[CRIU] [PATCH 2/2] p.haul: use ssh tunneling and control it with ssh* cmdline opts

Ruslan Kuprieiev kupruser at gmail.com
Mon Oct 27 14:00:44 PDT 2014


On 27.10.2014 21:50, Pavel Emelyanov wrote:
> On 10/27/2014 11:47 PM, Ruslan Kuprieiev wrote:
>> On 27.10.2014 20:38, Pavel Emelyanov wrote:
>>> On 10/27/2014 11:33 PM, Ruslan Kuprieiev wrote:
>>>> On 27.10.2014 20:23, Pavel Emelyanov wrote:
>>>>> On 10/27/2014 11:20 PM, Ruslan Kuprieiev wrote:
>>>>>> On 27.10.2014 20:13, Pavel Emelyanov wrote:
>>>>>>> On 10/27/2014 04:56 PM, Ruslan Kuprieiev wrote:
>>>>>>>> Currently we have such security holes:
>>>>>>>>
>>>>>>>> 1) All p.haul traffic goes without any encryption, which is
>>>>>>>> not safe at all, considering that an attacker can easily peek at memory pages
>>>>>>>> of the migrating process. Let's solve that by using an ssh tunnel, which allows
>>>>>>>> us to easily encrypt and compress traffic.
>>>>>>>> Compressing is useful only when the connection is very slow, but will only
>>>>>>>> slow things down on fast networks.
>>>>>>>> Using an ssh tunnel also allows us to solve the keys\certificates management
>>>>>>>> problem in a very common way that is familiar to any system administrator.
>>>>>>>>
>>>>>>>> 2) p.haul-service binds to 0.0.0.0 and is accessible from the outside
>>>>>>>> for anyone who is trying to connect to it. So an attacker can easily connect
>>>>>>>> to p.haul-service and migrate some malicious process to the server.
>>>>>>>> Let's fix that by binding p.haul-service to 127.0.0.1 so it is accessible
>>>>>>>> only from its localhost.
>>>>>>>>
>>>>>>>> So, basically, we perform following actions when migrating process
>>>>>>>> from src to dest:
>>>>>>>> 1. (user at dest) Start p.haul-service on localhost:12345
>>>>>>>> 2. (user at src)  Create ssh tunnel:
>>>>>>>> 	ssh -NC 54321:localhost:12345 remote_ip
>>>>>>> This is done by p.haul, right? What if ssh will need to ask for
>>>>>>> a password, what would it do?
>>>>>> http://www.linuxproblem.org/art_9.html
>>>>>> Good system administrators don't use passwords, they use keys =).
>>>>>> http://www.linuxproblem.org/art_9.html
>>>>> OK. Do you _enforce_ spawned ssh to use keys? And fail in case
>>>>> keys are missing.
>>>> It is common practice to not use passwords in scripts.
>>>> We call ssh using Popen, so there is actually no good way to
>>>> use ssh with password. Yes, it will fail if keys are not authorized.
>>> Why would it fail? ssh would inherit stdios from python, they
>>> can be terminal. There's a special option for ssh to enforce using
>>> keys and bail out otherwise.
>>>
>> Well, the problem is we can't tell from outside when ssh is done asking
>> the user about the password. And if we use the "-f" option, it will go into the background
>> and we will not be able to use ssh.terminate().
>> I've used os.system and "-f" option to allow asking user about password,
>> but the downside is that we should terminate it by using
>> os.system("pkill -f ..."),
>> which isn't nice.
>> I prefer to not ask the user for a password, because it is a lot safer. Every
>> system administrator knows how to gen those keys.
> Yes, I agree. My point is that you should force ssh to use keys and
> not ask for password. The -o BatchMode=yes one.
>
Oh! Thanks! =)
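As an added example (not code from this thread or from p.haul itself), here is how a Python caller can spawn the ssh tunnel discussed above with Popen so that it fails instead of prompting: `-o BatchMode=yes` forces key authentication, stdin is detached so ssh can never block on a terminal, and `terminate()` tears the tunnel down when the migration is over. The helper names and the `ExitOnForwardFailure` option are my additions; the ports 54321 and 12345 are the ones from the thread.

```python
"""Spawn and tear down a p.haul ssh tunnel without ever prompting for a password."""
import subprocess
import time


def tunnel_argv(remote, local_port=54321, remote_port=12345, compress=False, ssh="ssh"):
    """Build the ssh command line for a local port forward (hypothetical helper).

    -N                     : no remote command, forward only
    -o BatchMode=yes       : never ask for a password/passphrase; fail if keys are missing
    -o ExitOnForwardFailure: exit non-zero if the -L forward cannot be set up
    -C                     : compression, only worth it on slow links
    """
    argv = [ssh, "-N", "-o", "BatchMode=yes", "-o", "ExitOnForwardFailure=yes"]
    if compress:
        argv.append("-C")
    argv += ["-L", "%d:localhost:%d" % (local_port, remote_port), remote]
    return argv


class SshTunnel(object):
    """Keep the tunnel process alive for a with-block and terminate it on exit."""

    def __init__(self, argv, settle=0.2):
        self.argv = argv
        self.settle = settle  # seconds to wait for an immediate ssh failure
        self.proc = None

    def __enter__(self):
        # stdin is /dev/null: even a misconfigured ssh cannot hang on a prompt
        self.proc = subprocess.Popen(self.argv, stdin=subprocess.DEVNULL)
        # surface an early exit (no key, host unreachable) instead of letting
        # the caller connect to a local port nobody is listening on
        time.sleep(self.settle)
        if self.proc.poll() is not None:
            raise RuntimeError("ssh tunnel exited with status %d" % self.proc.returncode)
        return self

    def __exit__(self, exc_type, exc, tb):
        # same handle we spawned with, so no "pkill -f" is needed
        self.proc.terminate()
        self.proc.wait()
        return False


if __name__ == "__main__":
    with SshTunnel(tunnel_argv("remote_ip")):
        print("tunnel up on localhost:54321, run the p.haul client against it")
```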
