Ostiary Daemon

Ostiaryd is designed to allow you to run a fixed set of commands remotely, without giving everyone else access to the same commands.

The following are the key design goals:

  • "First, do no harm." It should not be possible to use the Ostiary system itself to damage the host it's running on. In particular, it's willing to accept false negatives (denying access to legitimate users) in order to prevent false positives (allowing access to invalid users).
  • Insofar as possible, eliminate any possibility of bugs causing undesired operations. Buffer overflows, timing attacks, etc. should be impossible for an external attacker to execute. There's no point in installing security software if it makes you less secure.
  • Be extremely modest in memory and CPU requirements (e.g., running on a Mac SE/30, a 16MHz 68030 machine, and connecting from a Palm Pilot, a 16MHz 68000 machine).
  • Keep things simple. This is not an ssh replacement. Each successful challenge/response will result in executing a corresponding script.
  • It is immune to replay attacks.

This wiki page is a quick summary of the author's documentation, followed by OpenWrt-specific usage instructions. For technical details, see the author's site: http://ingles.homeunix.net/software/ost/index.html

How it works

The algorithm used is as follows:

  1. Ostiaryd waits on a port for connections from remote machines. When one is received, ostiaryd checks to see if the ip address is locked out. (If compiled in, it will consult /etc/hosts.allow and hosts.deny, too.) If so, it drops the connection immediately.
  2. If the address is not locked out, ostiaryd sends a seed value. Currently this is a SHA256 hash (32 bytes) of the current time, plus either the output of random() or (if available) bytes from /dev/urandom, plus the process's PID.
  3. The client takes the seed value and hashes it, HMAC-style, with the password the user provides.
  4. Ostiaryd then reads the response (32 bytes), and closes the connection.
  5. Now ostiaryd goes through a list of passwords, and hashes them (HMAC style) with the hash value it sent. It compares these new hashes with the response it received.
  6. If it finds a match, the command corresponding to that password is run. (E.g., it could start up sshd so you could log in remotely.) The ip address of the client is given as an argument to the command.
  7. If the hash does not match any of the listed hashes, the ip address that the bogus hash was sent from gets put on a list of bad addresses. If it exceeds a defined limit of bad connections, that address is locked out and no further communication is accepted.
  8. Now, ostiaryd sleeps a user-defined interval, at least one second.
  9. Finally, it jumps back to step 1.
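
The exchange above as a minimal Python sketch (an added example, not Ostiary's own code). It assumes the "HMAC-style" hash is HMAC-SHA256 keyed with the password over the seed; the `Server` class, the function names and the `MAX_BAD` limit are hypothetical.

```python
import hashlib
import hmac
import os
import time

MAX_BAD = 2  # assumed limit; the real daemon's limit is configurable

def make_seed() -> bytes:
    """Step 2: SHA-256 over current time, random bytes and the PID."""
    raw = str(time.time()).encode() + os.urandom(32) + str(os.getpid()).encode()
    return hashlib.sha256(raw).digest()

def respond(seed: bytes, password: str) -> bytes:
    """Step 3 (client side). Assumption: HMAC-SHA256, password as key."""
    return hmac.new(password.encode(), seed, hashlib.sha256).digest()

class Server:
    def __init__(self, actions: dict):
        self.actions = actions  # password -> script path
        self.bad = {}           # ip -> count of bad responses
        self.pending = {}       # ip -> seed issued for the open connection

    def challenge(self, ip: str):
        """Steps 1-2: drop locked-out addresses, otherwise issue a fresh seed."""
        if self.bad.get(ip, 0) > MAX_BAD:
            return None
        self.pending[ip] = make_seed()
        return self.pending[ip]

    def verify(self, ip: str, response: bytes):
        """Steps 4-7: return the matching script path, or None and count a failure."""
        seed = self.pending.pop(ip, None)  # single use: a seed is never accepted twice
        matched = None
        if seed is not None and len(response) == 32:
            for password, script in self.actions.items():
                # Constant-time compare and no early exit, to avoid timing leaks.
                if hmac.compare_digest(respond(seed, password), response):
                    matched = script
        if matched is None:
            self.bad[ip] = self.bad.get(ip, 0) + 1
        return matched

if __name__ == "__main__":
    srv = Server({"enablepassword": "/etc/ostiaryd/scripts/ssh_enable"})
    ip = "192.0.2.10"  # constructed documentation address
    old = respond(srv.challenge(ip), "enablepassword")
    print("fresh response :", srv.verify(ip, old))
    srv.challenge(ip)  # new connection, new seed
    print("replayed answer:", srv.verify(ip, old))
```

A captured response is useless on a later connection because it was computed over a seed the server has already discarded, and each such attempt counts toward the lockout.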

How to get it

Grab it from the repository. (Note: it's not there yet; the package makefile is pending review. If you want it now, grab the source from the author's site and follow the crosscompile and single.package guidelines. You can find compiled objects under backfire 10.03.1-RC6 for the AR71xx platform at http://tamadite.no-ip.biz/ostiary.)

$ opkg update
$ opkg install ostiary

This package installs both the ostiaryd service and the ostclient client. Both are located in /usr/bin.

Service Configuration

The configuration file is installed by default at /etc/ostiary/ostiary.cfg

At a minimum, you will need to set the following:

  • PORT=????
  • KILL=panicpassword
  • ACTION="secretpassword","/full/path/to/script", "uid", "gid"

(Up to 8 ACTION scripts are allowed by default. More can be added, but you would need to edit the header file ost.h and recompile. See the author's site.)

Eg:

ACTION="enablepassword","/etc/ostiaryd/scripts/ssh_enable","0","0"              
ACTION="disablepassword","/etc/ostiaryd/scripts/ssh_disable","0","0"            

Note: By the author's design, you can't inline a shell command into the ACTION script definition. You need to put your command(s) into a separate file, make it executable, and then call the file using the syntax above. (I know, I wasted a couple of hours on this one…)

Be sure to always restart the ostiaryd daemon after making any changes!

Stopping and Starting ostiaryd

/etc/init.d/ostiaryd ARGUMENT
where ARGUMENT is one of "stop", "start", or "restart".

"Action" Scripts

Each "secret" passphrase you defined above needs a corresponding action script (i.e. one-to-one). Place them in the folder below:

/etc/ostiaryd/scripts

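E.g., to enable and disable ssh access through your WAN you might tweak iptables using scripts like these. As written, they do not use the client ip address that ostiaryd passes as an argument, so the rule accepts port 22 from any source address: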

"../scripts/ssh_enable":

#!/bin/sh
 
/usr/bin/logger Ostiary is enabling SSH
/usr/sbin/iptables -I zone_wan -p tcp --dport 22 -j ACCEPT

"../scripts/ssh_disable":

#!/bin/sh
 
/usr/bin/logger Ostiary is disabling SSH
/usr/sbin/iptables -D zone_wan -p tcp --dport 22 -j ACCEPT

Clients

Clients for connecting to the ostiaryd service are listed below.

    • included in the package you just installed, at /usr/bin/ostclient (it can be deleted if you don't need it or really need the 9kb of space back…)
    • available as RPM and Debian packages, plus source, from the author's site

doc/howto/ostiary.server.txt · Last modified: 2013/11/23 11:21 by tamadite