class OpenKey::KeyIdent
This class knows how to derive information from the machine environment to aide in producing identifiers unique to the machine and/or workstation, with functionality similar to that required by licensing software.
Identity is Similar to Licensing Software | Except Deeper¶ ↑
Deriving the identity string follows similar principles to licensing software that attempts to determine whether the operating environment is the same or different. But it goes deeper than licensing software as it is not only concerned about the same workstation - it is also concerned about the same shell or command line interface.
Known Issues¶ ↑
The dependent macaddr gem is known to fail in scenarios where a VPN tunnel is active and a tell tale sign is the ifconfig command returning the tun0 interface rather than “eth0” or something that resembles “ensp21”.
This is one of the error messages resulting from such a case.
macaddr.rb:86 from_getifaddrs undefined method pfamily (NoMethodError)
Public Class Methods
This method uses a one-way function to return a combinatorial digested machine identification string using a number of distinct input parameters to deliver the characteristic of producing the same identifier for the same machine, virtual machine, workstation and/or compute element, and reciprocally, a different one on a different machine.
The userspace is also a key machine identifier so a different machine user generates a different identifier when all other things remain equal.
@return [String]
a one line textual machine workstation or compute element identifier that is (surprisingly) different when the machine user changes.
# File lib/keytools/key.ident.rb, line 155 def self.derive_machine_identifier require 'socket' identity_text = [ Etc.getlogin, get_machine_id(), Socket.gethostname() ].join.reverse return identity_text end
This method returns a plaintext string hat is guaranteed to be the same whenever called within the same shell for the same user on the same workstation, virtual machine, container or SSH session and different whenever a new shell is acquired.
What is really important is that the shell identity string changes when
-
the command shell changes
-
the user switches to another workstation user
-
the workstation or machine host is changed
-
the user SSH's into another shell
Unchanged | When Should it Remain Unchanged?
Remaining unchanged is a feature that is as important and this must be so when and/or after
-
the user returns to a command shell
-
the user switches back to using a domain
-
the user exits their remote SSH session
-
sudo is used to execute the commands
-
the user comes back to their workstation
-
the clock ticks into another day, month, year …
@param use_grandparent_pid [Boolean]
Optional boolean parameter. If set to true the PID (process ID) used as part of an obfuscator key and normally acquired from the parent process should now be acquired from the grandparent's process. Set to true when accessing the safe's credentials from a sub process rather than directly through the logged in shell.
@return [String]
Return a one line textual shell identity string. As key derivation algorithms enforcing a maximum length may be length may be applied, each character must add value so non-alphanumerics (mostly hyphens) are cleansed out before returning.
# File lib/keytools/key.ident.rb, line 70 def self.derive_shell_identifier( use_grandparent_pid = false ) require 'socket' # -- Ensure that the most significant data points # -- come first just like with numbers. identity_text = [ get_ancestor_pid( use_grandparent_pid ), get_bootup_id(), Etc.getlogin(), Socket.gethostname() ].join return identity_text.to_alphanumeric end
Return an ancestor process ID meaning return either the parent process ID or the grandparent process ID. The one returned depends on the paremeter boolean value.
Command Used to find the grandparent process ID.¶ ↑
$ ps -fp 31870 | awk "/tty/"' { print $3 } ' $ ps -fp 31870 | awk "/31870/"' { print $3 } '
The one liner finds the parental process ID of the process with the given parameter process ID.
$ ps -fp 31870 UID PID PPID C STIME TTY TIME CMD joe 31870 2618 0 12:55 tty2 00:01:03 /usr/bin/emacs25
The ps command outputs two (2) lines and awk is employed to select the line containing the already known ID. We then print the 3rd string in the line which we expect to be the parent PID of the PID.
Warning | Do Not Use $PPID¶ ↑
Using $PPID is fools gold because the PS command itself runs as another process so $PPID is this (calling) process ID and the number returned is exactly the same as the parent ID of this process - which is actually the grandparent of the invoked ps process.
@param use_grandparent_pid [Boolean]
Set to true if the grandparent process ID is required and false if only the parent process ID should be returned.
@return [String]
Return ancestor process ID that belongs to either the parent process or the grandparent process.
# File lib/keytools/key.ident.rb, line 125 def self.get_ancestor_pid( use_grandparent_pid ) parental_process_id = Process.ppid.to_s() grandparent_pid_cmd = "ps -fp #{parental_process_id} | awk \"/#{parental_process_id}/\"' { print $3 } '" raw_grandparent_pid = %x[#{grandparent_pid_cmd}] the_grandparent_pid = raw_grandparent_pid.chomp log.debug(x) { "QQQQQ ~> QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ" } log.debug(x) { "QQQQQ ~> Request Bool Use GPPID is ~> [[ #{use_grandparent_pid} ]]" } log.debug(x) { "QQQQQ ~> Main Parent Process ID is ~> [[ #{parental_process_id} ]]" } log.debug(x) { "QQQQQ ~> GrandParent Process ID is ~> [[ #{the_grandparent_pid} ]]" } log.debug(x) { "QQQQQ ~> QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ" } return ( use_grandparent_pid ? the_grandparent_pid : parental_process_id ) end
If you need to know whether a Linux computer has been rebooted or you need an identifier that stays the same until the computer reboots, look no further than the read only (non sudoer accessible) **boot id**.
In the modern era of virtualization you should always check the behaviour of the above identifiers when used inside
-
docker containers
-
Amazon EC2 servers (or Azure or GCE)
-
vagrant (VirtualBox/VMWare)
-
Windows MSGYWIN (Ubuntu) environments
-
Kubernetes pods
@return [String] the bootup ID hash value
# File lib/keytools/key.ident.rb, line 184 def self.get_bootup_id bootup_id_cmd = "cat /proc/sys/kernel/random/boot_id" bootup_id_str = %x[ #{bootup_id_cmd} ] return bootup_id_str.chomp end
If the system was rebooted on April 23rd, 2018 at 22:00:16 we expect this method not to return 2018-04-23 22:00:16, but to return the 8 least significant digits bootup time digits which in this case are 23220016.
Investigate all Linux flavours to understand whether this command works (or is it just Ubuntu). Also does Docker return a sensible value here?
This method is not production ready. Not only is the time within a small range, also the most significant digit can fluctuate up or down randomly (in a non-deterministic manner.
@return [String] the time when the system was booted.
# File lib/keytools/key.ident.rb, line 231 def self.get_bootup_time_digits boot_time_cmd = "uptime -s" uptime_string = %x[ #{boot_time_cmd} ] return uptime_string.chomp.to_alphanumeric[ 6 .. -1 ] end
The machine identifier is a UUID based hash value that is tied to the CPU and motherboard of the machine. This read-only identifier can be accessed without sudoer permissions so is perfect for license generators and environment sensitive software.
In the modern era of virtualization you should always check the behaviour of the above identifiers when used inside
-
docker containers
-
Amazon EC2 servers (or Azure or GCE)
-
vagrant (VirtualBox/VMWare)
-
Windows MSGYWIN (Ubuntu) environments
-
Kubernetes pods
@return [String] the machine ID hash value
# File lib/keytools/key.ident.rb, line 208 def self.get_machine_id machine_id_cmd = "cat /etc/machine-id" machine_id_str = %x[ #{machine_id_cmd} ] return machine_id_str.chomp end