Check trust #130

Merged
merged 5 commits into from
Jul 10, 2020

Commits on Jul 9, 2020

  1. 0cef711
  2. clusterd: Add trustcheck service

    Add a very simple tcp service on port 236 to clusterd which can be used
    by other hosts to query whether they are still trusted.
    
    clusterd replies with either "I trust you\n" or "I don't trust you\n"
    depending on whether the connecting host has the amd hostconfig flag
    or not. After sending the message, clusterd will hang up.
    donald committed Jul 9, 2020 (de028ee)
  3. checktrust: Add /usr/sbin/checktrust command

    Add a script to determine whether the system has lost the trust of other
    systems. Query a few remote systems which are supposed to be online most
    of the time.
    
    Note that this script has a tristate result (trusted, not trusted,
    unknown), so we don't communicate the result via exit status, but output
    "trusted", "not trusted" or nothing.
    donald committed Jul 9, 2020 (cebbd07)
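The exchange described in the two commits above (a trustcheck service that answers one of two fixed lines and hangs up, and a client that turns the answers of several hosts into a tristate result), as an added example in Python. This is not the project's clusterd or checktrust code: port 236, the two reply strings and the "trusted" / "not trusted" / nothing output come from the commit messages, while the function names, the in-process demo server, the peer allow-list standing in for the amd hostconfig flag, and the "one explicit refusal wins" aggregation rule are assumptions made here.

```python
"""Tristate trust check against a clusterd-style trustcheck service.

Added example, not project code. Port number and reply strings are taken
from the commit messages; everything else (names, server stand-in, the
aggregation rule) is assumed for illustration.
"""
import socket
import socketserver
import threading
from typing import List, Optional

TRUSTCHECK_PORT = 236                    # from the commit message
REPLY_TRUSTED = b"I trust you\n"         # from the commit message
REPLY_UNTRUSTED = b"I don't trust you\n" # from the commit message
MAX_REPLY_BYTES = 64                     # assumed: a verdict is one short line


def parse_reply(data: bytes) -> Optional[bool]:
    """Map a raw reply to True (trusted), False (not trusted) or None (unknown).

    Only the two exact messages count as a verdict, so a truncated, foreign or
    garbled reply can never be mistaken for "trusted".
    """
    if data == REPLY_TRUSTED:
        return True
    if data == REPLY_UNTRUSTED:
        return False
    return None


def query_host(host: str, port: int = TRUSTCHECK_PORT,
               timeout: float = 3.0) -> Optional[bool]:
    """Connect, read until the peer hangs up, return the parsed verdict.

    Connection errors and timeouts yield None (unknown) instead of raising,
    which is what lets the caller distinguish "unreachable" from "refused".
    """
    chunks: List[bytes] = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            while True:
                chunk = sock.recv(MAX_REPLY_BYTES)
                if not chunk:           # peer closed: reply is complete
                    break
                chunks.append(chunk)
                if sum(len(c) for c in chunks) > MAX_REPLY_BYTES:
                    return None         # too long to be a verdict line
    except OSError:
        return None
    return parse_reply(b"".join(chunks))


def aggregate(verdicts: List[Optional[bool]]) -> Optional[str]:
    """Combine per-host verdicts into the checktrust output.

    Assumed rule: any explicit "not trusted" wins over acceptances; with no
    refusal, one acceptance is enough; if nobody answered the result is None,
    meaning the script prints nothing and the caller keeps asking.
    """
    if any(v is False for v in verdicts):
        return "not trusted"
    if any(v is True for v in verdicts):
        return "trusted"
    return None


class TrustcheckHandler(socketserver.BaseRequestHandler):
    """Server side: one fixed reply, then hang up (connection closes on return)."""

    def handle(self) -> None:
        peer_ip = self.client_address[0]
        trusted = peer_ip in self.server.trusted_peers  # stand-in for the hostconfig flag
        self.request.sendall(REPLY_TRUSTED if trusted else REPLY_UNTRUSTED)


class TrustcheckServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, trusted_peers) -> None:
        super().__init__(addr, TrustcheckHandler)
        self.trusted_peers = set(trusted_peers)


def demo(trust_localhost: bool) -> Optional[str]:
    """Run an in-process server on an ephemeral localhost port, query it plus
    a port nobody listens on (an unreachable node), and return the output."""
    peers = {"127.0.0.1"} if trust_localhost else set()
    server = TrustcheckServer(("127.0.0.1", 0), peers)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Find a currently unused port: bind, note it, close it, then connect.
        probe = socket.socket()
        probe.bind(("127.0.0.1", 0))
        dead_port = probe.getsockname()[1]
        probe.close()
        verdicts = [query_host("127.0.0.1", port),
                    query_host("127.0.0.1", dead_port, timeout=1.0)]
        return aggregate(verdicts)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for flag in (True, False):
        print(f"localhost trusted={flag}: {demo(flag)!r}")
```

The unreachable second target in `demo` is what exercises the third state: it contributes `None`, and because the other host answered, the aggregate is still a verdict. With both targets unreachable the function returns `None`, which corresponds to the script printing nothing and the greeter-side poller asking again.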
  4. checktrust: Alert user on greeter if workstation lost trust

    Install three new files into the system:
    
    - /etc/xdg/lightdm/lightdm.conf.d/50-use-wrapper.conf
    - /usr/libexec/lightdm-greeter-wrapper
    - /usr/libexec/lightdm-show-trust-warning
    
    The first file adds a configuration option to lightdm to invoke the
    greeter via a wrapper. The second file is the wrapper script, which
    forks off the third script before exec-ing into the greeter.
    
    The third script uses /usr/sbin/trustcheck to find out whether we lost
    the trust of the other nodes. If it gets a negative verdict, it shows a
    dialog on top of the login screen to alert the user about the condition.
    If it doesn't get a verdict, it keeps asking (e.g. when the network is
    not plugged in).
    
    xdotool is used to raise the dialog above the (full screen) login
    window. This has to be done in a loop, because we don't know how long
    the login window needs to appear and pop up in front of the dialog.
    donald committed Jul 9, 2020 (56266fe)
  5. checktrust: Let getty display a warning if trust is lost

    Create a service "checktrust" which is run before getty is started. If
    this service detects that the system has lost trust, a warning message
    is dropped into /node/issue.d/notrust.issue.
    
    Create a symlink for agetty in /etc/issue.d to the (only possibly
    existing) file in the /node path. agetty shows this message before
    the login prompt.
    
    checktrust-for-getty: Use checktrust command
    donald committed Jul 9, 2020 (a018d40)