Fix to MXS-125: https://mariadb.atlassian.net/browse/MXS-125
Unified the usages of maxkeys and maxpasswd.
This commit is contained in:
Markus Makela
parent
97a06e4006
commit
466ee46d82
@ -1393,20 +1393,24 @@ In addition parameters may be added to define patterns to match against to eithe
|
||||
|
||||
## Encrypting Passwords
|
||||
|
||||
Passwords stored in the maxscale.cnf file may optionally be encrypted for added security. This is done by creation of an encryption key on installation of MaxScale. Encryption keys may be created manually by executing the maxkeys utility with the argument of the filename to store the key. The default location MaxScale stores the keys is `/var/cache/maxscale`.
|
||||
Passwords stored in the maxscale.cnf file may optionally be encrypted for added security. This is done by creation of an encryption key on installation of MaxScale. Encryption keys may be created manually by executing the maxkeys utility with the argument of the filename to store the key. The default location MaxScale stores the keys is `/var/lib/maxscale`.
|
||||
|
||||
```
|
||||
maxkeys /var/cache/maxscale/.secrets
|
||||
# Usage: maxkeys [PATH]
|
||||
maxkeys /var/lib/maxscale/
|
||||
```
|
||||
|
||||
Changing the encryption key for MaxScale will invalidate any currently encrypted keys stored in the maxscale.cnf file.
|
||||
|
||||
### Creating Encrypted Passwords
|
||||
|
||||
Encrypted passwords are created by executing the maxpasswd command with the password you require to encrypt as an argument.
|
||||
Encrypted passwords are created by executing the maxpasswd command with the location of the .secrets file and the password you require to encrypt as an argument.
|
||||
|
||||
maxpasswd MaxScalePw001
|
||||
61DD955512C39A4A8BC4BB1E5F116705
|
||||
```
|
||||
# Usage: maxpasswd PATH PASSWORD
|
||||
maxpasswd /var/lib/maxscale/ MaxScalePw001
|
||||
61DD955512C39A4A8BC4BB1E5F116705
|
||||
```
|
||||
|
||||
The output of the maxpasswd command is a hexadecimal string, this should be inserted into the maxscale.cnf file in place of the ordinary, plain text, password. MaxScale will determine this as an encrypted password and automatically decrypt it before sending it the database server.
|
||||
|
||||
|
||||
@ -32,19 +32,24 @@
|
||||
#include <skygw_utils.h>
|
||||
#include <log_manager.h>
|
||||
#include <gwdirs.h>
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int arg_count = 6;
|
||||
int arg_count = 4;
|
||||
char *home;
|
||||
char *keyfile;
|
||||
char** arg_vector;
|
||||
int rval = 0;
|
||||
|
||||
if (argc != 2)
|
||||
if (argc < 2)
|
||||
{
|
||||
fprintf(stderr, "Usage: %s <filename>\n", argv[0]);
|
||||
return 1;
|
||||
keyfile = "/var/lib/maxscale/";
|
||||
fprintf(stderr, "Generating .secrets file in /var/lib/maxscale/ ...\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
keyfile = argv[1];
|
||||
}
|
||||
|
||||
arg_vector = malloc(sizeof(char*)*(arg_count + 1));
|
||||
|
||||
if(arg_vector == NULL)
|
||||
@ -53,27 +58,16 @@ int main(int argc, char **argv)
|
||||
return 1;
|
||||
}
|
||||
|
||||
if(access("/var/log/maxscale/maxkeys/",F_OK) != 0)
|
||||
{
|
||||
if(mkdir("/var/log/maxscale/maxkeys/",0777) == -1)
|
||||
{
|
||||
if(errno != EEXIST)
|
||||
{
|
||||
fprintf(stderr,"Error: %d - %s",errno,strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
arg_vector[0] = strdup("logmanager");
|
||||
arg_vector[1] = strdup("-j");
|
||||
arg_vector[2] = strdup("/var/log/maxscale/maxkeys");
|
||||
arg_vector[3] = NULL;
|
||||
arg_vector[0] = "logmanager";
|
||||
arg_vector[1] = "-j";
|
||||
arg_vector[2] = "/var/log/maxscale/maxkeys";
|
||||
arg_vector[3] = "-o";
|
||||
arg_vector[4] = NULL;
|
||||
skygw_logmanager_init(arg_count,arg_vector);
|
||||
free(arg_vector[2]);
|
||||
free(arg_vector);
|
||||
|
||||
|
||||
if (secrets_writeKeys(argv[1]))
|
||||
if (secrets_writeKeys(keyfile))
|
||||
{
|
||||
fprintf(stderr, "Failed to encode the password\n");
|
||||
rval = 1;
|
||||
|
||||
@ -46,9 +46,9 @@ main(int argc, char **argv)
|
||||
char** arg_vector;
|
||||
int rval = 0;
|
||||
|
||||
if (argc != 2)
|
||||
if (argc != 3)
|
||||
{
|
||||
fprintf(stderr, "Usage: %s <password>\n", argv[0]);
|
||||
fprintf(stderr, "Usage: %s <file> <password>\n", argv[0]);
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -79,9 +79,9 @@ main(int argc, char **argv)
|
||||
return 1;
|
||||
}
|
||||
|
||||
strncpy(pw,argv[1],80);
|
||||
strncpy(pw,argv[2],80);
|
||||
|
||||
if ((enc = encryptPassword(pw)) != NULL){
|
||||
if ((enc = encryptPassword(argv[1],pw)) != NULL){
|
||||
printf("%s\n", enc);
|
||||
}else{
|
||||
fprintf(stderr, "Failed to encode the password\n");
|
||||
|
||||
@ -53,15 +53,14 @@ int i;
|
||||
}
|
||||
|
||||
/**
|
||||
* secrets_readKeys
|
||||
*
|
||||
* This routine reads data from a binary file and extracts the AES encryption key
|
||||
* and the AES Init Vector
|
||||
*
|
||||
* This routine reads data from a binary file named ".secrets" and extracts the AES encryption key
|
||||
* and the AES Init Vector.
