elebihan/ostiarius

Ostiarius - Simple centralized command execution management

This is a simple client/server system where the client asks a server for authorization to execute a command, by submitting a challenge through a REST API. If the challenge succeeds, the client can execute the command.

It is meant to run on machines without physical access.

The why and the therefore

In such a system, where the client requests data from a server, the authenticity of each party must be ensured; otherwise the system is vulnerable to man-in-the-middle attacks. Ensuring the confidentiality of the data would also prevent an attacker from snooping on it.

So one could think of using HTTPS with mutual authentication between client and server, which ensures both authenticity and confidentiality.

However, Ostiarius does not use HTTPS, for the following reason:

  • it is written in Rust and uses secrets stored on PKCS#11 tokens; unfortunately, Rust TLS stacks (such as rustls) do not support this (yet).

So, to ensure authenticity, Ostiarius uses the exchange of an RSA-encrypted random secret:

  • client generates the challenge (a random number).
  • client encrypts the challenge with the server public key.
  • client sends the encrypted challenge to the server.
  • server decrypts the encrypted challenge with its private key.
  • server encrypts the challenge with the client public key.
  • server sends the encrypted challenge to the client.
  • client decrypts the encrypted challenge with its private key.

The client only proceeds if the random number decrypted in the response matches the one sent in the request.

This relies on the secrecy of the private keys, which should be stored on PKCS#11 tokens for maximum security.
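The seven steps above, carried through end to end as an added example that is not the project's code: it is written in Go with the standard library (rather than Rust with PKCS#11-held keys) so that it runs offline, and OAEP padding with SHA-256, the type names and the method names are assumptions. The server looks the client up by name, as authorizations.toml is keyed, and the client proceeds only when the decrypted answer equals its challenge.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Client side: its own private key plus the server public key (server.pubkey.pem).
type Client struct {
	Name      string
	Priv      *rsa.PrivateKey
	ServerPub *rsa.PublicKey
}

// Server side: its own private key plus the public key of every listed client, by name.
type Server struct {
	Priv    *rsa.PrivateKey
	Clients map[string]*rsa.PublicKey
}

// Steps 1-3: draw a random challenge and encrypt it to the server public key.
func (c *Client) MakeRequest() (challenge, encrypted []byte, err error) {
	challenge = make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, c.ServerPub, challenge, nil)
	return challenge, encrypted, err
}

// Steps 4-6: decrypt the challenge, look the client up, re-encrypt to that client's key.
func (s *Server) Answer(name string, encrypted []byte) ([]byte, error) {
	challenge, err := rsa.DecryptOAEP(sha256.New(), nil, s.Priv, encrypted, nil)
	if err != nil {
		return nil, err
	}
	pub, ok := s.Clients[name]
	if !ok {
		return nil, errors.New("client not in authorizations list")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, challenge, nil)
}

// Step 7: the client runs the command only if the decrypted answer equals its challenge.
func (c *Client) Verify(challenge, answer []byte) bool {
	got, err := rsa.DecryptOAEP(sha256.New(), nil, c.Priv, answer, nil)
	return err == nil && subtle.ConstantTimeCompare(got, challenge) == 1
}
```

A server that does not hold the real private key cannot decrypt the request, and a party that does not hold the listed client key cannot read the answer, which is the authenticity property the text relies on.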

Building instructions

This project is written in Rust, so you'll need to install a Rust toolchain to build it.

Client and server can easily be built using:

cargo build --release

Cross-compiling the client and server for different architectures can be done using cross. For example, to compile the client for an ARM target and the server for MS Windows, execute:

cross build --target x86_64-pc-windows-gnu -p ostiarius-server
cross build --target arm-unknown-linux-musleabi -p ostiarius-client

Keys and authorizations list

To run, the server needs:

  • an RSA-4096 private key (server.privkey.pem)
  • a TOML-formatted file (authorizations.toml) listing the authorized clients, each with its RSA-4096 public key and the commands it may run. For example:
[[clients]]
name = "Client 1"
pub_key = """
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
"""
commands = ["date"]
# ...

To run, the client needs:

  • an RSA-4096 private key (client.privkey.pem)
  • the server RSA-4096 public key (server.pubkey.pem)

All the keys can be generated using:

openssl genrsa -aes256 -out server.privkey.pem 4096
openssl rsa -in server.privkey.pem -pubout -out server.pubkey.pem
openssl genrsa -out client.privkey.pem 4096
openssl rsa -in client.privkey.pem -pubout -out client.pubkey.pem

Do not forget to store the password of the private key somewhere safe, as it will be used when running the programs.

Usage example

Start the server on a PC with address 192.168.1.10, listening on port 3000:

ostiarius-server --address 192.168.1.10 --port 3000

Start the client named "Client 1" to ask for authorization to execute ls /etc:

ostiarius-client --name "Client 1" http://192.168.1.10:3000 'ls /etc'

The server can also use a private key stored in a PKCS#11 token. See ostiarius-server/README.md for details.

License

Copyright (c) 2022 Eric Le Bihan

This program is distributed under the terms of the MIT License.

See the LICENSE file for license details.
