securing the admin interface

nk4um User
Posts: 31
July 3, 2007 19:14
that's it :-)
hi randy,

great work! i didn't have to change anything and i'm very glad that the admin is secured now without me having to configure firewalls and setting up ssh-tunnels. just one minor glitch: the closing comment from the Loggers section is missing.

for the record: the command to generate the password and put it in a file named htpasswd is
htpasswd -c htpasswd [username]

something else, btw: a cold restart through the console doesn't free the ports on mac os x. i had to close the terminal window.

thanks a lot, you really saved my day!
thomas
nk4um Administrator
Posts: 158
July 3, 2007 17:19
HTTP Auth working
Thomas,

I have an example of HTTP authentication working now.

I'll give you my details and I think you can adapt them to your configuration.

I set up a new directory /Users/NetKernel/tmpres/ and in that I put two files. The first is htaccess:
AuthType Basic
AuthName "Monitor Admin"
AuthUserFile /Users/NetKernel/tmpres/htpasswd
<Limit GET>
satisfy all
require valid-user
</Limit>


the other is htpasswd, created with the htpasswd utility program.

Here is my TransportJettyConfig.xml file (with some edits):

<httpConfig>
   <!--
   *****************
   Jetty HTTP Server
   *****************
   -->
   <Configure class="org.mortbay.jetty.Server">
      
      <!--
      ***********
      Add Listeners
      ***********
      -->
      <!--Start addlisteners-->
      
      <!-- Make this 8082 so that it does not conflict with a standard installation -->
      <Call name="addListener">
         <Arg>
            <!--<New class="org.mortbay.http.SocketListener"> -->
              <New class="org.mortbay.http.SunJsseListener">
               <Set name="Port">8082</Set>
               <Set name="MinThreads">5</Set>
               <Set name="MaxThreads">50</Set>
               <Set name="MaxIdleTimeMs">30000</Set>
               <Set name="LowResourcePersistTimeMs">5000</Set>
               <Set name="Keystore">/Users/NetKernel/keystore/keystore</Set>
            </New>
         </Arg>
      </Call>      
      <!--End addlisteners-->
      
      <!--
      ************
      Add Server Contexts
      ************
      -->
      <!--Default context at root / -->
      <Call name="addContext">
         <Arg>
            <New class="org.mortbay.http.HttpContext">
               <!-- Set context Path to default of root '/' -->
               <Set name="ContextPath">/</Set>
               <Set name="ResourceBase">/Users/NetKernel/tmpres/</Set>
               <!--
               ****************
               Add Jetty Handler Chain for this Context
               ****************
               -->
               <!--Start Handler Chain-->
               <!--Main NetKernel HTTP Transport Handler-->
               <Call name="addHandler">
                 <Arg>
                   <New class="org.mortbay.http.handler.HTAccessHandler">
                     <Set name="AccessFile">htaccess</Set>
                   </New>
                 </Arg>
               
               </Call>
               <Call name="addHandler">
                    <Arg>
                      <New class="org.ten60.transport.jetty.HttpHandler">
                        <Set name="Name">PublicHTTPTransport</Set>
                        </New>
                    </Arg>
               </Call>
               <!--End Handler Chain-->
            </New>
         </Arg>
      </Call>
      
      
      <!--
      ************
      Add Loggers
      ************
      -->
      <!--Configure Filename to point to log file-->
      <!-- Uncomment to enable logging
      <Set name="RequestLog">
         <Arg>
            <New class="org.mortbay.http.NCSARequestLog">
               <Set name="Filename">/var/log/jetty/jetty.log</Set>
               <Set name="Append" type="boolean">true</Set>
               <Set name="Buffered" type="boolean">true</Set>
            </New>
         </Arg>
      </Set>
      -->
   </Configure>
   
</httpConfig>


This configuration uses https://localhost:8082/ and when requested, it will cause the browser to prompt for a user name and password (that you must enter into htpasswd using the htpasswd utility).

Randy
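Added here as an illustration, not code from the thread or from NetKernel: a small Python audit that parses a Jetty 5 style TransportJettyConfig.xml and flags the pitfalls this thread ran into (an unterminated comment, a plain-HTTP listener, a Keystore pointing at an OpenSSH key instead of a Java keystore, a clear-text keystore password, and an HTAccessHandler that is missing or chained after the transport handler). The embedded sample config and the element paths it queries are assumptions modelled on the files posted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the thread's file): SSL listener plus HTAccessHandler before the NetKernel HttpHandler.
SAMPLE = """<httpConfig><Configure class="org.mortbay.jetty.Server">
 <Call name="addListener"><Arg><New class="org.mortbay.http.SunJsseListener">
  <Set name="Port">8082</Set><Set name="Keystore">/Users/NetKernel/keystore/keystore</Set>
 </New></Arg></Call>
 <Call name="addContext"><Arg><New class="org.mortbay.http.HttpContext">
  <Set name="ContextPath">/</Set>
  <Call name="addHandler"><Arg><New class="org.mortbay.http.handler.HTAccessHandler">
   <Set name="AccessFile">htaccess</Set></New></Arg></Call>
  <Call name="addHandler"><Arg><New class="org.ten60.transport.jetty.HttpHandler">
   <Set name="Name">PublicHTTPTransport</Set></New></Arg></Call>
 </New></Arg></Call>
</Configure></httpConfig>"""

def setting(new_el, name):
    """Text of the <Set name="..."> child of a <New> element, or None if absent."""
    el = new_el.find("Set[@name='%s']" % name)
    return el.text if el is not None else None

def audit_jetty_config(xml_text):
    """Return a list of findings for a Jetty 5 style config; an empty list means it passes."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:  # e.g. an unterminated "<!--" like the one noted in the thread
        return ["not well-formed XML: %s" % err]
    for lst in root.iterfind(".//Call[@name='addListener']/Arg/New"):
        cls, port = lst.get("class", ""), setting(lst, "Port")
        if not cls.endswith("SunJsseListener"):
            findings.append("port %s: %s serves plain HTTP, admin traffic is unencrypted" % (port, cls))
            continue
        ks = setting(lst, "Keystore") or ""
        if "/.ssh/" in ks or ks.endswith((".ssh", "id_rsa", ".pub")):
            findings.append("port %s: Keystore points at an OpenSSH key, not a Java keystore" % port)
        elif not ks:
            findings.append("port %s: SSL listener has no Keystore" % port)
        if setting(lst, "Password") or setting(lst, "KeyPassword"):
            findings.append("port %s: keystore password kept in clear text in the config" % port)
    for ctx in root.iterfind(".//Call[@name='addContext']/Arg/New"):
        chain = [h.get("class", "") for h in ctx.iterfind("Call[@name='addHandler']/Arg/New")]
        auth = [i for i, c in enumerate(chain) if c.endswith("HTAccessHandler")]
        other = [i for i, c in enumerate(chain) if not c.endswith("HTAccessHandler")]
        path = setting(ctx, "ContextPath")
        if not auth:
            findings.append("context %s: no HTAccessHandler, so no HTTP authentication" % path)
        elif other and min(other) < auth[0]:
            findings.append("context %s: HTAccessHandler is chained after the transport handler" % path)
    return findings
```

Run it against your own TransportJettyConfig.xml by passing the file contents to audit_jetty_config; it checks the handler order per context, so the admin context and any public context are reported separately.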
nk4um Moderator
Posts: 485
July 3, 2007 16:01
Secure backend fulcrum
Hi Tom,
I've zipped up the secure backend fulcrum module and I'll privately send you a link that you can download it from.

Cheers,
Tony
nk4um User
Posts: 31
July 3, 2007 14:00
re: some less than ideal alternatives
hi tab,

i'd be glad to have a look into that backend fulcrum with additional gatekeeper. even if it's unsupported i might at least get an idea from it.

while i still would like to finish the http authentication - because it will be very useful for me - i doubt that it's useful for the client. i really need a web-frontend where people can manage the admin-stuff just for the forum, not the whole netkernel, and without generating ssh keys and such upfront. http will do in that case, at least for a start.

ciao,
thomas
nk4um User
Posts: 31
July 2, 2007 22:19
it works!
sorry, my fault! i hadn't restarted the server properly. ctrl^c didn't kill it properly and the port was still in use. closing the terminal window did the trick...

and now: HTTP Auth?
nk4um User
Posts: 31
July 2, 2007 21:33
sort of. the server starts up and asks for a password now, like you said.
but results as before: no connection on https://localhost:1060, while http://localhost:1060 runs as usual

what i did: i generated the key like you said (with a password). keytool generated no jetty key, only a file named keystore within the /Users/thomas/keystore directory.

for ultimate transparency, here is the full TransportJettyConfig.xml:

<?xml version="1.0" encoding="UTF-8"?>
<httpConfig>
   <Configure class="org.mortbay.jetty.Server">
      <Call name="addListener">
         <Arg>
            <New class="org.mortbay.http.SunJsseListener">
               <Set name="Port">1060</Set>
               <Set name="MinThreads">5</Set>
               <Set name="MaxThreads">50</Set>
               <Set name="MaxIdleTimeMs">30000</Set>
               <Set name="LowResourcePersistTimeMs">5000</Set>
               <Set name="Keystore">/Users/thomas/keystore/keystore</Set>
               <Set name="KeyPassword">foobar</Set>
            </New>
         </Arg>
      </Call>      

      <Call name="addContext">
         <Arg>
            <New class="org.mortbay.http.HttpContext">
               <Set name="ContextPath">/</Set>
               <Call name="addHandler">
                  <Arg>
                     <New class="org.ten60.transport.jetty.HttpHandler">
                        <Set name="Name">BackendHTTPTransport</Set>
                     </New>
                  </Arg>
               </Call>
            </New>
         </Arg>
      </Call>
   </Configure>
</httpConfig>

well, at least hope is looming again :-)
nk4um Administrator
Posts: 158
July 2, 2007 21:00
I meant to have the same user structure in both parts - /Users/NetKernel/...

Randy
nk4um Administrator
Posts: 158
July 2, 2007 20:58
Thomas,

Sorry for the delay in my reply. I have something that is working for me.

I use the keytool utility from the /Users/me/keystore directory as:
keytool -keystore keystore -alias jetty -genkey -keyalg RSA 

and I used the passphrase "foobar" (I guess you can leave this empty).

This generates some files in the ../keystore directory such as keystore (a file) and jetty.key.

I then made sure that I use the following tag:
<New class="org.mortbay.http.SunJsseListener">

and the following subelements:
<Set name="Keystore">/Users/NetKernel/keystore/keystore</Set>
<Set name="KeyPassword">foobar</Set>


I then run NetKernel from the command line and while it is booting I get a prompt to enter the password (which I do).

I then get a listener listening on the desired port and I can access the port using Safari.

Please let me know if you can duplicate this!

Randy
nk4um User
Posts: 31
July 2, 2007 20:05
hi randy,

the question is justified as i already strayed from that path earlier today but returned on it on myself. yes, i'm working in the 1060 transport (the upper, non-disabled part of TransportJettyConfig.xml).

but i didn't try https so far, only http. the situation is now: i can't load https://localhost:1060/. safari says: "Safari can’t open the page “https://localhost:1060/” because it couldn’t establish a secure connection to the server “localhost”."

otoh http://localhost:1060/ works as usual

now some details to give you an idea of what might have gone wrong
(revealing some most sensitive data about my workspace to the public). i tried the following configs:

   <Set name="Keystore">/Users/thomas/.ssh/id_rsa.pub</Set>
   <Set name="Password"></Set>
   <Set name="KeyPassword"></Set>
and
   <Set name="Keystore">/Users/thomas/.ssh/id_rsa</Set>
   <Set name="Password"></Set>
   <Set name="KeyPassword"></Set>
and
   <Set name="Keystore">/Users/thomas/.ssh</Set>
   <Set name="Password"></Set>
   <Set name="KeyPassword"></Set>

and the keys _are_ there, in /Users/thomas/.ssh (together with some other keys). as i already mentioned i used no further options when generating the keys, just "ssh-keygen".

now i hope you have an idea ;-)
thomas
nk4um Administrator
Posts: 158
July 2, 2007 19:21
Thomas,

Just to confirm - you are changing the Jetty configuration for the transport that listens on port 1060? (You mentioned port 1061 earlier, but I think that was only because the example configuration used port 1060).

Once you have the keys set up you should be able to use https://localhost:1060/ .

The browser client will not ask for a password unless you set up one of the levels of HTTP authentication.

So far, the keys will simply allow you to communicate with NetKernel over an encrypted link.

Randy
nk4um User
Posts: 31
July 2, 2007 18:19
maybe i didn't understand properly. i generated a pair of ssh-keys with the command ssh-keygen, put them under my home-directory and pointed the "keystore" there. i left "password" and "keypassword" empty since i'm not sure what to enter there. i restarted netkernel (i stopped it with ctrl^c and started it again) but it still connects to the admin at port 1060 without asking for a password.
nk4um Administrator
Posts: 158
July 2, 2007 17:27
That's my environment also - Mac OS X on a G4 chip.

The keystore information is for the SSH setup for Jetty. You need to generate the SSH keys and put them in the directory pointed to by the configuration. Since you are on OS X it would be /Users/user-name/keystore (or wherever you want to put them).

HTTP auth is another configuration set. Can you get the SSH keys generated first and then confirm that you are connecting properly? Then we can work on the HTTP Auth, if you want that.

Randy

nk4um User
Posts: 31
July 2, 2007 17:02
thanks for jumping in :-) and sorry for not providing more details right away. i'm testing on Mac OS X 10.4.10, Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-164). the production server will be a linux box, debian, relatively new i assume, but i'm not sure about the details. i adjusted the values to fit my directory structure but i didn't put anything into the keystore directory (since i don't know what).
nk4um Administrator
Posts: 158
July 2, 2007 16:44
Thomas,

I thought I would jump in and try to help.

Did you change the entries to match your computer configuration? For example, the
/home/pjr/keystore
should be changed to match your directory structure. Also note that this example configuration is for a Unix or Linux computer.

When you do make the proper changes you then need to restart the transport by doing a restart of NetKernel.

Randy
nk4um User
Posts: 31
July 2, 2007 16:09
thanks for the prompt response! i'd like to go for #1. can you help me a bit more there? in the file TransportJettyConfig.xml i found the following configuration for the disabled Jetty SSL HTTP Server (running on 1061):
 
   <Set name="Keystore">/home/pjr/keystore</Set>  
   <Set name="Password">password</Set>
   <Set name="KeyPassword">password</Set>

but copying that snippet into the 1060 part seemingly had no effect at all.
nk4um Moderator
Posts: 485
July 2, 2007 15:29
some less than ideal alternatives
Hi Thomas,

this really is the best approach! The alternatives are:

1) Modify Jetty config in backend fulcrum to force authentication. HTTP authentication isn't all that secure but it does work. Jetty makes this a little fiddly to do but it is certainly possible.

2) A custom backend fulcrum which maps through an additional gatekeeper. This forces cookies onto every request and forces authentication on the first request. We did develop this for a customer that decided not to use it. Again this isn't very secure unless you move over to a https port. I have the code for this fulcrum but it is completely unsupported code and may not be up to date.

3) Move from port 1060 to some random high numbered port! Security through obscurity. If this is just a play server running on virtual machine then maybe this solution is ok?

Cheers,
Tony
nk4um User
Posts: 31
July 2, 2007 14:58
securing the admin interface
hi, i'd like to install netkernel on a public server but i'm not up to the task of closing ports and tunneling connections through ssh. so my question is: is there an easier way to protect the admin interface? a simple password-protection would do for the moment. thanks for any help! thomas