[openstack-dev] [OSSG] OpenStack Security Group Task List

Mandell Degerness mandell at pistoncloud.com
Wed Oct 24 13:13:57 UTC 2012


Seriously? There is a security environment where rsync is preferred over
passwordless ssh? Raw rsync trusts the source that it is the IP address and
user it says it is with no validation other than the use of a low numbered
source port.

-Mandell Degerness
On Oct 23, 2012 8:39 PM, "文剑" <wenjianhn at gmail.com> wrote:

> I implemented a blueprint last month which solves a security problem,
> but haven't pushed the code yet.
>
> https://blueprints.launchpad.net/nova/+spec/rysnc-without-ssh
>
> Its description:
>
> The disks are copied from source to destination via rsync over ssh during
> resizing/migrating.
> It means that we will need a password-less ssh private key setup among all
> compute nodes.
> It is a security problem in some environments. This blueprint will use
> rsync itself (not over ssh)
> to copy/delete the disks.
>
>
> 2012/10/24 Bryan D. Payne <bdpayne at acm.org>
>
>> As the OpenStack Security Group (OSSG) begins to take shape, we are
>> looking to identify what work needs to be done.  We have lots of
>> things in our heads, but I know others have similar lists in their
>> heads as well.  I'd like to start this thread to collect security
>> related issues for any OpenStack core project.  These can be things
>> with existing bug reports, or things that have just been sitting in
>> your head without actually making it into a bug report yet.
>>
>> The idea is to have a list of problems where it would be useful for
>> security people to help.  I'll start with the following to get us
>> going.
>>
>> * Fix problems with clients using SSL (see slide 19 of
>> http://www.bryanpayne.org/storage/ossg-oct2012.pdf)
>> * Start a hardening guide
>> * Work with swift team on Swift Message Authentication
>> * Work with nova team on Nova RPC signing
>> * Work with keystone team on new PKI tokens and related code
>> * Work with oslo team on rootwrap code
>> * Add a 'SecurityImpact' tag to mark pull requests as needing a review
>> by someone in OSSG
>>
>> Please help us out by replying with your additions.
>>
>> Cheers,
>> -bryan
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
>
> --
> Best,
>
> Ivan
>