stash

a private dropbox

Stars
17
Committers
1
View Code on GitHub
Ecosystems: Python
  • stash
    stash is a private dropbox.

If you want someone to be able to upload files from their browser directly onto your computer at home, install stash once, and allow dedicated access to your friends to share files with you. Maybe your dad wants to send you the video from the family event, or a colleague a huge database, stash might be the right thing. If you run stash on a server on the internet, your uploads are encrypted and only accessible with your secret PGP key. There's a short time when the file is unencrypted in memory (but not on disk!) on your server while uploading, but you can get around that uploading stuff that is already encrypted.

where's the screenshots? here: [[screenshots/]]

stash should be easy to use for uploaders, while providing the following attributes:

  • Allow upload of huge files (I know, it's HTTP, still).
  • The only private information retained is the public PGP keys of the
    stash owners. No passwords even. Just make an extra PGP key and
    email for an added anon factor.
  • Uploaded files are automatically encrypted with the stash owners
    key. This can be disabled, if you want to upload data that is
    already encrypted.
  • Stash owners are automatically emailed to the email address listed
    in their public key about new uploads. These emails are also PGP
    encrypted.
  • User authentication is done using [[https://github.com/stef/tlsauth/][tlsauth]]: uploaders do not need a
    cert, new stash owners registering either, but all other parts
    require valid certs.
  • Stash IDs are generated randomly and should be hard to guess, this
    the only protection - tlsauth does not protect these upload forms -
    this is intentional to make it useful for "mom". however you can
    also specify your own human parseable stash ID if needed, tlsauth
    should be mandatory then for uploads as well.
  • Even though stash uses certificates for authentication, the user
    management is very simple and similar to normal user admin
    workflows, the only difference is that users have to import their
    cert into their browser after certification.
  • Installation
    If you are of the adventurous type you might want to try out the
    automatic and never-before tested install.sh, which does all -
    except the last two: "import" and "done" - these below
    automagically. Otherwise you'll be setting up an onion service,
    nginx, a CA and related certificates, importing some of them into
    browsers and also configuring the stash.
    ** Depends
    tlsauth, nginx
    ** Setup a tor hidden service
    If you don't need a hidden service (why not? - it's nice to go behind
    NAT), then you can skip this, but the install script does it anyway.

Create this hidden service in your /etc/tor/torrc file: #+BEGIN_SRC sh sudo cat >>/etc/tor/torrc <<EOT HiddenServiceDir /var/lib/tor/stash/ HiddenServicePort 443 127.0.0.1:23443 HiddenServicePort 80 127.0.0.1:23080 EOT #+END_SRC then restart tor and get the hostname: #+BEGIN_SRC sh sudo /etc/init.d/tor restart sudo cat /var/lib/tor/stash/hostname #+END_SRC remember this hostname and use it in all later steps. ** Get stash and dependencies #+BEGIN_SRC sh git clone https://github.com/stef/stash cd stash pip install -r requirements.txt #+END_SRC After also installing the necessary dependencies, we can ** Create the CAs *** create a Root CA ...for signing the https server certificate and the subCA. #+BEGIN_SRC sh ./tlsauth.py CA createca http:///crl.pem " CA" email1@ #+END_SRC *** create a subCA ...for the client auth keys #+BEGIN_SRC sh ./tlsauth.py subCA createca http:///client-crl.pem " client CA" email@ CA #+END_SRC *** create https server certificate #+BEGIN_SRC sh ./tlsauth.py CA newcsr root@ >CA/server.key #+END_SRC *** Sign server cert with Root CA #+BEGIN_SRC sh ./tlsauth.py CA sign <CA/server.key >CA/public/server.pem #+END_SRC *** Remove Root CA private key It is important to remove and store the root CA private key in a safe offline location, as it can be used to mount a MITM attack against all users, who trust this key. You need this key in 1 year, when you need to renew your client CA certificate (per default it's only valid for one year!) #+BEGIN_SRC sh mv root-ca/private/root.key #+END_SRC ** Setup nginx Adapt the path "/var/run/stash" and the hostname in stash.nginx.conf, then #+BEGIN_SRC sh cp stash.nginx.conf /etc/nginx/sites-available/stash ln -s /etc/nginx/sites-available/stash /etc/nginx/sites-enabled/ /etc/init.d/nginx restart #+END_SRC ** Create your own client certificate This step is like setting up the admin account on other systems: #+BEGIN_SRC sh ./tlsauth.py subCA newcsr joe joe@localhost >joe.key ./tlsauth.py subCA sign <joe.key >joe.cert ./tlsauth.py root-ca p12 joe.key <joe.cert >joe.p12 #+END_SRC Store the files ending in .key and .cert in some safe offline storage. ** Configure stash edit cfg.py and set:

  • 'sender' to some email address for the origin of mails sent by stash
  • 'admins' is a list of emails, that when presented a certificate with
    an email in this list, the user will have admin privileges.
  • 'secret' to some long random string
  • 'root' to some path which will serve as root for all file operations.
  • 'ca' to the directory containing your CA files under 'root'
  • 'notify' to False if you don't want any notifications being sent out after uploads.
    ** Start stash wsgi daemon
    #+BEGIN_SRC sh
    uwsgi --socket 127.0.0.1:23023 --chdir $PWD --pp $PWD/.. -w stash -p 1 --py-auto-reload 1
    #+END_SRC
    ** Importing certificates
    Open in your favorite browser the following url:
    http:///cert.pem

Which should offer you to automatically import the CA root certificate into your browsers, and it also asks you what you want to trust it, allow your browser to trust this CA with servers and user, but not software.

Also download and import the .p12 certificate generated in "Create your own client Certificate" into your browser. ** Done visit:

  • To create a new stash: https:///settings/newstash
  • to list stashes: https:///settings/stashes
  • to list user access requests: https:///settings/requests

Your friends can now request access to your stash by going to: https:///settings/register

However this generates the certificate in your browser, and if you - as I - do not trust your browser, you might want to generate your keys and certs offline in a more controlled environment and upload your CSR here: https:///settings/request

Also my firefox did not store the generated key in the keystore, so i had to use a proper CSR anyway.

Related Projects
stash

StaSh - Shell for Pythonista

21 Nov 2014 1,935
bless

Repository for BLESS, an SSH Certificate Authority that runs as a AWS Lambda function

18 May 2016 2,734
certauth

Simple CertificateAuthority and host certificate creation, useful for man-in-the-middle HTTPS proxy

29 Mar 2015 25
tlsauth

a simple framework for nginx based tls auth with a flask example

19 Mar 2013 22
flask-tlsauth

flask extension for doing TLS client cert authentication

24 Mar 2013 31
certidude

Easy to use Certificate Authority web service for OpenVPN, StrongSwan and HTTPS

12 Jul 2015 126