Signed-off-by: Vladislav Bogdanov <bubble@xxxxxxxxxxxxx>
---
man/corosync-keygen.8 | 27 +++++++++++++++++++--------
tools/corosync-keygen.c | 38 ++++++++++++++++++++++----------------
2 files changed, 41 insertions(+), 24 deletions(-)
diff --git a/man/corosync-keygen.8 b/man/corosync-keygen.8
index 5dc3f45..71ca40e 100644
--- a/man/corosync-keygen.8
+++ b/man/corosync-keygen.8
@@ -39,26 +39,22 @@ corosync-keygen \- Generate an authentication key for Corosync.
.SH DESCRIPTION
If you want to configure corosync to use cryptographic techniques to ensure authenticity
-.br
and privacy of the messages, you will need to generate a private key.
.PP
.B corosync-keygen
-creates this key and writes it to /etc/corosync/authkey.
+creates this key and writes it to /etc/corosync/authkey or to file specified by
+COROSYNC_TOTEM_AUTHKEY_FILE environment variable.
.PP
This private key must be copied to every processor in the cluster. If the
-.br
private key isn't the same for every node, those nodes with nonmatching private
-.br
keys will not be able to join the same configuration.
.PP
Copy the key to some security transportable storage or use ssh to transmit the
-.br
key from node to node. Then install the key with the command:
.PP
unix#: install -D --group=0 --owner=0 --mode=0400 /path_to_authkey/authkey /etc/corosync/authkey
.PP
If a message "Invalid digest" appears from the corosync executive, the keys
-.br
are not consistent between processors.
.PP
.B Note: corosync-keygen
@@ -67,13 +63,21 @@ will ask for user input to assist in generating entropy unless the -l option is
.TP
.B -l
Use a less secure random data source that will not require user input to help generate
+entropy. This may be useful when this utility is used from a script or hardware random number
+generator is not available (f.e. in virtual machine).
+.SH ENVIRONMENT VARIABLES
+.TP
+COROSYNC_TOTEM_AUTHKEY_FILE
+This specifies the fully qualified path to the shared key to create.
.br
-entropy. This may be useful when this utility is used from a script.
+
+The default is /etc/corosync/authkey.
+
.SH EXAMPLES
.TP
Generate the key.
.PP
-$ corosync-keygen
+# corosync-keygen
.br
Corosync Cluster Engine Authentication key generator.
.br
@@ -81,6 +85,13 @@ Gathering 1024 bits for key from /dev/random.
.br
Press keys on your keyboard to generate entropy.
.br
+.PP
+$ COROSYNC_TOTEM_AUTHKEY_FILE=/tmp/authkey corosync-keygen -l
+.br
+Corosync Cluster Engine Authentication key generator.
+.br
+Writing corosync key to /tmp/authkey.
+.br
.SH SEE ALSO
.BR corosync_overview (8),
.BR corosync.conf (5),
diff --git a/tools/corosync-keygen.c b/tools/corosync-keygen.c
index 71ea9d8..519e8d9 100644
--- a/tools/corosync-keygen.c
+++ b/tools/corosync-keygen.c
@@ -40,14 +40,13 @@
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
+#include <string.h>
#include <getopt.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
-#define KEYFILE COROSYSCONFDIR "/authkey"
-
static const char usage[] =
"Usage: corosync-keygen [-l]\n"
" -l / --less-secure - Use a less secure random number source\n"
@@ -60,6 +59,7 @@ int main (int argc, char *argv[])
{
int authkey_fd;
int random_fd;
+ const char *keyfile = getenv("COROSYNC_TOTEM_AUTHKEY_FILE");
unsigned char key[128];
ssize_t res;
ssize_t bytes_read;
@@ -89,14 +89,18 @@ int main (int argc, char *argv[])
}
printf ("Corosync Cluster Engine Authentication key generator.\n");
- if (geteuid() != 0) {
+ if (geteuid() != 0 && !keyfile) {
printf ("Error: Authorization key must be generated as root user.\n");
exit (errno);
}
- if (mkdir (COROSYSCONFDIR, 0700)) {
- if (errno != EEXIST) {
- perror ("Failed to create directory: " COROSYSCONFDIR);
- exit (errno);
+
+ if (!keyfile) {
+ keyfile = COROSYSCONFDIR "/authkey";
+ if (mkdir (COROSYSCONFDIR, 0700)) {
+ if (errno != EEXIST) {
+ perror ("Failed to create directory: " COROSYSCONFDIR);
+ exit (errno);
+ }
}
}
@@ -134,37 +138,39 @@ retry_read:
/*
* Open key
*/
- authkey_fd = open (KEYFILE, O_CREAT|O_WRONLY, 600);
+ authkey_fd = open (keyfile, O_CREAT|O_WRONLY, 0600);
if (authkey_fd == -1) {
- perror ("Could not create " KEYFILE);
+ fprintf (stderr, "Could not create %s: %s", keyfile, strerror(errno));
exit (errno);
}
/*
* Set security of authorization key to uid = 0 gid = 0 mode = 0400
*/
- res = fchown (authkey_fd, 0, 0);
- if (res == -1) {
- perror ("Could not fchown key to uid 0 and gid 0\n");
- exit (errno);
+ if (geteuid() == 0) {
+ res = fchown (authkey_fd, 0, 0);
+ if (res == -1) {
+ perror ("Could not fchown key to uid 0 and gid 0\n");
+ exit (errno);
+ }
}
if (fchmod (authkey_fd, 0400)) {
perror ("Failed to set key file permissions to 0400\n");
exit (errno);
}
- printf ("Writing corosync key to " KEYFILE ".\n");
+ printf ("Writing corosync key to %s.\n", keyfile);
/*
* Write key
*/
res = write (authkey_fd, key, sizeof (key));
if (res != sizeof (key)) {
- perror ("Could not write " KEYFILE);
+ fprintf (stderr, "Could not write %s: %s", keyfile, strerror(errno));
exit (errno);
}
if (close (authkey_fd)) {
- perror ("Could not write " KEYFILE);
+ fprintf (stderr, "Could not write %s: %s", keyfile, strerror(errno));
exit (errno);
}
--
1.7.1
_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss
