[Csync2] Public cluster -- Letting a pre-shared key escape
Clifford Wolf
clifford at clifford.at
Wed Apr 19 12:27:18 CEST 2006
Hi,
On Sun, Apr 16, 2006 at 11:22:09AM +0200, Andreas J. Koenig wrote:
> >>>>> On Sat, 15 Apr 2006 08:43:00 +1000, "Michael Mansour" <mic at npgx.com.au> said:
>
> > Just to add my 1 cent, spoofing is impossible if the hostnames are contained
> > in the /etc/hosts file (and nsswitch looks there first). Is this a problem to
> > have in your setup?
>
> Were this setup secure enough, we could omit the storing of SSL
> certificates altogether:)
>
> Currently I prefer the option to write the certificate directly to the
> database similar to the way I described in my latest posting to this
> list, and as far as I can see, it seems to work reliably and I cannot
> see security holes left open by this setup.
unfortunately I have almost no idea about x509 certificates and all that
stuff (the best requisites for writing security relevant software for using
this techniques ;-) ..
imo it would be great if a admin could create his own CA and then create
host keys using this CA, so that csync2 could be configured with the CA
public key and would refuse certificates which aren't signed by the
configured CA.
actually it always was my plan to implement ssl in csync2 that way. but my
x509 and gnuTLS knowledge isn't sufficient to implement it and I have not
time at the moment to learn the missing things..
Andreas, are you interested in and do you know enough about x509 and the
gnuTLS api to implement this and send me a patch?
yours,
- clifford
--
***************** Free Software / Hacker Events ******************
Linuxwochen Austria ................... http://www.linuxwochen.at/
Linux-Kongress .................... http://www.linux-kongress.org/
Chemnitzer Linux-Tage ........... http://chemnitzer.linux-tage.de/
Chaos Communication Congress ......... http://www.ccc.de/congress/
************************** SEE YOU THERE *************************
Pascal /n./ A programming language named after a man who would turn over
in his grave if he knew about it.
More information about the Csync2
mailing list