[openstack-dev] [OSSG] OpenStack Security Group Task List

Clark, Robert Graham robert.clark at hp.com
Wed Oct 24 13:31:28 UTC 2012


* Create a report on the state of SSL within OpenStack

* Start a hardening guide (really big interest in this at the talk)

* Work on Swift Message Authentication

* Work on Nova RPC signing/encryption

* Work on Nova messaging RBAC


From: Mandell Degerness [mailto:mandell at pistoncloud.com] 
Sent: 24 October 2012 14:14
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [OSSG] OpenStack Security Group Task List


Seriously? There is a security environment where rsync is preferred over passwordless ssh? Raw rsync trusts the source that it is the IP address and user it says it is, with no validation other than the use of a low-numbered source port.

-Mandell Degerness

On Oct 23, 2012 8:39 PM, "文剑" <wenjianhn at gmail.com> wrote:

I implemented a blueprint which solves a security problem last month, but didn't push the code yet.

https://blueprints.launchpad.net/nova/+spec/rysnc-without-ssh

Its description:

The disks are copied from source to destination via rsync over ssh during resizing/migrating.
It means that we will need a password-less ssh private key set up among all compute nodes.
It is a security problem in some environments. This blueprint will use rsync itself (not over ssh)
to copy/delete the disks.



2012/10/24 Bryan D. Payne <bdpayne at acm.org>

As the OpenStack Security Group (OSSG) begins to take shape, we are
looking to identify what work needs to be done.  We have lots of
things in our heads, but I know others have similar lists in their
heads as well.  I'd like to start this thread to collect security
related issues for any OpenStack core project.  These can be things
with existing bug reports, or things that have just been sitting in
your head without actually making it into a bug report yet.

The idea is to have a list of problems where it would be useful for
security people to help.  I'll start with the following to get us
going.

* Fix problems with clients using SSL (see slide 19 of
http://www.bryanpayne.org/storage/ossg-oct2012.pdf)
* Start a hardening guide
* Work with swift team on Swift Message Authentication
* Work with nova team on Nova RPC signing
* Work with keystone team on new PKI tokens and related code
* Work with oslo team on rootwrap code
* Add a 'SecurityImpact' tag to mark pull requests as needing a review
by someone in OSSG

Please help us out by replying with your additions.

Cheers,
-bryan

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




-- 
Best,

Ivan

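The rsync trust model Mandell raises above is exactly where the "rsync daemon instead of rsync over ssh" choice has to be examined. As an added illustration, not part of any message in this thread and not code from the blueprint, here is an rsync daemon module (rsyncd.conf) that relies only on source-address filtering, followed by the same module with per-user authentication, an unprivileged service account, chroot and transfer logging. The module name, paths, network range and user name are hypothetical.

```ini
# Constructed rsyncd.conf, for illustration only.

# Weak: access is decided solely by the peer's source address.
# Any process on an allowed host, or anything that can occupy or spoof an
# allowed address on the management network, can read and write the module.
[instances-weak]
    path = /var/lib/nova/instances
    comment = instance disks, address-filtered only
    hosts allow = 10.0.0.0/24
    read only = false

# Hardened: same module, but the client must also present a per-user secret,
# the daemon drops to an unprivileged account, chroots into the module path,
# hides the module from listing and logs every transfer for review.
[instances]
    path = /var/lib/nova/instances
    comment = instance disks, authenticated
    hosts allow = 10.0.0.0/24
    hosts deny = *
    # secrets file holds one "user:secret" line; keep it root-owned, mode 0600
    auth users = nova-migrate
    secrets file = /etc/rsyncd.secrets
    uid = nova
    gid = nova
    use chroot = yes
    # writes are still required for incoming disk copies; keep the module
    # hidden and the account unprivileged rather than read-only
    read only = false
    list = false
    transfer logging = yes
    log file = /var/log/rsyncd.log
```

Two caveats for anyone weighing this against rsync over ssh: rsync's secrets-file authentication is a challenge-response check on the shared secret, but the daemon protocol itself carries the disk contents unencrypted, so it only answers the "who is talking to me" question and not the "can anyone on the path read the image" one; and `uid`/`gid` only take effect when the daemon is started as root. The `transfer logging` line is the detection hook: unexpected module access from a compute node that is not currently migrating is worth alerting on.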

