[Xymon] XyMon client binaries default security is bad

Ralph Mitchell ralphmitchell at gmail.com
Fri Mar 1 22:45:04 CET 2013


On Fri, Mar 1, 2013 at 3:40 PM, <cleaver at terabithia.org> wrote:

> [snip]
>
> Perhaps user/pass authentication could be added, but "real" security at
> the report-submission level would be SSL-handshaking at the port with any
> local keys controlled by standard unix/host access controls, (or HTTPS and
> xymonmsgcgi.msg and appropriate user/pass auth info after the SSL tunnel
> is set up). The bits and pieces are in trunk, but I'm not sure what their
> current working state is...


I'm currently using xymoncgimsg.cgi to catch status messages sent over
HTTPS via curl.  For what I'm doing, the client-side xymon binary can be
replaced by a script.

I'm not using client-side certificates, though that ought to be fairly easy
to add.  The problem with any client-side userid/password/certificate is
that you have a plain text password or key somewhere, so the whole
security chain could unravel if not done right.

Ralph Mitchell
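
The script-plus-curl approach described above, with a client certificate added and a guard on the plain-text key file, as an added example that is not part of the original post or of Xymon itself. The function names, the URL and file paths in the usage comment, and the assumption that the CGI reads the message from the POST body are all hypothetical.

```shell
#!/bin/sh
# Added example (not Xymon project code): send a status message over HTTPS
# with curl, refusing to use a client key that other local users can read.

# Build a Xymon status line: "status HOST.TEST COLOR text".
# Dots in the hostname are written as commas in Xymon messages.
xymon_status_msg() {
    host=$(printf '%s' "$1" | tr '.' ',')
    printf 'status %s.%s %s %s\n' "$host" "$2" "$3" "$4"
}

# Succeed only if the file is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits set (e.g. mode 0600).
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    ls -ln "$f" | awk -v uid="$(id -u)" \
        '{ exit !($3 == uid && $1 ~ /^-...------/) }'
}

# send_status URL KEYFILE CERTFILE MESSAGE
# Returns 2 without contacting the server if the key file is exposed.
send_status() {
    url=$1; key=$2; cert=$3; msg=$4
    if ! secret_file_ok "$key"; then
        echo "refusing to send: $key fails the ownership/permission check" >&2
        return 2
    fi
    # Assumption: the server-side CGI takes the raw message as the POST body.
    # curl verifies the server certificate by default; do not pass --insecure.
    printf '%s' "$msg" | curl --silent --show-error --fail \
        --cert "$cert" --key "$key" \
        -H 'Content-Type: application/octet-stream' \
        --data-binary @- "$url"
}

# Usage (constructed values, adjust to the local setup):
#   msg=$(xymon_status_msg "$(hostname)" disk green "$(date) - disk OK")
#   send_status https://xymon.example.com/cgi-bin/xymoncgimsg.cgi \
#       /etc/xymon-client/client.key /etc/xymon-client/client.pem "$msg"
```

The permission check only narrows who on the host can read the key; the key is still stored unencrypted, which is the residual risk the post points out.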