diff options
| -rw-r--r-- | Changelog | 3 | ||||
| -rw-r--r-- | lacme-accountd.1.md | 8 | ||||
| -rw-r--r-- | lacme.8.md | 6 | ||||
| -rw-r--r-- | tests/accountd-remote | 17 |
4 files changed, 31 insertions, 3 deletions
@@ -62,7 +62,8 @@ lacme (0.7.1) upstream; accountd. + accountd: replace internal option --conn-fd=FD with flag --stdio. Using stdin/stdout makes it possible to tunnel the accountd - connection through ssh. + connection through ssh. The new flag is documented to allow safe + usage is authorized_keys(5) restrictions. + Remove dependency on List::Util (core module). - lacme: delay webserver socket shutdown to after the process has terminated. diff --git a/lacme-accountd.1.md b/lacme-accountd.1.md index 4c494f2..476a150 100644 --- a/lacme-accountd.1.md +++ b/lacme-accountd.1.md @@ -81,6 +81,14 @@ Options error when `lacme-accountd` doesn't run as and the `XDG_RUNTIME_DIR` environment variable is unset or empty). +`--stdio` + +: Read signature requests from the standard input and write signatures + to the standard output, instead of using a UNIX-domain socket for + communication with the [ACME] client. + This _internal_ flag should never be used by standalone + `lacme-accountd` instances, only for those [`lacme`(8)] spawns. + `-h`, `--help` : Display a brief help and exit. @@ -493,8 +493,10 @@ following in the [`[accountd]` section](#accountd-section): If the user running `lacme` can connect to `lacme@account.example.net` using (passwordless) key authentication, this setting will spawn a remote [`lacme-accountd`(1)] and use it to sign [ACME] requests. -Further hardening can be achieved my means of [`authorized_keys`(5)] -restrictions. +Further hardening can be achieved by means of [`authorized_keys`(5)] +restrictions: + + restrict,from="…",command="/usr/bin/lacme-accountd --stdio" ssh-rsa … See also ======== diff --git a/tests/accountd-remote b/tests/accountd-remote index 71bb8e2..bd5d99f 100644 --- a/tests/accountd-remote +++ b/tests/accountd-remote @@ -30,4 +30,21 @@ sed -ri 's|^#?config\s*=.*|config = /etc/lacme/lacme-accountd.conf|' /etc/lacme/ lacme newOrder --debug 2>"$STDERR" || fail # intentionally use --debug, ssh should tunnel stdin + stdout + stderr test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key +# and now with an authorized_keys(5) restriction +sed -ri "s|^[^#]|restrict,from=\"127.0.0.1\",command=\"/usr/bin/lacme-accountd --stdio\" &|" ~lacme-account/.ssh/authorized_keys +rm -vf /etc/lacme/simpletest.rsa.crt + +! lacme newOrder 2>"$STDERR" || fail # --config= (and --debug) should be ignored +grepstderr -Fxq "Error: 'privkey' is not specified" +grepstderr -Fxq "[simpletest-rsa] Error: Couldn't issue X.509 certificate!" + +install -olacme-account -glacme-account -Ddm0700 ~lacme-account/.config/lacme +mv -t ~lacme-account/.config/lacme /etc/lacme/account.key +cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF + privkey = file:%E/lacme/account.key +EOF + +lacme newOrder || fail +test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key + # vim: set filetype=sh : |