The walkthrough for checkout2.php explains the code needed to use a GPG key -- but of course, that assumes you've generated one. That's something you have to do outside of SimpleshoPHP from the command line. You may need to talk to your system administrator about some of the material in this section. No problem -- point to this page and buy him (or her) a pizza.
SSL is a secure way to get your customer's information into your server. We are not going to say much more about that here -- it's outside the scope of this tutorial, but it's mostly a matter of buying and installing an SSL certificate, and telling Apache to use it for certain pages. I recommend Comodo's InstantSSL. Their prices are reasonable, their customer support is good, and they provide online instructions on how to install their certificates on all the popular web servers.
This page is about how to get that information off of your server in a secure way.
GPG is GNU Privacy Guard, the Free Software Foundation's version of Phil Zimmermann's Pretty Good Privacy, PGP. GPG keys have two parts. There is a public part, which you can give to anyone, and a private part, which you keep secret. They work together. Anyone can use your public key to encrypt a message "for your eyes only." Only your private key can read that scrambled message, so your messages will be exactly as secure as your private key is. If you do a good job of keeping it secret, your messages will be very secure indeed.
You will need to set up two separate GPG usernames. I call them "roboclerk" and "orders." As the names imply, "roboclerk" is the automatic system, the Simpleshop system itself, while "orders" is the account of the person who will actually receive and fill orders.
The public key for orders will reside on the server in a GPG "keyring" file, which will be owned by roboclerk. GPG doesn't know how to cope with a user who has no key at all, so that means we have to give roboclerk a key as well. However, there is no point in trusting roboclerk's key to keep anything secure. Why not? First, because it resides on the server, and is always at risk of being seen; furthermore, since there's no one there to type in a password for it, it must be saved without a password. But that's okay; the only reason we are creating it is to keep GPG happy.
It makes some sense to generate roboclerk's key on the server, to give it an initial keyring. But resist the urge to generate the orders key there.
We encrypt orders before they are emailed, using the public half of the orders GPG key. We do not use the roboclerk key for this. We will use the roboclerk key to "sign" the message, but that's not critical to making the system work. We only created the roboclerk key so that there would be a keyring to hold the orders public key on the server.
Let me emphasize one more time: the private half of the order-taker's key does not reside on the server. It doesn't matter who sees the public half. The public half of the key can only encrypt messages; it can't unscramble them. As long as the order taker protects the private half of her key, she is the only person who can decrypt those messages.
So, on the server, we want to generate a key pair for roboclerk@example.com. On some OTHER machine, we will generate the key pair for orders@example.com. (Replace "example.com" with your domain(s); and you can use different names if you have ones you like better -- they must also be changed in your SimpleshoPHP pages, of course.)
Oddly enough, the roboclerk account does not need to have a login shell once you've set up the keyring. You will need to "su - roboclerk" while you run the GPG commands to create the keyring, but after you have done that, you (or your admin) can edit your /etc/passwd file and change the shell to one that does not allow interactive logins.
# mkdir /var/jail
# useradd -d /var/jail/roboclerk roboclerk
# chown -R apache:apache /var/jail
# chmod 700 /var/jail/roboclerk
# ls -lF /var/jail
drwx------ 2 apache apache 4096 May 26 15:20 roboclerk/
# "Become" roboclerk by using the su command:
# su - roboclerk
[roboclerk@localhost roboclerk]$ PS1="robo$ " # change that ugly prompt
robo$ # There, that's better!
# We will generate only a small "signing" key for roboclerk.
robo$ gpg --gen-key
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
Your selection? 2
About to generate a new DSA keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) 768
Requested keysize is 768 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: ROBOCLERK
Email address: roboclerk@example.com
Comment: Demo Do Not Distribute
You selected this USER-ID:
"ROBOCLERK (Demo Do Not Distribute) <roboclerk@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
You don't want a passphrase - this is probably a *bad* idea!
[Well, the alternative of leaving the passphrase on the server
would be just as bad. So there!]
I will do it anyway. [Thanks, I think... GPG is such a nag at times.]
You can change your passphrase at any time, using this program with
the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.+++++.+++++++++++++++.++++++++++++ [many lines of this]
public and secret key created and signed.
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a secondary key for this purpose.
Repeat this at home for the "orders" account, but this time select the "sign and encrypt" choice, and a larger key size -- at least 1024 bits. Give it a GOOD passphrase -- something at least as elaborate as "Dingb@ts glory 20 ribish phlegm, Not? GO!" You're taking responsibility for other people's credit cards, after all, so your own pride should keep you from cutting corners. I won't repeat the whole process here, but it will look pretty much the same.
The next step is to export the roboclerk public key so you can import it at home, and export the orders public key so that you can install it on the server. On the server:
robo$ gpg --export --armor roboclerk@example.com > roboclerk.asc
# The output is a plain text file called roboclerk.asc, which
# should look like this:
robo$ cat roboclerk.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQFCBD7mgLIRAwDW3j9rcjXEKzJFWPuqp0sgGe2CADAVsjrSKMDG5rVifASTs5cc
X63NPghUrTxF9Qavp9fA68qq+foOhO/rxDnRnZ+suCSkfqrNgX068wG0kumgsrE7
...
DGWDQnqBOy0YS/Jpo24vAe7grzAAn2lhXQN2tZyHnU4B/qjpRxbXE+dW
=Np37
-----END PGP PUBLIC KEY BLOCK-----
robo$ gpg --export-secret-keys --armor roboclerk@example.com > roboclerk.prv
# Verify that roboclerk.prv looks like this:
robo$ cat roboclerk.prv
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

lQFbBD7mgLIRAwDW3j9rcjXEKzJFWPuqp0sgGe2CADAVsjrSKMDG5rVifASTs5cc
X63NPghUrTxF9Qavp9fA68qq+foOhO/rxDnRnZ+suCSkfqrNgX068wG0kumgsrE7
....
FmKeA/p/xeFK8fVtuWpUVwg=
=ecmP
-----END PGP PRIVATE KEY BLOCK-----
# Now come back to your office machine and export the public key
# for the "orders" user:
[orders@localhost orders]$ gpg --export --armor orders@example.com > orders.asc
Copy the orders.asc text file to the server and import it. The roboclerk key should already be "trusted" and used by GPG without an argument, because GPG sees that it has both the public and private halves; but before it will use the orders key to encrypt messages, you have to force it to trust that key:
# import the orders public key into roboclerk's keyring:
robo$ gpg --import orders.asc
# It used to be that you would add a line to your .gnupg/options
# file in the form "trusted-key [long key identifier]". But no!
# You'll get a message saying that "The --trusted-key switch is
# deprecated; use --edit instead." So here's how to do that.
# First, you have to get the long form of the key identifier:
robo$ gpg --list-key --with-colons orders@example.com
# It will output a line similar to this one:
# pub:u:1024:17:5DE249965B0358A2:1999-03-15:2006-02-04:59:f:
# The 5th field is the one you need for the next command. You
# are still logged in to the roboclerk account (the key id comes
# first, then the "trust" command):
robo$ gpg --edit-key 5DE249965B0358A2 trust
# gpg asks at a prompt how far you trust this key; answer it,
# then "quit" and confirm saving the change.
# Whew!
# You can import both halves of the roboclerk key at home, but
# you only need the public half. It will only be used to verify
# roboclerk's signature on orders you receive.
[orders@localhost orders]$ gpg --import roboclerk.asc
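The trust step above depends on pulling the right key id out of the colon-format listing and on the orders key actually being able to encrypt. This added Python helper (not part of SimpleshoPHP or GnuPG) does that check over a constructed listing: every key id except the page's 5DE249965B0358A2 is made up, and the today_iso argument exists only so the expiry check is reproducible.

```python
import datetime

# Constructed listing, not real gpg output: the orders key as it looks right
# after "gpg --import orders.asc" on the server (validity and owner trust still
# '-'), plus roboclerk's own sign-only key. All key ids are made up.
SAMPLE_LISTING = """\
pub:-:1024:17:5DE249965B0358A2:1999-03-15:2006-02-04:59:-:Orders Desk <orders@example.com>:
sub:-:1024:16:0123456789ABCDEF:1999-03-15:2006-02-04:::
pub:u:768:17:FEDCBA9876543210:2003-05-26:::u:ROBOCLERK (Demo Do Not Distribute) <roboclerk@example.com>:
"""

# Colon fields (0-based): 0 record type, 1 validity, 2 length, 3 algorithm,
# 4 key id (the page's "5th field"), 5 created, 6 expires, 8 owner trust,
# 9 user id (on the pub line in gpg 1.0.x, in a separate uid record later).
# RFC 4880 algorithms: 1 RSA, 16 ElGamal (encrypt only), 17 DSA (sign only),
# 18 ECDH: a "DSA and ElGamal" key encrypts with its ElGamal *subkey*.
ENCRYPT_ALGOS = {"1", "16", "18"}
BAD_VALIDITY = {"r", "e", "i", "d", "n"}  # revoked/expired/invalid/disabled/never


def _expired(field, today):
    """Expiry is ISO (gpg 1.x) or a Unix timestamp (gpg 2.x); empty = never."""
    if not field:
        return False
    if field.isdigit() and len(field) > 8:
        return datetime.datetime.fromtimestamp(int(field), datetime.timezone.utc).date() < today
    return datetime.date.fromisoformat(field) < today


def select_order_key(listing, email, today_iso):
    """Return (long key id, needs_trust) for the primary key whose user id holds
    `email`; raise ValueError if that key must not be used for orders."""
    today = datetime.date.fromisoformat(today_iso)
    blocks = []  # each block: a pub record followed by its uid/sub records
    for f in (line.split(":") for line in listing.splitlines()):
        if f[0] == "pub":
            blocks.append([f])
        elif f[0] in ("uid", "sub") and blocks:
            blocks[-1].append(f)
    for block in blocks:
        pub = block[0]
        if not any(email in r[9] for r in block if r[0] in ("pub", "uid")):
            continue
        if pub[1] in BAD_VALIDITY or _expired(pub[6], today):
            raise ValueError(f"{pub[4]}: key is revoked, expired or invalid")
        if not any(r[3] in ENCRYPT_ALGOS and r[1] not in BAD_VALIDITY and
                   not _expired(r[6], today) for r in block if r[0] != "uid"):
            raise ValueError(f"{pub[4]}: sign-only key, cannot encrypt orders")
        # Owner trust '-' or 'q': gpg still balks in batch mode until "--edit-key <id> trust" is run.
        return pub[4], pub[8] not in ("f", "u")
    raise ValueError(f"no key for {email} in listing")
```

Pipe real output in with `gpg --list-keys --with-colons orders@example.com` and pass today's date; a ValueError means stop before the trust step rather than after an order has been encrypted to a bad key.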
Let's go back to checkout2.php... note the -u parameter on the gpg command. You are telling GPG where to find the roboclerk home directory, and that's important because otherwise, it's not going to have a clue where to find the GPG keyrings or "trust" database. The home directory needs to be readable and writable by the process that is running the web server (and hence, PHP); that's probably a user named "nobody" or "apache" or "httpd". (I strongly recommend that it NOT be "nobody" -- that name is used for a lot of system processes that should not be exposed to the Web.) Note that we put roboclerk's home directory somewhere other than the regular /home directory by using the -d option of useradd.
When you receive orders from roboclerk, they will be a solid block of stuff that looks like the key files above. You need a mail program that understands PGP or GPG, but that's fairly easy; there are Eudora plugins, Netscape plugins, and Mahogany mail (another SourceForge project). I use the plaintext Mutt mailer on Linux at home and have no worries about Windows viruses.
Next... Gee, that's all there is! Any questions? We have a support forum for them. See below.
You are invited to post comments or questions on the SimpleshoPHP forum at SourceForge.net.