=======================================
 Chopwood: a password changing service
=======================================

:Author: Mark Wooding

.. sectnum::
	:depth: 3

.. contents::

Introduction
############


Congratulations.  You've just installed Squid, or nginx, or Exim, or
Dovecot, or, well, something.  And it has a marvellous access control
system with users and passwords and stuff.  Yet another little file with
*user*\ **:**\ *password* lines, or maybe a database or something.
Which will all be great.  Just as soon as your users can actually set
passwords, or change them.  Chopwood is a service for letting them do
that.

Of course, you could set up some single sign-on system.  They're quite
complicated.  Also, they probably aren't really what you wanted, because
these various services that you've set up probably have rather different
security levels and it's just not a good plan to feed high-value
credentials to a low-security service.

Chopwood isn't a single sign-on system: in fact it's the opposite.  It's
a tool to let users manage a number of passwords on the same system.

Chopwood has three user interfaces.

  * Local users can communicate with it as a `GNU Userv`_ service.  Most
    of the necessary plumbing is provided.  Local users don't need to do
    authenticate explicitly via Userv, so this is simple, convenient,
    reliable, and relatively pain free.  The only downside is that you
    have to give users shell access to your server.

  * Remote users can reach it using SSH, using OpenSSH_\ 's forced
    command feature.  Maintaining the ``authorized_keys`` file is a bit
    of a nuisance, especially if they need to keep changing their keys
    [#keymgmt]_.

  * Remote users can also get to it with a web browser, using good
    old-fashioned CGI.  Unfortunately, we don't have a better approach
    for authenticating users than more passwords.  Of course, Chopwood
    can manage its own password, but that's not really the point.

.. [#keymgmt] Maybe someone should build a similar tool for managing
	      authorized keys for SSH services.

.. _GNU Userv: http://www.gnu.org/software/userv/

.. _OpenSSH: http://www.openssh.org/



Installation
############


Chopwood is written in Python, and doesn't depend on any additional
libraries.  The program is tested with Python 2.7, but I expect that it
works with Python 2.6, and it's intended to work with 2.5 too.

You'll also need GNU Make and at least of

  * GNU Userv;

  * OpenSSH, or some other SSH server with a forced-command feature;

  * a web server which can run CGI scripts as some other user; or

  * some willingness to get your hands dirty hooking Chopwood up to some
    other interface.

Chopwood is designed to be run from a Git working tree.  You can clone
it from

  * <git://git.distorted.org.uk/~mdw/chopwood/>
  * <http://git.distorted.org.uk/~mdw/chopwood/>
  * <https://git.distorted.org.uk/~mdw/chopwood/>

I recommend that you use the HTTPS transport if you can; unfortunately,
at the moment, that server doesn't have a certificate from a well-known
CA.  Please check the certificate against the TLSA record, which is
secured using DNSsec.

The working tree needs a very quick build step, which you can accomplish
by running ::

	$ make

This does three things:

  * it generates the ``auto.py`` file which tells Chopwood its
    installation directory, version number, and various other
    automatically discovered things; and

  * it generates the static files for the web interface; and

  * it causes Python to byte-compile the various Python modules.


Basic configuration
-------------------

Great so far.  Now it's time to shut up the warning about not having a
configuration file.  


Configuration parameters
------------------------

**ALLOWOP**:
	An object holding three boolean attributes.  If **ALLOWOP.set**
	is true then users are allowed to set passwords to values of
	their choosing; if **ALLOWOP.reset** is true then they're
	allowed to ask for passwords to be reset to a value chosen by
	Chopwood; and if **ALLOWOP.clear** is true then they're allowed
	to clear passwords, leaving them unable to log into the
	applicable service.

**AUTHHASH**:
	The hash function to use when making HTTP authentication
	cookies.  This should be a function (or other callable) which
	behaves like one of the **hashlib** hash functions.  The default
	is **hashlib**.\ **sha256**, which is likely to be good enough.

**DB**:
	The database which Chopwood should use to store its state.  This
	should be a pair (*module*, *modargs*), where *module* names a
	PEP 249 database module and *modargs* is a sequence or
	dictionary of arguments to pass to its **connect** function.
	The default is to create a SQLite3 database in Chopwood's
	working directory.

**HASH**:
	The password hash to use for Chopwood's own user database.  See
	`Chopwood password hashes`_ for more information about the
	password hashes provided and the protocol in which hash objects
	participate.  The default is to use a **crypt**\ (3)-style hash
	with MD5.

**LOCKDIR**:
	A string naming the directory in which Chopwood should store
	its lockfiles.

**RQCLASS** and **RQMIXIN**:
	Classes used to determine password policies.  See `Applying
	local policy`_ for details.  The default is to allow everything.

**SCRIPT_NAME**:
	A (possibly relative) URL referring to Chopwood's CGI script.
	This will usually be set appropriately by the webserver, but
	this setting exists so that you can override it if it's wrong.

**SECRETFRESH**:
	The time in seconds for which a cookie authentication key is
	used for issuing fresh cookies.  After this, a new key is
	generated, and the old ones kept and used to validate existing
	cookies until their lifetime expires (see **SECRETLIFE** below).
	The default is five minutes.

**SECRETLIFE**:
	The total lifetime, in seconds, of a key used to ensure
	cryptographically the integrity of session cookies.  See
	**SECRETFRESH** above.  Users' browsers are instructed to
	discard the cookie after `**SECRETLIFE** - **SECRETFRESH**`:m:
	seconds.  The default is half an hour.

**STATIC**:
	The URL prefix for static content: the location of static
	resource *file* is reported to the user agent as *STATIC*\
	**/**\ *file*.  The default is to attempt (see **SCRIPT_NAME**
	above) to link back to Chopwood's CGI script to generate the
	content dynamically.  You can improve responsiveness by
	configuring Chopwood and your webserver to serve actual static
	files instead.


..  LocalWords:  nginx www userv CGI keymgmt https TLSA py ALLOWOP sha
..  LocalWords:  AUTHHASH RQCLASS RQMIXIN modargs