
Implement PSK for remote CIB administration and deprecate insecure methods
Open (Work In Progress), Wishlist, Public

Authored By
kgaillot
Dec 23 2024, 10:58 AM

Description

Remote CIB administration currently supports unencrypted communication (completely insecure), keyless encryption (subject to man-in-the-middle attacks), and certificate-based encryption. Pacemaker Remote supports pre-shared key (PSK) encryption and certificate-based encryption.

For consistency and security, implement PSK encryption for remote CIB administration, and deprecate the ability to use keyless encryption and unencrypted communication. Currently, a slight mistake in configuring certificate-based encryption could leave the server in an insecure state.

Also create a task to drop the deprecated methods at a new release series.

Event Timeline

kgaillot triaged this task as Wishlist priority. Dec 23 2024, 10:58 AM
kgaillot created this task.
kgaillot created this object with edit policy "Restricted Project (Project)".
clumens added a project: Restricted Project. Thu, Jan 2, 3:44 PM
clumens added a subscriber: clumens.

With the recent TLS changes, I think we have all the pieces in place and this should be a simple matter of gluing them together. Most everything in remote CIB admin/Pacemaker Remote gnutls connection management land is pretty well broken into functions now. It might simply be a matter of passing the right cred_type around - it's probably more work to check the environment or command line (or whatever) to decide what connection type it is than it will be to actually implement this.

clumens changed the task status from Open to WIP. Fri, Jan 3, 11:13 AM
clumens claimed this task.