cloudstack-dev mailing list archives

From Arve Paalsrud <Arve.Paals...@bayonette.no>
Subject RE: proper SSL/ssh management
Date Sat, 04 Aug 2012 09:28:16 GMT
I totally agree with John on this. My rewrite remark did not take security into consideration
as it is a P1 release blocking issue that has to be resolved quickly, but for a future release
it should be addressed without doubt. It will also make it harder for man-in-the-middle attacks.

-Arve

-----Original Message-----
From: John Kinsella [mailto:jlk@stratosec.co]
Sent: 3. august 2012 21:48
To: cloudstack-dev@incubator.apache.org
Subject: proper SSL/ssh management

Arve's made a comment in the "Official ASF process for re-writing code" thread about accepting
SSL certs that I wanted to comment on, without hijacking that thread:

CloudStack (and most (maybe all) Cloud management platforms I've seen) blindly accept any
ssh host keys or SSL certificates they encounter. As a security guy, to me this is Bad - we're
throwing out a key ability to recognize impostors.

What I'd like to see is probably a "don't blindly trust keys" configuration option that's
disabled by default. That way, those who like the status quo can continue right along.

In my mind, I envision the following functionality to be enabled when the configuration flag
is enabled:
* ssh connections between mgmt server/hosts and between hosts/SSVMs would NOT blindly accept
ssh keys, but would clearly log an error specifying that either a host key mismatch
or an unrecognized key was encountered. This then becomes an admin's problem to fix.
* SSL based connections would similarly not blindly trust a self-signed or mismatched SSL
certificate, but attempt the verification and only proceed if the cert was validated. Otherwise,
a detailed error is logged specifying the service, host, and key. This then becomes an admin's
problem to fix.

Possibly a simple utility script similar to the SSVM test script could be written that would
check to make sure that various ssh/ssl connections are working properly, and if not would
clearly point them out.

Thoughts? I'm not expecting to fix this for CS4, but if we can come to a general agreement
we can throw it on the roadmap.

John

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella
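The ssh half of what John describes, as an added example that is not CloudStack code: a known_hosts lookup that tells a mismatched key (the impostor case) apart from an unrecognized one, logs service, host and key fingerprint, and only refuses the connection when a "strict" flag, off by default, is set. The hostnames, key data and log wording are constructed for the example; only plain (unhashed) known_hosts entries are handled.

```python
import base64
import hashlib
import logging

log = logging.getLogger("hostkeys")

# Constructed host keys and known_hosts data (OpenSSH layout: hosts type base64key).
KEY_A = base64.b64encode(b"constructed host key A").decode()
KEY_B = base64.b64encode(b"constructed host key B").decode()
KNOWN_HOSTS = (
    f"mgmt-host-1.example ssh-ed25519 {KEY_A}\n"
    f"ssvm-1.example,10.0.0.5 ssh-ed25519 {KEY_B}\n"
)


def parse_known_hosts(text):
    """Map (hostname, keytype) -> base64 key for every plain known_hosts line."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, keydata = line.split()[:3]
        for host in hosts.split(","):
            known[(host, keytype)] = keydata
    return known


def fingerprint(keydata):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, for the log line."""
    digest = hashlib.sha256(base64.b64decode(keydata)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known, service, host, keytype, keydata, strict=False):
    """Return (verdict, accepted); verdict is 'match', 'mismatch' or 'unknown'.

    With strict=False (the status quo) any key is accepted but still logged;
    with strict=True only a key already in known_hosts is accepted.
    """
    expected = known.get((host, keytype))
    if expected == keydata:
        return "match", True
    # A known host presenting a different key is the case that can hide a MITM.
    verdict = "unknown" if expected is None else "mismatch"
    detail = "%s: host key %s for %s (%s %s)" % (
        service, verdict, host, keytype, fingerprint(keydata))
    if strict:
        log.error("%s; refusing connection, admin must review", detail)
        return verdict, False
    log.warning("%s; accepted because strict host key checking is off", detail)
    return verdict, True
```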

