On Thu, Oct 12, 2006 at 04:00:41PM -0400, Schwimmer, Eric E *HS wrote:
> The subject pretty much says it all :) The top item on my hobbit wish list is to see some sort of client/server authentication & encryption. This will take care of three of my largest hobbit worries/problems:
I agree this would be a good thing. However, I am not sure that it really solves the problems you refer to:
> - Having to poke a hole in my hobbit server's firewall every time I add a new hobbit client.
You'd still need to open the firewall for your clients, whether you run SSL or plain text across the wire. If you just open the firewall to allow anyone to connect to the ssl-enabled hobbit daemon, then an attacker may try to DoS the SSL service. And SSL protocol implementations have had security problems as well.
> - The possibility that someone might compromise one machine running a hobbit client and use that machine to send false reports or DOS the hobbit server.
Someone with access to a machine with the Hobbit client could still run the "bb" program and send in a status report. Unless you protect the client-side certificate with a passphrase that is kept only in memory - i.e. you'll have to enter it on the console whenever the machine is rebooted or the Hobbit client is restarted - then an attacker will have access to the client certificate, and therefore he can send forged data to the Hobbit server.
The client certificate does provide authentication, though - so you know what server the (forged) data originates from. And rogue clients - i.e. anyone with a network connection to your Hobbit server - are kept out.
> - Prevent tender bits of info (such as my log files) that would otherwise traverse the network unencrypted.
True.
> Of course, this would break a lot of existing scripts (devmon, bb-xsnmp, etc); perhaps it would be possible to have the secure server listen on a different port?
Perhaps. My ideas for implementing this have always been that this would best fit into the bbproxy utility; so you would have bbproxy handling the SSL-enabled connections from clients, then forwarding the data in plain text (via the loopback interface or a unix domain socket that cannot be eavesdropped upon) to the Hobbit daemon. That would avoid changing anything in the core daemon which I believe is a good thing.
Regards,
Henrik
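The proxy arrangement described in the reply above, as an added example (not code from this thread or from Hobbit): a TLS front end that requires a client certificate and, going one step beyond the message, forwards a report to the daemon's unix socket only when the host it names matches the certificate's commonName. The `status HOST.TEST COLOR` layout with commas standing for dots in HOST, the function names, and whatever certificate files, listen address and socket path are passed in are assumptions.

```python
import socket
import ssl

def make_tls_context(cert, key, client_ca):
    """Server context that rejects clients lacking a cert signed by client_ca."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(cert, key)
    ctx.load_verify_locations(client_ca)
    return ctx

def peer_common_name(peercert):
    """Subject commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None

def claimed_host(message):
    """Host in 'status[+LIFETIME] HOST.TEST COLOR ...' (assumed layout; commas stand for dots)."""
    fields = message.split(None, 2)
    if len(fields) < 2 or fields[0].split("+")[0] != "status":
        return None
    host, sep, _test = fields[1].rpartition(".")
    return host.replace(",", ".") if sep else None

def accept_report(peercert, message):
    """True only when the report names the host the certificate was issued to."""
    cn, host = peer_common_name(peercert), claimed_host(message)
    return bool(cn and host) and cn.lower() == host.lower()

def serve(ctx, listen_addr, daemon_path, max_bytes=1 << 20):
    """Terminate TLS, then pass accepted reports to the daemon's unix socket."""
    with socket.create_server(listen_addr) as srv:
        while True:
            raw, _ = srv.accept()
            try:
                raw.settimeout(10)  # bound slow handshakes and stalled senders
                with ctx.wrap_socket(raw, server_side=True) as tls:
                    data = b""
                    while len(data) < max_bytes and (chunk := tls.recv(16384)):
                        data += chunk
                    if accept_report(tls.getpeercert(), data.decode("latin-1")):
                        with socket.socket(socket.AF_UNIX) as out:
                            out.connect(daemon_path)
                            out.sendall(data)
            except (ssl.SSLError, OSError):
                pass  # failed handshake, timeout or dead peer: drop and keep serving
```

A stolen, unprotected client key still lets an attacker forge reports for that one host, as the reply points out; the name check only stops a compromised client from reporting as a different host.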