<br><br><div class="gmail_quote">On Wed, Oct 24, 2012 at 11:35 AM, 文剑 <span dir="ltr"><<a href="mailto:wenjianhn@gmail.com" target="_blank">wenjianhn@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have implemented a blueprint which solves a security problem last month, but didn't push<br> the code yet.<br><br><a href="https://blueprints.launchpad.net/nova/+spec/rysnc-without-ssh" target="_blank">https://blueprints.launchpad.net/nova/+spec/rysnc-without-ssh</a><br>
<br>It's description:<br><br>The disks are copied from source to destination via rysnc over ssh during resizing/migrating.<br>
It means that we will need a password-less ssh private key setup among all compute nodes.<br>
It is a security problem in some environment. This blueprint will use rsync itself(not over ssh) <br>to copy/delete the disks.<br></blockquote><div>Are you planning to improve rsync? I don't think its more secure to use rsync without ssh, with rsync over ssh, not only we have the authentication, but also the data encryption during the transportation. password-less ssh may have potential risk, but still its more secure than rsync itself. </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><br><div class="gmail_quote">2012/10/24 Bryan D. Payne <span dir="ltr"><<a href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>></span><div>
<div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">As the OpenStack Security Group (OSSG) begins to take shape, we are<br>
looking to identify what work needs to be done. We have lots of<br>
things in our heads, but I know others have similar lists in their<br>
heads as well. I'd like to start this thread to collect security<br>
related issues for any OpenStack core project. These can be things<br>
with existing bug reports, or things that have just been sitting in<br>
your head without actually making it into a bug report yet.<br>
<br>
The idea is to have a list of problems where it would be useful for<br>
security people to help. I'll start with the following to get us<br>
going.<br>
<br>
* Fix problems with clients using SSL (see slide 19 of<br>
<a href="http://www.bryanpayne.org/storage/ossg-oct2012.pdf" target="_blank">http://www.bryanpayne.org/storage/ossg-oct2012.pdf</a>)<br>
* Start a hardening guide<br>
* Work with swift team on Swift Message Authentication<br>
* Work with nova team on Nova RPC signing<br>
* Work with keystone team on new PKI tokens and related code<br>
* Work with oslo team on rootwrap code<br>
* Add a 'SecurityImpact' tag to mark pull requests as needing a review<br>
by someone in OSSG<br>
<br>
Please help us out by replying with your additions.<br>
<br>
Cheers,<br>
-bryan<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div></div></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><br>-- <br>Best,<br><br>Ivan<br>
</font></span><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br>