Security Mechanism for Cmdctl and Bindctl

  1. Introduction
  2. Cmdctl
    1. Certificate Management
    2. Client Authentication
    3. Username/Password Database
    4. Configurable Items
  3. Bindctl
    1. Cmdctl Certificate Authentication
    2. Password Transmission
  4. Questions & Proposed Answers
    1. Bindctl(Client) Certificate Authentication
    2. Change Certificate of Cmdctl

Introduction

Cmdctl is the gateway between administrators and the BIND 10 system. It provides a RESTful interface for accessing and controlling BIND 10. Cmdctl is designed as an HTTPS server; all connections between Cmdctl and controlling clients (Bindctl or other tools) are secured with the SSL protocol.

Bindctl is a command-line tool that provides an interactive prompt for controlling the BIND 10 system. Instead of communicating with BIND 10 components directly, Bindctl sends all commands to Cmdctl, which then dispatches them to the proper BIND 10 components.

This document describes how to build trust between Cmdctl and Bindctl.

Cmdctl

Certificate Management

When Cmdctl is installed, one private key and self-signed certificate should be generated and installed for Cmdctl automatically. They will be used as the default private key and certificate when running the installed Cmdctl.

A sample private key and self-signed certificate are also provided in the source code, so that Cmdctl works when run from the source tree.

Client Authentication

A user name/password pair is used for client authentication. The user name and password sent to Cmdctl should be plain text in a format like:

{'username':'root', 'password':'bind10'}

When Cmdctl receives the password of an existing user, it generates a SHA1 digest using that user's salt, then checks whether the user is legitimate by comparing the generated digest with the one saved in the username/password database.

Username/Password Database

All user names and passwords are saved in one CSV file. Passwords are not saved in plaintext; instead, a salt and the password's SHA1 digest are saved. See the example for user 'root'.

root,6f0c73bd33101a5ec0294b3ca39fec90ef4717fe,"^?{5hV&$^(]!uV,3H>E~=f`I;,HgMl""`Eyao4^0l|Nlz|%R9Y0v)#/t'u@CzJ$U^?)"
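
The check described under Client Authentication, run against an accounts file in the layout of the 'root' row above (user name, digest, salt), as an added example that is not Cmdctl's own code. The function names, the sample users and the way password and salt are combined (SHA1 over password followed by salt) are assumptions; the page only says the digest is generated from the user's salt.

```python
import csv
import hashlib
import hmac
import io
import secrets

def make_record(username, password):
    """Build one accounts row: user name, SHA1 hex digest, salt."""
    salt = secrets.token_urlsafe(48)
    # Assumption: digest = SHA1(password + salt); the page does not
    # state how the password and the salt are combined.
    digest = hashlib.sha1((password + salt).encode()).hexdigest()
    return [username, digest, salt]

def load_accounts(csv_text):
    """Parse the accounts CSV into {username: (digest, salt)}."""
    accounts = {}
    # csv.reader honours quoting, so a salt containing commas or doubled
    # quotes (as in the 'root' row above) stays in one field.
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 3:
            continue  # skip malformed rows rather than guessing
        accounts[row[0]] = (row[1], row[2])
    return accounts

def check_login(accounts, credentials):
    """Verify {'username': ..., 'password': ...} against the accounts."""
    user = credentials.get("username")
    password = credentials.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return False
    # Unknown users are hashed against a dummy entry so both paths do one hash.
    digest, salt = accounts.get(user, ("0" * 40, ""))
    candidate = hashlib.sha1((password + salt).encode()).hexdigest()
    # Constant-time comparison: do not leak how many leading digits matched.
    return hmac.compare_digest(candidate.encode(), digest.encode()) and user in accounts

def demo_accounts():
    """Constructed sample file: two users, one salt with a comma and a quote."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(make_record("root", "bind10"))
    writer.writerow(["admin", hashlib.sha1(b'pw' + b'a,"b').hexdigest(), 'a,"b'])
    return load_accounts(buf.getvalue())
```

A single salted SHA1 round is cheap to brute-force offline if the accounts file leaks; hashlib.pbkdf2_hmac or hashlib.scrypt is the usual choice for new designs.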

Configurable Items

Cmdctl has three configurable items: 'key_file', 'cert_file' and 'accounts_file'. All of them can be configured through Bindctl.

    "config_data": [
      {
        "item_name": "key_file",                   //the private key file.
        "item_type": "string",
        "item_optional": False,
        "item_default": '@@LOCALSTATEDIR@@/@PACKAGE@/cmdctl-keyfile.pem'
      },
      {
        "item_name": "cert_file",                  //certificate file.
        "item_type": "string",
        "item_optional": False,
        "item_default": '@@LOCALSTATEDIR@@/@PACKAGE@/cmdctl-certfile.pem'
      },
      {
        "item_name": "accounts_file",             //username/password database of Cmdctl
        "item_type": "string",
        "item_optional": False,
        "item_default": '@@LOCALSTATEDIR@@/@PACKAGE@/cmdctl-accounts.csv'
      }
      ]

Bindctl

Cmdctl Certificate Authentication

By default, Bindctl does not validate the Cmdctl certificate. To enable validation, provide a PEM-formatted certificate chain file to Bindctl, for example:

bindctl -c /path/of/certificate_chain_file

or

bindctl --certificate-chain /path/of/certificate_chain_file

Password Transmission

User password will be transmitted over HTTPS as plain text. I think it's safe enough since HTTPS cannot be intercepted in theory.

Questions & Proposed Answers

Bindctl(Client) Certificate Authentication

There is no plan to do it now, although it's not hard to support, since it would bring more configuration items to Cmdctl (e.g., whether and how to validate a client certificate if it's self-signed).

Change Certificate of Cmdctl

If Bindctl is run with the '-c' option (so that it validates Cmdctl's certificate) and the certificate of Cmdctl is changed by commands from Bindctl, all subsequent commands sent to Cmdctl will fail until Bindctl is restarted.

Last modified on Jun 18, 2010, 8:17:03 AM