[Xymon] XyMon client binaries default security is bad
novosirj at umdnj.edu
Fri Mar 1 22:53:49 CET 2013
On 03/01/2013 04:45 PM, Ralph Mitchell wrote:
> On Fri, Mar 1, 2013 at 3:40 PM, <cleaver at terabithia.org> wrote:
> > Perhaps user/pass authentication could be added, but "real"
> > security at the report-submission level would be SSL-handshaking at
> > the port with any local keys controlled by standard unix/host
> > access controls, (or HTTPS and xymonmsgcgi.msg and appropriate
> > user/pass auth info after the SSL tunnel is set up). The bits and
> > pieces are in trunk, but I'm not sure what their current working
> > state is...
> I'm currently using xymoncgimsg.cgi to catch status messages sent
> over HTTPS via curl. For what I'm doing, the client-side xymon
> binary can be replaced by a script.
> I'm not using client-side certificates, though that ought to be
> fairly easy to add. The problem with any client-side
> userid/password/certificate is that you have to have a plain text
> password or key somewhere, so the whole security chain could
> unravel if not done right.
Another piece of software I use, Bacula, can use SSL and does
validation against the CN field. I would think that would be a
reasonable solution. It also needs to pass a signature test. I would
think it would be pretty hard to fake a CN and then get it signed by
your in-house certificate authority, let alone VeriSign.
- ---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| | | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark