On 03/01/2013 04:45 PM, Ralph Mitchell wrote:
On Fri, Mar 1, 2013 at 3:40 PM, cleaver at terabithia.org wrote:
[snip]
Perhaps user/pass authentication could be added, but "real" security at the report-submission level would be SSL handshaking at the port with any local keys controlled by standard unix/host access controls (or HTTPS and xymonmsgcgi.msg and appropriate user/pass auth info after the SSL tunnel is set up). The bits and pieces are in trunk, but I'm not sure what their current working state is...
I'm currently using xymoncgimsg.cgi to catch status messages sent over HTTPS via curl. For what I'm doing, the client-side xymon binary can be replaced by a script.
I'm not using client-side certificates, though that ought to be fairly easy to add. The problem with any client-side userid/password/certificate is that you have to have a plain text password or key somewhere, so the whole security chain could unravel if not done right.
Another piece of software I use, Bacula, can use SSL and does validation against the CN field. I would think that would be a reasonable solution. It also needs to pass a signature test. I would think it would be pretty hard to fake a CN and then get it signed by your in-house certificate authority, let alone VeriSign.
Ryan Novosielski - Sr. Systems Programmer | novosirj at umdnj.edu - 973/972.0922 (2-0922) | Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
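Server-side enforcement of the client-certificate check Ryan describes (chain must validate against the in-house CA, then the CN must match a known client), as an added example that is not code from this thread, from Xymon or from Bacula. It uses Python's standard ssl module; the CA/cert/key paths, the allowed CN list and the sample certificate dictionary are constructed placeholders.

```python
import ssl

# Constructed sample: the shape returned by SSLSocket.getpeercert() after
# the ssl module has already verified the chain against the loaded CA.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Hospital"),),
                (("commonName", "xymon-client-01"),)),
    "notBefore": "Mar  1 00:00:00 2013 GMT",
    "notAfter": "Mar  1 00:00:00 2014 GMT",
}
# Constructed "now" values: one inside, one after the validity window.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul  1 00:00:00 2013 GMT")
SAMPLE_LATER = ssl.cert_time_to_seconds("Mar  1 00:00:00 2015 GMT")


def peer_common_name(cert):
    """Return the CN from a getpeercert() dict, or None if there is none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authorize_client(cert, allowed_cns, now):
    """Accept only a verified cert whose CN is known and which is in its
    validity window. An empty dict means no (verified) cert was presented."""
    if not cert:
        return False
    if peer_common_name(cert) not in allowed_cns:
        return False
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def build_server_context(ca_file, cert_file, key_file):
    """TLS server context that demands a client cert signed by the in-house
    CA; the signature test happens here, the CN test in authorize_client().
    Paths are placeholders (hypothetical)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED      # refuse clients with no cert
    ctx.load_verify_locations(cafile=ca_file)  # trust only our CA, not public ones
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx
```

After `ctx.wrap_socket(sock, server_side=True)`, pass `conn.getpeercert()` and `time.time()` to `authorize_client()` before accepting a status message.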