Auth Shell (IAM)
Auth shell is designed to be used for key-based authentication and session management for WEB APPs.
Base64 key auth
A Base64 key is generated when the initialize URL is accessed. It contains the user_name and a random string. Because the key is long enough, we consider it secure, but please also use Base APP with IP whitelisting and other security measures where possible.
Flow of Standard Auth
    |--------|                               |--------|
    |        | ------ BASE64key -----------> |        |
    | client |                               | Server |
    |        | <------ Session Hash -------- |        |
    |        |                               |        |
    |        | ------ Page req {Session} --> |        |
    |        |                               |        |
    |        | <------ Link {NEW Session} -- |        |
    |--------|                               |--------|
Note
The Base64 key is stored in the browser's localStorage under a random name per instance during the personal key initialization process.
PIN and Session Token
The session itself is a temporary hash generated from a random PIN (not stored anywhere) and the user name. The session file contains the user name, the client's remote address and its user-agent. The session hash also changes whenever a new page is accessed. Fraudulent access is prevented by the sufficient length of the session key; in addition, the WEB APP checks for changes of IP address and user-agent.
Basic Authentication (bin/auth)
Basic authentication is done by the bin/auth script. It is used mainly by Base APP.
# CLI
sudo /usr/local/small-shell/bin/auth action:target{param}
params
# COMMON
#-----------------------------------------------------------------------
# remote_addr:ip_addr -> IP address will be used for audit log and security check
# user_agent:HTTP_USER_AGENT -> HTTP_USER_AGENT will be used for security check
#-----------------------------------------------------------------------
# AUTH REQUEST
#-----------------------------------------------------------------------
# initialize:user_id{initialize_key} -> get user_name and user_key
# key_auth:$base64_enc_key #user_key -> get user_name and session_token with pin
#-----------------------------------------------------------------------
# SESSION REQUEST
#-----------------------------------------------------------------------
# session_chk:$session_token -> get user_name and IP addr
# session_refresh:$session_token -> get user_name and new session token
# session_persist:$session_token -> get user_name and new session token, and make symlink from new session to last session.
# data_import_session:$session_token -> get user_name and new session token
# logout:$session_token
Extension auth
Extension auth is used for authentication of the Scratch APP.
# for Scratch App
sudo /usr/local/small-shell/bin/extension_auth action:target{param} app:${app}
#-----------------------------------------------------------------------
# COMMON
#-----------------------------------------------------------------------
# remote_addr:ip_addr -> IP address will be used for audit log and security check
# app:$app -> WEB app name for authentication
#-----------------------------------------------------------------------
# AUTH REQUEST
#-----------------------------------------------------------------------
# initialize:user_id{initialize_key} -> get user_name and user_key
# key_auth:$base64_enc_key #user_key -> get user_name and session_token with pin
# force_user:$external_auth_user -> overwrite APP user name; this option is disabled by default
#-----------------------------------------------------------------------
# SESSION REQUEST
#-----------------------------------------------------------------------
# session_chk:$session_token -> get user_name and remote_addr
# session_refresh:$session_token -> get user_name and new session token
# session_persist:$session_token -> get user_name and new session token, and make symlink from new session to last session.
# data_import_session:$session_token -> get user_name and new session token
OPS
The "ops" command can be used for several types of operation.
sudo /usr/local/small-shell/adm/ops action(L1).action(L2):target{param}
commands
#-----------------------------------
# Show all user
#-----------------------------------
# ops ls.usr
#-----------------------------------
# User management for Base APP
#-----------------------------------
# ops add.usr:$user
# ops initialize.usr:$user
# ops del.usr:$user
#-----------------------------------
# User management for Scratch APP
#-----------------------------------
# ops add.usr:$user app:$app
# ops del.usr:$user app:$app
# ops initialize.usr:$user app:$app
#-----------------------------------
# Set or Get permission/attribute to Base APP user
#-----------------------------------
# ops set.attr:$user{ro}
# ops set.attr:$user{rw}
# ops set.attr:$user{$attribute_key=$param}
# ops get.attr:$user
#-----------------------------------
# Set or Get permission/attribute to Scratch APP user
#-----------------------------------
# ops set.attr:$user{ro} app:$app
# ops set.attr:$user{rw} app:$app
# ops set.attr:$user{$attribute_key=$param} app:$app
# ops get.attr:$user app:$app
#-----------------------------------
# Add tag for Base APP table
#-----------------------------------
# ops add.tag:$databox{$filter}
# ops del.tag:$databox{$filter}
#-----------------------------------
# Add tag for Scratch APP table
#-----------------------------------
# ops add.tag:$databox{$filter} app:$app
# ops del.tag:$databox{$filter} app:$app
#------------------
# IP whitelisting
#------------------
# ops set.IP #IP whitelisting
Description of OPS command
Param | Description |
---|---|
ls.usr | show user list |
add.usr | add user |
del.usr | delete user |
initialize.usr | initialize the user key of Base APP; it also generates a URL for initialization |
set.attr:$user{rw}, set.attr:$user{ro} | set attribute on the user: rw is read-write, ro is read-only permission |
set.attr:$user{$attribute_key=$param} | set an external attribute on the user if needed |
get.attr:$user | get all attributes of the user |
add.tag | add tag (#search_word) to Base APP table |
del.tag | delete tag (#search_word) from Base APP table |
app:$app | change target from Base APP to the dedicated Scratch APP |
Add User for Base APP
The following example adds the user "test"; "test" can then initialize and get a Base64 key by accessing the URL generated by the ops command.
sudo /usr/local/small-shell/adm/ops add.usr:test
test successfully created
-----------------------------------------------------------------
Key initializing & generating URL for test on Base APP is here
-----------------------------------------------------------------
https://$server/cgi-bin/auth.base?initialize=*****fce76b37e4e93b7605022da52e6ccc26fd2,4c5a2ae68d20e530b4ce457c71eae42590135268e1fb933a945f7e188678ccf4
Add User for scratch APP
The following example adds the user "test"; "test" can then initialize and get a Base64 key by accessing the URL generated by the ops command.
sudo /usr/local/small-shell/adm/ops add.usr:test app:${app}
test successfully created
The initialize URL is shown below. Please share this URL with the end user, who can then generate a key to access the Data box.
https://$FAQDN/cgi-bin/auth?initialize=$hashtoken
Logging
Admins can check the access log for audit purposes. The audit log directory is shown below. 90 days of logs are stored by default.
/usr/local/small-shell/users/audit
If you want to change the retention, please update the del_log.sh script.
sudo vi /usr/local/small-shell/util/scripts/del_log.sh
Change persistence option
If you want to change the persistence options, you need to update the code directly. The target parameters are as follows.
- IP_persistence: If this parameter is set to "yes" and the client IP address changes, the session is invalidated.
- User_agent_persistence: If this parameter is set to "yes" and the client browser (user-agent) changes, the session is invalidated.
Base APP
You need to update both base and auth.base.
$ sudo vi /var/www/base
--change option--
IP_persistence="no"
User_agent_persistence="yes"
----------------
$ sudo vi /var/www/cgi-bin/auth.base
--change option--
IP_persistence="no"
User_agent_persistence="yes"
----------------
Scratch APP
You need to update both $app and auth.$app.
$ sudo vi /var/www/$app
--change option--
IP_persistence="no"
User_agent_persistence="yes"
----------------
$ sudo vi /var/www/cgi-bin/auth.$app
--change option--
IP_persistence="no"
User_agent_persistence="yes"
----------------
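The session model described under "PIN and Session Token" and the IP_persistence / User_agent_persistence options above, as an added bash illustration (not the project's own bin/auth code): the token is a hash of a random PIN and the user name, the session file records user, remote address and user-agent, every refresh rotates the token, and the two flags decide whether an address or browser change invalidates the session. SESSION_DIR, the file layout and the function names are assumptions.

```shell
#!/bin/bash
# Added illustration of the session scheme; not the project's bin/auth.
SESSION_DIR="${SESSION_DIR:-$(mktemp -d)}"   # assumption: any private directory works
IP_persistence="yes"                          # mirrors the option in base / auth.base
User_agent_persistence="yes"

# session_new USER REMOTE_ADDR USER_AGENT -> prints a new session token
session_new() {
  local pin token
  # random PIN: used once to derive the token, never written to disk
  pin=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  token=$(printf '%s:%s' "$pin" "$1" | sha256sum | cut -d' ' -f1)
  printf 'user=%s\nremote_addr=%s\nuser_agent=%s\n' "$1" "$2" "$3" > "$SESSION_DIR/$token"
  printf '%s\n' "$token"
}

# session_chk TOKEN REMOTE_ADDR USER_AGENT -> prints user name; rc 1 if invalid
session_chk() {
  local f user addr ua
  # tokens are lowercase hex only; anything else is rejected before touching the filesystem
  case "$1" in ''|*[!0-9a-f]*) return 1 ;; esac
  f="$SESSION_DIR/$1"
  [ -f "$f" ] || return 1
  user=$(sed -n 's/^user=//p' "$f")
  addr=$(sed -n 's/^remote_addr=//p' "$f")
  ua=$(sed -n 's/^user_agent=//p' "$f")
  # a changed address or browser ends the session when the matching flag is "yes"
  if [ "$IP_persistence" = "yes" ] && [ "$addr" != "$2" ]; then rm -f "$f"; return 1; fi
  if [ "$User_agent_persistence" = "yes" ] && [ "$ua" != "$3" ]; then rm -f "$f"; return 1; fi
  printf '%s\n' "$user"
}

# session_refresh TOKEN REMOTE_ADDR USER_AGENT -> prints a new token; the old one is dropped
session_refresh() {
  local user
  user=$(session_chk "$1" "$2" "$3") || return 1
  rm -f "$SESSION_DIR/$1"
  session_new "$user" "$2" "$3"
}
```

Each page request would call session_refresh and hand the new token back in the links it renders, which is the "Link {NEW Session}" step in the flow diagram.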