userdir-ldap reference - cryptography

Cryptography

Setup and Dependency installation

During the installation of the userdir-ldap and other dependencies, the charm uses an APT repository key (commonly referred to as a GPG key or public key) for apt-repo-spec to ensure the integrity and authenticity of the software packages downloaded from the repositories.

The charm will also set up the root SSH key for any access related to file synchronization. The key can be provided via the root-id-rsa charm config option (which accepts an OpenSSH-format RSA private key with no passphrase). The charm will then derive the public key using ssh-keygen -f <private_key> -y and write it alongside the private key with 0o644 permissions. If the private key is unavailable, the charm will generate a new keypair using the 2048-bit RSA algorithm via the ssh-keygen CLI (ssh-keygen docs).
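The key-provisioning steps above, written out as an added Python example (this is illustrative code, not the charm's own source). It assumes a default key location of /root/.ssh/id_rsa, which the page does not state, and shells out to the same ssh-keygen invocations the text names: `-y` to derive the public key and `-t rsa -b 2048 -N ""` to generate a fresh keypair when no root-id-rsa value is configured.

```python
import stat
import subprocess
from pathlib import Path
from typing import Optional

# Assumed default location; the charm's real path is not given on this page.
ROOT_KEY = Path("/root/.ssh/id_rsa")


def derive_public_key(private_key: Path) -> str:
    """Return the OpenSSH public key line for an unencrypted private key.

    This is the `ssh-keygen -f <private_key> -y` step. Passing `-P ""` makes a
    passphrase-protected key fail loudly instead of blocking on a prompt.
    """
    result = subprocess.run(
        ["ssh-keygen", "-y", "-P", "", "-f", str(private_key)],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


def ensure_root_keypair(private_key: Path = ROOT_KEY,
                        configured_key: Optional[str] = None) -> Path:
    """Install the configured private key or generate one, then write <key>.pub.

    configured_key is the root-id-rsa config value (an OpenSSH-format RSA
    private key with no passphrase) or None when the option is unset.
    """
    private_key.parent.mkdir(parents=True, exist_ok=True)
    private_key.parent.chmod(0o700)
    if configured_key:
        private_key.write_text(configured_key.rstrip("\n") + "\n")
        private_key.chmod(0o600)
    elif not private_key.exists():
        # 2048-bit RSA, empty passphrase, quiet; ssh-keygen creates the file 0600
        subprocess.run(
            ["ssh-keygen", "-q", "-t", "rsa", "-b", "2048", "-N", "",
             "-f", str(private_key)],
            check=True,
        )
    # Always derive the .pub from the private key so the pair cannot drift apart.
    public_key = Path(f"{private_key}.pub")
    public_key.write_text(derive_public_key(private_key) + "\n")
    public_key.chmod(0o644)
    return public_key


def file_mode(path: Path) -> int:
    """Permission bits of a file, e.g. 0o644."""
    return stat.S_IMODE(path.stat().st_mode)


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())  # demo directory standing in for /root/.ssh
    pub = ensure_root_keypair(work / "id_rsa")
    print(pub, oct(file_mode(pub)), pub.read_text().split()[0])
```

Deriving the public half from the private key on every run, rather than trusting an existing .pub file, is what keeps the key the charm publishes over the relation consistent with the key it actually authenticates with.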

Additionally, during the installation, the charm will try to add the entries listed in the userdb-known-hosts charm config option to /root/.ssh/known_hosts to seed the userdb trust. If no hosts are specified, the charm will run ssh-keyscan against the userdb.internal host to find and add new entries, similar to step two in the Consumer/Client relation setup (see below).

User data rsync

The charm uses rsync over SSH to synchronize user data from a specified remote host to the local host. The key_file option, which defines the path to the private SSH key, is used in the rsync spec for SSH authentication; the SSH transport encrypts the data in motion.

SSH daemon reconfiguration

The charm reconfigures the SSH daemon of the Juju unit in the following ways:

Consumer/Client relation

Every unit provides a public SSH key to a user data producer (server) via the pub_key relation setting. The keypair generated during the setup and dependency installation step is used.

Additionally, when the relation is configured, the charm adds/updates the known SSH host keys of the unit in the /root/.ssh/known_hosts file. The process includes:

  • Removing the old host keys using ssh-keygen -R <hostname> -f /root/.ssh/known_hosts
  • Scanning for and adding new host keys using ssh-keyscan -t rsa <host1> <host2> ... >> /root/.ssh/known_hosts (see ssh-keyscan docs) against userdb.internal.
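The two-step known_hosts refresh above, as an added Python example that is not part of the charm's code. The charm delegates both steps to ssh-keygen -R and ssh-keyscan; here the removal step is reimplemented in Python (matching plain host names the way -R does, leaving hashed entries alone) so that the merge can be demonstrated offline with constructed scan output. The scan_host_keys helper wraps the real ssh-keyscan call and needs network access; the demo passes constructed lines instead.

```python
import subprocess
from pathlib import Path
from typing import List

KNOWN_HOSTS = Path("/root/.ssh/known_hosts")


def scan_host_keys(hosts: List[str], key_type: str = "rsa") -> List[str]:
    """Run `ssh-keyscan -t <key_type> <hosts...>` and return its stdout lines.

    ssh-keyscan prints one `host keytype base64` line per key on stdout and its
    chatter on stderr. An empty result means the scan failed; refuse to proceed
    rather than leave the unit with no trusted key for the host.
    """
    result = subprocess.run(
        ["ssh-keyscan", "-t", key_type, *hosts],
        capture_output=True, text=True,
    )
    lines = [line for line in result.stdout.splitlines() if line.strip()]
    if not lines:
        raise RuntimeError(f"ssh-keyscan returned no keys for {hosts}: {result.stderr.strip()}")
    return lines


def entry_matches(line: str, hosts: List[str]) -> bool:
    """True if a known_hosts line is a plain-name entry for any of `hosts`.

    Mirrors the name matching of `ssh-keygen -R`. Hashed (|1|...) entries cannot
    be matched by name without the salt and are left untouched here.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return False
    fields = stripped.split()
    names = fields[0]
    if names.startswith("@"):  # @cert-authority / @revoked marker precedes the names
        if len(fields) < 4:
            return False
        names = fields[1]
    elif len(fields) < 3:
        return False
    return any(host in names.split(",") for host in hosts)


def refresh_known_hosts(known_hosts: Path, hosts: List[str], scanned: List[str]) -> List[str]:
    """Drop stale entries for `hosts`, append the freshly scanned ones, rewrite the file.

    Only scanned lines that belong to the requested hosts are appended, so a
    stray line for another host cannot be smuggled into the trust store.
    """
    existing = known_hosts.read_text().splitlines() if known_hosts.exists() else []
    kept = [line for line in existing if not entry_matches(line, hosts)]
    fresh = [line.strip() for line in scanned if entry_matches(line, hosts)]
    merged = kept + fresh
    known_hosts.parent.mkdir(parents=True, exist_ok=True)
    known_hosts.write_text("".join(line + "\n" for line in merged))
    known_hosts.chmod(0o644)
    return merged


if __name__ == "__main__":
    import tempfile
    demo = Path(tempfile.mkdtemp()) / "known_hosts"
    demo.write_text("userdb.internal ssh-rsa AAAAB3STALE old-key\n")
    # constructed stand-in for scan_host_keys(["userdb.internal"]); not a real key
    fresh = ["userdb.internal ssh-rsa AAAAB3FRESH"]
    for line in refresh_known_hosts(demo, ["userdb.internal"], fresh):
        print(line)
```

Note that ssh-keyscan trusts whatever answers on the wire at scan time, so the scan is a trust-on-first-use step; the userdb-known-hosts config option exists precisely so an operator can pin the expected key instead.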

Producer/Client relation

The charm collects the SSH public keys of the consumer/client units from the relation data bag to set up the cron jobs for the rsync. Collected keys are then used to configure a custom /etc/ssh/user-authorized-keys/<user> file, which gives the specified user limited access to pull files via rsync. The configuration is done via a templated command override that prevents shell access and only allows rsync.
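What such a command override looks like in practice, as an added Python example (not the charm's template or code). It assumes a wrapper path of /usr/local/bin/rsync-only and a data root of /var/lib/userdir-ldap, neither of which the page names. restricted_entry builds the authorized_keys line from a consumer's pub_key relation value, allowed_rsync_command is the policy the wrapper would apply to $SSH_ORIGINAL_COMMAND (pull-only rsync, confined to the data root), and write_user_authorized_keys writes the per-user file with the 0o444 mode described on this page.

```python
import os
import shlex
from pathlib import Path
from typing import List, Optional

# Assumed values; the page names neither the wrapper path nor the data root.
RSYNC_WRAPPER = "/usr/local/bin/rsync-only"
DATA_ROOT = "/var/lib/userdir-ldap"
AUTHORIZED_KEYS_DIR = Path("/etc/ssh/user-authorized-keys")


def restricted_entry(pubkey_line: str, unit_name: str, wrapper: str = RSYNC_WRAPPER) -> str:
    """Turn a consumer unit's pub_key relation value into a forced-command entry.

    `restrict` (OpenSSH 7.2+) disables pty allocation, port/agent/X11 forwarding
    and ~/.ssh/rc; `command=` replaces whatever the client asked to run with the
    wrapper, which receives the original request in $SSH_ORIGINAL_COMMAND.
    The key comment is replaced by the unit name so the entry is traceable.
    """
    fields = pubkey_line.split()
    if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("expected an OpenSSH public key line")
    key_type, key_blob = fields[0], fields[1]
    return f'restrict,command="{wrapper}" {key_type} {key_blob} {unit_name}'


def allowed_rsync_command(original: Optional[str], data_root: str = DATA_ROOT) -> bool:
    """Policy the wrapper applies to $SSH_ORIGINAL_COMMAND: pull-only rsync under data_root.

    A pulling client makes the server side run `rsync --server --sender <flags> . <path>`.
    Anything else (a shell, a push without --sender, a path outside the root) is refused.
    """
    if not original:
        return False
    try:
        argv = shlex.split(original)
    except ValueError:  # unbalanced quotes
        return False
    if len(argv) < 5 or argv[:3] != ["rsync", "--server", "--sender"]:
        return False
    flags, dot, requested = argv[3:-2], argv[-2], argv[-1]
    if dot != "." or not all(f.startswith("-") for f in flags):
        return False
    if not os.path.isabs(requested):
        return False
    # normalise "..", then require the path to be the root itself or inside it
    target = Path(os.path.normpath(requested))
    root = Path(data_root)
    return target == root or root in target.parents


def write_user_authorized_keys(user: str, entries: List[str],
                               directory: Path = AUTHORIZED_KEYS_DIR) -> Path:
    """Write /etc/ssh/user-authorized-keys/<user> read-only (0o444).

    The charm runs as root, so the file is root-owned without an explicit chown.
    """
    directory.mkdir(parents=True, exist_ok=True)
    path = directory / user
    if path.exists():
        path.chmod(0o644)  # allow replacing a previous read-only copy
    path.write_text("".join(entry + "\n" for entry in entries))
    path.chmod(0o444)
    return path


if __name__ == "__main__":
    import tempfile
    # constructed relation value and client request, not real keys
    entry = restricted_entry("ssh-rsa AAAAB3NzaC1yc2EXAMPLE root@client", "userdir-ldap-client/0")
    print(entry)
    print(allowed_rsync_command("rsync --server --sender -vlogDtpre.iLsfxC . /var/lib/userdir-ldap/users"))
    print(write_user_authorized_keys("sync", [entry], Path(tempfile.mkdtemp())))
```

The wrapper must exec the real rsync only after this check passes; the forced command alone stops an interactive shell, but it is the argument validation that stops a consumer key from being used to read files outside the directory it was granted.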

Copy of authorized_keys

The charm copies each specified user’s authorized_keys file in the users-to-migrate charm config option to the /etc/ssh/user-authorized-keys directory of the unit with the permissions set to 0o444 and root ownership.