From: Dan Mick
Date: Wed, 18 Dec 2024 21:44:51 +0000 (-0800)
Subject: Initial version of tarball as it is on download.ceph.com today
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=7ab5e17a8f989479675dfb53faed9b65e8a19876;p=ceph-cm-ansible.git

Initial version of tarball as it is on download.ceph.com today

Signed-off-by: Dan Mick
---

diff --git a/tools/openvpn/maketar.sh b/tools/openvpn/maketar.sh
new file mode 100755
index 0000000..113e37e
--- /dev/null
+++ b/tools/openvpn/maketar.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+#
+# make a tarball for distribution of this configuration and
+# secret generator
+#
+tar cfz sepia-vpn-client.tar.gz sepia/ca.crt sepia/client.conf sepia/new-client sepia/tlsauth
diff --git a/tools/openvpn/sepia/ca.crt b/tools/openvpn/sepia/ca.crt
new file mode 100644
index 0000000..54cb98d
--- /dev/null
+++ b/tools/openvpn/sepia/ca.crt
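Review bot: The tarball bundles `sepia/tlsauth`, the static tls-auth key shared by every client, and the commit message says this exact archive is what download.ceph.com serves — so the key is effectively public and `tls-auth` only deters port scans and unauthenticated TLS handshakes rather than a determined attacker; the script should state that and make the exclusion of per-client material explicit, since the file list is the only thing keeping `sepia/secret` out. Suggested header comment above the `tar` line: `# NOTE: sepia/tlsauth is a shared key and is public once this tarball is published; it only hardens the server against scans/unauthenticated handshakes. Never add sepia/secret or other per-client files here.` Listing the members explicitly (rather than `sepia/`) is the right choice and worth keeping.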
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUOAVvdnT5AeNHmQVerBNGyBipF+0wDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPb3BlbnZwbmNhLXNlcGlhMB4XDTI0MTIwMjE3MTc1MloX
+DTM0MTEzMDE3MTc1MlowGjEYMBYGA1UEAwwPb3BlbnZwbmNhLXNlcGlhMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApPbQdUr74nVphtcdV9VhJs1cgKGq
+iZNBRdVxW92JurMJuIJXSiBwGochYTs4NQprlD5jYStnpzoe7c1HsFKwVEY3xSmT
+h7wdj0JIRgAdspG2XxxSU63k2t4Ezm6z7W7jnRvXjNhD55AMpxHAQpS0YhpxTm95
+SJDlk7gCmdIN087ioTYW8Fh+NI/ASjz5m3XWjsF/mTOHLYmlRL4bSWLwpKXuxpPW
+YVeScyDC6olc0MOfNKihxY3Q4IJiLcBPXQhGp3pnKCSut+f+nHu+sSLssliuvGBh
+6rn5c/5TceGbVvK1BX53F5Znx/AGC7XEEXKddUQbZDVN8pg1VygKt8tDIQIDAQAB
+o4GUMIGRMB0GA1UdDgQWBBSCoc5pUrxKfAoguqWqY25PhYuYrjBVBgNVHSMETjBM
+gBSCoc5pUrxKfAoguqWqY25PhYuYrqEepBwwGjEYMBYGA1UEAwwPb3BlbnZwbmNh
+LXNlcGlhghQ4BW92dPkB40eZBV6sE0bIGKkX7TAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIPJAeutTT6llsHQcC8CUPxSGe98l
+IPGHFX3AE9tRU1C2jfsidovNnxfpYksctjVcv3Zo6UbY6w83+UXciu4uusfjgJ/X
+dc5na7J+PCNcgNY34fsFmX4yQNF7ffTEUAS91FJ2bXs+Ob/dIQvZ0ZJopLia4C0m
+IT0DJfQV6Xx+R+mQ+MB1c2bmW17C88PCOygTUyn8ssrUkttkrf9xebp2TqyggdSH
+myw4nD/iQz+l7lwmDitEJY6cyLBDihhpKEyeCcIMp2+ytEsqaCKOASvjKnG24O19
+N0+ctqX/JPZzCEEpYhlFtZEFKjnYV7DiGvC6GiGZAMWNB3oY2bm+Gf2mNQ==
+-----END CERTIFICATE-----
diff --git a/tools/openvpn/sepia/client.conf b/tools/openvpn/sepia/client.conf
new file mode 100644
index 0000000..c51ace0
--- /dev/null
+++ b/tools/openvpn/sepia/client.conf
@@ -0,0 +1,18 @@
+script-security 1
+client
+remote vpn.sepia.ceph.com 1194
+dev tun
+remote-random
+resolv-retry infinite
+nobind
+user nobody
+group nogroup
+persist-tun
+persist-key
+comp-lzo
+verb 2
+mute 10
+remote-cert-tls server
+tls-auth sepia/tlsauth 1
+ca sepia/ca.crt
+auth-user-pass sepia/secret
diff --git a/tools/openvpn/sepia/new-client b/tools/openvpn/sepia/new-client
new file mode 100755
index 0000000..9a48188
--- /dev/null
+++ b/tools/openvpn/sepia/new-client
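Review bot: `comp-lzo` turns on link compression, which lets an attacker who can inject known plaintext into the tunnel (e.g. via a web page the user loads) infer secrets from the compressed size — the VORACLE class of attacks — and OpenVPN has deprecated `comp-lzo` since 2.4, with recent releases warning about it and phasing compression out. Unless the server insists on it, delete the `comp-lzo` line; if the server still pushes compression, `comp-lzo no` keeps framing compatibility without actually compressing. Nothing else in this profile sets a protocol floor, so adding `tls-version-min 1.2` next to `remote-cert-tls server` would be cheap hardening, provided the server side is confirmed to accept it before the tarball ships.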
@@ -0,0 +1,65 @@
+#!/usr/bin/python3
+
+# How to set up a client (on Ubuntu/Debian):
+#
+# sudo apt-get install openvpn
+# cd /etc/openvpn
+# sudo tar xvzf ~/sepia-vpn-client.tar.gz
+# sudo ./sepia/new-client MYUSERNAME@MYHOST
+#
+# ... submit the secret to admin and wait for acknowledgment ...
+#
+# sudo service openvpn start sepia
+
+import base64
+import hashlib
+import os
+import re
+import sys
+
+path = os.path.dirname(sys.argv[0])
+os.chdir(path)
+
+try:
+ (user,) = sys.argv[1:]
+except ValueError:
+ raise SystemExit('Usage: new-client USERNAME@HOST')
+
+# From openvpn(8):
+#
+# To protect against a client passing a maliciously formed username or
+# password string, the username string must consist only of these
+# characters: alphanumeric, underbar ('_'), dash ('-'), dot ('.'), or
+# at ('@'). The password string can consist of any printable
+# characters except for CR or LF. Any illegal characters in either the
+# username or password string will be converted to underbar ('_').
+#
+# Verifying this here to avoid confusion down the road.
+if not re.match(r'^[a-zA-Z0-9_.@-]+$', user):
+ raise SystemExit('new-client: Invalid characters in username')
+
+salt = base64.b64encode(os.urandom(16)).rstrip(b'=')
+secret = base64.b64encode(os.urandom(64)).rstrip(b'=')
+
+inner = hashlib.new('sha256')
+inner.update(salt)
+inner.update(secret)
+outer = hashlib.new('sha256')
+outer.update(inner.digest())
+outer.update(salt)
+hashed = outer.hexdigest()
+
+with open('secret', 'wb') as f:
+ os.fchmod(f.fileno(), 0o600)
+ f.write('{user}\n{secret}\n'.format(user=user, secret=secret.decode()).encode('utf-8'))
+
+base = os.path.basename(path)
+os.symlink(os.path.join(base, 'client.conf'), '../sepia.conf')
+
+sys.stdout.write(
+ "\n!!!!! DO NOT RUN THIS SCRIPT MORE THAN ONCE !!!!!\n\nPlease paste the following line in your Sepia Lab Access Request tracker ticket:\n\n")
+sys.stdout.write("{user} {salt} {hashed}\n\n".format(
+ user=user,
+ salt=salt.decode('utf-8'),
+ hashed=hashed,
+))
diff --git a/tools/openvpn/sepia/tlsauth b/tools/openvpn/sepia/tlsauth
new file mode 100644
index 0000000..bc0af9c
--- /dev/null
+++ b/tools/openvpn/sepia/tlsauth
@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+45839625d348b4d5c0af603d94110313
+9d6960d0b3c3b22365f0e5ded5281664
+3473d1ece7bfc8fcb990232886aec346
+db726c28f8f6423648a7274d975abd1a
+587953b38323cf13b763724d5c8e2b77
+b6a9d12ca751d8e3de0e56be37300855
+e6864c047148a30cb0b7d87fbd7f5f80
+d19c05a808ba1b48e9a8139051b63e47
+02ab07478c34d75f77d16ecafcaae81c
+303c64f334e73d9b6ba71d2397941402
+51bbd5ab903e89a85cf05ae1158e6258
+d39b9f9e9a3b00cd96d6b6c8a3b93bf1
+9fd3fab9ce8513a525a55feb731ca46c
+185555b2771351422b703b2c3ecbc809
+05cf68e6fd95226c5a45adc01e7645e6
+aaadeb236c0f44fb42c01decd819e849
+-----END OpenVPN Static key V1-----
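Review bot: The `DO NOT RUN THIS SCRIPT MORE THAN ONCE` banner is not enforced by the code: `open('secret', 'wb')` silently overwrites an existing secret, and only afterwards does `os.symlink(...)` fail with FileExistsError, so a second run destroys the secret the admin already registered and then crashes. Creating the file exclusively fixes that and also closes the short window in which `open()` creates the file with umask permissions before `os.fchmod` runs: `fd = os.open('secret', os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` followed by `with os.fdopen(fd, 'wb') as f:` (the `os.fchmod` line then goes away), with a clear `SystemExit` on FileExistsError replacing the banner as the real guard. Separately, `os.chdir(os.path.dirname(sys.argv[0]))` raises FileNotFoundError when the script is run by bare name (dirname is empty); `os.path.dirname(os.path.abspath(sys.argv[0]))` keeps the documented `./sepia/new-client` invocation working while covering that case, though the symlink target computed from `base` should be checked with an absolute invocation too.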