WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

Re: [Xen-devel] [RFC][PATCH] Secure XML-RPC for Xend

To: Anthony Liguori <aliguori@xxxxxxxxxx>
Subject: Re: [Xen-devel] [RFC][PATCH] Secure XML-RPC for Xend
From: Ewan Mellor <ewan@xxxxxxxxxxxxx>
Date: Wed, 14 Jun 2006 09:43:48 +0100
Cc: Ian Pratt <m+Ian.Pratt@xxxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 14 Jun 2006 01:44:11 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <4489652F.7040702@xxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <A95E2296287EAD4EB592B5DEEFCE0E9D4BAA21@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <4489652F.7040702@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.9i

On Fri, Jun 09, 2006 at 07:10:23AM -0500, Anthony Liguori wrote:

> Ian Pratt wrote:
> >>The following patch implements a secure XML-RPC protocol for Xend.
> >>Instead of using HTTPS with basic authentication and dealing with all
> >>that nasty OpenSSL/PAM integration, it just uses SSH.  This gives you
> >>all the properties you want (great security and PAM integration) with
> >>very little code.
> >>    
> >
> >I think we just have to bite the bullet on this one. OpenSSL/PAM
> >integration isn't that hard, and it makes things much cleaner from a
> >client point of view, which is what really matters.
> >  
> 
> It's tempting to use https/basic auth since it seems like it ought to 
> just work with existing clients.  However, that doesn't appear to be the 
> case.
> 
> Python doesn't seem to provide any real support for authentication 
> out-of-the-box.  It wouldn't be that hard to add but neither was an SSH 
> transport.

Personally, I'd use SSL to secure the connection and authenticate the server
to the client, but I'd not use HTTP's basic auth -- I'd add a "login" message
that checked the username/password using PAM, in other words, have the
authentication of the user handled at Xend's level, rather than relying on the
transport/session layer to do it.  Like you say, HTTP's authentication stuff
doesn't seem to be well supported.

> The other problem is that Python doesn't provide support for certificate 
> verification.  That's okay if you're just using Python to screen scrape 
> but if you're in an enterprise environment it's not a very good thing.
> 
> The other problem I'm concerned about is certificate management on our 
> end.  The average user is going to have to end up using snake oil certs and 
> I've always found configuring these things to be a real pain.

It's only not a pain with SSH because your distro has set it up for you to
generate a key at install time.  Hopefully, we could arrange or rely upon the
distros to arrange a similar thing for Xend.

Ewan.

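The design Ewan describes above (SSL for the transport, a "login" message checked at Xend's level), as an added example that is not code from this thread or from Xend: a Python XML-RPC object whose `login` method authenticates the user at the application level and issues a session token that every other call must present. The password check is a constructed in-memory table standing in for the PAM call; port 8006, the method names and the session lifetime are assumptions.

```python
import hmac
import secrets
import time
from xmlrpc.server import SimpleXMLRPCServer

# Constructed stand-in for PAM (fixed table); this is where Xend would call PAM.
_USERS = {"root": "hunter2"}  # constructed sample credentials

def check_password(user, password):
    # Constant-time comparison so a wrong password does not leak by timing.
    expected = _USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)

class XendAuthApi:
    """Methods without a leading underscore are exposed over XML-RPC."""
    SESSION_TTL = 600  # seconds a token stays valid (assumed value)

    def __init__(self, authenticator=check_password):
        self._auth = authenticator
        self._sessions = {}  # token -> (user, expiry timestamp)

    def login(self, user, password):
        # Application-level login: check credentials, hand back a session token.
        if not self._auth(user, password):
            raise PermissionError("authentication failed")  # client sees a Fault
        token = secrets.token_hex(16)
        self._sessions[token] = (user, time.time() + self.SESSION_TTL)
        return token

    def logout(self, token):
        self._sessions.pop(token, None)
        return True

    def _require(self, token):
        # Map a token to its user; unknown or expired tokens are rejected.
        entry = self._sessions.get(token)
        if entry is None or entry[1] < time.time():
            self._sessions.pop(token, None)
            raise PermissionError("invalid or expired session")
        return entry[0]

    def list_domains(self, token):
        """A protected call (hypothetical method name) that needs a valid token."""
        self._require(token)
        return ["Domain-0"]  # constructed placeholder result

if __name__ == "__main__":
    # TLS for server authentication: wrap server.socket via ssl.SSLContext.wrap_socket.
    server = SimpleXMLRPCServer(("127.0.0.1", 8006), allow_none=True)
    server.register_instance(XendAuthApi())
    server.serve_forever()
```

Because `_require` starts with an underscore, `register_instance` refuses to dispatch to it, so the session check cannot be called remotely.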
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel