<p>Seriously? There is a security environment where rsync is preferred over passwordless ssh? Raw rsync trusts the source that it is the ip address and user it says it is with no validation other than the use of a low numbered source port. </p>
<p>-Mandell Degerness</p>
<div class="gmail_quote">On Oct 23, 2012 8:39 PM, "文剑" <<a href="mailto:wenjianhn@gmail.com">wenjianhn@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have implemented a blueprint which solves a security problem last month, but didn't push<br> the code yet.<br><br><a href="https://blueprints.launchpad.net/nova/+spec/rysnc-without-ssh" target="_blank">https://blueprints.launchpad.net/nova/+spec/rysnc-without-ssh</a><br>
<br>It's description:<br><br>The disks are copied from source to destination via rysnc over ssh during resizing/migrating.<br>
It means that we will need a password-less ssh private key setup among all compute nodes.<br>
It is a security problem in some environment. This blueprint will use rsync itself(not over ssh) <br>to copy/delete the disks.<br><br><br><div class="gmail_quote">2012/10/24 Bryan D. Payne <span dir="ltr"><<a href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">As the OpenStack Security Group (OSSG) begins to take shape, we are<br>
looking to identify what work needs to be done. We have lots of<br>
things in our heads, but I know others have similar lists in their<br>
heads as well. I'd like to start this thread to collect security<br>
related issues for any OpenStack core project. These can be things<br>
with existing bug reports, or things that have just been sitting in<br>
your head without actually making it into a bug report yet.<br>
<br>
The idea is to have a list of problems where it would be useful for<br>
security people to help. I'll start with the following to get us<br>
going.<br>
<br>
* Fix problems with clients using SSL (see slide 19 of<br>
<a href="http://www.bryanpayne.org/storage/ossg-oct2012.pdf" target="_blank">http://www.bryanpayne.org/storage/ossg-oct2012.pdf</a>)<br>
* Start a hardening guide<br>
* Work with swift team on Swift Message Authentication<br>
* Work with nova team on Nova RPC signing<br>
* Work with keystone team on new PKI tokens and related code<br>
* Work with oslo team on rootwrap code<br>
* Add a 'SecurityImpact' tag to mark pull requests as needing a review<br>
by someone in OSSG<br>
<br>
Please help us out by replying with your additions.<br>
<br>
Cheers,<br>
-bryan<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Best,<br><br>Ivan<br>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div>