diff --git a/eternal-lake-heart/heartbeat-core/BINGSHUO-KEYSTORE.hdlp b/eternal-lake-heart/heartbeat-core/BINGSHUO-KEYSTORE.hdlp index b1f6e6c..1eb83c7 100644 --- a/eternal-lake-heart/heartbeat-core/BINGSHUO-KEYSTORE.hdlp +++ b/eternal-lake-heart/heartbeat-core/BINGSHUO-KEYSTORE.hdlp @@ -54,7 +54,7 @@ ``` - **密钥类型**: Ed25519(最安全 · 最短 · 最快) -- **私钥密码**: `john0515`(与保险库同密码) +- **私钥密码**: `YOUR_VAULT_PASSWORD`(与保险库同密码 · ⊢ 不进仓库) - **私钥也存于**: GZ-006 保险库 `/opt/zhuyuan/keystore/`(Key: `GUANGHU_SSH_PRIV_KEY`) ### 📋 如何生成新密钥(如果丢了) @@ -63,28 +63,28 @@ # 在你的 Mac 上运行: python3 ~/Documents/QoderCN/2026-07-11/chat-1/fifth-domain/zero-point/core-channel/ssh-direct/generate-ssh-key.py -# 输入密码 john0515 → 自动生成 ~/.guanghu/ssh/guanghu_direct +# 输入保险库密码 → 自动生成 ~/.guanghu/ssh/guanghu_direct # 然后把公钥部署到所有服务器(见下方 §四) ``` ### 🔓 如何解码 / 使用 ```bash -# 方式一:直接 SSH(会提示输入密码 john0515) +# 方式一:直接 SSH(会提示输入密码) ssh -i ~/.guanghu/ssh/guanghu_direct root@43.156.237.110 # 方式二:用 sshpass 自动输密码(脚本用) -SSHPASS="john0515" sshpass -e ssh -i ~/.guanghu/ssh/guanghu_direct root@ "命令" +SSHPASS="$VAULT_PASSWORD" sshpass -e ssh -i ~/.guanghu/ssh/guanghu_direct root@ "命令" # 方式三:从保险库取出私钥(如果本地丢了) # ① challenge curl -X POST http://43.139.217.141:3910/exec \ - -H "Authorization: Bearer zy_gtw_4a155446b7acc09fe46a2a29972c0ca5d9954da19c35dc23" \ + -H "Authorization: Bearer $GZ_006_GK_TOKEN" \ -d '{"cmd":"python3 /opt/zhuyuan/keystore/ks.py challenge GUANGHU_SSH_PRIV_KEY"}' # ② 计算 response(Python) import hmac, hashlib -p = "john0515" +p = "$VAULT_PASSWORD" # ⊢ 从环境变量取 · 不进仓库 s_main = "527d511518d127499b7c32f54ee012b475b51fb76ea3cfe35e7e413b7b0bbf21" ph = hmac.new(p.encode(), s_main.encode(), hashlib.sha256).hexdigest() resp = hmac.new(ph.encode(), f"{nonce}:GUANGHU_SSH_PRIV_KEY".encode(), hashlib.sha256).hexdigest() @@ -110,16 +110,16 @@ ek = hmac.new(p.encode(), b"hololake-keystore-encrypt", hashlib.sha256).hexdiges ### Gatekeeper 备份通道(仅当 SSH 不可用时) -| 服务器 | Gatekeeper Token(明文 · 已知泄露 · 待轮换) | -|--------|----------------------------------------------| -| SG-001 | `zy_gtw_c38be341d65043eee0ba51a214a267832a9ae46dd73e423c` | -| GZ-006 | `zy_gtw_4a155446b7acc09fe46a2a29972c0ca5d9954da19c35dc23` | -| AW-GZ | `zy_gtw_89ba85bc4c5bcd90f7d63626c629f74ea09a74e3fa036ac0` | -| SG-002 | `zy_gtw_ceb06d8a70d0cd38678239b3a1a9b2ba5cba77a3fbe5ebbf` | -| SG-003 | `zy_gtw_d7c033d8ae992ffc9dd3e0dd5fe332dace0b644c0ae7c847` | -| ZY-SG-006 | `zy_gtw_fff861a2fe40cbdc366ee21f218023be8b1c182f66c852d3` | -| BS-SH-005 | `zy_gtw_b1045de5ddfd7832e3c53349d9c896f054b85a4a9ece22f9` | -| ZZ-SV-001 | `zy_gtw_06151d40b1313956b069f3c13d0c1b8a70405ae201f5e7b2` | +| 服务器 | Gatekeeper Token | +|--------|------------------| +| SG-001 | `$GK_SG_001_TOKEN`(⊢ 不进仓库 · 服务器环境变量) | +| GZ-006 | `$GZ_006_GK_TOKEN`(⊢ 不进仓库 · 服务器环境变量) | +| AW-GZ | `$GK_AW_GZ_TOKEN`(⊢ 不进仓库 · 服务器环境变量) | +| SG-002 | `$GK_SG_002_TOKEN`(⊢ 不进仓库 · 服务器环境变量) | +| SG-003 | `$GK_SG_003_TOKEN`(⊢ 不进仓库 · 服务器环境变量) | +| ZY-SG-006 | `$GK_ZY_SG_006_TOKEN`(⊢ 不进仓库 · 服务器环境变量) | +| BS-SH-005 | `$GK_BS_SH_005_TOKEN`(⊢ 不进仓库 · 服务器环境变量) | +| ZZ-SV-001 | `$GK_ZZ_SV_001_TOKEN`(⊢ 不进仓库 · 服务器环境变量) | > ⚠️ 以上 token 全部在老仓库 `cloud-compute-pool` 里明文泄露过。风险已下调(有三层门禁保护),但建议 SSH 直连全面稳定后统一轮换。 @@ -198,7 +198,7 @@ encrypt_key = hmac.new(password.encode(), b"hololake-keystore-encrypt", hashlib. **排查路径**: 1. 尝试 SSH 直连 → `Permission denied (publickey,password)` → 没有密码 2. 尝试 SG-001 跳板 → 同样 Permission denied → SG-001 的密钥对其他服务器无效 -3. 尝试 john0515 作为 root 密码 → 全部失败 +3. 尝试保险库密码作为 root 密码 → 全部失败 4. 回溯老仓库 → `cloud-compute-pool/bingshuo/BS-SG-002.hdlp` → **明文密钥!** **结论**: 老仓库 `cloud-compute-pool` 里 6 台服务器的 Gatekeeper token 全部明文写着。已确认风险等级可下调(SSH 直连已成为主通道),但未来需统一轮换。 @@ -251,14 +251,14 @@ encrypt_key = hmac.new(password.encode(), b"hololake-keystore-encrypt", hashlib. ```python import hmac, hashlib, json, subprocess -p = "john0515" +p = "$VAULT_PASSWORD" # ⊢ 从环境变量取 · 不进仓库 s_api = "2351afd8b757c9d423894993ddbfd175fa2097f32ecd798d8b1b2a3520234e3f" # API子库salt ek = hmac.new(p.encode(), b"hololake-keystore-encrypt", hashlib.sha256).hexdigest() # ① challenge r = subprocess.run(["curl", "-s", "-X", "POST", "http://43.139.217.141:3910/exec", - "-H", "Authorization: Bearer zy_gtw_4a155446b7acc09fe46a2a29972c0ca5d9954da19c35dc23", + "-H", "Authorization: Bearer $GZ_006_GK_TOKEN", "-H", "Content-Type: application/json", "-d", '{"cmd":"python3 /opt/zhuyuan/keystore/api/ks.py challenge VOLCANO_JIMENG_API_KEY"}' ], capture_output=True, text=True) @@ -271,7 +271,7 @@ resp = hmac.new(ph.encode(), f"{ch['nonce']}:{ch['target']}".encode(), hashlib.s # ③ unlock r2 = subprocess.run(["curl", "-s", "-X", "POST", "http://43.139.217.141:3910/exec", - "-H", "Authorization: Bearer zy_gtw_4a155446b7acc09fe46a2a29972c0ca5d9954da19c35dc23", + "-H", "Authorization: Bearer $GZ_006_GK_TOKEN", "-H", "Content-Type: