  Install the SSH key synchronization daemon. 
 
     * For systemd:
 
-        1.  Copy `services/systemd/keys-sync.service` to `/etc/systemd/system/`
-        2.  Modify `ExecStart` path and `User` as necessary. If SSH Key Authority is installed under `/home`, disable `ProtectHome`.
+        1.  Copy `services/systemd/cert-sync.service` to `/etc/systemd/system/`
+        2.  Modify `ExecStart` path and `User` as necessary. If SSL Cert Authority is installed under `/home`, disable `ProtectHome`.
         3.  `systemctl daemon-reload`
-        4.  `systemctl enable keys-sync.service`
+        4.  `systemctl enable cert-sync.service`
 
     * For sysv-init:
 
-        1.  Copy `services/init.d/keys-sync` to `/etc/init.d/`
+        1.  Copy `services/init.d/cert-sync` to `/etc/init.d/`
         2.  Modify `SCRIPT` path and `USER` as necessary.
-        3.  `update-rc.d keys-sync defaults`
+        3.  `update-rc.d cert-sync defaults`
 
     * Manual:
 
-        1. Make sure that `scripts/syncd.php --user keys-sync` is executed whenever the system is restarted
+        1. Make sure that `scripts/syncd.php --user cert-sync` is executed whenever the system is restarted
 
 Usage
 -----
 
 If LDAP is enabed anyone in the LDAP group defined under `admin_group_cn` in `config/config.ini` will be able to manage accounts and servers.
 
-Without LDAP, only the `keys-sync` users will be available after installation. With that user, it is possible to add new administrators or normal users.
+Without LDAP, only the `cert-sync` users will be available after installation. With that user, it is possible to add new administrators or normal users.
 
 Key distribution
 ----------------
 
-SSH Key Authority distributes authorized keys to your servers via SSH. It does this by:
+SSL Cert Authority distributes authorized keys to your servers via SSH. It does this by:
 
-1.  Connecting to the server with SSH, authorizing as the `keys-sync` user.
-2.  Writing the appropriate authorized keys to named user files in `/var/local/keys-sync/` (eg. all authorized keys for the root user will be written to `/var/local/keys-sync/root`).
+1.  Connecting to the server with SSH, authorizing as the `cert-sync` user.
+2.  Writing the appropriate authorized keys to named user files in `/var/local/cert-sync/` (eg. all authorized keys for the root user will be written to `/var/local/cert-sync/root`).
 
-This means that your SSH installation will need to be reconfigured to read authorized keys from `/var/local/keys-sync/`.
+This means that your SSH installation will need to be reconfigured to read authorized keys from `/var/local/cert-sync/`.
 
 Please note that doing so will deny access to any existing SSH public key authorized in the default `~/.ssh` directories.
 
 Under OpenSSH, the configuration changes needed are:
 
-    AuthorizedKeysFile /var/local/keys-sync/%u
+    AuthorizedKeysFile /var/local/cert-sync/%u
     StrictModes no
 
-StrictModes must be disabled because the files will all be owned by the keys-sync user.
+StrictModes must be disabled because the files will all be owned by the cert-sync user.
 
-The file `/var/local/keys-sync/keys-sync` must exist, with the same contents as the `config/keys-sync.pub` file in order for the synchronization daemon to authenticate.
+The file `/var/local/cert-sync/cert-sync` must exist, with the same contents as the `config/cert-sync.pub` file in order for the synchronization daemon to authenticate.
 
 Screenshots
 -----------

diff --git a/config/config-sample.ini b/config/config-sample.ini
@@ -1,7 +1,7 @@
-; SSH Key Authority config file
+; SCA Key Authority config file
 [web]
 enabled = 1
-baseurl = https://ska.example.com
+baseurl = https://sca.example.com
 logo = /logo-header-itmettke.png
 ; footer may contain HTML. Literal & " < and > should be escaped as &amp;
 ; &quot; &lt; $gt;
@@ -14,23 +14,17 @@ timeout_util = GNU coreutils
 ; used on e.g. alpine
 ; timeout_util = BusyBox
 
-key_expiration_enabled = 0
-key_expiration_days = 180
-
-minimum_rsa_key_size = 4096
-minimum_ecdsa_key_size = 384
-
 [security]
-; It is important that SKA is able to verify that it has connected to the
+; It is important that SCA is able to verify that it has connected to the
 ; server that it expected to connect to (otherwise it could be tricked into
 ; syncing the wrong keys to a server). The simplest way to accomplish this is
 ; through SSH host key verification. Setting either of the 2 options below to
 ; '0' can weaken the protection that SSH host key verification provides.
 
