From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 19051 invoked by alias); 6 Nov 2008 18:06:45 -0000 Received: (qmail 18977 invoked by uid 22791); 6 Nov 2008 18:06:43 -0000 X-Spam-Status: No, hits=-0.9 required=5.0 tests=AWL,BAYES_50,KAM_MX,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: sourceware.org Received: from mx1.redhat.com (HELO mx1.redhat.com) (66.187.233.31) by sourceware.org (qpsmtpd/0.31) with ESMTP; Thu, 06 Nov 2008 18:05:59 +0000 Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id mA6I5vmT009874 for ; Thu, 6 Nov 2008 13:05:57 -0500 Received: from ns3.rdu.redhat.com (ns3.rdu.redhat.com [10.11.255.199]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id mA6I5vXd010803 for ; Thu, 6 Nov 2008 13:05:57 -0500 Received: from ton.toronto.redhat.com (ton.yyz.redhat.com [10.15.16.15]) by ns3.rdu.redhat.com (8.13.8/8.13.8) with ESMTP id mA6I5vWe002372; Thu, 6 Nov 2008 13:05:57 -0500 Received: from ton.toronto.redhat.com (localhost.localdomain [127.0.0.1]) by ton.toronto.redhat.com (8.13.1/8.13.1) with ESMTP id mA6I5umo015093; Thu, 6 Nov 2008 13:05:56 -0500 Received: (from fche@localhost) by ton.toronto.redhat.com (8.13.1/8.13.1/Submit) id mA6I5u6G015092; Thu, 6 Nov 2008 13:05:56 -0500 Date: Thu, 06 Nov 2008 18:06:00 -0000 From: "Frank Ch. Eigler" To: Dave Brolley Cc: systemtap Subject: Re: Network Security for the Systemtap Client/Server Message-ID: <20081106180556.GD32565@redhat.com> References: <4900E8AE.9090407@redhat.com> <491215D5.1060202@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <491215D5.1060202@redhat.com> User-Agent: Mutt/1.4.1i X-Scanned-By: MIMEDefang 2.58 on 172.16.52.254 Mailing-List: contact systemtap-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: systemtap-owner@sourceware.org X-SW-Source: 2008-q4/txt/msg00284.txt.bz2 Hi - On Wed, Nov 05, 2008 at 04:53:25PM -0500, Dave Brolley wrote: > >>Wire Level Security > [...] > If I understand correctly, the only way to ensure that the script has > not been modified on route is to have the client sign it with its own > certificate and private key. This can be easily done using the same > techniques used by the server to sign its response. [...] That could well be an overkill. Standard wire-level security like TLS/SSL, without extra explicit signatures, should be sufficient for protection against a hostile network. > [...] > Note that stap-client makes use of more than just the returned > module. Output from stap on the server side is also used and this is > why I'm proposing that the entire server response be > signed. stap-client needs to know that no part of the server > response has been tampered with. That's a good point, but that's adequately addressed by wire-level security. It may help to consider the wire-level stuff orthogonal - as indeed it is since we can theoretically connect stap-client and stap-server with a local unix pipe. > Some possibilities for verification of the module by staprun on the > client side are: > > 1) Separately sign the module within the signed server response, which > seems a bit redundant to me given that the entire server response is > already signed by the server and verified by the client. [...] Yes, but the client (stap-client) cannot be trusted by staprun. staprun need only care that the final module is built correctly. > >[...] > >All that must be automatable to death. The wire protocol part's user > >interface should be no clumsier than, say, svn talking to a https: > >server. > > Right. Bear in mind that these are sysadmin tasks performed once for > each client/server on the network. These tasks are analogous to using > ssh-keygen to generate key pairs for ssh and adding the public > identities to each machine one wants to access. I don't see a need yet for client-side *authentication* that might necessitate signing keys there, so that leaves only the ssh-keygen part. So, for module-signing purposes, sshd's host key is analogous to stap-server's signing key, and ssh's $HOME/.ssh/known_keys (treated more like authorized_keys) is analogous to the staprun's approved keys list. - FChE