Hi Martins,
----- Original Message -----
> Hi,
> We have a few systems we'd like to setup with security and
> authentication:
>
> http://www.pcp.io/docs/lab.secure.html
> http://www.pcp.io/docs/lab.auth.html
>
> I have 2 questions:
>
> 1. In the "Secure Connections" documentation, the documentation seems
> to be about certificates on the server side and ensuring the
> authenticity of the of the server(pmcd). Has anyone looked into
> implementing support for client(pmlogger, pminfo, etc) side certificates
> for authentication/access-control?
>
> Alternatively, should this be done through SASL authentication and
> something like X509 certificates, which seem to be supported by SASL,
> but I can't find any documentation on.
>
> 2. Is it possible to configure pmcd to reject all
> non-secure/non-authenticated remote connections?
Yes - there's a -S option to pmcd that does this. It works, but there
are gotchas to watch out for, like the rc scripts we provide use tools
like pmcd_wait(1) to check pmcd started up ... can be problematic when
these check tools are not setup to authenticate with pmcd. :)
> Basically I would like to do authentication based on a client side
> certificate, and reject all other connections. Sorry if my terminology
> is a little wrong, just starting to get my head around this stuff.
No problem. So, there's multiple parts to the puzzle - the "secure
connection" aspect is the first part, which is done by the NSS code -
this is the part that uses certificates. This sets up the equivalent
of an https connection, but for PCP protocol - both ends need to use
certificates.
The second part is the authentication side of things, which is where
SASL is used. SASL has a plugin model, where authentication methods
(i.e. answering questions like - is this really user "minnus"?) can
be used - e.g. username/password, gss, kerberos, ... etc.
cheers.
--
Nathan
|