[Xymon] XyMon client binaries default security is bad

[Novosielski, Ryan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/01/2013 04:45 PM, Ralph Mitchell wrote:
> On Fri, Mar 1, 2013 at 3:40 PM, <cleaver at terabithia.org 
> <mailto:cleaver at terabithia.org>> wrote:
> 
> [snip]
> 
> Perhaps user/pass authentication could be added, but "real"
> security at the report-submission level would be SSL-handshaking at
> the port with any local keys controlled by standard unix/host
> access controls, (or HTTPS and xymonmsgcgi.msg and appropriate
> user/pass auth info after the SSL tunnel is set up). The bits and
> pieces are in trunk, but I'm not sure what their current working
> state is...
> 
> 
> I'm currently using xymoncgimsg.cgi to catch status messages sent
> over HTTPS via curl.  For what I'm doing, the client-side xymon
> binary can be replaced by a script.
> 
> I'm not using client-side certificates, though that ought to be
> fairly easy to add.  The problem with any client-side 
> userid/password/certificate is that  you have to have a plain text 
> password or key somewhere, so the whole security chain could
> unravel if not done right.

Another piece of software I use, Bacula, can use SSL and does
validation against the CN field. I would think that would be a
reasonable solution. It also needs to pass a signature test. I would
think it would be pretty hard to fake a CN and then get it signed by
your in-house certificate authority, let alone VeriSign.

- -- 
- ---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlExI20ACgkQmb+gadEcsb4BgwCgyifmXeCCHou/X5qVYRp05hMN
2yUAmgKjxYEhHfSH8f2P6jZ48ZwhROk1
=YI8p
-----END PGP SIGNATURE-----