[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-API] Use of PAM for authentication & SSL comms

To: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
From: Alastair Tse <atse@xxxxxxxxxxxxx>
Date: Wed, 1 Nov 2006 11:38:47 +0000
Cc: xen-api@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 02 Nov 2006 13:43:56 -0800
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>


On 31 Oct 2006, at 23:29, Daniel P. Berrange wrote:


 - The XML-RPC api is using a login method where you explicitly
   pass in a username & password as the two params. This doesn't
   really match up with the PAM model of conversation functions
   which request one or more pieces of auth info in sequence. It
   strikes me that since XML-RPC is a bi-directional protocol it
   would make alot more sense to allow the PAM conversation callbacks
   to go back & forth over the XML-RPC channel to collect data from
   the client as needed, rather than having the client provide
   the username & password ahead of time.

Is that over complicating the login protocol, at least for user nameand password? Then we will have to keep track of not onlyauthenticated sessions, but also login sessions.


   By removing the fixed user/passwd at the client end of the API
   it'll be possible to add in support for all the different types
   of auth people can configure with PAM. The obvious one being
   kerberos GSSAPI single sign on.

Could we just add a new login_with_kerberos_... call to the API forthat and any other method that people can come up with?


 - XenD should install its own PAM config file into /etc/pam.d
   rather than re-using the context from the 'login' program

Well, the problem I ran into is that every distro has their owncustom PAM stack and any PAM stack we write will only work on onedistro and not another. I believe this is a distro packaging problem.But your concern is still valid, maybe we have to provide a PAM stackfor one at least one distro. Let's fight to see which one that willbe :)


 - If we're using PAM then we must switch all communications to use
   SSL by default - no network daemon should be using system
   passwords over a cleartext network channel anymore. If we want
   to keep a cleartext channel, then we should use a separate
   password database & certainly not system logins

Definitely. I've only been testing with a local UNIX domain socket.Anything that goes over the network needs SSL encryption, but the APIdocs don't make any mention of this, presumably because it doesn'treally fall into the API. My guess is we'll need to put somecertificate configuration options in xend-config.sxp or run the XenAPI on a different XMLRPC server than the one that currently serves xm.


Cheers,

Alastair



_______________________________________________
xen-api mailing list
xen-api@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-api

Follow-Ups:
- Re: [Xen-API] Use of PAM for authentication & SSL comms
  - From: Ewan Mellor

References:
- [Xen-API] Use of PAM for authentication & SSL comms
  - From: Daniel P. Berrange

Prev by Date: [Xen-API] Xen API call Wed 8-9am PT
Next by Date: [Xen-API] Use of PAM for authentication & SSL comms
Previous by thread: [Xen-API] Use of PAM for authentication & SSL comms
Next by thread: Re: [Xen-API] Use of PAM for authentication & SSL comms
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.