9. Advanced Topics

9.1 Encrypted Data Transfer with SSL

Sharity can be compiled with SSL (Secure Socket Layer) support. Sharity with SSL support is different from a normal Sharity run through an SSL converter: server and client can automatically negotiate SSL mode. This mode of operation is currently supported by Samba and by SSL Proxy (available from our web site), which can transform any CIFS server into an SSL CIFS server.

In this section, we assume that you are familiar with the basics of cryptography. If you don't know what the words "encryption", "digital signature" and "RSA" mean, please read one of the introductions available. A good starting point might be parts 6 and 7 of the cryptography FAQ, which is posted to the usenet newsgroup sci.crypt. It is also available from ftp://rtfm.mit.edu/pub/usenet/news.answers/cryptography-faq or http://www.cis.ohio-state.edu/hypertext/faq/usenet/cryptography-faq

What is SSL and SSLeay/OpenSSL?

SSLeay is a free implementation of the SSL protocol. It is available from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/. SSLeay has been superseded by OpenSSL. The home of OpenSSL is http://www.openssl.org/. Encryption is plagued by legal problems of all kinds. For a discussion of these problems please read the documentation of SSLeay, which is available at http://www.psy.uq.edu.au/~ftp/Crypto/

To compile Sharity with SSL support, you must first compile and install SSLeay or OpenSSL (we will use the name OpenSSL in the rest of the text; you may substitute SSLeay if you like). OpenSSL consists of a library (which can be linked to other applications like Sharity and Samba) and several utility programs needed for key generation, certification etc. The current version of Sharity has been tested with OpenSSL version 0.9.0. It should work with 0.8.x, too, although it may require some fine-tuning.

Compiling Sharity with OpenSSL
About Certificates

There has always been some confusion about the significance of certificates. In fact, there is no general answer to this question. The CA confirms something by signing the certificate, but the subject of this confirmation can be freely chosen by the CA itself. There might be a CA that signs everything it gets; you had better not add this CA to your list of trusted CAs, of course. Most CAs on the web simply attest that the given public key belongs to the given domain name. Company-wide CAs might attest that you are an employee of the company, that you have permission to use a server, or whatever. For a secure CIFS server you will most probably not want to get certificates from a well-known CA. For the typical application of a distributed office you will want to operate a company-wide CA yourself. This company-wide CA can have its own policy for signing certificates. The policy "All our servers and all our clients will get a certificate and no one else" is probably a good idea.

Setting up OpenSSL

The first thing you should do is to change your PATH environment variable to include the bin directory of OpenSSL. E.g.:

    PATH=$PATH:/usr/local/ssl/bin

Then you should set up OpenSSL's random number generator. The state of this random number generator is held in the file ".rnd" in your home directory. To set a reasonable random seed, you need random data. Create a random file with

    cat >/tmp/rfile.txt

Then type random keys on your keyboard for about one minute. Then type the EOF character (^D) to terminate input. You may also use your favorite editor to create the random file, of course. Now you can create a dummy key to initialize the random number generator:

    openssl genrsa -rand /tmp/rfile.txt > /dev/null
    rm -f /tmp/rfile.txt

Don't forget to delete the file "/tmp/rfile.txt". It's more or less equivalent to your private key!

How to create a Keypair

    openssl genrsa -des3 512 > key.pem

You will be asked for a pass phrase to protect this key.
If you don't want to protect your private key with a pass phrase, just omit the parameter "-des3". If you want a different key size, replace the parameter "512". You really should use a pass phrase. If you want to remove the pass phrase from a key, use:

    openssl rsa -in key.pem -out newkey.pem

And to add or change a pass phrase:

    openssl rsa -des3 -in key.pem -out newkey.pem

How to create a Dummy Certificate

If you still have your keypair in the file "key.pem", the command

    openssl req -new -x509 -key key.pem -out cert.pem

will write a self-signed dummy certificate to the file "cert.pem". Please bear in mind that encryption without authentication (certification) can never be secure. It's open to (at least) "man-in-the-middle" attacks.

How to create a Certificate Signing Request

    openssl req -new -key key.pem -out csr.pem

This command will ask you for the information which must be included in the certificate and will write the signing request to the file "csr.pem". This signing request is all the CA needs for signing, at least technically. Most CAs will demand bureaucratic material and money, too.

How to set up a Certification Authority

    CATOP=/usr/local/ssl/CA
    CAKEY=./cakey.pem    # relative to $CATOP/private/
    CACERT=./cacert.pem  # relative to $CATOP/

Then create the directory "/usr/local/ssl/CA" and make it writable for the user that operates the CA. You should also initialize OpenSSL as CA user (set up the random number generator). Now you should call the shell script "CA.sh" to set up the initial database:

    CA.sh -newca

This command will ask you whether you want to use an existing certificate or create one. Just press enter to create a new key pair and certificate. You will be asked the usual questions for certificates: the country, state, city, "Common Name", etc. Enter the appropriate values for the CA. When "CA.sh" finishes, it has set up a bunch of directories and files. A CA must publish its certificate, which is in the file "/usr/local/ssl/CA/cacert.pem".
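The whole company-wide CA workflow run end to end, as an added example that is not from the manual: it creates a CA, issues a server certificate from a signing request, installs the CA certificate under its hashed name (the step described in the following sections) and then checks from the client's side that only the CA-signed certificate is accepted. It assumes the openssl tool is on PATH, uses placeholder names in a temporary directory, and signs with "openssl x509 -req" instead of the CA.sh database.

```shell
#!/bin/sh
# Added example, not from the Sharity manual: builds a throwaway company-wide CA in a
# temporary directory, issues a server certificate, installs the CA certificate under
# its hashed name and checks both from the client's side. Assumes the openssl tool is
# on PATH; signs with "openssl x509 -req" instead of the CA.sh/"openssl ca" database.

sharity_ca_demo() {
    work=$(mktemp -d)
    certs="$work/certs"                  # stands in for /usr/local/ssl/certs
    mkdir -p "$certs"

    # 1. CA key pair and self-signed CA certificate (what "CA.sh -newca" produces).
    openssl genrsa -out "$work/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$work/cakey.pem" -out "$work/cacert.pem" \
        -days 365 -subj "/CN=myCA" 2>/dev/null

    # 2. Server key pair and certificate signing request (no pass phrase, for scripting).
    openssl genrsa -out "$work/key.pem" 2048 2>/dev/null
    openssl req -new -key "$work/key.pem" -out "$work/csr.pem" \
        -subj "/CN=cifs-server.example" 2>/dev/null

    # 3. Sign the request with the CA key; valid for 365 days as in the manual.
    openssl x509 -req -in "$work/csr.pem" -CA "$work/cacert.pem" -CAkey "$work/cakey.pem" \
        -CAcreateserial -days 365 -out "$work/cert.pem" 2>/dev/null

    # 4. Install the CA certificate under its hashed name (the "ln -s" step of the manual).
    cp "$work/cacert.pem" "$certs/myCA.pem"
    hash=$(openssl x509 -noout -hash < "$certs/myCA.pem")
    ln -s myCA.pem "$certs/$hash.0"

    # 5. A self-signed "dummy" certificate carrying the same server name: the case the
    #    dummy-certificate section warns about, encrypted but not authenticated.
    openssl req -new -x509 -key "$work/key.pem" -out "$work/dummy.pem" \
        -days 365 -subj "/CN=cifs-server.example" 2>/dev/null

    # A client that trusts only the certs directory accepts the first, rejects the second.
    verdict="signed=$(openssl verify -CApath "$certs" "$work/cert.pem" >/dev/null 2>&1 \
        && echo accepted || echo rejected)"
    verdict="$verdict dummy=$(openssl verify -CApath "$certs" "$work/dummy.pem" >/dev/null 2>&1 \
        && echo accepted || echo rejected)"
    rm -rf "$work"
    echo "$verdict"                      # prints: signed=accepted dummy=rejected
}

sharity_ca_demo
```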
How to sign a Certificate Signing Request

    openssl ca -policy policy_anything -days 365 -infiles csr.pem > cert.pem

The resulting certificate (and additional information) will be in "cert.pem". If you want the certificate to be valid for a period different from 365 days, simply change the "-days" parameter.

How to install a new CA Certificate

The client must know the directory of the CA database. This can be configured. There may also be a configuration option to set up a CA database file which contains all CA certs in one file. Let's assume that the CA database is kept in the directory "/usr/local/ssl/certs". The following example assumes that the CA's certificate is in the file "cacert.pem" and the CA is known as "myCA". To install the certificate, do the following:

    cp cacert.pem /usr/local/ssl/certs/myCA.pem
    cd /usr/local/ssl/certs
    ln -s myCA.pem `openssl x509 -noout -hash < myCA.pem`.0

The last command creates a link from the hashed name to the real file. From now on all certificates signed by the "myCA" authority will be accepted by clients that use the directory "/usr/local/ssl/certs/" as their CA certificate database.

9.2 The Configuration File

Sharity's configuration is governed by two configuration files: sharity.cfg and cfgdb.ppl. The name and path of the first one can be given on the daemon's command line; the name and path of the second is configured in sharity.cfg. These two files are hierarchical in most parts: settings in cfgdb.ppl can override the defaults in sharity.cfg (except for some very basic settings in the main section). sharity.cfg contains the factory defaults and cfgdb.ppl contains the configurations you make from the GUI application.

Both configuration files are parsed when the daemon starts and when a HUP signal is sent to the daemon. You can therefore edit the configuration and make the changes effective without restarting the daemon. Please note that not all configuration changes can take effect immediately.
Many options are read into internal variables when they are used. Much of the server configuration, for instance, is transferred into internal structures when a connection to the server is opened. Therefore, if a change to the server configuration is to become active, you should first unmount all shares and log out all users from that server.

General Structure
Remarks can be written in three forms:

    /* remark */

as in C,

    // remark to end of line

as in C++ or Objective-C, and

    # remark to end of line

as in shell scripts.

Strings are sequences of alphanumeric characters, including the underscore. If a string is to consist of other characters like spaces, it must be quoted in double quotes. Within double quotes, the same escape sequences as in C strings can be used. There is no separate syntax for numeric arguments. Since numbers are read as strings and converted when they are used, you must quote negative numbers because they begin with a minus sign.

Arrays are ordered lists of other properties. An array is delimited by parentheses and the properties constituting the array may be separated by commas. The following example is an array consisting of several string elements:

    (1, 2, 3, hello, "how are you")

Dictionaries are unordered lists of named properties. They are delimited by curly braces. Each dictionary entry consists of a left-hand side (key), which must be a string, an equal sign and a right-hand side (value), which may be any property. Entries may be separated by semicolons. The following is an example of a dictionary consisting of three entries named "property1" to "property3", where the first one has a string value, the second an array value and the third a dictionary value:

    {
        property1 = "value of property1";
        property2 = (value, of, property2);
        property3 = {
            firstWord = value;
            secondWord = of;
            thirdWord = property3;
        };
    }

The configuration file itself is a dictionary (the surrounding curly braces are optional because other properties are not allowed). By convention, the top-level keys are related to modules. Each module should have only one key at the top level, which is a dictionary containing the module's configuration. Properties that have been parsed as strings may be interpreted in one of the following ways:
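A parser for the general structure described in this section, as an added example that is not Sharity's own code: it accepts the three remark styles, bare and double-quoted strings (with C escapes), arrays with optional commas, dictionaries with optional semicolons and the optional top-level braces, and returns Python lists, dicts and strings. The function name parse_config and the error messages are this example's own; numbers are kept as strings, as the section says.

```python
import re   # Added example, not Sharity's own parser: reads the syntax described above

_TOKEN = re.compile(r'''\s+|/\*.*?\*/|//[^\n]*|\#[^\n]*  # whitespace and the 3 remark styles
  |(?P<quoted>"(?:\\.|[^"\\])*")                          # quoted string with C escapes
  |(?P<bare>\w+)                                          # alphanumerics and underscore
  |(?P<punct>[(){}=;,])''', re.VERBOSE | re.DOTALL)

def _tokenize(text):
    out, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise SyntaxError("unexpected character at offset %d" % pos)
        pos = m.end()
        if m.lastgroup:                         # remarks and whitespace are dropped
            out.append((m.lastgroup, m.group(m.lastgroup)))
    return out + [("eof", "")]

def _value(toks, i):
    kind, val = toks[i]
    if kind in ("bare", "quoted"):              # numbers stay strings, as in Sharity
        return (val if kind == "bare" else      # quoted: unescape like a C string
                val[1:-1].encode("latin-1").decode("unicode_escape")), i + 1
    if (kind, val) == ("punct", "("):           # array; commas are optional
        items, i = [], i + 1
        while toks[i] != ("punct", ")"):
            item, i = _value(toks, i)
            items.append(item)
            i += toks[i] == ("punct", ",")
        return items, i + 1
    if (kind, val) == ("punct", "{"):           # dictionary
        entries, i = _dict(toks, i + 1, ("punct", "}"))
        return entries, i + 1
    raise SyntaxError("unexpected token %r" % val)

def _dict(toks, i, closer):
    entries = {}
    while toks[i] != closer:
        if toks[i][0] not in ("bare", "quoted") or toks[i + 1] != ("punct", "="):
            raise SyntaxError("expected 'key = value' at token %d" % i)
        key, _ = _value(toks, i)
        entries[key], i = _value(toks, i + 2)
        i += toks[i] == ("punct", ";")          # semicolons are optional
    return entries, i

def parse_config(text):                         # top-level braces are optional
    toks = _tokenize(text)
    result, i = _value(toks, 0) if toks[0] == ("punct", "{") else _dict(toks, 0, ("eof", ""))
    if toks[i] != ("eof", ""):
        raise SyntaxError("trailing data after the top-level dictionary")
    return result
```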
Configuration Variables

9.3 Sharity as a Framework for Virtual Filesystems

As already mentioned, Sharity 2 is more than just a CIFS client. It's also a framework for mapping arbitrary data into the filesystem by arbitrary means. There's a frontend, which implements the actual connection to the filesystem, and a backend, which provides the data that's mapped. Frontends and backends can be loadable modules. For more information, please see the developer documentation at source/doc/developer/.
Sharity Manual 2.9 Beta 7 | Copyright (C) 2004 OBJECTIVE DEVELOPMENT Software GmbH | http://www.obdev.at/