
Re: [Xen-devel] [RFC][PATCH] Secure XML-RPC for Xend

On Fri, Jun 09, 2006 at 07:10:23AM -0500, Anthony Liguori wrote:

> Ian Pratt wrote:
> >>The following patch implements a secure XML-RPC protocol for Xend.
> >>Instead of using HTTPS with basic authentication and dealing with all
> >>that nasty OpenSSL/PAM integration, it just uses SSH.  This gives you
> >>all the properties you want (great security and PAM integration) with
> >>very little code.
> >>    
> >
> >I think we just have to bite the bullet on this one. OpenSSL/PAM
> >integration isn't that hard, and it makes things much cleaner from a
> >client point of view, which is what really matters.
> >  
> It's tempting to use https/basic auth since it seems like it ought to 
> just work with existing clients.  However, that doesn't appear to be the 
> case.
> Python doesn't seem to provide any real support for authentication 
> out-of-the-box.  It wouldn't be that hard to add but neither was an SSH 
> transport.

Personally, I'd use SSL to secure the connection and authenticate the server
to the client, but I'd not use HTTP's basic auth -- I'd add a "login" message
that checked the username/password using PAM, in other words, have the
authentication of the user handled at Xend's level, rather than relying on the
transport/session layer to do it.  Like you say, HTTP's authentication stuff
doesn't seem to be well supported.

> The other problem is that Python doesn't provide support for certificate 
> verification.  That's okay if you're just using Python to screen scrape 
> but if you're in an enterprise environment it's not a very good thing.
> The other problem I'm concerned about is certificate management on our 
> end.  The average user is going to have to end up using snake oil certs and 
> I've always found configuring these things to be a real pain.

It's only not a pain with SSH because your distro has set it up for you to
generate a key at install time.  Hopefully, we could arrange or rely upon the
distros to arrange a similar thing for Xend.
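As an added illustration (not Xend code and not from the thread) of the "login message checked at Xend's level" design described above: an XML-RPC dispatcher whose `login` method verifies credentials and hands back an opaque session token that every other method requires. The PAM conversation is replaced by a constructed in-memory verifier (`check_password`) and the class name `XendAuthDispatcher` is hypothetical; SSL on the transport is assumed to be handled separately.

```python
import hmac
import secrets
import time

# Constructed stand-in for PAM; a real deployment would call PAM here.
_DEMO_USERS = {"alice": "correct horse"}


class AuthError(Exception):
    """Raised on failed login or on a call without a valid session."""


def check_password(user, password):
    """Stand-in for a PAM conversation: True only on valid credentials."""
    expected = _DEMO_USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


class XendAuthDispatcher:
    """Session-level auth; usable with SimpleXMLRPCServer.register_instance().

    Raising AuthError inside a method becomes an XML-RPC Fault on the wire.
    """

    def __init__(self, verifier=check_password, ttl=600, clock=time.monotonic):
        self._verify = verifier
        self._ttl = ttl              # session lifetime in seconds
        self._clock = clock          # injectable for testing expiry
        self._sessions = {}          # token -> (user, expiry)

    def login(self, user, password):
        if not self._verify(user, password):
            raise AuthError("login failed")
        token = secrets.token_hex(32)   # unguessable session identifier
        self._sessions[token] = (user, self._clock() + self._ttl)
        return token

    def logout(self, token):
        self._sessions.pop(token, None)
        return True

    def _user_for(self, token):
        entry = self._sessions.get(token)
        if entry is None or entry[1] < self._clock():
            self._sessions.pop(token, None)   # drop expired sessions eagerly
            raise AuthError("no valid session")
        return entry[0]

    def list_domains(self, token):
        self._user_for(token)            # every real method gates on the token
        return ["Domain-0"]              # constructed result for the example
```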
