2011/1/26 nap <napar...@gmail.com>
>
>
> On Wed, Jan 26, 2011 at 2:56 PM, Laurent Guyon <lgu...@adelux.fr> wrote:
>
>> Hi,
>>
>> Le 26 janvier 2011 à 13:57, David Voit <da...@codersau.de> a écrit :
>>
> Hi,
>
> and welcome on board :)
>
Thanks.
>
>
>>
>> > 2.) Do we really need client authentication, for every component? For
>> the
>> > arbiter, sure we need it - else we get a botnet like system. But the
>> other
>> > components?
>> > Reactoner and broker, need to authenticate too, else the "bad guys"
>> > could get secret data (all theoretical)
>>
>>
>>
>>
>>
>> I'd say yes, all components must securely connect to others to avoid any
>> security breach.
>>
> Yes, there are list of servers and some things like that. It's better to
> crypt all of this if the admin want it. and it's not so harder to add such
> feature for all daemons, and after all, it's already done :p
>
It's not about encryption, it's about authentication. If you call a https
site, all the traffic is still encrypted, even without a client cert.
You are responsible, if you connect willingly to the bad guys. With shinken
we have a problem, if the arbiter is not authenticated, couse it could send
any shell code, to all instances after it.
>
>
>>
>>
>>
>> > 3.) What about self-signed keys? We could add know_hosts and
>> > autheriezed_keys infrastructure instead of the CA handling. I have
>> sample
>> > code for this,
>> > but this needs a callback infrastucure in pyro (set_verify callback
>> > interface). Is it worth it?
>>
>>
>>
>>
>>
>> Pyro is already not very smart, and you wanna make this even more dirty :p
>>
> Yes indeed. There are strange things. The server.pem and client.pem are not
> very clear. you never know which one it is using, adn there is no Pyro way
> to change the name of client.pem for example. It's not good but I didn't
> find how to avoid this :(
>
client.pem is never used. Or do i overlook something?
>
>
>>
>> More seriously, I personnaly prefer the CA way, more natural and
>> "professionnal" imho.
>>
> Yes, it's more "harder" but far better than just a crypt channel. We also
> got auth with it.
>
>>
>>
>
I share the points with you two guys. I only looked at shinken's ssl support
like a webserver would do, etc. The setup of self-signed certs goes quicker,
but on the managment side we pay the price. Leave it that way.
> We discussed also on the future possibility to make the certificates
>> creation automatic for components (scheduler, poller, roker, reactionner),
>> like done in the Prelude IDS project.
>>
>>
>>
>>
>> > I also recommend that we don't ship certs with the tarball, but
>> generate
>> > them at install time.
>>
>>
>>
>>
>>
>> +1, I've already pointed that out ;)
>>
> Yes, it can be a very interesting feature :)
> I don't know where is the best place for this (hook in setup.py or in the
> packager code for installing)? Is ther a packager guy to help us on this
> point? How is this thing manage in the other projects?
>
>
I would say on both sides. setup.py for the developer and gentoo typed guy
:-). The package way for everybody else.
The apache2 package does this on suse (not checked, from memory).
> We propose sample certificate that are good for crypt the channel for
> dummies attack, but it's not safe enough (every one got them!) for true
> attack in the real world. so auto-generation should be a good thing if we
> achieve it.
>
>
If every body on the world use the same private key, we need no encryption
at all. We get exactly nothing.
I think the point with set_allow_unknow_ca
Is really a security problem. I will call the pyro guys.
David
> Jean
>
>
>>
>>
>>
>>
>> Laurent
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
>> Finally, a world-class log management solution at an even better
>> price-free!
>> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
>> February 28th, so secure your free ArcSight Logger TODAY!
>> http://p.sf.net/sfu/arcsight-sfd2d
>> _______________________________________________
>> Shinken-devel mailing list
>> Shinken-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shinken-devel
>>
>>
>
>
> ------------------------------------------------------------------------------
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better
> price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> _______________________________________________
> Shinken-devel mailing list
> Shinken-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shinken-devel
>
>
------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Shinken-devel mailing list
Shinken-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shinken-devel
