[openstack-dev] [OSSG] OpenStack Security Group Task List

Zhengpeng Hou zhengpeng-hou at ubuntu.com
Wed Oct 24 03:48:52 UTC 2012


On Wed, Oct 24, 2012 at 11:35 AM, 文剑 <wenjianhn at gmail.com> wrote:

> I implemented a blueprint last month which solves a security problem,
> but haven't pushed the code yet.
>
> https://blueprints.launchpad.net/nova/+spec/rysnc-without-ssh
>
> Its description:
>
> The disks are copied from source to destination via rsync over ssh during
> resizing/migrating.
> It means that we will need a password-less ssh private key setup among all
> compute nodes.
> It is a security problem in some environments. This blueprint will use
> rsync itself (not over ssh)
> to copy/delete the disks.
>
Are you planning to improve rsync? I don't think it's more secure to use
rsync without ssh; with rsync over ssh, we have not only the
authentication, but also the data encryption during transport.
Password-less ssh may have potential risk, but it's still more secure than
rsync itself.

>
>
> 2012/10/24 Bryan D. Payne <bdpayne at acm.org>
>
>> As the OpenStack Security Group (OSSG) begins to take shape, we are
>> looking to identify what work needs to be done.  We have lots of
>> things in our heads, but I know others have similar lists in their
>> heads as well.  I'd like to start this thread to collect security
>> related issues for any OpenStack core project.  These can be things
>> with existing bug reports, or things that have just been sitting in
>> your head without actually making it into a bug report yet.
>>
>> The idea is to have a list of problems where it would be useful for
>> security people to help.  I'll start with the following to get us
>> going.
>>
>> * Fix problems with clients using SSL (see slide 19 of
>> http://www.bryanpayne.org/storage/ossg-oct2012.pdf)
>> * Start a hardening guide
>> * Work with swift team on Swift Message Authentication
>> * Work with nova team on Nova RPC signing
>> * Work with keystone team on new PKI tokens and related code
>> * Work with oslo team on rootwrap code
>> * Add a 'SecurityImpact' tag to mark pull requests as needing a review
>> by someone in OSSG
>>
>> Please help us out by replying with your additions.
>>
>> Cheers,
>> -bryan
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
>
> --
> Best,
>
> Ivan
>