[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-API] Use of PAM for authentication & SSL comms

On Wed, Nov 01, 2006 at 11:38:47AM +0000, Alastair Tse wrote:

> > - XenD should install its own PAM config file into /etc/pam.d
> >   rather than re-using the context from the 'login' program
> Well, the problem I ran into is that every distro has their own  
> custom PAM stack and any PAM stack we write will only work on one  
> distro and not another. I believe this is a distro packaging problem.  
> But your concern is still valid, maybe we have to provide a PAM stack  
> for one at least one distro. Let's fight to see which one that will  
> be :)

Back off, Gentoo-freak ;-)

> > - If we're using PAM then we must switch all communications to use
> >   SSL by default - no network daemon should be using system
> >   passwords over a cleartext network channel anymore. If we want
> >   to keep a cleartext channel, then we should use a separate
> >   password database & certainly not system logins
> Definitely. I've only been testing with a local UNIX domain socket.  
> Anything that goes over the network needs SSL encryption, but the API  
> docs don't make any mention of this, presumably because it doesn't  
> really fall into the API.

Actually, I agreed at the last Xen Summit that we would add a list of
supported transports to that API document.  The intention is that any server
meeting the spec can talk to any client meeting the spec, so of course we need
a list of supported transports too.

This list is something we need to write down -- HTTP/local, HTTP/TCP,
HTTP/SSL/TCP are the obvious ones, but if someone needs something else, it's
still open to discussion.

> My guess is we'll need to put some  
> certificate configuration options in xend-config.sxp or run the Xen  
> API on a different XMLRPC server than the one that currently serves xm.

Yeah, I think that we're certainly going to need to use a different port, even
if we're using the same dispatcher behind that.  I'm not sure what to do about
certificate management -- any suggestions?


xen-api mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.