incubator-cloudstack-dev mailing list archives

From John Kinsella <>
Subject Re: proper SSL/ssh management
Date Mon, 06 Aug 2012 17:32:46 GMT
Hardening guide's a good idea as well.

I don't see a general road map in the wiki? I'm going to start working on a security roadmap
("wish list" is probably more accurate for now, not going to put dates/releases on it) but
that can either be merged into or linked from a "general" road map when that exists.


On Aug 3, 2012, at 3:29 PM, Hugo Trippaers wrote:

> Hey John,
> Completely agree!
> I think it's pretty easy to make a central config flag for that. If it is there I will
> use that flag to check before loading the trust managers.
> Cheers,
> Hugo
> P.S. what about a hardening guide for CS?
> Sent from my iPhone
> On 3 aug. 2012, at 21:49, "John Kinsella" <> wrote:
>> Arve's made a comment in the "Official ASF process for re-writing code" thread about
>> accepting SSL certs that I wanted to comment on, without hijacking that thread:
>> CloudStack (and most (maybe all) Cloud management platforms I've seen) blindly accept
>> any ssh host keys or SSL certificates they encounter. As a security guy, to me this is Bad
>> - we're throwing out a key ability to recognize impostors.
>> What I'd like to see is probably a "don't blindly trust keys" configuration option
>> that's disabled by default. That way, those who like the status quo can continue right along.
>> In my mind, I envision the following functionality to be enabled when the configuration
>> flag is enabled:
>> * ssh connections between mgmt server/hosts and between hosts/SSVMs would NOT blindly
>> accept ssh keys, but would log an error that's clearly logged specifying that either a host
>> key mismatch or an unrecognized key was encountered. This then becomes an admin's problem
>> to fix.
>> * SSL based connections would similarly not blindly trust a self-signed or mismatched
>> SSL certificate, but attempt the verification and only proceed if the cert was validated.
>> Otherwise, a detailed error is logged specifying the service, host, and key. This then becomes
>> an admin's problem to fix.
>> Possibly a simple utility script similar to the SSVM test script could be written
>> that would check to make sure that various ssh/ssl connections are working properly, and if
>> not would clearly point them out.
>> Thoughts? I'm not expecting to fix this for CS4, but if we can come to a general
>> agreement we can throw it on the roadmap.
>> John
>> Stratosec - Secure Infrastructure as a Service
>> o: 415.315.9385
>> @johnlkinsella

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
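As an added illustration of the flag-gated behaviour John proposes (this is not CloudStack code and not from either poster): a known_hosts-style host key check and a TLS context selector, both keyed on one hypothetical central `strict_trust` setting, using constructed host names and fingerprints.

```python
import logging
import ssl

log = logging.getLogger("cloudstack.trust")  # hypothetical logger name


def check_host_key(known_hosts, host, fingerprint, strict_trust):
    """Decide whether to accept an ssh host key.

    known_hosts maps host -> pinned key fingerprint (constructed sample store).
    Returns (accepted, reason) where reason is one of
    "trusted", "unrecognized key" or "host key mismatch".
    """
    pinned = known_hosts.get(host)
    if pinned == fingerprint:
        return True, "trusted"
    reason = "unrecognized key" if pinned is None else "host key mismatch"
    if strict_trust:
        # Proposed behaviour: refuse and log an error naming host and keys,
        # so it becomes the admin's problem to fix.
        log.error("ssh %s for host %s: presented %s, expected %s; refusing",
                  reason, host, fingerprint, pinned)
        return False, reason
    # Status quo behaviour: blindly accept, but at least say so.
    log.warning("ssh %s for host %s accepted (strict_trust disabled)", reason, host)
    return True, reason


def tls_context(strict_trust):
    """Build the client-side TLS context for a management connection."""
    if strict_trust:
        # Default context: CERT_REQUIRED against the system CA store plus
        # hostname checking, so a self-signed or mismatched cert fails the
        # handshake instead of being silently trusted.
        return ssl.create_default_context()
    # Status quo: no certificate validation at all.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    store = {"host-a.example": "SHA256:constructedA"}  # constructed sample
    print(check_host_key(store, "host-a.example", "SHA256:constructedB", True))
    print(tls_context(True).verify_mode)
```

In a real deployment the strict path would also log the service name, as the proposal asks, from whatever wraps the handshake.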
