Allow it to create keyfile not in the hardcoded location. Drop root checks. Minor cosmetic fixes to the man-page. Signed-off-by: Vladislav Bogdanov <bubble@xxxxxxxxxxxxx> --- man/corosync-keygen.8 | 29 +++++++++++++++++--------- tools/corosync-keygen.c | 51 +++++++++++++++++++++------------------------- 2 files changed, 42 insertions(+), 38 deletions(-) diff --git a/man/corosync-keygen.8 b/man/corosync-keygen.8 index 5dc3f45..5aaae93 100644 --- a/man/corosync-keygen.8 +++ b/man/corosync-keygen.8 @@ -35,45 +35,47 @@ .SH NAME corosync-keygen \- Generate an authentication key for Corosync. .SH SYNOPSIS -.B "corosync-keygen [\-l]" +.B "corosync-keygen [\-k <filename>] [\-l]" .SH DESCRIPTION If you want to configure corosync to use cryptographic techniques to ensure authenticity -.br and privacy of the messages, you will need to generate a private key. .PP .B corosync-keygen -creates this key and writes it to /etc/corosync/authkey. +creates this key and writes it to /etc/corosync/authkey or to file specified by +-k option. .PP This private key must be copied to every processor in the cluster. If the -.br private key isn't the same for every node, those nodes with nonmatching private -.br keys will not be able to join the same configuration. .PP Copy the key to some security transportable storage or use ssh to transmit the -.br key from node to node. Then install the key with the command: .PP unix#: install -D --group=0 --owner=0 --mode=0400 /path_to_authkey/authkey /etc/corosync/authkey .PP If a message "Invalid digest" appears from the corosync executive, the keys -.br are not consistent between processors. .PP .B Note: corosync-keygen will ask for user input to assist in generating entropy unless the -l option is used. .SH OPTIONS .TP +.B -k <filename> +This specifies the fully qualified path to the shared key to create. +.br +The default is /etc/corosync/authkey. +.TP .B -l Use a less secure random data source that will not require user input to help generate -.br -entropy. This may be useful when this utility is used from a script. +entropy. This may be useful when this utility is used from a script or hardware random number +generator is not available (f.e. in virtual machine). + .SH EXAMPLES .TP Generate the key. .PP -$ corosync-keygen +# corosync-keygen .br Corosync Cluster Engine Authentication key generator. .br @@ -81,6 +83,13 @@ Gathering 1024 bits for key from /dev/random. .br Press keys on your keyboard to generate entropy. .br +.PP +$ corosync-keygen -l -k /tmp/authkey +.br +Corosync Cluster Engine Authentication key generator. +.br +Writing corosync key to /tmp/authkey. +.br .SH SEE ALSO .BR corosync_overview (8), .BR corosync.conf (5), diff --git a/tools/corosync-keygen.c b/tools/corosync-keygen.c index 71ea9d8..112ebaf 100644 --- a/tools/corosync-keygen.c +++ b/tools/corosync-keygen.c @@ -40,16 +40,19 @@ #include <unistd.h> #include <fcntl.h> #include <errno.h> +#include <string.h> #include <getopt.h> #include <sys/types.h> #include <sys/stat.h> #include <netinet/in.h> -#define KEYFILE COROSYSCONFDIR "/authkey" +#define DEFAULT_KEYFILE COROSYSCONFDIR "/authkey" static const char usage[] = - "Usage: corosync-keygen [-l]\n" + "Usage: corosync-keygen [-k <keyfile>] [-l]\n" + " -k / --key-file=<filename> - Write to the specified keyfile\n" + " instead of the default " DEFAULT_KEYFILE ".\n" " -l / --less-secure - Use a less secure random number source\n" " (/dev/urandom) that is guaranteed not to require user\n" " input for entropy. This can be used when this\n" @@ -60,6 +63,7 @@ int main (int argc, char *argv[]) { int authkey_fd; int random_fd; + char *keyfile = NULL; unsigned char key[128]; ssize_t res; ssize_t bytes_read; @@ -67,14 +71,18 @@ int main (int argc, char *argv[]) int option_index; int less_secure = 0; static struct option long_options[] = { - { "less-secure", no_argument, NULL, 'l' }, - { "help", no_argument, NULL, 'h' }, - { 0, 0, NULL, 0 }, + { "key-file", required_argument, NULL, 'k' }, + { "less-secure", no_argument, NULL, 'l' }, + { "help", no_argument, NULL, 'h' }, + { 0, 0, NULL, 0 }, }; - while ((c = getopt_long (argc, argv, "lh", + while ((c = getopt_long (argc, argv, "k:lh", long_options, &option_index)) != -1) { switch (c) { + case 'k': + keyfile = optarg; + break; case 'l': less_secure = 1; break; @@ -89,18 +97,13 @@ int main (int argc, char *argv[]) } printf ("Corosync Cluster Engine Authentication key generator.\n"); - if (geteuid() != 0) { - printf ("Error: Authorization key must be generated as root user.\n"); - exit (errno); - } - if (mkdir (COROSYSCONFDIR, 0700)) { - if (errno != EEXIST) { - perror ("Failed to create directory: " COROSYSCONFDIR); - exit (errno); - } + + if (!keyfile) { + keyfile = (char *)DEFAULT_KEYFILE; } if (less_secure) { + printf ("Gathering %lu bits for key from /dev/urandom.\n", (unsigned long)(sizeof (key) * 8)); random_fd = open ("/dev/urandom", O_RDONLY); } else { printf ("Gathering %lu bits for key from /dev/random.\n", (unsigned long)(sizeof (key) * 8)); @@ -134,17 +137,9 @@ retry_read: /* * Open key */ - authkey_fd = open (KEYFILE, O_CREAT|O_WRONLY, 600); + authkey_fd = open (keyfile, O_CREAT|O_WRONLY, 0600); if (authkey_fd == -1) { - perror ("Could not create " KEYFILE); - exit (errno); - } - /* - * Set security of authorization key to uid = 0 gid = 0 mode = 0400 - */ - res = fchown (authkey_fd, 0, 0); - if (res == -1) { - perror ("Could not fchown key to uid 0 and gid 0\n"); + fprintf (stderr, "Could not create %s: %s", keyfile, strerror(errno)); exit (errno); } if (fchmod (authkey_fd, 0400)) { @@ -152,19 +147,19 @@ retry_read: exit (errno); } - printf ("Writing corosync key to " KEYFILE ".\n"); + printf ("Writing corosync key to %s.\n", keyfile); /* * Write key */ res = write (authkey_fd, key, sizeof (key)); if (res != sizeof (key)) { - perror ("Could not write " KEYFILE); + fprintf (stderr, "Could not write %s: %s", keyfile, strerror(errno)); exit (errno); } if (close (authkey_fd)) { - perror ("Could not write " KEYFILE); + fprintf (stderr, "Could not close %s: %s", keyfile, strerror(errno)); exit (errno); } -- 1.7.1 _______________________________________________ discuss mailing list discuss@xxxxxxxxxxxx http://lists.corosync.org/mailman/listinfo/discuss