On Thu, Sep 13, 2007 at 10:57:27PM +0200, Arno Lehmann wrote:
> Hi,
> 
> 13.09.2007 22:14, root wrote:
> > On Thu, Sep 13, 2007 at 09:44:25PM +0200, Arno Lehmann wrote:
> >> Hello,
> >>
> > Thank you for taking the time to reply.
> > 
> >> 13.09.2007 20:59, Mike Mestnik wrote:
> >>>
> >>> I'll attach some config.  I don't have access to the SD at this time,
> >>> I'm using 'ssh -i "key"' inside inetd to run 'nc' on the sd server.
> >>> If there is an interest I am posting this config here.
> >> I really don't understand what you say here...
> >>
> > The communications pass like so...
> > Dir -localhost:bacula-sd> inetd(exec ssh -vault7:22> sshd(exec nc -localhost:bacula-sd> bacula-sd))
> > Both bacula processes are unaware that they are not connecting
> > over a localhost:bacula-sd connection.  nc(AKA netcat) is used
> > to proxy the request to the bacula-sd as though it were the
> > director, inetd accepts connections from the Director as though
> > it were the sd.
> 
> Interesting setup... I assume this is to provide some sort of secure 
> communication, similar to what (earlier, for Bacula) was done using 
> stunnel or could be achieved both by using encrypted communications in 
> Bacula, or by setting up a VPN...
> 
It's more like a VPN, but it can ONLY be used to "run nc".  A server
side proxy is used to add greater security.

Bacula currently has the following vulnerabilities.
1. A "shared" secret.  The above method uses pub/priv keys.
2. Certificates used for SSL? Do you buy them or use self-signed?
  2a. Setting up a CA and adding that to the root CAs on the DIR side?
        This would be more difficult and error-prone, ssh automates
         most of this.  <With the "Is this the correct fingerprint?">

In this method the client and server "are authenticated" using *cheaper*
methods, perhaps just as secure.  I also add points for being easier
to set up, like not having to deal with signatures, only the keys need
to be set up.

> >>> bacula-sd   stream     tcp   nowait    root   /usr/bin/ssh -q -T -o BatchMode=yes -i /etc/ssh/vault7-sd_dsa_key [EMAIL PROTECTED]
> >>>
> >>> # note for BatchMode to work the server's key needs to be added to the
> >>> # "system's" known_hosts file, you can also use DNS(but don't quote
> >>> # me.)  ""you will need BatchMode"" so you need to copy the key.
> >>>
> >>> vault7:~visi/.ssh/authorized_keys
> >>> from=mgmt8,command="nc localhost bacula-sd",<othersecureoptions> <the
> >>> dsa key>
> 
> >> Arno
> >>
> >>> ------------------------------------------------------------------------
> >>>
> >>> -------------------------------------------------------------------------
> >>> This SF.net email is sponsored by: Microsoft
> >>> Defy all challenges. Microsoft(R) Visual Studio 2005.
> >>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> >>>
> >>>
> >>> ------------------------------------------------------------------------
> >>>
> >>> _______________________________________________
> >>> Bacula-users mailing list
> >>> Bacula-users@lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/bacula-users
> >> -- 
> >> Arno Lehmann
> >> IT-Service Lehmann
> >> www.its-lehmann.de
> >>
> 

-- 
/****************************************************************
 *   Mike Mestnik: Junior Admin          612-395-8932           *
 *      [EMAIL PROTECTED]                  VISI Inc.            *
 ****************************************************************/
 Alt address: [EMAIL PROTECTED]
