From 8e612e071b8c0fc99ebf91673f53ca5f0d6bdd11 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 20 Feb 2021 19:56:15 +0100 Subject: Document `lacme-accountd --stdio`. It's an internal flag, but can be useful for authorized_keys(5) restrictions. --- Changelog | 3 ++- lacme-accountd.1.md | 8 ++++++++ lacme.8.md | 6 ++++-- tests/accountd-remote | 17 +++++++++++++++++ 4 files changed, 31 insertions(+), 3 deletions(-) diff --git a/Changelog b/Changelog index 966b0b0..baf67b9 100644 --- a/Changelog +++ b/Changelog @@ -62,7 +62,8 @@ lacme (0.7.1) upstream; accountd. + accountd: replace internal option --conn-fd=FD with flag --stdio. Using stdin/stdout makes it possible to tunnel the accountd - connection through ssh. + connection through ssh. The new flag is documented to allow safe + usage is authorized_keys(5) restrictions. + Remove dependency on List::Util (core module). - lacme: delay webserver socket shutdown to after the process has terminated. diff --git a/lacme-accountd.1.md b/lacme-accountd.1.md index 4c494f2..476a150 100644 --- a/lacme-accountd.1.md +++ b/lacme-accountd.1.md @@ -81,6 +81,14 @@ Options error when `lacme-accountd` doesn't run as and the `XDG_RUNTIME_DIR` environment variable is unset or empty). +`--stdio` + +: Read signature requests from the standard input and write signatures + to the standard output, instead of using a UNIX-domain socket for + communication with the [ACME] client. + This _internal_ flag should never be used by standalone + `lacme-accountd` instances, only for those [`lacme`(8)] spawns. + `-h`, `--help` : Display a brief help and exit. diff --git a/lacme.8.md b/lacme.8.md index aab448f..9a14d75 100644 --- a/lacme.8.md +++ b/lacme.8.md @@ -493,8 +493,10 @@ following in the [`[accountd]` section](#accountd-section): If the user running `lacme` can connect to `lacme@account.example.net` using (passwordless) key authentication, this setting will spawn a remote [`lacme-accountd`(1)] and use it to sign [ACME] requests. -Further hardening can be achieved my means of [`authorized_keys`(5)] -restrictions. +Further hardening can be achieved by means of [`authorized_keys`(5)] +restrictions: + + restrict,from="…",command="/usr/bin/lacme-accountd --stdio" ssh-rsa … See also ======== diff --git a/tests/accountd-remote b/tests/accountd-remote index 71bb8e2..bd5d99f 100644 --- a/tests/accountd-remote +++ b/tests/accountd-remote @@ -30,4 +30,21 @@ sed -ri 's|^#?config\s*=.*|config = /etc/lacme/lacme-accountd.conf|' /etc/lacme/ lacme newOrder --debug 2>"$STDERR" || fail # intentionally use --debug, ssh should tunnel stdin + stdout + stderr test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key +# and now with an authorized_keys(5) restriction +sed -ri "s|^[^#]|restrict,from=\"127.0.0.1\",command=\"/usr/bin/lacme-accountd --stdio\" &|" ~lacme-account/.ssh/authorized_keys +rm -vf /etc/lacme/simpletest.rsa.crt + +! lacme newOrder 2>"$STDERR" || fail # --config= (and --debug) should be ignored +grepstderr -Fxq "Error: 'privkey' is not specified" +grepstderr -Fxq "[simpletest-rsa] Error: Couldn't issue X.509 certificate!" + +install -olacme-account -glacme-account -Ddm0700 ~lacme-account/.config/lacme +mv -t ~lacme-account/.config/lacme /etc/lacme/account.key +cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF + privkey = file:%E/lacme/account.key +EOF + +lacme newOrder || fail +test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key + # vim: set filetype=sh : -- cgit v1.2.3