[openstack-dev] [OSSG] OpenStack Security Group Task List
Adam Young
ayoung at redhat.com
Wed Oct 24 13:50:29 UTC 2012
On 10/24/2012 09:13 AM, Mandell Degerness wrote:
>
> Seriously? There is a security environment where rsync is preferred
> over passwordless ssh? Raw rsync trusts the source that it is the ip
> address and user it says it is with no validation other than the use
> of a low numbered source port.
>
rsync over ssh. He specifically mentions using passwordless ssh. rsync
is a binary as well as a line protocol, and here it is specifically
using ssh for the file transfer.
> -Mandell Degerness
>
> On Oct 23, 2012 8:39 PM, "??" <wenjianhn at gmail.com
> <mailto:wenjianhn at gmail.com>> wrote:
>
> I have implemented a blueprint which solves a security problem
> last month, but didn't push
> the code yet.
>
> https://blueprints.launchpad.net/nova/+spec/rysnc-without-ssh
>
> It's description:
>
> The disks are copied from source to destination via rsync over ssh
> during resizing/migrating.
> It means that we will need a password-less ssh private key setup
> among all compute nodes.
> It is a security problem in some environments. This blueprint will
> use rsync itself (not over ssh)
> to copy/delete the disks.
>
This last line is what, I think, is causing the confusion. I assume
you mean "we will use rsync itself as proof-of-concept until we have
the passwordless ssh solution."
>
>
> 2012/10/24 Bryan D. Payne <bdpayne at acm.org <mailto:bdpayne at acm.org>>
>
> As the OpenStack Security Group (OSSG) begins to take shape,
> we are
> looking to identify what work needs to be done. We have lots of
> things in our heads, but I know others have similar lists in their
> heads as well. I'd like to start this thread to collect security
> related issues for any OpenStack core project. These can be
> things
> with existing bug reports, or things that have just been
> sitting in
> your head without actually making it into a bug report yet.
>
> The idea is to have a list of problems where it would be
> useful for
> security people to help. I'll start with the following to get us
> going.
>
> * Fix problems with clients using SSL (see slide 19 of
> http://www.bryanpayne.org/storage/ossg-oct2012.pdf)
> * Start a hardening guide
> * Work with swift team on Swift Message Authentication
> * Work with nova team on Nova RPC signing
> * Work with keystone team on new PKI tokens and related code
> * Work with oslo team on rootwrap code
> * Add a 'SecurityImpact' tag to mark pull requests as needing
> a review
> by someone in OSSG
>
> Please help us out by replying with your additions.
>
> Cheers,
> -bryan
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
> --
> Best,
>
> Ivan
>
>
>
>
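As an added example (not code from this thread, the blueprint, or OpenStack itself), one way to keep the per-node passwordless key that the migration path depends on while removing most of the risk being weighed above is to pin the key in authorized_keys to the peer's address and to a single rsync-only command, with no shell, pty or forwarding. The key material, the peer address, the /usr/bin/rrsync path (rsync's bundled restricted-rsync wrapper) and the instances directory are assumptions for illustration; a check function shows how to audit an existing authorized_keys line for those restrictions.

```shell
#!/bin/sh
# Added example, not OpenStack or blueprint code.
# Builds and audits a restricted authorized_keys entry so a passwordless
# migration key can only run rsync against one directory, only from one
# named peer, and cannot open a shell, a pty, or any port forwarding.

# Constructed, non-functional key material for the example (not a real key).
MIGRATION_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal nova-migrate@compute-01"

# restricted_key_line PEER_IP INSTANCES_DIR PUBKEY
# Prints one authorized_keys line. The from= option limits which source
# address may present the key; command= forces every session through
# rrsync (assumed at /usr/bin/rrsync) rooted at INSTANCES_DIR, so the key
# cannot run arbitrary commands even if the peer is compromised.
restricted_key_line() {
    peer="$1"; dir="$2"; key="$3"
    printf 'from="%s",command="/usr/bin/rrsync %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$peer" "$dir" "$key"
}

# key_is_restricted LINE
# Returns 0 when the line carries a from= pin, a forced command and no-pty;
# returns 1 for a bare key, which would grant a full login shell.
key_is_restricted() {
    case "$1" in
        *from=\"*\"*command=\"*\"*no-pty*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: emit the hardened entry for the peer compute node and confirm that
# the bare key would have been flagged by the audit.
restricted_key_line 10.0.0.2 /var/lib/nova/instances "$MIGRATION_PUBKEY"
if key_is_restricted "$MIGRATION_PUBKEY"; then
    echo "unexpected: bare key passed the audit" >&2
    exit 1
fi
```

The from= pin is only as strong as the network path (it is an address check, not authentication of the peer), so it complements rather than replaces host key verification; the command= restriction is what actually removes "full shell on every compute node" from the blast radius of a leaked key.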