From 28b22dafa08ebe65a6549b6a411457a5780d7ad9 Mon Sep 17 00:00:00 2001
From: Christian Limpach
Date: Wed, 13 Jan 2010 20:00:49 +0000
Subject: [PATCH] Add missing scripts and Revert "Revert "Add sec-* scripts for local auth and vm disk encryption keyfile access.""
This reverts commit 5f157bceb35d11bc62fb6965c3b4aff8ec70e879.
---
 Makefile | 4 ++-
 scripts/sec-change-pass | 39 +++++++++++++++++++++++
 scripts/sec-check-pass | 24 ++++++++++++++
 scripts/sec-mount | 35 +++++++++++++++++++++
 scripts/sec-new-user | 69 +++++++++++++++++++++++++++++++++++++++++
 scripts/sec-umount | 19 ++++++++++++
 6 files changed, 189 insertions(+), 1 deletion(-)
 create mode 100755 scripts/sec-change-pass
 create mode 100755 scripts/sec-check-pass
 create mode 100755 scripts/sec-mount
 create mode 100755 scripts/sec-new-user
 create mode 100755 scripts/sec-umount
diff --git a/Makefile b/Makefile
index 3ce3256..11cbb57 100644
--- a/Makefile
+++ b/Makefile
@@ -19,7 +19,9 @@ SUBDIRS = libs/uuid libs/stdext libs/mmap \ INSTALL_PROGRAMS_BIN = \ xenstored/xenstored xenguest/xenguest closeandexec/closeandexec \ xenvm/xenops xenvm/xenvm xenvm/xenvm-cmd \ - scripts/qemu-dm-wrapper scripts/ctxusb-wrapper + scripts/qemu-dm-wrapper scripts/ctxusb-wrapper \ + scripts/sec-change-pass scripts/sec-mount scripts/sec-umount \ + scripts/sec-check-pass scripts/sec-new-user -include extra/Makefile
diff --git a/scripts/sec-change-pass b/scripts/sec-change-pass
new file mode 100755
index 0000000..8cafb1b
--- /dev/null
+++ b/scripts/sec-change-pass
@@ -0,0 +1,39 @@
+#! /bin/sh
+
+user="$1"
+userpass="$2"
+serverpass="$3"
+
+LVPREFIX=s-
+LVSIZE=12M
+VGNAME=xenclient
+DEVKEY=/config/sec/device.key
+RAMDIR=/tmp
+UKEY="${RAMDIR}/s-${user}.key"
+TKEY="${RAMDIR}/s-t-${user}.key"
+SECDM="s-${user}"
+
+( cat "${DEVKEY}"
+ echo "${user}"
+ cat "${userpass}" ) >"${UKEY}"
+
+( cat "${DEVKEY}"
+ echo "transmitter ${user}"
+ cat "${serverpass}" ) >"${TKEY}"
+
+cryptsetup -q -d "${TKEY}" \
+ luksKillSlot "/dev/${VGNAME}/${LVPREFIX}${user}" 0 || {
+ echo $0: cryptsetup luksKillSlot failed: $?
+ rm "${TKEY}" "${UKEY}"
+ exit 2
+ }
+
+cryptsetup -q -d "${TKEY}" -S 0 \
+ luksAddKey "/dev/${VGNAME}/${LVPREFIX}${user}" "${UKEY}" || {
+ echo $0: cryptsetup luksAddKey failed: $?
+ rm "${TKEY}" "${UKEY}"
+ exit 3
+ }
+
+rm "${TKEY}" "${UKEY}"
+
diff --git a/scripts/sec-check-pass b/scripts/sec-check-pass
new file mode 100755
index 0000000..d781238
--- /dev/null
+++ b/scripts/sec-check-pass
@@ -0,0 +1,24 @@
+#! /bin/sh
+
+user="$1"
+userpass="$2"
+
+LVPREFIX=s-
+VGNAME=xenclient
+DEVKEY=/config/sec/device.key
+RAMDIR=/tmp
+UKEY="${RAMDIR}/s-${user}.key"
+
+( cat "${DEVKEY}"
+ echo "${user}"
+ cat "${userpass}" ) >"${UKEY}"
+
+cryptsetup -d "${UKEY}" -S 0 \
+ luksCheckKey "/dev/${VGNAME}/${LVPREFIX}${user}" || {
+ echo $0: cryptsetup luksCheckKey failed: $?
+ rm "${UKEY}"
+ exit 2
+}
+
+rm "${UKEY}"
+
diff --git a/scripts/sec-mount b/scripts/sec-mount
new file mode 100755
index 0000000..aef4422
--- /dev/null
+++ b/scripts/sec-mount
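Review bot: The assembled key material is written to a predictable path in a world-writable directory (`UKEY="${RAMDIR}/s-${user}.key"` and `TKEY="${RAMDIR}/s-t-${user}.key"` with `RAMDIR=/tmp`) under whatever umask the caller has, so another local process can pre-create or symlink `/tmp/s-<user>.key` before the script runs and either read the device key plus passphrase or redirect the write; sec-check-pass, sec-mount and sec-new-user use the same construction. Restricting the umask, taking unpredictable names from mktemp and removing the files on every exit path closes this, and the existing explicit `rm` lines can stay as they are. A second issue specific to this script is ordering: `luksKillSlot ... 0` runs before `luksAddKey`, so a luksAddKey failure (exit 3) leaves slot 0 empty and the user locked out of the volume with no rollback; adding the new key to a free slot first and killing the old one only after that succeeds removes the window.
```shell
umask 077
UKEY=$(mktemp "${RAMDIR}/s-${user}.XXXXXX") || exit 1
TKEY=$(mktemp "${RAMDIR}/s-t-${user}.XXXXXX") || exit 1
trap 'rm -f "${UKEY}" "${TKEY}"' EXIT
# … unchanged: key assembly and cryptsetup calls …
```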
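Review bot: The key-assembly subshell `( cat "${DEVKEY}"; echo "${user}"; cat "${userpass}" ) >"${UKEY}"` discards the status of every command inside it, so an unreadable `${DEVKEY}` or passphrase file silently yields a truncated key file that is then handed to cryptsetup; in this script that only produces a misleading "luksCheckKey failed", but the identical construct in sec-change-pass and sec-new-user feeds the truncated material to luksAddKey and luksFormat, where a key lacking the device-key or passphrase component becomes the slot's secret. Chaining the parts with `&&` and failing loudly, e.g. `( cat "${DEVKEY}" && echo "${user}" && cat "${userpass}" ) >"${UKEY}" || { echo "$0: cannot build key file" >&2; rm -f "${UKEY}"; exit 2; }`, makes the failure explicit in all four scripts. `luksCheckKey` does not appear to be an action in stock cryptsetup; if it relies on a local patch, a one-line comment at the call site saying so would help the next maintainer.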
@@ -0,0 +1,35 @@
+#! /bin/sh
+
+user="$1"
+userpass="$2"
+
+LVPREFIX=s-
+VGNAME=xenclient
+DEVKEY=/config/sec/device.key
+RAMDIR=/tmp
+UKEY="${RAMDIR}/s-${user}.key"
+SECDIR=/config/sec
+SECDM="s-${user}"
+SECPATH="${SECDIR}/s-${user}"
+
+( cat "${DEVKEY}"
+ echo "${user}"
+ cat "${userpass}" ) >"${UKEY}"
+
+cryptsetup -d "${UKEY}" \
+ luksOpen "/dev/${VGNAME}/${LVPREFIX}${user}" "${SECDM}" || {
+ echo $0: cryptsetup luksOpen failed: $?
+ rm "${UKEY}"
+ exit 2
+}
+
+mkdir -p "${SECPATH}"
+mount "/dev/mapper/${SECDM}" "${SECPATH}" || {
+ echo $0: mount failed: $?
+ cryptsetup luksClose "${SECDM}"
+ rm "${UKEY}"
+ exit 3
+}
+
+rm "${UKEY}"
+
diff --git a/scripts/sec-new-user b/scripts/sec-new-user
new file mode 100755
index 0000000..767317d
--- /dev/null
+++ b/scripts/sec-new-user
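Review bot: `user` is used unvalidated to build both the block-device path `/dev/${VGNAME}/${LVPREFIX}${user}` and the mount point `${SECDIR}/s-${user}`, so a value containing `/` or `..` selects a different device or directory than the one intended; the other four sec-* scripts derive their paths from `$1` the same way. Rejecting anything outside a conservative character set before the first use, `case "${user}" in ''|*[!A-Za-z0-9_-]*) echo "$0: bad user name" >&2; exit 1 ;; esac`, bounds every path built from it (dropping `.` from the allowed set is what keeps `..` out). Separately, `mkdir -p "${SECPATH}"` has no status check and `mount` is given no options; a per-user data volume is a natural candidate for `-o nodev,nosuid,noexec`, and a failed mkdir should be reported before mount is attempted rather than surfacing as "mount failed".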
@@ -0,0 +1,69 @@
+#! /bin/sh
+
+user="$1"
+userpass="$2"
+serverpass="$3"
+
+LVPREFIX=s-
+LVSIZE=12M
+VGNAME=xenclient
+DEVKEY=/config/sec/device.key
+RAMDIR=/tmp
+UKEY="${RAMDIR}/s-${user}.key"
+TKEY="${RAMDIR}/s-t-${user}.key"
+SECDM="s-${user}"
+
+lvcreate -L "${LVSIZE}" -n "${LVPREFIX}${user}" "${VGNAME}" || {
+ echo $0: lvcreate failed: $?
+ exit 2
+}
+
+( cat "${DEVKEY}"
+ echo "${user}"
+ cat "${userpass}" ) >"${UKEY}"
+
+cryptsetup -q -S 0 \
+ luksFormat "/dev/${VGNAME}/${LVPREFIX}${user}" "${UKEY}" || {
+ echo $0: cryptsetup luksFormat failed: $?
+ rm "${UKEY}"
+ exit 3
+}
+
+[ -z "${serverpass}" ] || {
+
+ ( cat "${DEVKEY}"
+ echo "transmitter ${user}"
+ cat "${serverpass}" ) >"${TKEY}"
+
+ cryptsetup -q -S 1 -d "${UKEY}" \
+ luksAddKey "/dev/${VGNAME}/${LVPREFIX}${user}" "${TKEY}" || {
+ echo $0: cryptsetup luksAddKey failed: $?
+ rm "${TKEY}" "${UKEY}"
+ exit 4
+ }
+
+ rm "${TKEY}"
+}
+
+cryptsetup -d "${UKEY}" \
+ luksOpen "/dev/${VGNAME}/${LVPREFIX}${user}" "${SECDM}" || {
+ echo $0: cryptsetup luksOpen failed: $?
+ rm "${UKEY}"
+ exit 5
+}
+
+mkfs.ext2 "/dev/mapper/${SECDM}" || {
+ echo $0: mkfs.ext2 failed: $?
+ cryptsetup luksClose "${SECDM}"
+ rm "${UKEY}"
+ exit 6
+}
+
+cryptsetup luksClose "${SECDM}" || {
+ echo $0: cryptsetup luksClose failed: $?
+ rm "${UKEY}"
+ exit 7
+}
+
+rm "${UKEY}"
+
diff --git a/scripts/sec-umount b/scripts/sec-umount
new file mode 100755
index 0000000..62c4efe
--- /dev/null
+++ b/scripts/sec-umount
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+user="$1"
+
+SECDIR=/config/sec
+SECDM="s-${user}"
+SECPATH="${SECDIR}/s-${user}"
+
+umount "${SECPATH}" || {
+ echo $0: umount failed: $?
+ cryptsetup luksClose "${SECDM}"
+ exit 2
+}
+
+cryptsetup luksClose "${SECDM}" || {
+ echo $0: cryptsetup luksClose failed: $?
+ exit 3
+}
+
--
2.39.5
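Review bot: Once `lvcreate` has succeeded, every later failure path (luksFormat at exit 3, luksAddKey at 4, luksOpen at 5, mkfs.ext2 at 6, luksClose at 7) exits without removing the logical volume, so a retry for the same user fails at `lvcreate` and an LV with no or a half-initialised LUKS header is left in the volume group. Each of those branches should roll back with `lvremove -f "${VGNAME}/${LVPREFIX}${user}"` after closing the mapping, or the teardown should be centralised in an EXIT trap that checks a "completed" flag. `cryptsetup -q ... luksFormat` also suppresses the overwrite confirmation, which is appropriate for a just-created LV but deserves a one-line comment so the line is not copied onto an existing device.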
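Review bot: Diagnostics such as `echo $0: umount failed: $?` are written to stdout with an unquoted `$0`, so a caller that captures the script's output gets the error text mixed into it; every error branch in the five sec-* scripts does the same. `echo "$0: umount failed: $?" >&2` keeps diagnostics on stderr and tolerates a script path with spaces. The `cryptsetup luksClose "${SECDM}"` inside the umount failure branch will normally fail itself because the filesystem is still mounted; it is harmless as a best-effort attempt, but a short comment saying so would stop a reader from taking it for a real teardown.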