Registration script

The registration script is the recommended way to register new servers.

It’s always accessible from the servers list by clicking the Register a server button.

[Figure 1. Registration command shown on the web interface]

It bundles all the steps required to configure a server so that it accepts SSH connections from the Operous Test Runner.

The Operous team works hard to make sure it’s safe, easy, and fast to use. Bear in mind also that whenever the registration routine changes, the script is updated to match.

Always consider using the provided script first.

The Operous team is currently working on documentation and examples on how to register a server using traditional configuration management tools like Ansible and Puppet.

It’s possible to manually execute every step to register a server. For a complete description of the process, refer to the Manual registration guide.

Current script SHA256 sum
99a7758f560054c94e404f2bda7044e93bb97860becc300c401df53211ea0a87

Additional considerations

Running an arbitrary script from the internet is dangerous, which is why several security concerns were taken into account while developing it. The issues considered are listed here alongside the solution implemented for each.

Man-in-the-middle attack

Concern

An attacker positioned between the web server and your server could alter the script content, injecting code that changes its behavior.

Solution

All content is delivered over HTTPS. It isn’t possible to download the script or access any page over an insecure HTTP connection, which significantly reduces the risk of content tampering.

Hidden text attack

Concern

The current JavaScript clipboard API allows a script to alter copied text without any confirmation or warning. This could be used to make you run something in your shell other than what you thought you copied from the website.

Solution

There is absolutely no reason whatsoever to trick users like that. JavaScript injection by a third party through content tampering is prevented by ensuring all content is served exclusively over HTTPS.

Client detection attack

Concern

A web server can be made to return different responses based on the request’s User-Agent header or other client detection methods, so the script you see in your browser might not be the same one downloaded on your server.

Solution

Again, there is no reason to pull this trick. Nevertheless, in addition to serving content over HTTPS, a checksum is published alongside the script so you can download the script and validate it against the checksum before running it.

Partial content and network issues

Concern

A network error between the script source and the curl client could result in an incomplete download, which in turn would result in partial execution of the script. That is indeed dangerous because a truncated command could be executed.

Solution

This was addressed by wrapping the script "body" inside a function that is called at the very end. If something does go wrong, the script only defines some functions and does nothing else.
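The checksum validation from the client detection section and the function-wrapping pattern described here, as an added shell example that is not the Operous script itself. The sample script text is constructed for the demo, and the checksum computed locally stands in for the one published on the website.

```shell
# Added example (not the Operous script): verify a downloaded registration
# script against its published SHA256 sum before running it, and show why
# a body wrapped in main() (called on the last line) makes truncation a no-op.

# Constructed stand-in for a downloaded script. All work lives in main(),
# which is invoked only by the final line.
SAMPLE_SCRIPT='#!/bin/sh
set -eu
configure_ssh() { echo "configuring sshd for the Test Runner"; }
main() { configure_ssh; echo "registration done"; }
main "$@"
'

# Print the hex SHA256 of a file (sha256sum on GNU, shasum on macOS/BSD).
sha256_of_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run FILE EXPECTED_SHA256: execute FILE only if its checksum
# matches; return 1 without executing anything otherwise.
verify_and_run() {
    actual=$(sha256_of_file "$1")
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: expected $2, got $actual" >&2
        return 1
    fi
    sh "$1"
}

# Write the sample script, verify it, then simulate a download cut short
# before the final 'main "$@"' line: the checksum check rejects it, and
# even when executed directly it only defines functions and prints nothing.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s' "$SAMPLE_SCRIPT" > "$tmp"
    published=$(sha256_of_file "$tmp")   # stands in for the checksum on the site
    verify_and_run "$tmp" "$published" || return 1
    head -n 4 "$tmp" > "$tmp.partial"
    verify_and_run "$tmp.partial" "$published" && return 1
    [ -z "$(sh "$tmp.partial")" ] || return 1
    rm -f "$tmp" "$tmp.partial"
    echo "partial download rejected; intact script verified and run"
}

demo
```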

Compromised web server

Concern

Even with TLS protecting all content, there is room for tampering with the script by exploiting a vulnerability in the web server and changing its configuration to serve a different script. A similar result could be achieved through a supply chain attack or by exploiting a library vulnerability.

Solution

Operous infrastructure is automated to ensure it’s always running up-to-date software. The libraries used are also continuously audited for known vulnerabilities. An isolated system continuously monitors the script by downloading it and checking the served content against the expected checksum. If such a breach ever happens, the monitoring data can be cross-referenced with audit events to inform users who may have downloaded a rogue script.