Arve's made a comment in the "Official ASF process for re-writing code" thread about accepting SSL certs that I wanted to comment on, without hijacking that thread:

CloudStack (and most (maybe all) Cloud management platforms I've seen) blindly accept any ssh host keys or SSL certificates they encounter. As a security guy, to me this is Bad - we're throwing out a key ability to recognize impostors.

What I'd like to see is probably a "don't blindly trust keys" configuration option that's disabled by default. That way, those who like the status quo can continue right along. In my mind, I envision the following functionality to be enabled when the configuration flag is enabled:

* ssh connections between mgmt server/hosts and between hosts/SSVMs would NOT blindly accept ssh keys, but would log an error that's clearly logged specifying that either a host key mismatch or an unrecognized key was encountered. This then becomes an admin's problem to fix.

* SSL based connections would similarly not blindly trust a self-signed or mismatched SSL certificate, but attempt the verification and only proceed if the cert was validated. Otherwise, a detailed error is logged specifying the service, host, and key. This then becomes an admin's problem to fix.

Possibly a simple utility script similar to the SSVM test script could be written that would check to make sure that various ssh/ssl connections are working properly, and if not would clearly point them out.

Thoughts? I'm not expecting to fix this for CS4, but if we can come to a general agreement we can throw it on the roadmap.

John

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella
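The ssh side of the proposal above, as an added illustration that is not part of the post and not CloudStack code: a small known_hosts check that distinguishes a trusted key from an unrecognized key and from a mismatch (the two cases the post wants logged distinctly), builds the log line naming host, key type and fingerprint, and gates the connection on a "strict" flag that defaults to off so the current behaviour is preserved unless an admin opts in. The known_hosts text, host names and key bytes are constructed for the example; the flag name strict_host_keys is an assumption, not an existing CloudStack setting.

```python
"""Known-hosts style SSH host key verification with an opt-in strict flag (added example)."""
import base64
import hashlib
from enum import Enum


class HostKeyStatus(Enum):
    TRUSTED = "trusted"    # presented key equals the stored key for this host
    UNKNOWN = "unknown"    # no stored key for this host / key type
    MISMATCH = "mismatch"  # stored key exists but differs: possible impostor


def parse_known_hosts(text):
    """Parse OpenSSH known_hosts lines into {(host, keytype): raw_key_bytes}.

    Handles comments, blank lines and comma-separated host lists. Hashed
    entries (|1|...) and marker lines (@cert-authority, @revoked) are skipped
    to keep the example short.
    """
    known = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@|":
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        try:
            key = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for host in hosts.split(","):
            known[(host, keytype)] = key
    return known


def fingerprint(key):
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known, host, keytype, presented):
    """Classify the presented key and build the admin-facing log message."""
    stored = known.get((host, keytype))
    if stored is None:
        status = HostKeyStatus.UNKNOWN
        msg = f"unrecognized host key for {host} ({keytype}, {fingerprint(presented)})"
    elif stored == presented:
        status = HostKeyStatus.TRUSTED
        msg = f"host key for {host} ({keytype}) matches known_hosts, {fingerprint(presented)}"
    else:
        status = HostKeyStatus.MISMATCH
        msg = (f"HOST KEY MISMATCH for {host} ({keytype}): expected "
               f"{fingerprint(stored)}, got {fingerprint(presented)}")
    return status, msg


def should_connect(status, strict_host_keys=False):
    """Policy switch (hypothetical config flag, default off as the post suggests).

    Flag off: accept any key, i.e. today's behaviour. Flag on: only a TRUSTED
    key lets the connection proceed; UNKNOWN and MISMATCH are refused and the
    message from check_host_key() is what the admin sees.
    """
    if not strict_host_keys:
        return True
    return status is HostKeyStatus.TRUSTED


# Constructed sample data: made-up key bytes, not real SSH keys.
HOST1_KEY = b"constructed-key-for-host1"
HOST2_KEY = b"constructed-key-for-host2"
KNOWN_HOSTS = (
    "# constructed known_hosts for the example\n"
    f"host1.lab,10.0.0.11 ssh-ed25519 {base64.b64encode(HOST1_KEY).decode()}\n"
    f"host2.lab ssh-rsa {base64.b64encode(HOST2_KEY).decode()}\n"
)


if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    checks = [
        ("host1.lab", "ssh-ed25519", HOST1_KEY),        # trusted
        ("10.0.0.11", "ssh-ed25519", b"impostor-key"),  # mismatch
        ("host3.lab", "ssh-ed25519", HOST1_KEY),        # unknown
    ]
    for host, keytype, key in checks:
        status, msg = check_host_key(known, host, keytype, key)
        for strict in (False, True):
            verdict = "connect" if should_connect(status, strict) else "refuse"
            print(f"strict={strict!s:5} {status.value:8} {verdict:7} {msg}")
```

The same three-way outcome (trusted, unknown, mismatch) is what a real client library reports through its host key policy; the point of the example is that the mismatch case carries both fingerprints in the log line, so an admin can tell a rebuilt host from a key that was never seen before.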
CloudStack (and most (maybe all) Cloud management platforms I've seen) blindly accept any ssh host keys or SSL certificates they encounter. As a security guy, to me this is Bad - we're throwing out a key ability to recognize impostors. What I'd like to see is probably a "don't blindly trust keys" configuration option that's disabled by default. That way, those who like the status quo can continue right along. In my mind, I envision the following functionality to be enabled when the configuration flag is enabled: * ssh connections between mgmt server/hosts and between hosts/SSVMs would NOT blindly accept ssh keys, but would log an error that's clearly logged specifying that either a host key mismatch or an unrecognized key was encountered. This then becomes an admin's problem to fix. * SSL based connections would similarly not blindly trust a self-signed or mismatched SSL certificate, but attempt the verification and only proceed if the cert was validated. Otherwise, detailed error is logged specifying the service, host, and key. This then becomes an admin's problem to fix. Possibly a simple utility script similar to the SSVM test script could be written that would check to make sure that various ssh/ssl connections are working properly, and if not would clearly point them out. Thoughts? I'm not expecting to fix this for CS4, but if we can come to a general agreement we can throw it on the roadmap. John Stratosec - Secure Infrastructure as a Service o: 415.315.9385 @johnlkinsella