[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] PATCH: 3/10: auth configuration support



On Mon, Dec 03, 2007 at 01:43:01PM +0100, Jim Meyering wrote:
> "Daniel P. Berrange" <berrange redhat com> wrote:
> 
> > On Thu, Nov 29, 2007 at 05:18:06PM +0000, Daniel P. Berrange wrote:
> >> This patch provides the ability to configure what authentication mechanism
> >> is used on each socket - UNIX RW, UNIX RO, TCP, and TLS sockets - all can
> >> have independant settings. By default the UNIX & TLS sockets have no auth,
> >> and the TCP socket has SASL auth enabled. The /etc/libvirt/libvirtd.conf
> >> file lets you override these options.
> >>
> >> There is also a new  sasl_allowed_username_list = ["admin"]  config
> >> param to let you whitelist the users you want to allow.  This supports
> >> use of wildcards. The username is dependnat on the SASL auth mechanism.
> >> For DIGEST-MD5 it will be plain usernames, for Kerberos it will be a
> >> username + realm, eg  admin EXAMPLE COM
> >>
> >> After discussion with Rich, I also remove the tls_allowed_ip_list for
> >> whitelisting source IP addresses. This was a) not protecting us because
> >> it was only checked after the TLS handshake - thus allowing trivial DOS
> >> attack b) much easier to handle via tcp wrappers, or IPtables. c) only
> >> ever checked for the TLS socket d) IP addresses are easily spoofed.
> >>
> >> If summary, if you're using a real authentication mechanism, this is
> >> only useful for protecting against DOS attacks & that's better done by
> >> iptables.
> >
> > Rebased to take account of Jim's changes, and incorporated fixes to the
> > config file
> 
> This looks fine.
> Thanks for preserving my convention of "#var = ..." (no space after '#')
> in the config file.  I have a test that depends on that -- will post it
> after you commit this change.
> 
> I find code/diffs easier to read when the lines themselves fit in 80 columns.
> There are lots of 100+-byte lines here.  I know some are generated, but
> I'll be happy to normalize the others once this is checked in.

This is now comited.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]