diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2016-05-24 17:11:11 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2016-05-24 17:12:10 +0200 |
| commit | 1af3c572eedb0eaddcdc5c9c41d98ff59bb7b2c9 (patch) | |
| tree | 6af69fd639a051b483528b03959985ab806b2c1c /roles/common | |
| parent | 61ee02ffb5402d93eae59001b91197957a8dcfe2 (diff) | |
IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication.
There is no need to bother with X.509 cruft here.
Diffstat (limited to 'roles/common')
| -rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 5 | ||||
| -rw-r--r-- | roles/common/tasks/ipsec.yml | 17 | ||||
| -rw-r--r-- | roles/common/templates/etc/ipsec.conf.j2 | 5 |
3 files changed, 15 insertions, 12 deletions
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index 45e2181..01b279a 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -30,40 +30,41 @@ hash= force=0 config= pubkey=pubkey.pem privkey=privkey.pem dns= ou= cn= usage= mode= owner= group= usage() { cat >&2 <<- EOF Usage: $0 command [OPTIONS] Command: x509: generate a self-signed X.509 server certificate csr: generate a Certificate Signing Request dkim: generate a private key (to use for DKIM signing) + keypair: generate a key pair Options: -t type: key type (default: rsa) -b bits: key length or EC curve (default: 2048 for RSA, 1024 for DSA, secp224r1 for ECDSA) -h digest: digest algorithm --ou: organizational Unit Name; can be repeated --cn: common Name (default: \$(hostname --fqdn) --dns: hostname for AltName; can be repeated -f: force; can be repeated (0: don't overwrite, default; 1: reuse private key if it exists; 2: overwrite both keys if they exist) --config: configuration file --pubkey: public key file (default: pubkey.pem) --privkey: private key file (default: privkey.pem) --usage: key usage (default: digitalSignature,keyEncipherment,keyCertSign) --mode: set privkey's permission mode (default: 0600) --owner: set privkey's owner (default: the process' current owner) --group: set privkey's group (default: the process' current group) Return values: @@ -71,41 +72,41 @@ usage() { 1 The public or private key file exists, and -f is not set 2 The key generation failed EOF } dkiminfo() { echo "Add the following TXT record to your DNS zone:" echo "${cn:-$(date +%Y%m%d)}._domainkey\tIN\tTXT ( " # See https://tools.ietf.org/html/rfc4871#section-3.6.1 # t=s: the "i=" domain in signature headers MUST NOT be a subdomain of "d=" # s=email: limit DKIM signing to email openssl pkey -pubout <"$privkey" | sed '/^--.*--$/d' \ | { echo -n "v=DKIM1; k=$type; t=s; s=email; p="; tr -d '\n'; } \ | fold -w 250 \ | { sed 's/.*/\t"&"/'; echo ' )'; } } [ $# -gt 0 ] || { usage; exit 2; } cmd="$1"; shift case "$cmd" in - x509|csr|dkim) ;; + x509|csr|dkim|keypair) ;; *) echo "Unrecognized command: $cmd" >&2; exit 2 esac nou=1 while [ $# -gt 0 ]; do case "$1" in -t) shift; type="$1";; -t*) type="${1#-t}";; -b) shift; bits="$1";; -b*) bits="${1#-b}";; -h) shift; hash="$1";; -h*) hash="${1#-h}";; --dns=?*) dns="${dns:+$dns, }DNS:${1#--dns=}";; --cn=?*) cn="${1#--cn=}";; --ou=?*) ou="${ou:+$ou\n}$nou.organizationalUnitName = ${1#--ou=}" nou=$(( 1 + $nou ));; @@ -184,21 +185,23 @@ if [ -s "$privkey" -a $force -eq 0 ]; then exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2 openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && { dkiminfo; exit; } fi if [ "$cmd" = x509 -a "$pubkey" = "$privkey" ]; then pubkey=$(mktemp) openssl req -config "$config" -new -x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 cat "$pubkey" >>"$privkey" || exit 2 rm -f "$pubkey" elif [ "$cmd" = x509 -o "$cmd" = csr ]; then if [ -s "$pubkey" -a $force -eq 0 ]; then echo "Error: public