<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/24/2012 09:13 AM, Mandell
Degerness wrote:<br>
</div>
<blockquote
cite="mid:CA+jddaMHCNT60R7fiQ_7Z-maoJTa-D4a3Ff8dfPKS2U8BMTEkw@mail.gmail.com"
type="cite">
<p>Seriously? There is a security environment where rsync is
preferred over passwordless ssh? Raw rsync trusts that the source
is the IP address and user it says it is, with no
validation other than the use of a low-numbered source port. </p>
</blockquote>
<br>
rsync over ssh. He specifically mentions using passwordless ssh.
rsync is a binary as well as a line protocol, and here it is
specifically using ssh for the file transfer.<br>
<br>
<br>
<blockquote
cite="mid:CA+jddaMHCNT60R7fiQ_7Z-maoJTa-D4a3Ff8dfPKS2U8BMTEkw@mail.gmail.com"
type="cite">
<p>-Mandell Degerness</p>
<div class="gmail_quote">On Oct 23, 2012 8:39 PM, "文剑" <<a
moz-do-not-send="true" href="mailto:wenjianhn@gmail.com">wenjianhn@gmail.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I implemented a blueprint last month which solves a security
problem, but haven't pushed<br>
the code yet.<br>
<br>
<a moz-do-not-send="true"
href="https://blueprints.launchpad.net/nova/+spec/rysnc-without-ssh"
target="_blank">https://blueprints.launchpad.net/nova/+spec/rysnc-without-ssh</a><br>
<br>
Its description:<br>
<br>
The disks are copied from source to destination via rsync over
ssh during resizing/migrating.<br>
It means that we will need a password-less ssh private key
set up among all compute nodes.<br>
It is a security problem in some environments. This blueprint
will use rsync itself (not over ssh) <br>
to copy/delete the disks.<br>
</blockquote>
</div>
</blockquote>
This last line is what, I think, is causing the confusion. I
assume you mean "we will use rsync itself as proof-of-concept until
we have the passwordless ssh solution."<br>
<br>
<br>
<br>
<blockquote
cite="mid:CA+jddaMHCNT60R7fiQ_7Z-maoJTa-D4a3Ff8dfPKS2U8BMTEkw@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
<div class="gmail_quote">2012/10/24 Bryan D. Payne <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">As the
OpenStack Security Group (OSSG) begins to take shape, we
are<br>
looking to identify what work needs to be done. We have
lots of<br>
things in our heads, but I know others have similar lists
in their<br>
heads as well. I'd like to start this thread to collect
security<br>
related issues for any OpenStack core project. These can
be things<br>
with existing bug reports, or things that have just been
sitting in<br>
your head without actually making it into a bug report
yet.<br>
<br>
The idea is to have a list of problems where it would be
useful for<br>
security people to help. I'll start with the following to
get us<br>
going.<br>
<br>
* Fix problems with clients using SSL (see slide 19 of<br>
<a moz-do-not-send="true"
href="http://www.bryanpayne.org/storage/ossg-oct2012.pdf"
target="_blank">http://www.bryanpayne.org/storage/ossg-oct2012.pdf</a>)<br>
* Start a hardening guide<br>
* Work with swift team on Swift Message Authentication<br>
* Work with nova team on Nova RPC signing<br>
* Work with keystone team on new PKI tokens and related
code<br>
* Work with oslo team on rootwrap code<br>
* Add a 'SecurityImpact' tag to mark pull requests as
needing a review<br>
by someone in OSSG<br>
<br>
Please help us out by replying with your additions.<br>
<br>
Cheers,<br>
-bryan<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org"
target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Best,<br>
<br>
Ivan<br>
<br>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
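<p>The "password-less ssh private key among all compute nodes" that the
blueprint objects to does not have to be a general-purpose key. What follows
is an added example, not Nova code and not written by anyone in this thread,
of the usual way to confine such a key: a forced-command wrapper on each
compute node that only lets the migration key run rsync in server mode under
the instances directory, plus the authorized_keys line that pins the key to
that wrapper and to one peer compute node. The paths
/var/lib/nova/instances and /usr/local/bin/nova-rsync-wrapper, the peer
address 10.0.0.12 and the sample key material are assumptions made for the
illustration.</p>

```shell
#!/bin/sh
# Added example, not Nova code: forced-command wrapper for the
# rsync-over-ssh migration key shared between compute nodes.
# Paths, host addresses and key material below are assumptions.
set -f   # no filename globbing anywhere in this script

# Only tree the migration key may read or write (assumed Nova layout).
INSTANCES_DIR=/var/lib/nova/instances

# check_rsync_cmd CMD
# Succeeds (status 0) only if CMD is rsync in --server mode, carries
# nothing but the option bundles rsync sends to its server side, names
# exactly one path, and that path is inside INSTANCES_DIR with no
# ".." component. Anything else, including a shell, fails.
check_rsync_cmd() {
    set -- $1                      # split the requested command into words
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    path=
    for word in "$@"; do
        case "$word" in
            --sender|--delete|--delete-during|--delete-after) ;;
            -[a-zA-Z.]*) ;;        # short-option bundle such as -logDtpre.iLsfx
            .) ;;                  # rsync's placeholder for the local side
            --*|-*) return 1 ;;    # any other option, e.g. --rsync-path
            *) [ -z "$path" ] || return 1   # a second path is refused
               path=$word ;;
        esac
    done
    [ -n "$path" ] || return 1
    case "$path" in
        "$INSTANCES_DIR"/*) ;;
        *) return 1 ;;             # outside the instances tree
    esac
    case "/$path/" in
        */../*) return 1 ;;        # path climbs back out of the tree
    esac
    return 0
}

# authorized_keys_line PEER_IP PUBKEY WRAPPER
# Prints the authorized_keys entry that pins PUBKEY to this wrapper and
# to one peer compute node, with pty and forwarding features disabled.
authorized_keys_line() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$3" "$2"
}

# run_wrapper: what sshd executes as the forced command. The client's
# real request arrives in SSH_ORIGINAL_COMMAND.
run_wrapper() {
    if check_rsync_cmd "${SSH_ORIGINAL_COMMAND:-}"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "migration key: refused '${SSH_ORIGINAL_COMMAND:-}'" >&2
    exit 1
}

# Act as the wrapper only when invoked for that purpose, so the
# functions above can also be sourced and exercised on their own.
if [ "${NOVA_RSYNC_WRAPPER:-}" = run ]; then
    run_wrapper
fi
```

<p>Installed as the forced command, with one authorized_keys line per peer,
the key can neither open a shell nor copy anything outside the instances
tree; it can still read or overwrite any instance disk a compromised peer
names, so this narrows the exposure rather than removing it. The rsync
daemon route in the blueprint has its own module-level controls (auth users
with a secrets file, hosts allow) but no transport encryption, so either
choice still assumes a trusted network between compute nodes.</p>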
</body>
</html>