[Ovirt-devel] gssapi/kerberos support for qpidd

Daniel P. Berrange berrange at redhat.com
Thu Jan 29 16:56:10 UTC 2009


On Thu, Jan 29, 2009 at 08:45:08AM -0800, Ian Main wrote:
> 
> This set of patches adds gssapi/kerberos support to qpidd.  You'll
> note that it's still not secure as we allow 'plain' auth with a 
> guest account for daemons that connect over localhost (taskomatic,
> dbomatic etc.) and unfortunately there's no way to constrain that 
> to localhost connections at this time.

Doesn't QPidd have UNIX domain socket support?  We shouldn't really
use TCP over 'localhost' for local connections, since it is just
unnecessarily increasing latency & overheads.

Unless you really do need/want to authenticate local connections with GSSAPI
too, there'd be no particular need to run GSSAPI over the UNIX domain socket,
just rely on the filesystem permissioning on the socket to restrict access.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
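
The approach suggested in the message above, restricting local access through the permissions on a UNIX domain socket instead of authenticating over TCP on localhost, shown as an added example that is not part of the original thread and is not qpidd code. It assumes Linux; the function names and the `broker.sock` path are hypothetical, and the `SO_PEERCRED` lookup goes one step beyond the filesystem-permission point to show the kernel-recorded identity of the connecting process.

```python
import os
import socket
import stat
import struct
import tempfile


def make_restricted_listener(path, mode=0o660):
    """Bind a UNIX stream socket whose filesystem node is created with `mode`."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # Set the umask before bind() so the node never exists with wider
    # permissions; a chmod() after bind() would leave a race window.
    # The umask is process-wide, so do this before starting other threads.
    old_umask = os.umask(0o777 & ~mode)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer as recorded by the kernel (Linux)."""
    size = struct.calcsize("3i")
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    return struct.unpack("3i", raw)


def demo():
    """Create the socket, connect to it locally, return (socket mode, peer uid)."""
    workdir = tempfile.mkdtemp(prefix="broker-")  # created 0700 by mkdtemp
    path = os.path.join(workdir, "broker.sock")   # hypothetical socket path
    srv = make_restricted_listener(path)
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)  # needs write permission on the socket node
        conn, _ = srv.accept()
        _pid, uid, _gid = peer_credentials(conn)
        conn.close()
        cli.close()
        return mode, uid
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    mode, uid = demo()
    print(f"socket mode {mode:o}, peer uid {uid}")
```

With mode 0660 only the owning user and group can connect, so local daemons would be placed in that group rather than given a guest password.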



