RIAPS / riaps-integration

Tested collection of RIAPS packages for releases
Apache License 2.0

Update Security Key Management Scripts #48

Closed MMetelko closed 5 years ago

MMetelko commented 5 years ago

As we add the RIAPS security features to the codebase (pycom and core), we need to update the tools for managing keys and certs. We can utilize the riaps_gen_cert script (in riaps-pycom/src/scripts) to create or update the self-signed cert for development purposes (30 day limit).

nie93 commented 5 years ago

Hi Mary,

I use the updated VM image (v1.1.15), and when I was trying to use the new secure_keys scripts to set up the ssh connection, it returned the following messages:

riaps@riaps-devbox:~$ ./secure_keys -H 192.168.1.51
Rekeying hostnames:  192.168.1.51
=== ['ssh-add', '-d', '/home/riaps/.ssh/id_rsa.pub']
Could not remove identity "/home/riaps/.ssh/id_rsa.pub": agent refused operation
=== ['riaps_gen_cert', '-o', '/home/riaps/.ssh']
=== ['chmod', '400', '/home/riaps/.ssh/id_rsa.key']
=== ['rm', '/home/riaps/.ssh/riaps.key']
=== ['ssh-add', '/home/riaps/.ssh/id_rsa.key']
Identity added: /home/riaps/.ssh/id_rsa.key (/home/riaps/.ssh/id_rsa.key)
=== ['sudo', 'cp', '/home/riaps/.ssh/id_rsa.key', '/usr/local/riaps/keys/.']
=== ['sudo', 'chown', 'root:riaps', '/usr/local/riaps/keys/id_rsa.key']
=== ['sudo', 'chmod', '440', '/usr/local/riaps/keys/id_rsa.key']
=== ['sudo', 'cp', '/home/riaps/.ssh/id_rsa.pub', '/usr/local/riaps/keys/.']
=== ['sudo', 'chown', 'root:riaps', '/usr/local/riaps/keys/id_rsa.pub']
=== ['sudo', 'chmod', '440', '/usr/local/riaps/keys/id_rsa.pub']
=== ['sudo', 'cp', '/home/riaps/.ssh/riaps-sys.cert', '/usr/local/riaps/keys/.']
=== ['sudo', 'chown', 'root:riaps', '/usr/local/riaps/keys/riaps-sys.cert']
=== ['sudo', 'chmod', '440', '/usr/local/riaps/keys/riaps-sys.cert']
=== ['sudo', 'chmod', '400', '/home/riaps/.ssh/riaps-sys.cert']
=== ['sudo', 'cp', '/home/riaps/.ssh/x509.pem', '/usr/local/riaps/keys/.']
=== ['sudo', 'chown', 'root:riaps', '/usr/local/riaps/keys/x509.pem']
=== ['sudo', 'chmod', '440', '/usr/local/riaps/keys/x509.pem']
=== ['sudo', 'chmod', '400', '/home/riaps/.ssh/x509.pem']
rekeyed development machine with newly generated keys and certificates.
=== ['ssh-add', '/home/riaps/.ssh/id_rsa.key.old']
/home/riaps/.ssh/id_rsa.key.old: Permission denied
=== ['sudo', 'chmod', '444', '/home/riaps/.ssh/id_rsa.key']
=== ['sudo', 'chmod', '444', '/home/riaps/.ssh/riaps-sys.cert']
=== ['sudo', 'chmod', '444', '/home/riaps/.ssh/x509.pem']
[192.168.1.51] Executing task 'riaps.updateBBBKey'
[192.168.1.51] put: /home/riaps/.ssh/id_rsa.key -> .ssh/id_rsa.key

Fatal error: put() encountered an exception while uploading '/home/riaps/.ssh/id_rsa.key'

Underlying exception:
    Permission denied

Aborting.

Fatal error: One or more hosts failed while executing task 'riaps.updateBBBKey'

Aborting.
=== ['sudo', 'chmod', '400', '/home/riaps/.ssh/id_rsa.key']
=== ['sudo', 'chmod', '400', '/home/riaps/.ssh/riaps-sys.cert']
=== ['sudo', 'chmod', '400', '/home/riaps/.ssh/x509.pem']
=== ['ssh-add', '-d', '/home/riaps/.ssh/id_rsa.pub.old']
Could not remove identity "/home/riaps/.ssh/id_rsa.pub.old": agent refused operation
Rekeyed beaglebones with development machine keys and certificates.

Additionally, I have turned off the security argument in the /usr/local/riaps/etc/riaps.conf file.

Please let me know if there is any further information you need, thanks!

Cordially, Jack

MMetelko commented 5 years ago

Did you make sure you have communication with 192.168.1.51 prior to running the script? If you are using riaps v1.1.15, run riaps_fab sys.check -H 192.168.1.51 to make sure you are in communication with the device.

nie93 commented 5 years ago

It is actually the VM itself (as a RIAPS node). I did cat ./.ssh/id_rsa >> ./.ssh/authorized_keys, and I can ssh into it without any password prompt.

MMetelko commented 5 years ago

There is no need to run this script on a VM-only setup. The hosts used should never represent the VM (either its IP address or localhost). The first part of the script changes the keys and certificates and places them on the VM (which seemed to work for you). The second half (where the error occurred) failed because you do not have a passwordless connection to the VM itself. This is probably because the permissions on the private key are temporarily opened up to allow it to be passed to the VM using the riaps.updateBBBKey RIAPS-specific fab command. So, if your goal was to create new security keys and certificates on the VM, you have succeeded. You might want to use a new bash window to run RIAPS, since a recent addition to the VM was to have the local private key added to the ssh-agent when opening a window (using .bashrc).
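The last comment makes two points a rekeying script should enforce: the host list must never name the VM itself (its own IP or localhost), and the private key is made readable only for the moment it is pushed to the nodes, then locked down again (as the log above shows, the script restores mode 400 even after the failed put). The helper below is an added example, not code from riaps-integration or riaps-pycom: `filter_remote_hosts`, `temporarily_mode` and `push_key` are hypothetical names, and the `upload` callable stands in for the riaps.updateBBBKey fab task rather than calling any RIAPS API.

```python
import ipaddress
import os
import socket
import stat
import tempfile
from contextlib import contextmanager

# Names that always refer to the local machine; per the comment above,
# the host list must never name the VM that runs the script.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def local_addresses():
    """Addresses that resolve to this machine: loopback plus whatever
    the local hostname resolves to."""
    addrs = {"127.0.0.1", "::1"}
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass
    return addrs


def filter_remote_hosts(hosts, local_addrs=None):
    """Split a host list into (remote, rejected). A host is rejected when
    it is a loopback name/address or one of this machine's own addresses."""
    local_addrs = set(local_addrs if local_addrs is not None else local_addresses())
    remote, rejected = [], []
    for host in hosts:
        name = host.strip().lower()
        is_local = name in LOCAL_NAMES or name in local_addrs
        if not is_local:
            try:
                is_local = ipaddress.ip_address(name).is_loopback
            except ValueError:
                pass  # a hostname rather than an address; only the sets above apply
        (rejected if is_local else remote).append(host)
    return remote, rejected


@contextmanager
def temporarily_mode(path, mode):
    """Relax a file's mode for the duration of the block and restore the
    original mode on exit, including when the block raises."""
    original = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode)
    try:
        yield path
    finally:
        os.chmod(path, original)


def push_key(key_path, hosts, upload, local_addrs=None):
    """Call upload(key_path, host) for each remote host while the key is
    world-readable, then restore its mode. `upload` is a hypothetical
    stand-in for the fab task; it is not a RIAPS API."""
    remote, rejected = filter_remote_hosts(hosts, local_addrs)
    if rejected:
        raise ValueError(f"refusing to rekey the local machine: {rejected}")
    with temporarily_mode(key_path, 0o444):
        for host in remote:
            upload(key_path, host)
    return remote


def demo_restore_on_failure():
    """Constructed check: a 0o400 key is 0o444 during the upload and back
    to 0o400 after the upload fails. Returns (mode_during, mode_after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o400)
    during = None

    def failing_upload(key_path, host):
        nonlocal during
        during = stat.S_IMODE(os.stat(key_path).st_mode)
        raise RuntimeError(f"constructed failure uploading to {host}")

    try:
        # 10.0.0.7 is a constructed local address so the test never resolves hostnames
        push_key(path, ["192.168.1.51"], failing_upload, local_addrs={"10.0.0.7"})
    except RuntimeError:
        pass
    after = stat.S_IMODE(os.stat(path).st_mode)
    os.remove(path)
    return during, after


if __name__ == "__main__":
    print(filter_remote_hosts(["192.168.1.51", "localhost", "127.0.0.1"]))
    print(demo_restore_on_failure())
```

The `try`/`finally` in `temporarily_mode` is what guarantees the private key never stays world-readable after a failed push, which is the state the log above reaches only because the original script chmods the key back explicitly after the fab error.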