key exists: $pubkey" >&2 exit 1 else [ "$cmd" = x509 ] && x509=-x509 || x509= openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 fi +elif [ "$cmd" = keypair -a "$pubkey" ]; then + openssl pkey -pubout <"$privkey" >"$pubkey" fi diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index b82c281..ca03c98 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml @@ -37,60 +37,59 @@ template: src=etc/ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=0600 register: r2 notify: - Restart IPSec - name: Configure Charon copy: src=etc/strongswan.d/{{ item }} dest=/etc/strongswan.d/{{ item }} owner=root group=root mode=0644 with_items: - charon.conf - charon/socket-default.conf register: r3 notify: - Restart IPSec -- name: Generate a private key and a X.509 certificate for IPSec - command: genkeypair.sh x509 +- name: Generate a key pair for IPSec public key authentication + command: genkeypair.sh keypair --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key - --ou=IPSec --cn={{ inventory_hostname_short }} - -t rsa -b 4096 -h sha512 + -t rsa -b 4096 register: r4 changed_when: r4.rc == 0 failed_when: r4.rc > 1 notify: - Restart IPSec tags: - genkey -- name: Fetch IPSec X.509 certificate +- name: Fetch the public part of IPSec host key # Ensure we don't fetch private data become: False - fetch_cmd: cmd="openssl x509" - stdin=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem - dest=certs/ipsec/{{ inventory_hostname_short }}.pem + fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem + dest=certs/ipsec/{{ inventory_hostname_short }}.pem + fail_on_missing=yes flat=yes tags: - genkey # Don't copy our pubkey due to a possible race condition. Only the # remote machine has authority regarding its key. -- name: Copy IPSec X.509 certificates (except ours) +- name: Copy the public part of IPSec peers' key copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem owner=root group=root mode=0644 with_items: "{{ groups.all | difference([inventory_hostname]) }}" register: r5 tags: - genkey notify: - Restart IPSec - name: Start IPSec service: name=ipsec state=started when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed) diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2 index 4d6aa68..938f6b8 100644 --- a/roles/common/templates/etc/ipsec.conf.j2 +++ b/roles/common/templates/etc/ipsec.conf.j2 @@ -1,43 +1,44 @@ # {{ ansible_managed }} # Do NOT edit this file directly! config setup charondebug = "dmn 0, lib 0, cfg 0, ike 0, enc 0, net 0" conn %default keyexchange = ikev2 keyingtries = %forever ike = aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384! esp = aes128gcm16-ecp256,aes256gcm16-ecp384! {% if 'NATed' not in group_names %} mobike = no {% endif %} {% if 'DynDNS' in group_names %} leftallowany = yes {% endif %} leftauth = pubkey left = %defaultroute leftsubnet = {{ ipsec[inventory_hostname_short] | ipv4 }}/32 - leftcert = {{ inventory_hostname_short }}.pem + leftid = {{ inventory_hostname }} + leftsigkey = {{ inventory_hostname_short }}.pem leftfirewall = yes lefthostaccess = yes rightauth = pubkey auto = route dpdaction = hold inactivity = 30m modeconfig = push {% for host in groups.all | difference([inventory_hostname]) | sort %} conn {{ hostvars[host].inventory_hostname_short }} right = {{ hostvars[host].inventory_hostname }} {% if 'DynDNS' in hostvars[host].group_names %} rightallowany = yes {% endif %} - rightcert = {{ hostvars[host].inventory_hostname_short }}.pem + rightsigkey = {{ hostvars[host].inventory_hostname_short }}.pem rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ipv4 }}/32 {% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %} mobike = yes {% endif %} {%- endfor %} |