[hobbit] Alternate to msgcache/hobbitfetch?

Hobbit User hobbit at epperson.homelinux.net
Wed Jun 6 01:03:17 CEST 2007


On Tue, June 5, 2007 16:32, Henrik Stoerner wrote:
> First - yes, there are bugs in msgcache/hobbitfetch, and I'll try to get
> those sorted out.

It's good to know that.  Considering how well most of it works, I'm sure
that a reliable solution to the msgcache/hobbitfetch issues will be
forthcoming.  There are also some troublesome things about the
initialization scripts.  I see environment files being sourced, then paths
being hard-coded that could have been constructed from the sourced values.
There are also stop functions that don't shut down everything that the
start function starts.  I know there's a lot of work in preparing these
for the different environments.  Is the right way to help to contribute
"upgraded" scripts back to you, Henrik?  Or would you prefer to have them
posted here or to the Shire?
>
>> *5. Regardless, I would like to see some sort of encryption of the
>> hobbit protocol. Nothing extreme, just not plaintext. Even a simple XOR
>
> I must disagree here.
>
> Poorly implemented cryptography is much worse than no cryptography.
> It gives people the impression that confidentiality "has been taken care
> of with encryption", when in fact it hasn't. And then people tend to
> forget about the *other* things they need to do to get a secure
> environment.
>
Absolutely the right thinking.  Trivial encryption not only gives a false
sense of security, it adds unnecessary overhead given the ease of cracking
it.

> Inventing your own crypto protocol is usually the *worst* way to
> begin doing any kind of encryption.  History is full of examples.
> I do not want to become part of it.
>
> If Hobbit is going to have an encrypted link between clients and the
> Hobbit server, it will be using TLS (SSL). It's a well-tested protocol,
> it has support for not only encryption but also authentication (both
> server and client), and there are standard libraries available
> implementing it - which Hobbit already uses for network tests.

That could be useful, but I find that ssh lends itself to tunneling
hobbitfetch and the network-based tests if you want to do that, is
ubiquitous, and it's simpler to set up the PKI authentication than doing
full-blown TLS.  It's worth considering how to ride on that as an
alternative in the way Hobbit works.  Of course, I'm biased because I
already set up that relationship on all the monitored machines for general
systems management purposes.

Thanks, Henrik, for the enormous amount of time you must put into this. 
And thanks to everyone for this active support community.

regards,
j.
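
The point made above about trivial XOR, as an added Python example that is not part of the original post or of Hobbit's code: a repeating-key XOR over a message with a predictable start exposes its own key, so it provides no confidentiality. The key, the sample message and the assumption that every report begins with the keyword "status " are constructed for illustration.

```python
from itertools import cycle


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call obfuscates and de-obfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def keystream_from_prefix(wire: bytes, known_prefix: bytes) -> bytes:
    """wire XOR plaintext = key bytes, for as many bytes as the prefix covers."""
    return bytes(c ^ p for c, p in zip(wire, known_prefix))


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest block that, repeated, reproduces the stream.

    If the key is longer than the known prefix, no repeat is visible and
    the whole stream (a partial key) is returned.
    """
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return stream[:p]
    return stream


def demo():
    key = b"k3y!"                                      # constructed key
    message = b"status www,example,com.disk green / at 41%"  # constructed
    wire = xor_obfuscate(message, key)                 # what goes on the network
    # An observer needs only the fixed leading keyword, not the key.
    exposed = shortest_period(keystream_from_prefix(wire, b"status "))
    return exposed, xor_obfuscate(wire, exposed), message


if __name__ == "__main__":
    exposed, recovered, original = demo()
    print("key exposed by known prefix:", exposed)
    print("message recovered intact:  ", recovered == original)
```
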




