
RE: conserver with encryption

Doug Hughes doug@gblx.net
Mon, 21 May 2001 08:38:47 -0700 (PDT)


I've done it. Yes, it is work. Doing it modularly will be even more work.
However, in order to do this right (not creating dependency hell), I
think it's the right way. (Kerberos would be a *whole* lot of work for
somebody wishing to incorporate that with modularity).

Just my $.02.

The easiest way would be to just add encryption using something like
cryptolib. Use DH to gen keys on both ends and then 3DES or IDEA
or blowfish or whatever to encrypt things. Then have a set of
#ifdefs in the appropriate place in the communication path to
initialize the session and before/after network reads/writes to
encrypt/decrypt.

This is bare bones. It doesn't provide for man in the middle
prevention, it doesn't verify authenticity. It does prevent
passwords from transiting in the clear. Using something like this
with tcp_wrappers provides some additional protection at marginal
effort increment.
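An added sketch of the design described above (DH on both ends, then a symmetric cipher wrapped around every read and write); this is illustrative Python, not conserver code and not something from the mail, and it swaps in an HMAC-SHA256 keystream for 3DES/IDEA/Blowfish and a toy prime for the DH group so it runs offline.

```python
# Added sketch of the "DH on both ends, then a symmetric cipher around
# every read/write" design described in the mail. Not conserver code.
# Constructed for an offline demo: a fixed group (P, G) compiled into
# both ends and an HMAC-SHA256 keystream standing in for 3DES/IDEA/Blowfish.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime for the demo; a real build uses a standard group
G = 5

class Session:
    """One end of the link: DH key agreement, then the encrypt/decrypt
    calls that would wrap the existing network write()/read()."""
    def __init__(self):
        self._priv = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self._priv, P)   # the only value sent in the clear
        self._key = None
        self._send_ctr = 0   # per-direction counters: keystream is never reused
        self._recv_ctr = 0

    def establish(self, peer_public):
        # Unauthenticated: nothing ties peer_public to a particular host,
        # which is the man-in-the-middle gap the mail acknowledges.
        shared = pow(peer_public, self._priv, P)
        self._key = hashlib.sha256(shared.to_bytes(16, "big")).digest()

    def _keystream(self, ctr, n):
        out = b""
        for block in range(0, n, 32):
            nonce = ctr.to_bytes(8, "big") + block.to_bytes(4, "big")
            out += hmac.new(self._key, nonce, hashlib.sha256).digest()
        return out[:n]

    def encrypt(self, data):   # just before the network write
        ks = self._keystream(self._send_ctr, len(data))
        self._send_ctr += 1
        return bytes(a ^ b for a, b in zip(data, ks))

    def decrypt(self, data):   # just after the network read
        ks = self._keystream(self._recv_ctr, len(data))
        self._recv_ctr += 1
        return bytes(a ^ b for a, b in zip(data, ks))

def demo(message=b"password: hunter2\n"):
    client, server = Session(), Session()
    client.establish(server.public)
    server.establish(client.public)
    wire = client.encrypt(message)   # what crosses the network
    return server.decrypt(wire), wire
```

The `#ifdef`s the mail mentions would sit exactly where `establish`, `encrypt` and `decrypt` are called, so a build without the option compiles to the plain reads and writes.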

On Mon, 21 May 2001, Chris Fowler wrote:

> You guys talk about encryption but has anyone actually tried to implement
> it in this type of software?  It takes a tremendous amount of work and
> investment from someone to do this.  It's easy to say I want SSH II or I
> want SSH I.  It is a very different thing to be the one to code it.  Sorry
> to be blunt but we've been in this circumstance.   OpenSSH is very big.
> 
> Chris
> 
> 
> -----Original Message-----
> From: Doug Hughes [mailto:doug@gblx.net]
> Sent: Monday, May 21, 2001 11:19 AM
> To: Bryan Stansell
> Cc: users@conserver.com
> Subject: Re: conserver with encryption
> 
> 
> On Mon, 21 May 2001, Bryan Stansell wrote:
> 
> > On Mon, May 21, 2001 at 11:29:36AM +0100, Iain Rae wrote:
> > > Do we just want to have encrypted channels or to handle things like
> > > Kerberos authentication?
> > 
> > Encryption would be extremely nice...whatever type (I'd like to not
> > have to install ssl certs, but others probably would, to verify it's
> > really their console server - just a thought).  Authentication, on the
> > other hand, is another beast and, while it too would be great
> > (kerberos, securid, s-key, ...), it's a whole different set of code
> > manipulation and I'd suggest thinking about them separately.
> > 
> > > Which protocols would we want (I suspect SSL will be the easiest way to
> > > get some kind of encrypted channel, but we (dcs) would want Kerberos and
> > > possibly ssh)?
> > > 
> > > Is it a compilation/configuration choice or should conserver support
> > > multiple different systems?
> > 
> > My first thought is it should be a compilation choice - you don't want
> > to have to have kerberos, ssh, and ssl libraries to just compile the
> > thing.  Would anyone want to run multiple protocols within a conserver
> > installation?  I'd think not (beyond the "that would be cool" factor),
> > but, opinions?  I know I'd just pick one and compile it in.
> > 
> 
> I'd opt for:
> [configure]
> --with-openssl=... --with-ssl-cert=... --with-libcrypto=...
> --with-kerbv5=...
> (type of stuff - make them all independent modules)
> 
> 	Doug
> 
> 
> _______________________________________________
> users mailing list
> users@conserver.com
> https://www.conserver.com/mailman/listinfo/users
>