Apache

Apache is the web server used here in front of the git HTTP backend; the section below only covers access control and TLS for it.

Basic Authentication

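# Site definitions live in files under sites-available (a2ensite expects a
# ".conf" suffix), not in the directory itself.
#
# HTTP Basic authentication sends the password base64-encoded, i.e. in clear
# text, on every request.  The protected directory is therefore served from a
# TLS (*:443) virtual host, and SSLRequireSSL is kept as defence in depth:
# it rejects a plain-HTTP request before the browser is ever asked for
# credentials, should this block be copied into a non-TLS vhost later.
fqdn=zanymumbler.chickenkiller.com
cat > /etc/apache2/sites-available/basic-auth.conf <<EOF
<VirtualHost *:443>
        ServerName ${fqdn}
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/

        SSLEngine on
        # Paths as laid out by certbot (see the certificate section below);
        # point these at the snakeoil files instead if no Let's Encrypt
        # certificate exists for this name yet.
        SSLCertificateFile    /etc/letsencrypt/live/${fqdn}/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/${fqdn}/privkey.pem

        # <Directory> takes an absolute filesystem path, not a path relative
        # to DocumentRoot.
        <Directory /var/www/html>
                # "Indexes" publishes a listing of every file in the tree;
                # remove it unless directory listings are really wanted.
                Options Indexes FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>
        <Directory /var/www/web>
                SSLRequireSSL
                AuthType Basic
                AuthName "Restricted Content"
                # Keep the password file outside DocumentRoot so it can
                # never be served by accident.
                AuthUserFile /etc/htpasswd
                Require valid-user
        </Directory>
</VirtualHost>
EOF

# Create the password file (htpasswd comes from apache2-utils).  -B stores
# bcrypt hashes instead of the weak default; -c creates the file and must be
# omitted when adding further users.  Only root and the web server may read it.
htpasswd -B -c /etc/htpasswd USERNAME
chown root:www-data /etc/htpasswd
chmod 640 /etc/htpasswd

a2enmod ssl
a2ensite basic-auth
apache2ctl configtest
systemctl reload apache2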

SSL Certificates

Certificates let a client verify that it is talking to the legitimate owner of a host name. Several services issue them; Let's Encrypt is simple to install and to automate. Self-signed certificates can be used too, but nobody vouches for them, so visitors get a warning on the first visit; once the certificate has been accepted, the browser warns again only when it changes. This trust-on-first-use model gives no protection if an attacker is already in the path during that first visit. The article on sslshopper has more information about self-signed certificates.

The following commands can be used to manage TLS certificates on a web server. - https://certbot.eff.org/lets-encrypt/debianstretch-other

apache

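# Regenerate Debian's self-signed "snakeoil" certificate (e.g. after the host
# name changed).  --force-overwrite replaces the existing key and certificate.
make-ssl-cert generate-default-snakeoil --force-overwrite

# Print contents and SHA-256 fingerprint of the certificate
openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -text -noout
openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -fingerprint -sha256 -noout

# The certificate must be issued for the fully qualified name clients connect
# to; a bare `hostname` frequently returns only the short name, and the same
# name is reused for the /etc/letsencrypt/live/<name>/ paths below.
fqdn=$(hostname -f)

# Disable the plain-HTTP default site.  certbot's standalone authenticator
# binds port 80 itself, so apache must not be listening while it runs
# (a2dissite alone does not stop or reload the server).
a2dissite 000-default
systemctl stop apache2

# Obtain a Let's Encrypt certificate.  The hooks are stored with the
# certificate so that unattended `certbot renew` can free port 80 the same way.
certbot certonly --authenticator standalone --domain "${fqdn}" \
    --pre-hook 'systemctl stop apache2' --post-hook 'systemctl start apache2'

# Point the default TLS site at the Let's Encrypt files: add a ServerName
# after the ServerAdmin line and swap the snakeoil paths.  fullchain.pem (not
# cert.pem) so clients also receive the intermediate certificate.
sed -i \
    -e "/ServerAdmin/a ServerName ${fqdn}" \
    -e "s@/etc/ssl/certs/ssl-cert-snakeoil.pem@/etc/letsencrypt/live/${fqdn}/fullchain.pem@" \
    -e "s@/etc/ssl/private/ssl-cert-snakeoil.key@/etc/letsencrypt/live/${fqdn}/privkey.pem@" \
    /etc/apache2/sites-available/default-ssl.conf

a2enmod ssl
# Only needed by sites that use "Require group" with an AuthGroupFile
a2enmod authz_groupfile
a2ensite default-ssl
apache2ctl configtest
systemctl restart apache2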

RSA

RSA was developed at MIT in 1977; in the US it was patented until 2000. It uses a key pair: a private key that is kept secret and a public key that can be published. A certificate bundles the public key with identifying information (host name, validity period) and the signature of an issuer. TLS, the successor of SSL, uses asymmetric algorithms such as RSA only to authenticate the server and to agree on a session key; the traffic itself is protected with a symmetric cipher.

IRC

Secure IRC with asymmetric encryption

TLS in IRC only protects the hop between your client and the server: the server sees everything in clear text and relays it to the other users, many of whom connect to the same servers without encryption. With ngircd it is possible to run a personal server where you control that trade-off.

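# -nodes leaves the private key unencrypted on disk, so create the files with
# owner-only permissions and keep them in irssi's own directory.
umask 077
mkdir -p ~/.irssi/certs
# Generate a 4096-bit RSA key and a self-signed certificate in one step.  Both
# go into the same PEM file, which is what irssi reads from -ssl_cert when no
# -ssl_pkey is given.  -batch skips the interactive subject prompts.
openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes \
    -out ~/.irssi/certs/freenode.pem -keyout ~/.irssi/certs/freenode.pem -batch
# SHA-256 fingerprint of the certificate, for comparing with what the server
# reports once the certificate is registered.
openssl x509 -in ~/.irssi/certs/freenode.pem -fingerprint -sha256 -noout
# Inside irssi, add the network with the client certificate.  -ssl_verify makes
# irssi check the server certificate against the system CA store; without it
# the session is encrypted but anyone in the path could impersonate the server.
# (The colon is a shell built-in with no effect; the here-document only keeps
# the irssi command out of the shell's way.)
: <<'IRSSI'
/server add -auto -ssl -ssl_verify -ssl_cert ~/.irssi/certs/freenode.pem -network freenode chat.freenode.net 6697
IRSSI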

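# Private key and certificate live under ~/.irssi/certs.  The key is stored
# unencrypted, so create the files with owner-only permissions.
umask 077
mkdir -p ~/.irssi/certs
certdir=~/.irssi/certs

# Two-step variant: generate the key, then a self-signed certificate for it.
# -batch takes the subject defaults instead of prompting.
openssl genrsa -out "${certdir}/privkey.pem" 4096
openssl req -x509 -key "${certdir}/privkey.pem" -sha256 -days 7200 \
    -out "${certdir}/freenode.pem" -batch

# One-step variant: key and certificate generated together and written into
# the same PEM file (irssi reads the key from -ssl_cert when no -ssl_pkey is
# given).  Use one variant OR the other: running this after the two-step
# variant replaces freenode.pem with a certificate whose key is no longer
# privkey.pem, and the /SERVER ADD below would then fail.
# openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes \
#     -out "${certdir}/freenode.pem" -keyout "${certdir}/freenode.pem" -batch

# irssi commands to replace the plain-text freenode entry with a TLS one.
# The colon is a shell built-in with no effect; the here-document just keeps
# the irssi commands readable inside a shell note.
: <<'IRSSI'
/SERVER REMOVE chat.freenode.net 6667 freenode
/NETWORK REMOVE freenode
# -ssl_verify checks the server certificate against the CA store; without it
# the connection is encrypted but anyone in the path can impersonate the server.
/SERVER ADD -ssl -ssl_verify -ssl_cert ~/.irssi/certs/freenode.pem -ssl_pkey ~/.irssi/certs/privkey.pem -network freenode chat.freenode.net 6697
/NETWORK add freenode

# First connection: register the nick, identify, then bind the client
# certificate so later connections authenticate with the certificate alone.
# REGISTER and IDENTIFY take a password (REGISTER also an e-mail address);
# the arguments are deliberately not written into this note -- see
# /MSG NickServ HELP.
/CONNECT freenode
/MSG NickServ REGISTER
/MSG NickServ IDENTIFY
/MSG NickServ CERT ADD
IRSSI

# Inspect the certificate
openssl x509 -in "${certdir}/freenode.pem" -text -noout

# Fingerprints.  SHA-256 for comparing with what irssi shows; SHA-1 is listed
# because some IRC servers and NickServ CERTFP still identify client
# certificates by their SHA-1 digest -- check which one your server reports.
openssl x509 -in "${certdir}/freenode.pem" -fingerprint -sha256 -noout
openssl x509 -in "${certdir}/freenode.pem" -fingerprint -sha1 -noout
# The same SHA-1 digest as a bare lower-case hex string (the form fingerprints
# are usually pasted in)
openssl x509 -in "${certdir}/freenode.pem" -outform der | sha1sum -b | cut -d' ' -f1

# Verify that the key matches the certificate: both commands print the public
# key in the same PEM form, so the two digests must be identical.  Comparing
# public keys works for any key type, unlike comparing RSA moduli.
openssl x509 -in "${certdir}/freenode.pem" -pubkey -noout | openssl sha256
openssl pkey -in "${certdir}/privkey.pem" -pubout | openssl sha256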

Exim

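# Exercise exim4's STARTTLS on port 25.  -starttls smtp issues the STARTTLS
# command for you; -crlf is needed because SMTP requires CRLF line endings and
# s_client would otherwise send bare LF, which strict servers reject.  Type
# 'ehlo testing' once connected: s_client prints the negotiated protocol and
# cipher and the server's certificate chain, the EHLO reply lists the
# extensions offered inside TLS.
openssl s_client -starttls smtp -crlf -connect localhost:25
# Generate a self-signed certificate/key pair for exim4 (non-interactive).
# Peers cannot verify a self-signed certificate; for anything beyond local
# testing use a CA-issued pair such as the Let's Encrypt files above.
/usr/share/doc/exim4-base/examples/exim-gencert --batch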

- file:///usr/share/doc/exim4-base/
- file:///etc/exim4/conf.d/auth/30_exim4-config_examples

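# Macros that Debian's split exim4 configuration reads before conf.d/.  The
# here-document delimiter is quoted so nothing is expanded by the shell, and
# the lines start at column 0 because "<<-" strips leading tabs only.
cat > /etc/exim4/exim4.conf.localmacros <<'EOF'
# Offer STARTTLS; needs the certificate and key created by exim-gencert (or
# equivalent) in /etc/exim4/.
MAIN_TLS_ENABLE=1
# Would require every connecting client to present a verifiable TLS client
# certificate and reject the rest -- leave disabled unless all peers are
# under your control.
# MAIN_TLS_VERIFY_HOSTS=*
# Log everything except message subjects and exim's command-line arguments
# (both can carry private data); record the negotiated cipher as well.
MAIN_LOG_SELECTOR=+all -subject -arguments +tls_cipher
EOF
# Restart so the new macros are compiled into the runtime configuration.
systemctl restart exim4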

PAM Pluggable Authentication Modules Library

With the pam_user_map module that ships with MariaDB, the operating-system user that authenticates through PAM can be mapped to a different database account; the mapping file, not the login name, then decides which privileges apply.

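#!/bin/sh
# Map an operating-system (PAM) user onto a different MariaDB account with
# the pam_user_map module from the MariaDB sources.
# Runs as root on Debian; "apt-get source" needs deb-src entries enabled.
set -eu

apt-get install -y mariadb-server libpam0g-dev build-essential
apt-get source mariadb-server
gcc mariadb-*-*/plugin/auth_pam/mapper/pam_user_map.c -shared -fPIC -lpam -o pam_user_map.so

# PAM loads modules from a distribution-specific directory (/lib64/security
# on RHEL-style systems, /lib/<triplet>/security on Debian multiarch), so
# install next to wherever pam_unix.so lives on this host.
pam_module=$(find /lib /lib64 /usr/lib -name pam_unix.so 2>/dev/null | head -n 1)
[ -n "${pam_module}" ] || { echo "PAM module directory not found" >&2; exit 1; }
install --mode=0755 pam_user_map.so "$(dirname "${pam_module}")/"

# Mapping file: "pam_user: mariadb_user"; "@group: user" maps every member of
# a system group.  This file is the effective access-control list for the
# proxied logins, so it must stay root-owned and not group/world writable.
cat > /etc/security/user_map.conf <<'EOF'
#comments and empty lines are ignored
john: jack
bob:  admin
top:  accounting
foo:  bar
@group_ro: readonly
EOF
chown root:root /etc/security/user_map.conf
chmod 644 /etc/security/user_map.conf

# PAM service "mariadb".  The file name must match the USING '...' string of
# the CREATE USER statements below, otherwise PAM falls back to the "other"
# service (which denies on Debian).  pam_unix.so reads /etc/shadow, which the
# mysqld user normally cannot -- NOTE(review): newer MariaDB releases ship a
# setuid helper for this; check the auth_pam documentation for your version.
cat > /etc/pam.d/mariadb <<'EOF'
auth    required pam_unix.so audit
auth    required pam_user_map.so
account required pam_unix.so audit
EOF

mysql <<'SQL'
INSTALL SONAME 'auth_pam';

-- Account the mapped users are proxied to.  ALL PRIVILEGES ON *.* from any
-- host ('%') is far more than a mapped login needs: narrow the privileges
-- and the host pattern to what is actually required.
CREATE USER 'bar'@'%' IDENTIFIED VIA pam USING 'mariadb';
GRANT ALL PRIVILEGES ON *.* TO 'bar'@'%';

-- Anonymous PAM account: anyone PAM accepts logs in here and is then
-- switched to the account named in user_map.conf.
CREATE USER ''@'%' IDENTIFIED VIA pam USING 'mariadb';
GRANT PROXY ON 'bar'@'%' TO ''@'%';
FLUSH PRIVILEGES;

-- Verify from a mapped login (not from this root session): USER() is the
-- name presented, CURRENT_USER() the account the privileges come from.
SELECT USER(), CURRENT_USER();
SQL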