-; Determine who can reset a server's SSH host key in SKA:
+; Determine who can reset a server's SSH host key in SCA:
 ;  0: Allow server admins to reset the SSH host key for servers that they
 ;     administer
-;  1: Full SKA admin access is required to reset a server's host key
+;  1: Full SCA admin access is required to reset a server's host key
 host_key_reset_restriction = 1
 
 ; Determine what happens if multiple servers have the same SSH host key:
@@ -47,35 +41,25 @@ host_key_collision_protection = 1
 ; Determine how hostname verification is performed:
 ;  0: Do not perform hostname verification
 ;  1: Compare with the result of `hostname -f`
-;  2: Compare with /var/local/keys-sync/.hostnames, fall back to `hostname -f`
+;  2: Compare with /var/local/cert-sync/.hostnames, fall back to `hostname -f`
 ;     if the file does not exist
-;  3: Compare with /var/local/keys-sync/.hostnames, abort sync if the file
+;  3: Compare with /var/local/cert-sync/.hostnames, abort sync if the file
 ;     does not exist
 ; The last option provides the most solid verification, as a server will only
 ; be synced to if it has been explicitly allowed on the server itself.
 hostname_verification = 0
 
-[defaults]
-; This setting will cause new servers to always have a managed account called
-; "root" and for that account to be automatically added into the
-; "root-accounts" group:
-;
-; account_groups[root] = "root-accounts"
-;
-; Any number of these can be specified
-account_groups[root] = "accounts-root"
-
 [email]
 enabled = 1
 ; The mail address that outgoing mails will be sent from
-from_address = ska@example.com
-from_name = "SSH Key Authority system"
+from_address = sca@example.com
+from_name = "SCA Key Authority system"
 ; Where to mail security notifications to
 report_address = [email protected]
-report_name = "SSH Key Authority reports"
+report_name = "SCA Key Authority reports"
 ; Where users should contact for help
 admin_address = [email protected]
-admin_name = "SSH Key Authority administrators"
+admin_name = "SCA Key Authority administrators"
 ; You can use the reroute directive to redirect all outgoing mail to a single
 ; mail address - typically for temporary testing purposes
 ;reroute = [email protected]
@@ -84,9 +68,9 @@ admin_name = "SSH Key Authority administrators"
 ; Connection details to the MySQL database
 hostname = localhost
 port     = 3306
-username = ska-user
+username = sca-user
 password = password
-database = ska-db
+database = sca-db
 
 [ldap]
 enabled = 0
@@ -114,48 +98,16 @@ user_name = cn
 user_email = mail
 ;user_superior = superioremployee
 
-; If inactive users exist in your LDAP directory, filter with the following
-; settings:
-; Field to filter on:
-;user_active = organizationalstatus
-; Use *one* of user_active_true or user_active_false
-; user_active_true means user is active if the user_active field equals its
-; value
-;user_active_true = 'current'
-; user_active_false means user is active if the user_active field does not
-; equal its value
-;user_active_false = 'former'
-
-; Group membership attributes. Examples below are for typical setups:
-;
-; POSIX groups
-;  group_member = memberUid
-;  group_member_value = uid
-;
-; Group-of-names groups
-;  group_member = member
-;  group_member_value = dn
-;
-; Attribute of group where members are stored
-group_member = memberUid
-; User attribute to compare with
-group_member_value = uid
-
-; Members of admin_group are given full admin access to SSH Key Authority web
-; interface
-admin_group_cn = ska-administrators
-; By default only the admin_group_cn will be synced. This option enabled 
-; synchronisation of every group a user is in
-full_group_sync = 0
+filter = sca-administrators
 
 [inventory]
-; SSH Key Authority will read the contents of the file /etc/uuid (if it
+; SCA Key Authority will read the contents of the file /etc/uuid (if it
 ; exists) when syncing with a server. If a value is found, it can be used as a
 ; link to an inventory system.
 ; %s in the url directive will be replaced with the value found in /etc/uuid
 ;url = "https://inventory.example.com/device/%s"
 
 [gpg]
-; SSH Key Authority can GPG sign outgoing emails sent from the
+; SCA Key Authority can GPG sign outgoing emails sent from the
 ; email.from_address. To do this it needs to know an appropriate key ID to use
 ;key_id = 0123456789ABCDEF0123456789ABCDEF01234567
diff --git a/core.php b/core.php
@@ -49,7 +49,7 @@ function autoload_model($classname) {
 
 // Setup database connection and models
 function setup_database() {
-	global $config, $database, $driver, $pubkey_dir, $user_dir, $group_dir, $server_dir, $server_account_dir, $event_dir, $sync_request_dir;
+	global $config, $database, $driver, $user_dir, $server_dir, $event_dir, $sync_request_dir;
 	try {
 		$database = new mysqli($config['database']['hostname'], $config['database']['username'], $config['database']['password'], $config['database']['database'], $config['database']['port']);
 	} catch(ErrorException $e) {
@@ -59,11 +59,8 @@ function setup_database() {
 	$driver = new mysqli_driver();
 	$driver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;
 	$migration_dir = new MigrationDirectory;
-	$pubkey_dir = new PublicKeyDirectory;
 	$user_dir = new UserDirectory;
-	$group_dir = new GroupDirectory;
 	$server_dir = new ServerDirectory;
-	$server_account_dir = new ServerAccountDirectory;
 	$event_dir = new EventDirectory;
 	$sync_request_dir = new SyncRequestDirectory;
 }

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,13 +1,13 @@
 FROM alpine
 LABEL maintainer="Marc Mettke <[email protected]>"
 