application/json", "-d", json.dumps({"cmd": f"python3 /opt/zhuyuan/keystore/api/ks.py unlock {ch['challenge_id']} {resp} {ek}"}) ], capture_output=True, text=True) diff --git a/tcs-core/SI-039.hdlp b/tcs-core/SI-039.hdlp index 376a7c8..c84dff9 100644 --- a/tcs-core/SI-039.hdlp +++ b/tcs-core/SI-039.hdlp @@ -70,7 +70,7 @@ Commits 今晚: 之之原本 031a8268... → + LL-001-20260706 (7224cc44) → + ``` 新加坡: /opt/zhuyuan-brain/lake-lamp-trigger.py (v1 HTML 邮件版) 硅谷: /home/ubuntu/guanghu/zhizhi-lake-lamp/lake-lamp-trigger.py (v2 multi-recipient) -SMTP: smtp.qq.com:465 + 565183519@qq.com + auth ggeuegmaragmbejb +SMTP: smtp.qq.com:465 + 565183519@qq.com + auth FROM_SERVER_ENV HMAC secret: BS-SG-001-LAKE-LAMP-HMAC-SECRET-D164 (铸渊持有) ``` diff --git a/zero-point/core-channel/revive-guard/ecosystem.config.json b/zero-point/core-channel/revive-guard/ecosystem.config.json index 49b12b4..ea30027 100644 --- a/zero-point/core-channel/revive-guard/ecosystem.config.json +++ b/zero-point/core-channel/revive-guard/ecosystem.config.json @@ -6,7 +6,7 @@ "cwd": "/opt/zhuyuan/revive-guard", "env": { "REVIVE_GUARD_PORT": "8922", - "QQ_SMTP_AUTH_CODE": "ggeuegmaragmbejb" + "QQ_SMTP_AUTH_CODE": "FROM_SERVER_ENV" }, "out_file": "/opt/zhuyuan/revive-guard/logs/out.log", "error_file": "/opt/zhuyuan/revive-guard/logs/err.log", diff --git a/zero-point/core-channel/revive-guard/revive-guard.py b/zero-point/core-channel/revive-guard/revive-guard.py index a5e6712..fd9437c 100644 --- a/zero-point/core-channel/revive-guard/revive-guard.py +++ b/zero-point/core-channel/revive-guard/revive-guard.py @@ -9,10 +9,16 @@ Guanghu Language System · Revive Guard 如果两个都倒了,本服务是最后防线(systemd Restart=always)。 协议: - POST /revive/request → 验证密码 → 小湖灯发邮件 → 返回 challenge_id + POST /revive/request → 速率限制 → 发邮件到冰朔主权邮箱 → 返回 challenge_id + (⊢ 不需要密码 · 验证码只发到冰朔邮箱 · 只有冰朔能确认) POST /revive/confirm → 校验验证码 → systemctl restart gatekeeper + sshd + pm2 GET /health → 心跳检测 +安全设计: + ⊢ 不存密码 · 不进仓库 · 验证码用一次就扔 + ⊢ SMTP 密码走环境变量 QQ_SMTP_AUTH_CODE(不进仓库) + ⊢ 速率限制保护:每分钟最多 2 次复活请求 + 部署: 每台服务器 /opt/zhuyuan/revive-guard/revive-guard.py 监听: 0.0.0.0:8922 @@ -28,18 +34,18 @@ from http.server import HTTPServer, BaseHTTPRequestHandler # ═══════════════════════════════════════════ PORT = int(os.environ.get("REVIVE_GUARD_PORT", "8922")) SOVEREIGN_ID = "ICE-GL∞" -SOVEREIGN_PASSWORD = "john0515" -SOVEREIGN_EMAIL = "565183519@qq.com" +SOVEREIGN_EMAIL = os.environ.get("SOVEREIGN_EMAIL", "565183519@qq.com") # QQ 邮箱 SMTP(小湖灯邮件通道) +# ⊢ 密码不进仓库 · 走环境变量 QQ_SMTP_AUTH_CODE SMTP_HOST = "smtp.qq.com" SMTP_PORT = 465 -SMTP_USER = "565183519@qq.com" -SMTP_PASS = os.environ.get("QQ_SMTP_AUTH_CODE", "ggeuegmaragmbejb") +SMTP_USER = os.environ.get("SMTP_USER", "565183519@qq.com") +SMTP_PASS = os.environ.get("QQ_SMTP_AUTH_CODE", "") CODE_TTL = 300 # 验证码 5 分钟过期 RATE_LIMIT_WINDOW = 60 # 速率限制窗口 -MAX_REQUESTS_PER_WINDOW = 3 # 每分钟最多 3 次请求 +MAX_REQUESTS_PER_WINDOW = 2 # 无密码门槛后收紧:每分钟最多 2 次 # 运行时状态 pending_codes = {} # {challenge_id: {code, server_ip, expires_at}} @@ -69,12 +75,11 @@ def send_email(code, server_ip): 服务器: {server_ip} 验证码: {code} -有效期: 5 分钟 +有效期: 5 分钟(用完即废) -操作流程: - 将此验证码发送给铸渊 → 铸渊调用 /revive/confirm → 复活守门人 +将此验证码发给铸渊 → 铸渊调 /revive/confirm → 复活守门人 -如非本人操作,请忽略此邮件。 +⊢ 验证码用一次就扔 · 不进仓库 · 不存密码 ────────────────────────────── ICE-GL∞ 光湖语言系统 · 小湖灯自动发送 国作登字-2026-A-00037559""", "plain", "utf-8") @@ -177,17 +182,20 @@ class ReviveHandler(BaseHTTPRequestHandler): self.send_json(404, {"error": "未知端点 · 可用: /revive/request /revive/confirm /health"}) def _handle_request(self, body): - # 速率限制 + # 速率限制(无密码门槛后加强:每分钟最多 2 次) if not check_rate_limit(): self.send_json(429, {"error": "请求过于频繁 · 请60秒后重试"}) return - password = body.get("password", "") server_ip = body.get("server", get_server_ip()) - # 三重验证:密码 + 编号 + 服务器 IP - if password != SOVEREIGN_PASSWORD: - self.send_json(403, {"error": "密码错误"}) + # ⊢ 不需要密码 —— 验证码只发到冰朔主权邮箱 + # ⊢ 只有冰朔(持有邮箱)能拿到验证码 → 只有冰朔能让铸渊确认复活 + # ⊢ 验证码用一次就扔 · 推到仓库也没用 + + # SMTP 未配置 → 拒绝 + if not SMTP_PASS: + self.send_json(500, {"error": "SMTP 未配置 · 服务器管理员需设置 QQ_SMTP_AUTH_CODE 环境变量"}) return # 生成 6 位数字验证码 diff --git a/zero-point/core-channel/revive-guard/revive-guard.service b/zero-point/core-channel/revive-guard/revive-guard.service index b54f16c..2ef6042 100644 --- a/zero-point/core-channel/revive-guard/revive-guard.service +++ b/zero-point/core-channel/revive-guard/revive-guard.service @@ -13,7 +13,9 @@ RestartSec=5 StandardOutput=append:/opt/zhuyuan/revive-guard/logs/out.log StandardError=append:/opt/zhuyuan/revive-guard/logs/err.log Environment=REVIVE_GUARD_PORT=8922 -Environment=QQ_SMTP_AUTH_CODE=ggeuegmaragmbejb +# ⊢ QQ_SMTP_AUTH_CODE 从服务器 /etc/environment 或 systemd override 注入 +# ⊢ 不进仓库 · 不走默认值 +EnvironmentFile=-/opt/zhuyuan/revive-guard/.env # 安全加固 NoNewPrivileges=yes