Re: [Xen-devel] [RFC][PATCH] Secure XML-RPC for Xend
On Fri, Jun 09, 2006 at 07:10:23AM -0500, Anthony Liguori wrote:

> Ian Pratt wrote:
> >>The following patch implements a secure XML-RPC protocol for Xend.
> >>Instead of using HTTPS with basic authentication and dealing with all
> >>that nasty OpenSSL/PAM integration, it just uses SSH. This gives you
> >>all the properties you want (great security and PAM integration) with
> >>very little code.
> >>
> >
> >I think we just have to bite the bullet on this one. OpenSSL/PAM
> >integration isn't that hard, and it makes things much cleaner from a
> >client point of view, which is what really matters.
> >
>
> It's tempting to use https/basic auth since it seems like it ought to
> just work with existing clients. However, that doesn't appear to be the
> case.
>
> Python doesn't seem to provide any real support for authentication
> out-of-the-box. It wouldn't be that hard to add but neither was an SSH
> transport.

Personally, I'd use SSL to secure the connection and authenticate the server to the client, but I'd not use HTTP's basic auth -- I'd add a "login" message that checked the username/password using PAM, in other words, have the authentication of the user handled at Xend's level, rather than relying on the transport/session layer to do it. Like you say, HTTP's authentication stuff doesn't seem to be well supported.

> The other problem is that Python doesn't provide support for certificate
> verification. That's okay if you're just using Python to screen scrape
> but if you're in an enterprise environment it's not a very good thing.
>
> The other problem I'm concerned about is certificate management on our
> end. The average user is going to have to end up using snake oil certs and
> I've always found configuring these things to be a real pain.

It's only not a pain with SSH because your distro has set it up for you to generate a key at install time. Hopefully, we could arrange or rely upon the distros to arrange a similar thing for Xend.

Ewan.
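
The application-level "login" message proposed in the reply above, sketched as an added example that is not part of the original message or of Xend's code. It assumes the dispatcher sits behind an SSL listener whose certificate the client verifies; pam_check, the fault code 401 and the session lifetime are hypothetical stand-ins, and the credentials are constructed.

```python
import hmac
import secrets
import time
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

SESSION_TTL = 600                         # seconds (constructed value)
DEMO_USERS = {"admin": "correct horse"}   # constructed credentials

def pam_check(user, password):
    """Stand-in for the PAM lookup (assumption): constant-time compare on demo data."""
    expected = DEMO_USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

class AuthDispatcher(SimpleXMLRPCDispatcher):
    """Every method except login() must carry a live session token as first parameter."""

    def __init__(self, check=pam_check):
        super().__init__(allow_none=True)
        self._check = check
        self._sessions = {}               # token -> (user, expiry)

    def login(self, user, password):
        if not self._check(user, password):
            raise xmlrpc.client.Fault(401, "authentication failed")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, time.monotonic() + SESSION_TTL)
        return token

    def _dispatch(self, method, params):
        if method == "login":
            return self.login(*params)
        token, *args = params or (None,)
        session = self._sessions.get(token) if isinstance(token, str) else None
        if session is None or session[1] < time.monotonic():
            if session is not None:
                del self._sessions[token]  # drop the expired session
            raise xmlrpc.client.Fault(401, "login required")
        return super()._dispatch(method, tuple(args))

def call(dispatcher, method, *params):
    """Round-trip one request through XML-RPC marshalling; no socket is opened."""
    request = xmlrpc.client.dumps(params, method).encode()
    return xmlrpc.client.loads(dispatcher._marshaled_dispatch(request))[0][0]
```

Because the token is checked in _dispatch, the authentication decision stays inside the daemon regardless of which transport delivers the request.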