-ENV SYSTEM https://github.com/mettke/ssh-key-authority.git
+ENV SYSTEM https://github.com/mettke/ssl-cert-authority.git
 ADD entrypoint.sh /entrypoint.sh
 ADD healthcheck.sh /healthcheck.sh
 ADD cron /var/spool/cron/crontabs/root
 
-RUN mkdir -p /var/log/keys/ /run/php/ /ska/ && \
-    adduser --system --disabled-password keys-sync && \
+RUN mkdir -p /var/log/keys/ /run/php/ /sca/ && \
+    adduser --system --disabled-password cert-sync && \
     apk add openssh \ 
             php7 \
             php7-fpm \
@@ -25,13 +25,13 @@ RUN mkdir -p /var/log/keys/ /run/php/ /ska/ && \
     echo "" >> /etc/php7/php-fpm.conf && \
     chmod +x /entrypoint.sh /healthcheck.sh && \
     ln -sf /dev/stderr /var/log/php7/error.log
-RUN apk add git && \
-    git clone ${SYSTEM} /ska && \
-    apk del git && \
-    chown -R keys-sync:nogroup /ska/config
+# RUN apk add git && \
+#    git clone ${SYSTEM} /sca && \
+#    apk del git && \
+#    chown -R cert-sync:nogroup /sca/config
 
 EXPOSE 9000
-VOLUME /ska/config
+VOLUME /sca/config
 VOLUME /public_html
 
 ENTRYPOINT "/entrypoint.sh"

diff --git a/docker/cron b/docker/cron
@@ -1,2 +1 @@
-0 1 * * * /ska/scripts/cron.php
-*/1 * * * * /bin/ash -c "PID=$(cat /var/run/keys-sync.pid) && [ -n ${PID} -a -d /proc/${PID} ] || /ska/scripts/syncd.php --user keys-sync"
+*/1 * * * * /bin/ash -c "PID=$(cat /var/run/cert-sync.pid) && [ -n ${PID} -a -d /proc/${PID} ] || /sca/scripts/syncd.php --user cert-sync"
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
@@ -1,42 +1,42 @@
 #!/usr/bin/env ash
-if [ `whoami` == 'keys-sync' ]; then
-  if [ ! -r /ska/config/config.ini ]; then
+if [ `whoami` == 'cert-sync' ]; then
+  if [ ! -r /sca/config/config.ini ]; then
       echo "config.ini not found or incorrect permissions."
-      echo "Permissions must be $(id -u keys-sync):$(id -g keys-sync) with at least 400"
+      echo "Permissions must be $(id -u cert-sync):$(id -g cert-sync) with at least 400"
       exit 1
   fi
-  if [ ! -r /ska/config/keys-sync ]; then
+  if [ ! -r /sca/config/cert-sync ]; then
       echo "private key not found or incorrect permissions."
-      echo "Permissions must be $(id -u keys-sync):$(id -g keys-sync) with 400"
+      echo "Permissions must be $(id -u cert-sync):$(id -g cert-sync) with 400"
       exit 1
   fi
-  if [ ! -r /ska/config/keys-sync.pub ]; then
+  if [ ! -r /sca/config/cert-sync.pub ]; then
       echo "public key not found or incorrect permissions."
-      echo "Permissions must be $(id -u keys-sync):$(id -g keys-sync) with at least 400"
+      echo "Permissions must be $(id -u cert-sync):$(id -g cert-sync) with at least 400"
       exit 1
   fi
-  if ! grep "^timeout_util = BusyBox$" /ska/config/config.ini > /dev/null; then
+  if ! grep "^timeout_util = BusyBox$" /sca/config/config.ini > /dev/null; then
       echo "timeout_util must be set to BusyBox."
       echo "Change it to: timeout_util = BusyBox"
       exit 1
   fi
 elif [ $(id -u) = 0 ]; then
-  if ! sudo -u keys-sync /entrypoint.sh; then
+  if ! sudo -u cert-sync /entrypoint.sh; then
     exit 1
   fi
-  rsync -a --delete /ska/public_html/ /public_html/
+  rsync -a --delete /sca/public_html/ /public_html/
   echo "Waiting for database..."
   for i in $(seq 1 10); do 
-    if /ska/scripts/apply_migrations.php; then
+    if /sca/scripts/apply_migrations.php; then
       echo "Success"
       break
     fi
     echo "Trying again in 1 sec"
     sleep 1
   done
-  
+
   /usr/sbin/crond
-  /ska/scripts/syncd.php --user keys-sync
+  /sca/scripts/syncd.php --user cert-sync
   /usr/sbin/php-fpm7 -F
 else
   echo "Must be executed with root"

diff --git a/docker/healthcheck.sh b/docker/healthcheck.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env ash
-for PID_FILE in /var/run/crond.pid /var/run/keys-sync.pid /var/run/php-fpm.pid; do
+for PID_FILE in /var/run/crond.pid /var/run/cert-sync.pid /var/run/php-fpm.pid; do
 	PID=$(cat ${PID_FILE})
     if ! [ -n "${PID}" -a -d "/proc/${PID}" ]; then
         exit 1