[rrd-developers] [PATCH] rrdcached server-side authentication

Tobias Oetiker tobi at oetiker.ch
Mon May 4 19:33:28 CEST 2009


Hi Sebastian,

Yesterday Sebastian Harl wrote:

> > I am very happy with Kevins patch, since it significantly raises
> > the level of effort required to penetrate the system.
>
> So, are you saying that your goal was to provide some "moderate level"
> of security? Do you accept that there are known issues with the current
> implementation? In that case, this should be documented - however, I
> cannot imagine you'd want to document known security related issues in the
> manpages.

No problem with pointing out that the authentication is not
preventing people from hijacking the TCP connection, and it does
not help us detect data corruption in any way. Both things would be
taken care of nicely by SSL ...

> It might just be that I do not understand what kind of problem you're
> trying to solve. Whatever that is, if you really think that the current
> solution is a way to go, that problem should be documented so people
> will know what kind of problems have _not_ been solved by the daemon
> itself and should be taken care of by additional precautions - just the
> way it was originally meant (and documented) for everything related to
> authentication as well.

There are two hosts, both with multiple users. If I want to have a
connection between rrdtool on one host and rrdcached on the other
host, there must be some authentication between the two ... since
host-based authentication is not enough ...

>
> > There is nothing in the patch, preventing a future addition of
> > a STARTTLS command with all SSL goodness (and complexity).
> >
> > So I am not quite sure what you are aiming at at the moment. Does
> > this patch in any way hinder the future addition of encryption ?
>
> No, of course, it does not. I'm mostly just saying that authentication
> without encryption is incomplete and provides a false sense of security.
> I think that the current implementation plus the ability to sign data
> might be a reasonable first step.
>
> What this patch / the current implementation imho _does_ hinder though
> is the ability to provide a reasonable more powerful way to manage
> permissions (see below).

[...]
> I agree that imagination might cause people to over-design stuff.
> However, I do not see how the current situation is related to the second
> system syndrome. We've got two suggestions where one is much more
> powerful than the other but, I suppose, does not add a lot of complexity. In
> contrast, if we later decide that the other solution would have been the
> better choice, we'd either end up breaking backward compatibility or
> having two solutions for very closely related issues thus increasing
> confusion and error-proneness.

You've got a point there ... I think it would not be all that
difficult to add a username now ...

cheers
tobi


-- 
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900
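
The point conceded above (a connect-time password check neither stops
someone who can inject into the established TCP stream nor detects
corrupted data, whereas signing each message would) is illustrated by
the following added example. It is not rrdcached code and not part of
the original mail: it simulates a toy line-based daemon in two
variants, one with password-only authentication and one where every
line carries a sequence number and an HMAC under a pre-shared key.
The key, the file paths and the wire framing are assumptions made for
the illustration; only the UPDATE command shape is borrowed from
rrdcached. Neither variant provides confidentiality, which is what
SSL/STARTTLS would add on top.

```python
"""Added example (not rrdcached's own code).

Two toy servers for a line-based protocol:
  * PasswordOnlyServer: authenticates once at connect time, then trusts
    every further line on the stream (the situation discussed above).
  * MacServer: requires each line to carry a sequence number and an
    HMAC-SHA256 over "<seq> <command>" under a pre-shared key, so that
    injected, corrupted or replayed lines are rejected.
Assumptions: SHARED_KEY, the paths and the framing are made up here.
"""
import hashlib
import hmac

SHARED_KEY = b"example-key"  # assumption: pre-shared secret per user


class PasswordOnlyServer:
    """Checks a password once; afterwards executes anything it reads."""

    def __init__(self, password):
        self.password = password
        self.authenticated = False
        self.executed = []

    def handle(self, line):
        if not self.authenticated:
            if line == f"AUTH {self.password}":
                self.authenticated = True
                return "0 OK"
            return "-1 not authenticated"
        self.executed.append(line)
        return "0 OK"


class MacServer:
    """Verifies "<seq> <hex mac> <command>" on every line."""

    def __init__(self, key):
        self.key = key
        self.expected_seq = 0
        self.executed = []

    def handle(self, wire):
        try:
            seq_s, mac_hex, cmd = wire.split(" ", 2)
            seq = int(seq_s)
        except ValueError:
            return "-1 malformed"
        if seq != self.expected_seq:
            return "-1 replay or gap"  # out-of-order or replayed line
        expected = hmac.new(self.key, f"{seq} {cmd}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac_hex):
            return "-1 bad mac"  # forged or corrupted line
        self.expected_seq += 1
        self.executed.append(cmd)
        return "0 OK"


class MacClient:
    """Frames commands with a running sequence number and an HMAC."""

    def __init__(self, key):
        self.key = key
        self.seq = 0

    def frame(self, cmd):
        mac = hmac.new(self.key, f"{self.seq} {cmd}".encode(),
                       hashlib.sha256).hexdigest()
        wire = f"{self.seq} {mac} {cmd}"
        self.seq += 1
        return wire


def demo_password_only():
    """After AUTH, an injected line is executed like a legitimate one."""
    srv = PasswordOnlyServer("secret")
    srv.handle("AUTH secret")
    srv.handle("UPDATE /var/db/a.rrd N:1")            # legitimate client
    srv.handle("UPDATE /var/db/a.rrd N:999999")       # injected by attacker
    return srv.executed


def demo_mac():
    """Forged, corrupted and replayed lines are all refused."""
    cli, srv = MacClient(SHARED_KEY), MacServer(SHARED_KEY)
    results = [srv.handle(cli.frame("UPDATE /var/db/a.rrd N:1"))]
    # Attacker without the key guesses the next seq and forges a MAC.
    results.append(srv.handle("1 " + "00" * 32 + " UPDATE /var/db/a.rrd N:999999"))
    # A legitimate line whose last character was corrupted in transit.
    good = cli.frame("UPDATE /var/db/a.rrd N:2")
    corrupted = good[:-1] + ("0" if good[-1] != "0" else "1")
    results.append(srv.handle(corrupted))
    results.append(srv.handle(good))   # the intact original is accepted
    results.append(srv.handle(good))   # replaying it is not
    return results, srv.executed


if __name__ == "__main__":
    print(demo_password_only())
    print(demo_mac())
```

Note what the MAC variant does and does not buy: the server can tell
injected or altered lines from genuine ones, but the attacker can still
read everything and can still drop or delay lines; confidentiality and
a clean connection-level guarantee are what the SSL/STARTTLS option
would add.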
