Return-Path: X-Original-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 039C7D79E for ; Fri, 3 Aug 2012 22:30:14 +0000 (UTC) Received: (qmail 71060 invoked by uid 500); 3 Aug 2012 22:30:13 -0000 Delivered-To: apmail-incubator-cloudstack-dev-archive@incubator.apache.org Received: (qmail 71034 invoked by uid 500); 3 Aug 2012 22:30:13 -0000 Mailing-List: contact cloudstack-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: cloudstack-dev@incubator.apache.org Delivered-To: mailing list cloudstack-dev@incubator.apache.org Received: (qmail 71025 invoked by uid 99); 3 Aug 2012 22:30:13 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Aug 2012 22:30:13 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [195.66.90.41] (HELO sbprmx2.schubergphilis.com) (195.66.90.41) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Aug 2012 22:30:06 +0000 Received: from localhost (localhost.localdomain [127.0.0.1]) by sbprmx2.schubergphilis.com (Postfix) with ESMTP id 236D312E69 for ; Sat, 4 Aug 2012 00:29:45 +0200 (MEST) X-Virus-Scanned: amavisd-new at schubergphilis.com Received: from sbprmx2.schubergphilis.com ([127.0.0.1]) by localhost (sbprmx2.schubergphilis.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6EYpaxC6Y88F for ; Sat, 4 Aug 2012 00:29:45 +0200 (MEST) Received: from SBPOTMG401.sbp.lan (edge.schubergphilis.com [195.66.90.11]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by sbprmx2.schubergphilis.com (Postfix) with ESMTP id 1657512E63 for ; Sat, 4 Aug 2012 00:29:45 +0200 (MEST) Received: from SBPOMF101.sbp.lan (10.71.2.130) by SBPOTMG401.sbp.lan (10.71.3.110) with Microsoft SMTP Server (TLS) id 14.1.339.1; Sat, 4 Aug 2012 00:29:44 +0200 Received: from SBPOMB402.sbp.lan ([fe80::2410:c2c8:67bf:d067]) by SBPOMF101.sbp.lan ([fe80::253f:3a21:d553:7947%15]) with mapi id 14.02.0298.004; Sat, 4 Aug 2012 00:29:43 +0200 From: Hugo Trippaers To: "" CC: "cloudstack-dev@incubator.apache.org" Subject: Re: proper SSL/ssh management Thread-Topic: proper SSL/ssh management Thread-Index: AQHNcbEPgWpnmBSKfU2SpKIchiP/iZdIq5JT Date: Fri, 3 Aug 2012 22:29:42 +0000 Message-ID: References: <3894C846-6687-4381-B456-043FEADD5CBC@stratosec.co> In-Reply-To: <3894C846-6687-4381-B456-043FEADD5CBC@stratosec.co> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Virus-Checked: Checked by ClamAV on apache.org Hey John, Completely agree! I think it's pretty easy to make a central config flag for that. If it is t= here I will use that flag to check before loading the trust managers. Cheers, Hugo=20 P.S. what about a hardening guide for CS? Sent from my iPhone On 3 aug. 2012, at 21:49, "John Kinsella" wrote: > Arve's made a comment in the "Official ASF process for re-writing code" t= hread about accepting SSL certs that I wanted to comment on, without hijack= ing that thread: >=20 > CloudStack (and most (maybe all) Cloud management platforms I've seen) bl= indly accept any ssh host keys or SSL certificates they encounter. As a sec= urity guy, to me this is Bad - we're throwing out a key ability to recogniz= e impostors. >=20 > What I'd like to see is probably a "don't blindly trust keys" configurati= on option that's disabled by default. That way, those who like the status q= uo can continue right along. >=20 > In my mind, I envision the following functionality to be enabled when the= configuration flag is enabled: > * ssh connections between mgmt server/hosts and between hosts/SSVMs would= NOT blindly accept ssh keys, but would log an error that's clearly logged = specifying that either a host key mismatch or an unrecognized key was encou= ntered. This then becomes an admin's problem to fix. > * SSL based connections would similarly not blindly trust a self-signed o= r mismatched SSL certificate, but attempt the verification and only proceed= if the cert was validated. Otherwise, detailed error is logged specifying = the service, host, and key. This then becomes an admin's problem to fix. >=20 > Possibly a simple utility script similar to the SSVM test script could be= written that would check to make sure that various ssh/ssl connections are= working properly, and if not would clearly point them out. >=20 > Thoughts? I'm not expecting to fix this for CS4, but if we can come to a = general agreement we can throw it on the roadmap. >=20 > John >=20 > Stratosec - Secure Infrastructure as a Service > o: 415.315.9385 > @johnlkinsella >=20