
Re: [Xen-devel] 3.0.5 and Xen API security

xen-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 04/20/2007 01:22:45 PM:

> On Fri, Apr 20, 2007 at 05:20:15PM +0100, John Levon wrote:
> >
> > I talked with Ewan about this a little bit, but thinking some more it
> > seems like we really need to resolve this before 3.0.5.
> >
> > We need to change xend to use the 'xend' service, and deliver an
> > /etc/pam.d/xend file. Since there is no infrastructure yet for deciding
> > if a user can control xend, it seems like this should always refuse
> > authentication unless the certificate stuff has verified correctly. Or
> > at least we must actively disable connections except over the unix
> > socket or authenticated SSL.
>
> The question when using PAM is really what user database are we authenticating
> against? Do we auth against 'root', or any local user, or a completely
> separate list of users. I'd really imagine the latter, since places may
> well want to separate the general sysadmin role, from the XenD management
> roles.

The xen-api has a 'user' class that was probably meant for this purpose. There could be a 'sysadmin' user with a default password or the root password preinstalled on a system.
It looks like the record of a user should be extended with a (write-only) password field and maybe a change_password() method.


> Dan.
> --
> |=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
> |=-           Perl modules: http://search.cpan.org/~danberr/              -=|
> |=-               Projects: http://freshmeat.net/~danielpb/               -=|
> |=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
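The two proposals in this thread, sketched as an added example (this is not xend's code, and nothing here is from the Xen tree): a XenAPI-style user record whose password is write-only and changed through a change_password() method, kept in a user list separate from the system password database, and a login path that refuses credentials unless the connection came in over the unix socket or an SSL session whose client certificate verified. The XenAPI 'user' class's short_name and fullname fields are real; the class names XendUser and XendAuth, the transport tags, and the session handling are assumptions made for the example.

```python
# Added example, not xend's code. Shows a XenAPI-style user record with a
# write-only password and change_password(), kept in a xend-private user
# list, plus a login check that refuses password authentication unless the
# connection is the unix socket or SSL with a verified client certificate.
# Everything except the XenAPI 'user' fields short_name/fullname is assumed.
import hashlib
import hmac
import os
import uuid

PBKDF2_ROUNDS = 100_000

# Transport kinds as a (hypothetical) listener would tag each connection.
UNIX_SOCKET = "unix"           # local socket, protected by filesystem perms
SSL_VERIFIED = "ssl-verified"  # TLS with a client certificate that verified
SSL_UNVERIFIED = "ssl"         # TLS, but no verified client certificate
PLAIN_TCP = "tcp"              # no transport protection at all

# Only these may even present a password; everything else is refused.
AUTH_ALLOWED_TRANSPORTS = frozenset({UNIX_SOCKET, SSL_VERIFIED})


class XendUser:
    """A record in the spirit of the XenAPI 'user' class, extended with a
    write-only password stored only as salt + PBKDF2 hash."""

    def __init__(self, short_name, fullname, password):
        self.uuid = str(uuid.uuid4())
        self.short_name = short_name
        self.fullname = fullname
        self._salt = b""
        self._hash = b""
        self._set_password(password)

    def _set_password(self, password):
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self._salt, PBKDF2_ROUNDS)

    def check_password(self, password):
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self._salt, PBKDF2_ROUNDS)
        # constant-time compare so a wrong guess leaks no partial match
        return hmac.compare_digest(candidate, self._hash)

    def change_password(self, old_password, new_password):
        """The proposed change_password(): caller must prove the old one."""
        if not self.check_password(old_password):
            return False
        self._set_password(new_password)
        return True

    def get_record(self):
        """XenAPI-style record: no password material is ever exported."""
        return {"uuid": self.uuid,
                "short_name": self.short_name,
                "fullname": self.fullname}


class XendAuth:
    """A xend-private user list (not /etc/passwd or PAM's view of it) plus
    the transport check the thread asks for."""

    def __init__(self):
        self._users = {}
        self._sessions = {}

    def add_user(self, user):
        self._users[user.short_name] = user

    def get_user(self, short_name):
        return self._users.get(short_name)

    def login_with_password(self, transport, short_name, password):
        """Return a session id, or None if the login is refused."""
        if transport not in AUTH_ALLOWED_TRANSPORTS:
            # plain TCP or unverified SSL: refuse before touching the password
            return None
        user = self._users.get(short_name)
        if user is None or not user.check_password(password):
            return None
        session = uuid.uuid4().hex
        self._sessions[session] = user.short_name
        return session

    def session_user(self, session):
        """Map a session id back to the short_name that opened it."""
        return self._sessions.get(session)
```

Note that the transport check runs before the user lookup: a client on plain TCP never gets a password verified at all, which is the "actively disable connections except over the unix socket or authenticated SSL" point in the quoted message. Replacing the private user list with a PAM call against a dedicated 'xend' service would keep the same structure; only check_password would change.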