Bazaar

Merge lp:~nmb/bzr/admin-guide-security into lp:bzr

  1. admin-guide-security
  2. Merge into bzr.dev
Proposed by Neil Martinsen-Burrell
Status: Merged
Approved by: Martin Pool
Approved revision: not available
Merged at revision: not available
Proposed branch: lp:~nmb/bzr/admin-guide-security
Merge into: lp:bzr
Prerequisite: lp:~nmb/bzr/admin-guide-structure
Diff against target: 132 lines (+111/-0)
2 files modified
NEWS (+4/-0)
doc/en/admin-guide/security.txt (+107/-0)
To merge this branch: bzr merge lp:~nmb/bzr/admin-guide-security
Reviewer Review Type Date Requested Status
Martin Pool Approve
Review via email: mp+15850@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Neil Martinsen-Burrell (nmb) wrote :

This adds some discussion of authentication and access control to the Administrator's guide. It needs careful review since it makes representations about the security of Bazaar.

Revision history for this message
Martin Pool (mbp) wrote :

+in each user's ``~/.ssh/authorized_keys`` file, where `<type>` is the type of

just to make it clear I'd add "on the server" before the comma.

This should be mentioned in NEWS.

Otherwise good, thanks!

review: Approve
Revision history for this message
Max Bowsher (maxb) wrote :

Two thoughts:

1) Is it sensible to even mention the idea of using a single public/private keypair shared amongst all developers? Such a configuration would seem to be so very needlessly insecure that I would not even talk about it.

2) Where a line in authorized keys is mentioned, it is described as `ssh-<type> <key>` - I'm not sure it actually makes it clearer to try to decompose the key into parts. I'd imagine that the majority of users would consider the entire line, from ssh-rsa or ssh-dss onwards to be the key. (Also there's a possibility that some users might still be using v1 numeric keys, though they really shouldn't by now.) Another issue is that, for dsa keys, the 'type' you pass to ssh-keygen is "dsa" but the ID token in authorized_keys is "ssh-dss". Maybe something like:
    command="......" <normal-key-line>
would work?

Revision history for this message
Martin Pool (mbp) wrote :

2009/12/22 Max Bowsher <email address hidden>:
> Two thoughts:
>
> 1) Is it sensible to even mention the idea of using a single public/private keypair shared amongst all developers? Such a configuration would seem to be so very needlessly insecure that I would not even talk about it.

True.

--
Martin <http://launchpad.net/~mbp/>

Revision history for this message
Neil Martinsen-Burrell (nmb) wrote :

Changed in the branch. Thanks for the comments.

Revision history for this message
David Strauss (davidstrauss) wrote :

