From 844cfd3bad93cc2a5066145b440f2c3ef6bfd7d9 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 9 Jan 2023 16:36:00 -0800
Subject: [PATCH 1/9] Generate and use independent provisioner and private key passwords
---
 docker/Dockerfile.step-ca | 4 ++--
 docker/entrypoint.sh | 12 ++++++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/docker/Dockerfile.step-ca b/docker/Dockerfile.step-ca
index ed6b5f56..32160e1d 100644
--- a/docker/Dockerfile.step-ca
+++ b/docker/Dockerfile.step-ca
@@ -7,7 +7,6 @@ RUN apk add --no-cache curl git make
 RUN make V=1 download
 RUN make V=1 bin/step-ca bin/step-awskms-init bin/step-cloudkms-init
-
 FROM smallstep/step-cli:latest
 COPY --from=builder /src/bin/step-ca /usr/local/bin/step-ca
@@ -20,6 +19,7 @@ USER step
 ENV CONFIGPATH="/home/step/config/ca.json"
 ENV PWDPATH="/home/step/secrets/password"
+ENV PROVISIONER_PWDPATH="/home/step/secrets/provisioner_password"
 VOLUME ["/home/step"]
 STOPSIGNAL SIGTERM
@@ -28,4 +28,4 @@ HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
 COPY docker/entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
-CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH
+CMD exec /usr/local/bin/step-ca --password-file $PWDPATH --provisioner-password-file $PROVISIONER_PWDPATH $CONFIGPATH
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 74093b62..2c3321df 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
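Review bot: The new `--provisioner-password-file $PROVISIONER_PWDPATH` argument on the CMD line points at `/home/step/secrets/provisioner_password`, but as far as this series shows nothing in PATCH 1/9 creates that file: the entrypoint writes `${STEPPATH}/provisioner_password`, and only `password` is moved into the secrets directory (`mv $STEPPATH/password $PWDPATH`, visible as context in later hunks). A fresh container would therefore hand step-ca a password-file path that does not exist. The corresponding `mv` only appears in PATCH 3/9 and the flag is dropped again in PATCH 6/9; if the flag is kept, the Dockerfile.step-ca.hsm CMD in PATCH 2/9 has the same gap.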
@@ -39,12 +39,12 @@ function step_ca_init () {
 --dns "${DOCKER_STEPCA_INIT_DNS_NAMES}"
 --provisioner "${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
 --password-file "${STEPPATH}/password"
+ --provisioner-password-file "${STEPPATH}/provisioner_password"
 --address ":9000"
 )
 if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
 echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
- else
- generate_password > "${STEPPATH}/password"
+ echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/provisioner_password"
 fi
 if [ -n "${DOCKER_STEPCA_INIT_SSH}" ]; then
 setup_args=("${setup_args[@]}" --ssh)
@@ -67,4 +67,12 @@ if [ ! -f "${STEPPATH}/config/ca.json" ]; then
 init_if_possible
 fi
+if [ ! -f "${STEPPATH}/password" ]; then
+ generate_password > "${STEPPATH}/password"
+fi
+
+if [ ! -f "${STEPPATH}/provisioner_password" ]; then
+ generate_password > "${STEPPATH}/provisioner_password"
+fi
+
 exec "${@}"
From 824289590930357f0ea78fe0c8ccef21712d60fc Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 9 Jan 2023 16:39:34 -0800
Subject: [PATCH 2/9] Update hsm dockerfile as well
---
 docker/Dockerfile.step-ca.hsm | 3 ++-
 docker/entrypoint.sh | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/docker/Dockerfile.step-ca.hsm b/docker/Dockerfile.step-ca.hsm
index 8f413cd7..42c481c1 100644
--- a/docker/Dockerfile.step-ca.hsm
+++ b/docker/Dockerfile.step-ca.hsm
@@ -24,6 +24,7 @@ USER step
 ENV CONFIGPATH="/home/step/config/ca.json"
 ENV PWDPATH="/home/step/secrets/password"
+ENV PROVISIONER_PWDPATH="/home/step/secrets/provisioner_password"
 VOLUME ["/home/step"]
 STOPSIGNAL SIGTERM
@@ -32,4 +33,4 @@ HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
 COPY docker/entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
-CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH
+CMD exec /usr/local/bin/step-ca --password-file $PWDPATH --provisioner-password-file $PROVISIONER_PWDPATH $CONFIGPATH
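Review bot: Removing the `else` branch leaves the unset-`DOCKER_STEPCA_INIT_PASSWORD` case with no password file at the moment `step ca init` runs: `init_if_possible` is still invoked before the two `generate_password` blocks added in the second hunk, so `--password-file "${STEPPATH}/password"` names a file that does not exist yet on a fresh container. PATCH 2/9 reorders the top-level blocks and PATCH 3/9 restores the `else`, but within this commit a container started without a password fails init. `step_ca_init` begins and ends outside this hunk.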
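Review bot: The secret files written here (and by the `echo` lines in the first hunk) are created under the shell's default umask, and nothing visible in the hunk narrows it, so the new provisioner password is presumably readable by any other user in the container unless the image sets a restrictive umask elsewhere — worth confirming. A cheap fix is to scope each write with a subshell umask, e.g. `(umask 077; generate_password > "${STEPPATH}/provisioner_password")`, and to write the operator-supplied value with `printf '%s\n' "${DOCKER_STEPCA_INIT_PASSWORD}"` instead of `echo`, which would swallow a leading `-n`/`-e`. On an already-initialised volume this block also creates a fresh, unused `${STEPPATH}/password` beside the one that was moved into `secrets/`, because only `ca.json` gates init; the `generate_password` definition is outside the hunk.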
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 2c3321df..97c50093 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -63,10 +63,6 @@ if [ -f /usr/sbin/pcscd ]; then
 /usr/sbin/pcscd
 fi
-if [ ! -f "${STEPPATH}/config/ca.json" ]; then
- init_if_possible
-fi
-
 if [ ! -f "${STEPPATH}/password" ]; then
 generate_password > "${STEPPATH}/password"
 fi
@@ -75,4 +71,8 @@ if [ ! -f "${STEPPATH}/provisioner_password" ]; then
 generate_password > "${STEPPATH}/provisioner_password"
 fi
+if [ ! -f "${STEPPATH}/config/ca.json" ]; then
+ init_if_possible
+fi
+
 exec "${@}"
From c836c7ab40d4863a71f02f8dc6ee12551a37317d Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 9 Jan 2023 16:48:31 -0800
Subject: [PATCH 3/9] Backward compatibility
---
 docker/entrypoint.sh | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 97c50093..0a95bd14 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -45,6 +45,9 @@ function step_ca_init () {
 if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
 echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
 echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/provisioner_password"
+ else
+ generate_password > "${STEPPATH}/password"
+ generate_password > "${STEPPATH}/provisioner_password"
 fi
 if [ -n "${DOCKER_STEPCA_INIT_SSH}" ]; then
 setup_args=("${setup_args[@]}" --ssh)
@@ -57,22 +60,22 @@ function step_ca_init () {
 fi
 step ca init "${setup_args[@]}"
 mv $STEPPATH/password $PWDPATH
+ mv $STEPPATH/provisioner_password $PROVISIONER_PWDPATH
 }
 if [ -f /usr/sbin/pcscd ]; then
 /usr/sbin/pcscd
 fi
-if [ ! -f "${STEPPATH}/password" ]; then
- generate_password > "${STEPPATH}/password"
-fi
-
-if [ ! -f "${STEPPATH}/provisioner_password" ]; then
- generate_password > "${STEPPATH}/provisioner_password"
-fi
-
 if [ ! -f "${STEPPATH}/config/ca.json" ]; then
 init_if_possible
 fi
+if [ ! -f "${PROVISIONER_PWDPATH}" ]; then
+ # For backward compatibility,
+ # if the --provisioner-password-file doesn't exist,
+ # use the same password as the CA.
+ cp ${PWDPATH} ${PROVISIONER_PWDPATH}
+fi
+
 exec "${@}"
From 640bd0b7c77d07d6361ba358b265b329bfcddd8a Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 9 Jan 2023 16:51:36 -0800
Subject: [PATCH 4/9] Tabs to spaces
---
 docker/entrypoint.sh | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 0a95bd14..268cc110 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -19,7 +19,7 @@ function init_if_possible () {
 fi
 done
 if [ ${missing_vars} = 1 ]; then
- >&2 echo "there is no ca.json config file; please run step ca init, or provide config parameters via DOCKER_STEPCA_INIT_ vars"
+ >&2 echo "there is no ca.json config file; please run step ca init, or provide config parameters via DOCKER_STEPCA_INIT_ vars"
 else
 step_ca_init "${@}"
 fi
@@ -36,18 +36,18 @@ function generate_password () {
 function step_ca_init () {
 local -a setup_args=(
 --name "${DOCKER_STEPCA_INIT_NAME}"
- --dns "${DOCKER_STEPCA_INIT_DNS_NAMES}"
- --provisioner "${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
- --password-file "${STEPPATH}/password"
- --provisioner-password-file "${STEPPATH}/provisioner_password"
+ --dns "${DOCKER_STEPCA_INIT_DNS_NAMES}"
+ --provisioner "${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
+ --password-file "${STEPPATH}/password"
+ --provisioner-password-file "${STEPPATH}/provisioner_password"
 --address ":9000"
 )
 if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
 echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
 echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/provisioner_password"
- else
- generate_password > "${STEPPATH}/password"
- generate_password > "${STEPPATH}/provisioner_password"
+ else
+ generate_password > "${STEPPATH}/password"
+ generate_password > "${STEPPATH}/provisioner_password"
 fi
 if [ -n "${DOCKER_STEPCA_INIT_SSH}" ]; then
 setup_args=("${setup_args[@]}" --ssh)
@@ -60,22 +60,22 @@ function step_ca_init () {
 fi
 step ca init "${setup_args[@]}"
 mv $STEPPATH/password $PWDPATH
- mv $STEPPATH/provisioner_password $PROVISIONER_PWDPATH
+ mv $STEPPATH/provisioner_password $PROVISIONER_PWDPATH
 }
 if [ -f /usr/sbin/pcscd ]; then
- /usr/sbin/pcscd
+ /usr/sbin/pcscd
 fi
 if [ ! -f "${STEPPATH}/config/ca.json" ]; then
- init_if_possible
+ init_if_possible
 fi
 if [ ! -f "${PROVISIONER_PWDPATH}" ]; then
- # For backward compatibility,
- # if the --provisioner-password-file doesn't exist,
- # use the same password as the CA.
- cp ${PWDPATH} ${PROVISIONER_PWDPATH}
+ # For backward compatibility,
+ # if the --provisioner-password-file doesn't exist,
+ # use the same password as the CA.
+ cp ${PWDPATH} ${PROVISIONER_PWDPATH}
 fi
 exec "${@}"
From 313bf2354b59a9f4599452e5a96efddde26aab55 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 9 Jan 2023 17:08:24 -0800
Subject: [PATCH 5/9] Check for existance of pwdpath before copying
---
 docker/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 268cc110..4fa10c1e 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -71,7 +71,7 @@ if [ ! -f "${STEPPATH}/config/ca.json" ]; then
 init_if_possible
 fi
-if [ ! -f "${PROVISIONER_PWDPATH}" ]; then
+if [ -f "${PWDPATH}" ] && [ ! -f "${PROVISIONER_PWDPATH}" ]; then
 # For backward compatibility,
 # if the --provisioner-password-file doesn't exist,
 # use the same password as the CA.
From a017238874171bc8a523063eb10302bbf9ddffa6 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 9 Jan 2023 17:23:47 -0800
Subject: [PATCH 6/9] No need for PROVISIONER_PWDPATH
---
 docker/Dockerfile.step-ca | 3 +--
 docker/Dockerfile.step-ca.hsm | 3 +--
 docker/entrypoint.sh | 8 --------
 3 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/docker/Dockerfile.step-ca b/docker/Dockerfile.step-ca
index 32160e1d..8cf918df 100644
--- a/docker/Dockerfile.step-ca
+++ b/docker/Dockerfile.step-ca
@@ -19,7 +19,6 @@ USER step
 ENV CONFIGPATH="/home/step/config/ca.json"
 ENV PWDPATH="/home/step/secrets/password"
-ENV PROVISIONER_PWDPATH="/home/step/secrets/provisioner_password"
 VOLUME ["/home/step"]
 STOPSIGNAL SIGTERM
@@ -28,4 +27,4 @@ HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
 COPY docker/entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
-CMD exec /usr/local/bin/step-ca --password-file $PWDPATH --provisioner-password-file $PROVISIONER_PWDPATH $CONFIGPATH
+CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH
diff --git a/docker/Dockerfile.step-ca.hsm b/docker/Dockerfile.step-ca.hsm
index 42c481c1..8f413cd7 100644
--- a/docker/Dockerfile.step-ca.hsm
+++ b/docker/Dockerfile.step-ca.hsm
@@ -24,7 +24,6 @@ USER step
 ENV CONFIGPATH="/home/step/config/ca.json"
 ENV PWDPATH="/home/step/secrets/password"
-ENV PROVISIONER_PWDPATH="/home/step/secrets/provisioner_password"
 VOLUME ["/home/step"]
 STOPSIGNAL SIGTERM
@@ -33,4 +32,4 @@ HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
 COPY docker/entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
-CMD exec /usr/local/bin/step-ca --password-file $PWDPATH --provisioner-password-file $PROVISIONER_PWDPATH $CONFIGPATH
+CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 4fa10c1e..5091eeb5 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -60,7 +60,6 @@ function step_ca_init () {
 fi
 step ca init "${setup_args[@]}"
 mv $STEPPATH/password $PWDPATH
- mv $STEPPATH/provisioner_password $PROVISIONER_PWDPATH
 }
 if [ -f /usr/sbin/pcscd ]; then
@@ -71,11 +70,4 @@ if [ ! -f "${STEPPATH}/config/ca.json" ]; then
 init_if_possible
 fi
-if [ -f "${PWDPATH}" ] && [ ! -f "${PROVISIONER_PWDPATH}" ]; then
- # For backward compatibility,
- # if the --provisioner-password-file doesn't exist,
- # use the same password as the CA.
- cp ${PWDPATH} ${PROVISIONER_PWDPATH}
-fi
-
 exec "${@}"
From ad5cbd9a0e7c255342d48d63271721e98a8a5f92 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 9 Jan 2023 17:59:33 -0800
Subject: [PATCH 7/9] Print and delete provisioner password on setup
---
 docker/entrypoint.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 5091eeb5..1f967827 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -59,6 +59,13 @@ function step_ca_init () {
 setup_args=("${setup_args[@]}" --remote-management)
 fi
 step ca init "${setup_args[@]}"
+ echo ""
+ if [ -n "${DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT}" ]; then
+ echo "👉 Your CA administrative username is: step"
+ fi
+ echo "👉 Your CA administrative password is: $(< $STEPPATH/provisioner_password )"
+ echo "🤫 This will only be displayed once."
+ rm $STEPPATH/provisioner_password
 mv $STEPPATH/password $PWDPATH
 }
From 328276eaebf0592e74904295569538738fb3a604 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 9 Jan 2023 18:01:14 -0800
Subject: [PATCH 8/9] Shred provisioner password
---
 docker/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 1f967827..fcdf72b2 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -65,7 +65,7 @@ function step_ca_init () {
 fi
 echo "👉 Your CA administrative password is: $(< $STEPPATH/provisioner_password )"
 echo "🤫 This will only be displayed once."
- rm $STEPPATH/provisioner_password
+ shred -u $STEPPATH/provisioner_password
 mv $STEPPATH/password $PWDPATH
 }
From dc8b196823b0eb165455472a4e3556837d69e838 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Tue, 10 Jan 2023 09:57:47 -0800
Subject: [PATCH 9/9] Print admin username and pw after init
---
 docker/entrypoint.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index fcdf72b2..437c617d 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
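Review bot: `echo "👉 Your CA administrative password is: $(< $STEPPATH/provisioner_password )"` writes the secret to the container's stdout, which the logging driver keeps in `docker logs` and forwards to any log aggregator, so the "only be displayed once" promise does not hold and the value outlives the deleted file. When the operator supplied `DOCKER_STEPCA_INIT_PASSWORD` they already know it and printing it back is pure exposure; wrapping the two password lines in `if [ -z "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then … fi` limits the printout to the generated case, and the once-only message should state that the value also lands in the container log. `$STEPPATH` is unquoted in both the substitution and the `rm`; `"${STEPPATH}/provisioner_password"` matches the quoting used elsewhere in the function. `step_ca_init` starts outside this hunk.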
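Review bot: `shred -u $STEPPATH/provisioner_password` only gives an overwrite guarantee on filesystems that update blocks in place; on the copy-on-write or journaled storage that may back a container's overlay filesystem or a host volume, shred's own documentation says the overwrite cannot be relied on, so the `-u` unlink is the effective part and the file should be treated as having been readable for its whole lifetime. The hunk also does not show that `shred` is present in the step-cli base image; if it is missing the command fails, the plaintext file stays behind, and with no `set -e` visible the script carries on. A guarded form keeps the cleanup from depending on the tool: `shred -u "${STEPPATH}/provisioner_password" 2>/dev/null || rm -f "${STEPPATH}/provisioner_password"`.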
@@ -34,12 +34,16 @@ function generate_password () {
 # Initialize a CA if not already initialized
 function step_ca_init () {
+ DOCKER_STEPCA_INIT_PROVISIONER_NAME="${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
+ DOCKER_STEPCA_INIT_ADMIN_SUBJECT="${DOCKER_STEPCA_INIT_ADMIN_SUBJECT:-step}"
+
 local -a setup_args=(
 --name "${DOCKER_STEPCA_INIT_NAME}"
 --dns "${DOCKER_STEPCA_INIT_DNS_NAMES}"
- --provisioner "${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
+ --provisioner "${DOCKER_STEPCA_INIT_PROVISIONER_NAME}"
 --password-file "${STEPPATH}/password"
 --provisioner-password-file "${STEPPATH}/provisioner_password"
+ --admin-subject "${DOCKER_STEPCA_INIT_ADMIN_SUBJECT}"
 --address ":9000"
 )
 if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
@@ -61,7 +65,7 @@ function step_ca_init () {
 step ca init "${setup_args[@]}"
 echo ""
 if [ -n "${DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT}" ]; then
- echo "👉 Your CA administrative username is: step"
+ echo "👉 Your CA administrative username is: ${DOCKER_STEPCA_INIT_ADMIN_SUBJECT}"
 fi
 echo "👉 Your CA administrative password is: $(< $STEPPATH/provisioner_password )"
 echo "🤫 This will only be displayed once."
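Review bot: `DOCKER_STEPCA_INIT_PROVISIONER_NAME=…` and `DOCKER_STEPCA_INIT_ADMIN_SUBJECT=…` are assigned without `local`, so `step_ca_init` rewrites the script's globals as a side effect (and the value stays exported when the variable came from the environment); `local DOCKER_STEPCA_INIT_ADMIN_SUBJECT="${DOCKER_STEPCA_INIT_ADMIN_SUBJECT:-step}"` keeps the same behaviour for the echo in the second hunk without touching the caller. `--admin-subject` is now passed on every init, while the username is only reported when `DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT` is set; whether `step ca init` accepts the flag without `--remote-management` is not visible here, so if it does not, appending it where `--remote-management` is added (outside this hunk) is the safer place. The body of `step_ca_init` continues past both hunks.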