On 2/21/19 1:38 PM, Tom Smyth wrote:
> Hello All,
>
> we have an in-house shell script based deployment system for our
> OpenBSD boxes in the field
> this involves the boxes pulling config files over https but I'm always
> concerned that if the downloaded files are incomplete or empty that
> this would break the configs and require heavy manual intervention to fix
> and I'm wondering is there a framework or best practices guide
> or a good script example where OpenBSD folks have solved this issue
>
> At the moment I'm using the native OpenBSD FTP client and the pull scripts
> are simple shell scripts,
> I'm just wondering are there shell scripts / functions that solve this problem
> in a much safer & more elegant way than me manually verifying hashes
> on each file download,
>
> I'm concerned particularly that in the future deployment scripts will
> add services (and hence imply the downloading of shell scripts) and I need
> to be certain
>
> I'm wondering if there is something like rcctl.subr
> that my shell script could call with functions that have been written by
> smarter people than I,
> any suggestions would be welcome,
You may want to look into signify(1). Make your own signing keypair for configuration files and sign your data with signify(1) on the server; then use signify(1) on the client to verify what you download. Note that HTTPS itself already includes a layer of protection against incomplete or modified data (Content-Length HTTP header; TLS message authentication codes; TLS certificate PKI/server identity validation). Depending on your threat model, you may not actually need to add anything more to your setup.
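The pull-and-verify pattern suggested above, written out as an added example for this thread (not code from either poster or from the OpenBSD base system). It uses signify(1) embedded signatures so the client fetches a single file (signature plus message) with ftp(1), refuses empty downloads, and replaces the live config only after verification, via a rename in the destination directory so a partial write can never be the file the daemon reads. The URL, key paths and file names are assumptions; the signing commands in the header comment are the standard signify(1) invocations.

```sh
# Added example, not code from the thread. URL, key paths and file names
# are assumptions.
#
# Server side, once:        signify -G -n -p conf.pub -s conf.sec
# Server side, per release: signify -S -e -s conf.sec -m pf.conf -x pf.conf.sig
# The client downloads only pf.conf.sig (signature with the message embedded)
# and installs the extracted message only when the signature verifies.

# install_signed SIGFILE PUBKEY DEST
# Verifies an embedded signify signature and atomically replaces DEST with
# the verified message. On any failure DEST is left exactly as it was.
install_signed() {
    sig=$1 pubkey=$2 dest=$3
    # An empty or truncated download must never reach the live config.
    [ -s "$sig" ] || return 1
    # Temp file in the destination directory, so the final mv is a rename on
    # the same filesystem and a crash cannot leave a half-written config.
    tmp=$(mktemp "$dest.XXXXXXXXXX") || return 1
    # -V verify, -e extract the embedded message into -m; fails closed on
    # any mismatch, truncation or unknown key.
    if signify -V -e -p "$pubkey" -x "$sig" -m "$tmp" >/dev/null; then
        mv -f "$tmp" "$dest" && return 0
    fi
    rm -f "$tmp"
    return 1
}

# fetch_config URL PUBKEY DEST
# Downloads the signed file with the base-system ftp(1) client and hands it
# to install_signed. Returns nonzero (and leaves DEST untouched) on any error.
fetch_config() {
    url=$1 pubkey=$2 dest=$3
    dl=$(mktemp /tmp/fetch.XXXXXXXXXX) || return 1
    rc=1
    # -V suppresses progress output; ftp exits nonzero on HTTP/TLS failure.
    if ftp -V -o "$dl" "$url"; then
        install_signed "$dl" "$pubkey" "$dest" && rc=0
    fi
    rm -f "$dl"
    return $rc
}

# Usage (assumed paths):
#   fetch_config https://deploy.example.net/pf.conf.sig \
#       /etc/signify/conf.pub /etc/pf.conf && pfctl -f /etc/pf.conf
```

Because the reload command is chained with `&&`, a failed download or a bad signature leaves the previous configuration both on disk and loaded; the only manual step left is to look at the logged ftp or signify error.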