cloudstack-dev mailing list archives
From John Kinsella <>
Subject proper SSL/ssh management
Date Fri, 03 Aug 2012 19:48:26 GMT
Arve's made a comment in the "Official ASF process for re-writing code" thread about accepting
SSL certs that I wanted to comment on, without hijacking that thread:

CloudStack (and most (maybe all) Cloud management platforms I've seen) blindly accept any
ssh host keys or SSL certificates they encounter. As a security guy, to me this is Bad - we're
throwing out a key ability to recognize impostors.

What I'd like to see is probably a "don't blindly trust keys" configuration option that's
disabled by default. That way, those who like the status quo can continue right along.

In my mind, I envision the following functionality to be enabled when the configuration flag
is enabled:
* ssh connections between mgmt server/hosts and between hosts/SSVMs would NOT blindly accept
ssh keys, but would clearly log an error specifying that either a host key mismatch
or an unrecognized key was encountered. This then becomes an admin's problem to fix.
* SSL based connections would similarly not blindly trust a self-signed or mismatched SSL
certificate, but attempt the verification and only proceed if the cert was validated. Otherwise,
a detailed error is logged specifying the service, host, and key. This then becomes an admin's
problem to fix.

Possibly a simple utility script similar to the SSVM test script could be written that would
check to make sure that various ssh/ssl connections are working properly, and if not would
clearly point them out.

Thoughts? I'm not expecting to fix this for CS4, but if we can come to a general agreement
we can throw it on the roadmap.


Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
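The two bullets above describe a policy rather than code. The following is an added example, written for this page and not taken from CloudStack or from the poster, of what that policy looks like in practice: a known_hosts check that distinguishes an unknown host from a host whose key has changed, a "strict" flag that decides whether the connection may proceed (with the status quo of blind acceptance kept when the flag is off), and the matching TLS client context for the SSL side. The host names, the key blobs, the known_hosts content and the hashing salt are all constructed for the example; the hashed-entry format and the SHA256 fingerprint format follow OpenSSH.

```python
"""Strict host-key / TLS-verification policy (added example, not CloudStack code).

Models the proposed "don't blindly trust keys" flag: with the flag off the
connection proceeds no matter what the remote presents (the current
behaviour); with it on, an unknown or mismatching host key is refused and a
detailed error naming the service, host and key is logged.
"""
import base64
import hashlib
import hmac
import logging
import ssl
from enum import Enum

log = logging.getLogger("hostkey-policy")


class Verdict(Enum):
    MATCH = "match"            # host known and presented key identical
    UNKNOWN_HOST = "unknown"   # no known_hosts entry for this host
    KEY_MISMATCH = "mismatch"  # host known, but presented key differs


def _host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field: plain names, comma lists, and
    OpenSSH hashed entries of the form |1|<b64 salt>|<b64 hmac-sha1(host)>."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in pattern.split(",")


def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> Verdict:
    """Classify the key a remote presented against known_hosts file content."""
    seen_host = False
    for line in known_hosts.splitlines():
        fields = line.strip().split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if not _host_matches(fields[0], host):
            continue
        seen_host = True
        if fields[1] == key_type and fields[2] == key_b64:
            return Verdict.MATCH
    return Verdict.KEY_MISMATCH if seen_host else Verdict.UNKNOWN_HOST


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def should_connect(strict: bool, verdict: Verdict, service: str, host: str, key_b64: str) -> bool:
    """Apply the proposed policy; True means the ssh connection may proceed."""
    if verdict is Verdict.MATCH:
        return True
    if not strict:
        # Status quo: accept anything. Logged, but the impostor still gets in.
        log.warning("%s: accepting %s host key for %s without verification (%s)",
                    service, verdict.value, host, fingerprint(key_b64))
        return True
    # Strict mode: refuse and hand the problem to the admin with the details they need.
    log.error("%s: refusing connection to %s: host key %s, presented %s; fix known_hosts",
              service, host, verdict.value, fingerprint(key_b64))
    return False


def tls_context(strict: bool) -> ssl.SSLContext:
    """Client TLS context for the SSL side of the proposal: strict mode requires a
    valid chain and matching hostname; permissive mode mirrors blind trust."""
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hashed_entry(host: str, key_type: str, key_b64: str, salt: bytes) -> str:
    """Build an OpenSSH hashed known_hosts line (used to construct sample data)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s %s %s" % (base64.b64encode(salt).decode(),
                               base64.b64encode(digest).decode(), key_type, key_b64)


# Constructed sample data: not real keys, hosts or a real known_hosts file.
KEY_A = base64.b64encode(b"constructed host key A").decode()
KEY_B = base64.b64encode(b"constructed host key B").decode()
SALT = b"0123456789abcdef0123"
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "kvm-host-1.example.internal,10.1.1.11 ssh-ed25519 " + KEY_A,
    hashed_entry("ssvm-1.example.internal", "ssh-ed25519", KEY_B, SALT),
])

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for host, key in [("kvm-host-1.example.internal", KEY_A),
                      ("10.1.1.11", KEY_B),
                      ("ssvm-2.example.internal", KEY_A)]:
        v = check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key)
        print(host, v.value, "strict->", should_connect(True, v, "mgmt->host", host, key))
```

The three sample hosts exercise the three outcomes: a matching key, the same host (by its IP alias) presenting a different key, and a host with no entry at all. Only the first proceeds in strict mode; with the flag off all three do, which is the behaviour the post objects to.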