|
||||
* If the path parameter is not null the custom path is interpreted as a folder
|
||||
* containing the .secrets file. Otherwise the default location is used.
|
||||
* @return The keys structure or NULL on error
|
||||
*/
|
||||
static MAXKEYS *
|
||||
secrets_readKeys()
|
||||
secrets_readKeys(char* path)
|
||||
{
|
||||
char secret_file[PATH_MAX+1];
|
||||
char *home;
|
||||
@ -70,9 +69,10 @@ struct stat secret_stats;
|
||||
int fd;
|
||||
int len;
|
||||
static int reported = 0;
|
||||
|
||||
snprintf(secret_file, PATH_MAX, "%s/.secrets", get_datadir());
|
||||
|
||||
if(path != NULL)
|
||||
snprintf(secret_file, PATH_MAX, "%s/.secrets", path);
|
||||
else
|
||||
snprintf(secret_file, PATH_MAX, "%s/.secrets", get_datadir());
|
||||
/* Try to access secrets file */
|
||||
if (access(secret_file, R_OK) == -1)
|
||||
{
|
||||
@ -221,11 +221,14 @@ static int reported = 0;
|
||||
* @param secret_file The file with secret keys
|
||||
* @return 0 on success and 1 on failure
|
||||
*/
|
||||
int secrets_writeKeys(char *secret_file)
|
||||
int secrets_writeKeys(char *path)
|
||||
{
|
||||
int fd,randfd;
|
||||
unsigned int randval;
|
||||
MAXKEYS key;
|
||||
char secret_file[PATH_MAX + 10];
|
||||
|
||||
sprintf(secret_file,"%s/.secrets",path);
|
||||
|
||||
/* Open for writing | Create | Truncate the file for writing */
|
||||
if ((fd = open(secret_file, O_CREAT | O_WRONLY | O_TRUNC, S_IRUSR)) < 0)
|
||||
@ -328,7 +331,7 @@ char *ptr;
|
||||
unsigned char encrypted[80];
|
||||
int enlen;
|
||||
|
||||
keys = secrets_readKeys();
|
||||
keys = secrets_readKeys(NULL);
|
||||
if (!keys)
|
||||
return strdup(crypt);
|
||||
/*
|
||||
@ -365,12 +368,12 @@ int enlen;
|
||||
* Encrypt a password that can be stored in the MaxScale configuration file.
|
||||
*
|
||||
* Note the return is always a malloc'd string that the caller must free
|
||||
*
|
||||
* @param path Path the the .secrets file
|
||||
* @param password The password to encrypt
|
||||
* @return The encrypted password
|
||||
*/
|
||||
char *
|
||||
encryptPassword(char *password)
|
||||
encryptPassword(char* path, char *password)
|
||||
{
|
||||
MAXKEYS *keys;
|
||||
AES_KEY aeskey;
|
||||
@ -379,7 +382,7 @@ char *hex_output;
|
||||
unsigned char padded_passwd[80];
|
||||
unsigned char encrypted[80];
|
||||
|
||||
if ((keys = secrets_readKeys()) == NULL)
|
||||
if ((keys = secrets_readKeys(path)) == NULL)
|
||||
return NULL;
|
||||
|
||||
memset(padded_passwd, 0, 80);
|
||||
|
||||
@ -53,5 +53,5 @@ typedef struct maxkeys {
|
||||
|
||||
extern int secrets_writeKeys(char *filename);
|
||||
extern char *decryptPassword(char *);
|
||||
extern char *encryptPassword(char *);
|
||||
extern char *encryptPassword(char*,char *);
|
||||
#endif
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user