In my last post, I introduced the new utility bootmail, which can be configured to send you an email with the boot logs of your Ubuntu server each time it reboots. This could prove really handy for your unattended or cloud servers.
While working on that tool, I quickly realized that any local user on the system could "forge" such an email message. Truly, anyone can send email to anyone else. That message can contain any data in it. And even the sender and headers can be faked. :-(
Thus, for bootmail to be useful, you'd need to have confidence that someone isn't faking your bootmail messages. There's only one secure way to do that with email -- and that's a cryptographic signature of the message, signed with a private key known only to the root user of the system.
In retrospect, I realized that having a generic mechanism for the root user to sign any given text could actually be a useful tool to have. So I split that logic out of the bootmail executable and put it into its own executable, called rootsign (provided by the bootmail binary).
rootsign operates on standard input, signing that data with a private key generated specifically for rootsign signatures, and outputs the ASCII-armored message and signature on standard output (suitable for piping directly to mail).
To verify the signature, you'll need to grab the public key and import it into your local gpg keyring:
cat /var/lib/rootsign/rsa.pub | gpg --import
And let's say I want to post a signed copy of my dmesg to a pastebin:
dmesg | sudo rootsign | pastebinit
http://paste.ubuntu.com/648604/
You can verify the signature from the public key at:
http://paste.ubuntu.com/648605/
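As an added illustration of the sign-then-verify flow above, here is a small Go program written for this post's readers; it is not rootsign's own code and does not reproduce gpg's armor. It assumes an RSA-PSS/SHA-256 signature, a made-up armor format with its own BEGIN/END markers, and that the private key lives in a file readable only by root, which checkKeyMode enforces before the key is used. The function names Sign, Verify and checkKeyMode are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// Armor markers for this example's own output format (constructed here;
// rootsign's real ASCII armor is whatever gpg emits, not this).
const (
	beginMsg = "-----BEGIN ROOTSIGN MESSAGE-----\n"
	beginSig = "-----BEGIN ROOTSIGN SIGNATURE-----\n"
	endSig   = "-----END ROOTSIGN SIGNATURE-----\n"
)

// checkKeyMode refuses a signing key that anyone but its owner can read: the
// signature only proves "root produced this" if root alone holds the key.
// Call it on os.Stat(path).Mode() before reading the key file.
func checkKeyMode(mode os.FileMode) error {
	if mode.Perm()&0o077 != 0 {
		return fmt.Errorf("signing key mode %04o is readable by group/other", mode.Perm())
	}
	return nil
}

// Sign reads the message from r and wraps it with an RSA-PSS/SHA-256 signature
// over exactly the bytes that end up between the MESSAGE and SIGNATURE markers.
func Sign(r io.Reader, priv *rsa.PrivateKey) (string, error) {
	body, err := io.ReadAll(r)
	if err != nil {
		return "", err
	}
	if len(body) == 0 || body[len(body)-1] != '\n' {
		body = append(body, '\n') // keep the signature marker on its own line
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return beginMsg + string(body) + beginSig +
		base64.StdEncoding.EncodeToString(sig) + "\n" + endSig, nil
}

// Verify checks armored text against pub and returns the signed body. A changed
// body, a changed signature, or the wrong public key all yield an error.
func Verify(armored string, pub *rsa.PublicKey) ([]byte, error) {
	if !strings.HasPrefix(armored, beginMsg) {
		return nil, errors.New("missing MESSAGE marker")
	}
	rest := armored[len(beginMsg):]
	i := strings.Index(rest, beginSig)
	j := strings.Index(rest, endSig)
	if i < 0 || j < i+len(beginSig) {
		return nil, errors.New("missing SIGNATURE or END marker")
	}
	body := []byte(rest[:i])
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(rest[i+len(beginSig) : j]))
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify: " + err.Error())
	}
	return body, nil
}

func main() {
	// Stand-alone demo: sign stdin with a throwaway key and print the armored
	// result. A real deployment would instead load root's persistent key from a
	// 0600 file after checkKeyMode has approved it.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, err := Sign(os.Stdin, priv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(out)
}
```

Run it as dmesg | go run rootsign_demo.go to see the armored output. The recipient runs Verify with the public key and trusts only the bytes it returns, so a faked From: line or any other header in the surrounding mail makes no difference; only the signed body is authenticated.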
Do you have cronjobs that automatically send you email? Have you ever wanted to assure yourself that these messages are authentic? If so, rootsign is your friend :-) Big thanks to Kees Cook who helped with a few design issues around the generation of the key to be used (that's a separate post!).
Can you think of any other cool uses of rootsign?
:-Dustin
I'd love to have a way to install something like rootsign and have it automatically sign all mail sent from root. I'm mostly thinking about mail sent by programs like apticron where I'm not doing any configuration, just installing the package.
I am not sure I would trust the authenticity of a rootsign'ed email if the signing key was stored on the machine's file system. If the email was signed with a key stored in the machine's TPM, then at least you would know for sure the email originated from that specific machine. Just my $0.02 ...