Page MenuHomeClusterLabs Projects

Implement PSK for remote CIB administration and deprecate insecure methods
Open, WishlistPublic

Assigned To
None
Authored By
kgaillot
Mon, Dec 23, 10:58 AM
Tags
  • Restricted Project
  • Restricted Project
Referenced Files
None
Subscribers

Description

Remote CIB administration currently supports unencrypted communication (completely insecure), keyless encryption (subject to man-in-the-middle attacks), and certificate-based encryption. Pacemaker Remote supports pre-shared key (PSK) encryption and certificate-based encryption.

For consistency and security, implement PSK encryption for remote CIB administration, and deprecate the ability to use keyless encryption and unencrypted communication. Currently, a slight mistake in configuring certificate-based encryption could leave the server in an insecure state.

Also create a task to drop the deprecated methods at a new release series.

Event Timeline

kgaillot triaged this task as Wishlist priority.Mon, Dec 23, 10:58 AM
kgaillot created this task.
kgaillot created this object with edit policy "Restricted Project (Project)".