Re: Func and kerberos

Some comments inline:

On Thu, 11 Oct 2007, Karl MacMillan wrote:

> So func looks interesting and I wanted to ask a few questions about
> potential integration w/ LDAP and kerberos (and freeipa.org).
>
> * Any chance you would be interested in supporting kerberos in addition
> to certificates? The main advantage here is that you would be able to
> authenticate specific users or services on other systems more easily.

Sounds useful.

> * For later versions of freeipa we plan to do machine identity. With
> that you would have a list of machines stored in ldap, groupings of
> those machines, and already have certs / kerberos principals to identify
> those machines. It would also enable you to obtain additional certs /
> principals for the func service securely.

Should be pretty trivial to just use a different cert. In theory, a cert is a cert is a cert; if the server can say "hello, do you trust me?" and the client can say "yes, I'm listening," func doesn't care what that mechanism is.

> Speaking of which, it looks like you currently have clients
> automatically obtain certificates from the master server without
> authenticating the master server in any way. This seems like a security
> hole. Basically - if a rogue master server can spoof the master on the
> network (which would be easy) I can intercept registration requests,
> issue a cert, and fully control all of the other systems. It could even
> communicate with the real master and become a man-in-the-middle.

Yep. The question *very quickly* becomes, "is func useful enough in the general case to even bother solving that problem?" Which, I think, is the *first* question to figure out. Until we know that func is a viable codebase and something that people will rally to and use, overdeveloping the security model isn't useful.

Of course, the minute that people decide that func *is* useful, then the security model becomes *extremely* important, and there's nothing fundamental to the func design that precludes this work later, AIUI.

> * Another security concern - is the funcd on the clients trusted to
> perform all of the actions? This will make it a huge target for attacks.
> Could you instead exec helper applications? This would also allow you to
> run the helper applications with lower privileges - either in a
> specific selinux context, have it drop some capabilities before exec of
> the script, or even as an unprivileged user.

Again: first let's validate that people find func (a) useful and (b) something they would want to extend with a community of modules. *Then* worry about things like "helper scripts with dropped privs." I think everyone's pretty well aware that, to start, func is nothing but a big ol' rootkit. *For now*, that's perfectly okay.

--g

--
Greg DeKoenigsberg
Community Development Manager
Red Hat, Inc. :: 1-919-754-4255
"To whomsoever much hath been given...
...from him much shall be asked"
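
The helper-application idea raised in the last quoted question, as an added Python sketch that is not part of this message or of func's code: the daemon execs an allow-listed helper with a fixed environment and, when it runs as root, as an unprivileged user. The `HELPERS` table, the `identity` helper and the 65534 uid/gid are assumptions for illustration; the SELinux-context and capability-dropping variants are not covered.

```python
import os
import subprocess

# Hypothetical allow-list: action name -> fixed argv of the helper that performs it.
# The sample helper only reports the identity and environment it was given.
HELPERS = {
    "identity": ["/bin/sh", "-c", "id -u; id -g; env"],
}

# Assumption: 65534 is the conventional "nobody" uid/gid on Linux.
UNPRIV_UID = 65534
UNPRIV_GID = 65534


def run_helper(action, timeout=10):
    """Run an allow-listed helper outside the daemon's own process.

    The child gets a fixed environment and no inherited descriptors. When the
    caller is root, it is also switched to an unprivileged uid/gid with no
    supplementary groups before the helper is exec'd.
    """
    if action not in HELPERS:
        raise KeyError("no helper registered for action %r" % action)

    drop = {}
    if os.geteuid() == 0:
        # Python 3.9+: subprocess applies these in the child before exec.
        drop = {"user": UNPRIV_UID, "group": UNPRIV_GID, "extra_groups": []}

    proc = subprocess.run(
        HELPERS[action],
        env={"PATH": "/usr/bin:/bin"},  # nothing inherited from the daemon
        cwd="/",
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
        timeout=timeout,
        close_fds=True,
        check=True,
        **drop,
    )
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print(run_helper("identity"))
```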