It's possible for the same key to be used for multiple usernames, too, as another workaround to the single-branch restriction.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'NEWS'
--- NEWS 2009-12-21 17:25:06 +0000
+++ NEWS 2009-12-22 04:58:17 +0000
@@ -42,6 +42,10 @@
42Documentation42Documentation
43*************43*************
4444
45* There is a System Administrator's Guide in ``doc/en/admin-guide``,
46 including discussions of installation, relevant plugins, security and
47 backup.
48
45API Changes49API Changes
46***********50***********
4751
4852
=== modified file 'doc/en/admin-guide/security.txt'
--- doc/en/admin-guide/security.txt 2009-12-07 18:12:21 +0000
+++ doc/en/admin-guide/security.txt 2009-12-22 04:58:17 +0000
@@ -4,6 +4,113 @@
4Authentication4Authentication
5--------------5--------------
66
7Bazaar's philosophy on authentication is that it is best to reuse existing
8authentication technologies, rather than trying to reinvent potentially
9complicated methods for securely identifying users. As such, we describe two
10such uses of existing software for authentication purposes.
11
12Using SSH
13~~~~~~~~~
14
15SSH is a very well tested and featureful technology for authenticating users.
16For situations where all of the developers have local accounts on the server,
17it is trivial to provide secure, authenticated ``bzr+ssh://`` access. One
18concern with this method is that it may not be desirable to grant shell access
19to developers on the server machine. In this case, Bazaar provides
20``bzr_ssh_path_limiter``, a script that runs the Bazaar smart server on the
21server machine at a specified path, and allows no other access.
22
23To set it up, specify::
24
25 command="/path/to/bzr_ssh_path_limiter <path>" <typical key line>
26
27in each user's ``~/.ssh/authorized_keys`` file on the server, where `<path>` is
28the path to limit access to (and its subdirectories). For more documentation
29on the syntax of the ``authorized_keys`` file see the documentation of the SSH
30server. This will only permit Bazaar access to the specified path and no other
31SSH access for that user.
32
33If it isn't desired to give each user an account on the server, multiple
34private/public key pairs can be included under one single SSH account (say
35sshuser) in the ``~sshuser/.ssh/authorized_keys`` file and then each developer
36can be given their own private key. They can then use
37``bzr+ssh://sshuser@server.example.com/`` URLs to access the server.
38
39Using HTTP authentication methods
40~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41
7Access Control42Access Control
8--------------43--------------
944
45Many projects need fine-grained access control on who may read and write to
46which branches. Incorporating these controls into OS-level user accounts
47using groups and filesystem permissions can be difficult or even not permitted
48in some instances. Bazaar provides a script called ``bzr_access`` that can be
49used to provide access control based on usernames, with authentication
50performed by SSH. To do so, we need to set up private-key authentication in
51SSH. This can be done using a single SSH user on the server, or one account
52per user. The idea is to use the SSH's ``authorized_keys`` file to specify
53the ``bzr_access`` script as the only command that can be run by a user
54identified by a particular key pair.
55
56First, you will need to generate a private/public key pair for each user who
57will be accessing the repository. The private key should be distributed to
58the user and the public key will be needed on the server to identify the user.
59On the server, in the SSH user's ``~/.ssh/authorized_keys`` file, use the
60following line for each repository user and the corresponding public key::
61
62 command="/path/to/bzr_access /path/to/bzr /path/to/repository <username>",no- port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-<type> <key>
63
64where `<key>` is the (possibly very long) public key, `<type>` is the type of
65SSH key and `<username>` is the username to associate with that public key.
66
67The ``bzr_access`` script obtains its configuration information from the file
68``/path/to/repository/bzr_access.conf``. This file should not be placed under
69version control in a branch located at ``/path/to/repository`` since that
70would allow anyone with access to the repository to change the access control
71rules. The ``bzr_access.conf`` file is in a simple INI-style format with
72sections defined by ``[groups]`` and ``[/]``. The options in the ``[groups]``
73section are the names of groups and the values of those options should be the
74usernames in that group. Inside the ``[/]`` section, the options are
75usernames or group names (prefixed with ``@``) and the values are either
76``rw``, ``r`` or nothing, representing read-write access, read-only access or
77no access at all. A sample of ``bzr_access.conf`` could be::
78
79 [groups]
80 admins = alpha
81 devels = beta, gamma, delta
82
83 [/]
84 @admins = rw
85 @devels = r
86 upsilon =
87
88where the user whose key is associated with `alpha` would have read-write
89access, the users `beta`, `gamma` and `delta` would have read-only access and
90user `upsilon` would not be able to access any branches under
91``/path/to/repository``.
92
93Additional Considerations with ``bzr_access``
94~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
95
96As currently written, ``bzr_access`` only allows each public key to be
97associated with a single repository location. This means that if developers
98need to access two or more different repositories, then each developer will
99need to have two or more private keys for SSH and be able to select between
100them (see ``man ssh`` for more information on configuring multiple private
101keys).
102
103Also, each repository can only have a single configuration file, with access
104configured for all branches in the repository. This means that if different
105access rules are needed for different projects, then those projects must be in
106different repositories. This then necessitates the use of multiple private
107keys as just described.
108
109Finally, as noted above under `Using SSH`_ all of the public keys may be
110included in the ``authorized_keys`` file of a single user on the server. It
111is also possible to use a single private/public key pair for all of the
112developers, but this only allows a single username for access control to the
113repository (since the username is associated with the public key in
114``authorized_keys``. While this is certainly possible it seems to defeat the
115purpose of fine-grained access control, although it does provide the same
116limited SSH access as that described above.