aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Changelog3
-rw-r--r--lacme-accountd.1.md8
-rw-r--r--lacme.8.md6
-rw-r--r--tests/accountd-remote17
4 files changed, 31 insertions, 3 deletions
diff --git a/Changelog b/Changelog
index 966b0b0..baf67b9 100644
--- a/Changelog
+++ b/Changelog
@@ -62,7 +62,8 @@ lacme (0.7.1) upstream;
accountd.
+ accountd: replace internal option --conn-fd=FD with flag --stdio.
Using stdin/stdout makes it possible to tunnel the accountd
- connection through ssh.
+ connection through ssh. The new flag is documented to allow safe
+ usage is authorized_keys(5) restrictions.
+ Remove dependency on List::Util (core module).
- lacme: delay webserver socket shutdown to after the process has
terminated.
diff --git a/lacme-accountd.1.md b/lacme-accountd.1.md
index 4c494f2..476a150 100644
--- a/lacme-accountd.1.md
+++ b/lacme-accountd.1.md
@@ -81,6 +81,14 @@ Options
error when `lacme-accountd` doesn't run as and the `XDG_RUNTIME_DIR`
environment variable is unset or empty).
+`--stdio`
+
+: Read signature requests from the standard input and write signatures
+ to the standard output, instead of using a UNIX-domain socket for
+ communication with the [ACME] client.
+ This _internal_ flag should never be used by standalone
+ `lacme-accountd` instances, only for those [`lacme`(8)] spawns.
+
`-h`, `--help`
: Display a brief help and exit.
diff --git a/lacme.8.md b/lacme.8.md
index aab448f..9a14d75 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -493,8 +493,10 @@ following in the [`[accountd]` section](#accountd-section):
If the user running `lacme` can connect to `lacme@account.example.net`
using (passwordless) key authentication, this setting will spawn a
remote [`lacme-accountd`(1)] and use it to sign [ACME] requests.
-Further hardening can be achieved my means of [`authorized_keys`(5)]
-restrictions.
+Further hardening can be achieved by means of [`authorized_keys`(5)]
+restrictions:
+
+ restrict,from="…",command="/usr/bin/lacme-accountd --stdio" ssh-rsa …
See also
========
diff --git a/tests/accountd-remote b/tests/accountd-remote
index 71bb8e2..bd5d99f 100644
--- a/tests/accountd-remote
+++ b/tests/accountd-remote
@@ -30,4 +30,21 @@ sed -ri 's|^#?config\s*=.*|config = /etc/lacme/lacme-accountd.conf|' /etc/lacme/
lacme newOrder --debug 2>"$STDERR" || fail # intentionally use --debug, ssh should tunnel stdin + stdout + stderr
test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key
+# and now with an authorized_keys(5) restriction
+sed -ri "s|^[^#]|restrict,from=\"127.0.0.1\",command=\"/usr/bin/lacme-accountd --stdio\" &|" ~lacme-account/.ssh/authorized_keys
+rm -vf /etc/lacme/simpletest.rsa.crt
+
+! lacme newOrder 2>"$STDERR" || fail # --config= (and --debug) should be ignored
+grepstderr -Fxq "Error: 'privkey' is not specified"
+grepstderr -Fxq "[simpletest-rsa] Error: Couldn't issue X.509 certificate!"
+
+install -olacme-account -glacme-account -Ddm0700 ~lacme-account/.config/lacme
+mv -t ~lacme-account/.config/lacme /etc/lacme/account.key
+cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
+ privkey = file:%E/lacme/account.key
+EOF
+
+lacme newOrder || fail
+test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key
+
# vim: set filetype=sh :