[Openstack-security] [Bug 1320056] Re: Cinder utils SSHPool should allow customized ssh host keys and missing policy
Thierry Carrez
thierry.carrez+lp at gmail.com
Mon May 26 14:53:50 UTC 2014
OK, so this would be considered a missing security feature (weak
security for internal communications). That needs to be fixed in future
versions for sure. But we typically don't issue OSSA for those.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Tags added: security
** Information type changed from Public Security to Public
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1320056
Title:
Cinder utils SSHPool should allow customized ssh host keys and missing
policy
Status in Cinder:
Fix Committed
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
In cinder/utils.py, SSHPool is using paramiko.AutoAddPolicy() as
default. This may lead to a security issue without being notified. The
utility should allow customized usage when creating the pool or session.
Also the host_keys file should be allowed to be customized so that any
driver utilizing the SSHPool should have their customized security
setting or delegate to customer's scenario & configuration to
determine the policy and key files.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1320056/+subscriptions
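
An added illustration, not part of the original message and not Cinder or paramiko code: a stdlib-only Python model of the host-key decision the bug description concerns, with a configurable known_hosts source and a configurable missing-host-key policy. The function names, policy strings and sample data are assumptions constructed for this example; only exact and hashed host names are handled, not wildcard patterns.

```python
import base64
import hashlib
import hmac

class HostKeyRejected(Exception):
    """Raised when the presented host key must not be trusted."""

def load_known_hosts(text):
    """Parse OpenSSH known_hosts text into (host_pattern, key_type, key_blob) entries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        for host in fields[0].split(","):
            entries.append((host, fields[1], base64.b64decode(fields[2])))
    return entries

def host_matches(pattern, hostname):
    # Hashed entries look like |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)).
    if pattern.startswith("|1|"):
        salt, digest = (base64.b64decode(p) for p in pattern[3:].split("|"))
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, digest)
    return pattern == hostname

def check_host_key(entries, hostname, key_type, key_blob, policy="reject"):
    """Return 'known' or 'added', or raise HostKeyRejected."""
    known = [blob for pat, ktype, blob in entries
             if ktype == key_type and host_matches(pat, hostname)]
    if known:
        if any(hmac.compare_digest(blob, key_blob) for blob in known):
            return "known"
        # A changed key is refused whatever the missing-key policy is.
        raise HostKeyRejected("host key for %s changed" % hostname)
    if policy == "auto-add":
        # Trust on first use: nobody is notified that a new key was accepted.
        entries.append((hostname, key_type, key_blob))
        return "added"
    raise HostKeyRejected("%s is not in the known hosts" % hostname)

# Constructed sample data: these blobs stand in for real public keys.
GOOD = b"constructed-host-key-A"
ROGUE = b"constructed-host-key-B"
SAMPLE = ("# constructed known_hosts\n"
          "storage1.example.test ssh-ed25519 %s\n" % base64.b64encode(GOOD).decode())
```

With no host keys loaded, every host is unknown on every connection, so the "auto-add" branch accepts whatever key is presented; loading a known_hosts file and using "reject" is what makes a substituted key fail.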