On 4 Jun 2004 at 10:15, Gregory (Grisha) Trubetskoy wrote:

> 
> IMHO snmp is very complex by design and as a consequence of that is a
> significant security threat. If I was a potential customer of yours and
> you insisted that I must run snmpd in my server, I'd balk.
The SNMPD application is supposed to run on the host, not within 
the vserver itself... That, I agree, would be a security threat, and an 
unnecessary resource allocation.

> There are probably ways to accomplish anything you do via snmp by
> other means. E.g. to count bits in and out, I found that using
> iptables (as described in Paul Sladen's Vserver FAQ) works great.
It works great, I agree, however, SNMP is a generic and proven way 
to do monitoring of a wide variety of devices (routers, servers, 
switches, etc.)
> As to handling authentication, it's not hard to verify the user's
> password against the hash in their passwd file. Here is the source for
> a little program that we use:
Authentication handling is not a hard task, handling a distributed 
authentication mechanism involves a lot more work (database 
authentication, session management, etc.)
 
> http://dev.openhosting.com/cvs/viewcvs.cgi/oh-host/src/ohchkpwd/ohchkpwd.c?rev=1.1.1.1&content-type=text/vnd.viewcvs-markup
> 
> You give this program one argument, the root of the vserver, pipe
> "userid:password" to its stdin, and its exit code will tell you
> whether the credentials are satisfied. It has to be a setuid program
> if you're going to be running it from a webserver (which I'm assuming
> isn't running as root).
Think of 100 vserver nodes, running 500 vservers, this involves a 
lot of administration and is almost undoable by hand. The 
configuration data, etc. - in our case - is already in the database.

Maintenance can be done from a central management server. And 
monitoring as well... Monitoring is done via SNMP, why not do the 
management via SNMP as well?

That was the question I intended to ask ;)


Regards,
Dennis Roos

Network Engineer
InTouch N.V.
Middenweg 76
1097 BS Amsterdam
Tel: +31 (0)20 6752060
Fax: +31 (0)20 6758429


_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
