www.delorie.com/gnu/docs/cfengine/cfengine-Tutorial_97.html   search  
Buy GNU books!

GNU cfengine

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

7.20 Trust and key races

Trust is the central issue in the security of any system. Public and private keys help you to trust other hosts, only after the genuine, legitimate public keys have been securely distributed to all relevant parties. Until that has happened, it is necessary to trust the identity of remote hosts. Cfengine provides trust policy options which decide whether keys should be exchanged on trust or not, when remote parties connect for the first time. If you do not want to blindly trust keys, you could arrange to exchange key files manually, e.g.

scp /var/cfengine/ppkeys/localhost.pub remote:/var/cfengine/ppkeys/root-IP-number.pub

or you could arrange to connect at a specific time, so minimize the chances of spoofer racing you to the finishing line in transferring a key for a given user at a given host.

Note that, even program like ssh which use "privileged ports" are no longer immune to spoofing. Privileged ports are ports which only the root user can bind to. The idea used to be, a connection on a privileged port must have come from a trusted user, because only someone with the root/Administrator password would be able to bind to a privileged port. Today, that idea is naive at best. Anyone can set up their own host, pull the plug on another and spoof an address or user identity -- there are so many ways to attack a system that it is impossible to know with certainty to whom one is talking over the net. The only security one has is in being able to keep a secret key. However, if someone gets there before you, with a fake key, and claims to be you, the receiver cannot know better. This applies to any and all cryptographic software.

Cfengine secure copy is not based on SSL/TLS (although it shares some of the lower level libraries). SSL is not appropriate for a system administration tool, because it uses a trust model based on a third party, such as Verisign. Most adminisrators are not prepared to pay a fee to register every host on their network, with a trusted third party. Cfengine does not use the Secure Shell protocol either. The ssh protocol is not directly appropriate for a system management tool, because it provides only unilateral authentication of user to server. Cfengine authenticates these parties mutually, i.e. user to server, and server to user. Moreover, ssh requires a user to manually accept a key on trust, when the public keys are unknown to the parties, whereas cfengine works non-interactively. SSh uses the notion of binding to a trusted port, to confirm privileged user identity. Cfengine does not make this assumption.

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

  webmaster   donations   bookstore     delorie software   privacy  
  Copyright 2003   by The Free Software Foundation     Updated Jun 2003