* dan (ddp) [2014-05-30 17:12:08 -0400]:
On May 30, 2014 4:42 PM, "rgamurphy" wrote:
Maybe that's where my issue is then; confusing the key based auth with
what I know of similar systems and what's been proposed in issue 166. So,
the only verification is server of client keys and no way for client to
verify server. Now that I'm browsing the source the keys themselves seem
to be a concatenation of 2 md5 hashes. Is there a timeframe associated
with issue 166? I know it was recently opened so probably not soon.
Thanks for helping me walk through this.
What issue 166 does is allow authd to verify the client/server certs.
This was not available before and the pull request is still being tested.
Here is a simple breakdown of current code (not using anything from issue 166)
1. client-authd uses SSL to connect to server-authd and allows *any* cert
2. Server accepts the connection and allows *any* certs
3. Server generates a key and id for client
4. Server sends key and id to client
5. Client disconnects
6. Client uses key and id to connect to server using OSSEC UDP+blowfish
We don't want to make any misunderstanding about the above: Please
note that ZERO, NONE, NADA authentication / authorization is happening
during setups 1 to 5. All that is happening is transport is not plain
text.
We have had some discussion about this: https://github.com/ossec/ossec-hids/issues/178
Brings us to issue 166. This changes things and allows steps 1
and 2 to verify certs based on rules. Thus enabling authentication and
authorization. But it should be pointed out that it does not change
anything that happens in steps 3 - 6 as OSSEC does not use SSL for
communications between Agents and Central Manager.
Hope this makes it clearer what authd does and hopefully soon can do
:)