[Freedombox-discuss] Kerberos and remctl instead of exmachina?

Jonas Smedegaard dr at jones.dk
Tue Sep 3 07:08:21 UTC 2013 

Quoting Petter Reinholdtsen (2013-09-03 08:08:00)
> [Jonas Smedegaard]
> > I am still unfamiliar with exmachina, but seems to me that its 
> > purpose is to handle execution of cross-account yet same-host, 
> > whereas purpose of remctl seems to be remote-host execution.
> 
> Yes.
> 
> > Seems wrong for me to expect non-technical users of some "black box" 
> > to be in possesion of Kerberos-enabled systems needed for 
> > controlling their box.
> 
> My idea was to use Kerberos also locally using a keytab file to store 
> the password (instead of the current approach, which is storing the 
> password in some home made mechanism), while providing two extra and 
> useful services - kerberos and remctl.
> 
> Part of the reason was that exmachina isn't used anywhere else, and do 
> not seem to get much upstream attention, which made me worry about the 
> sustainability of the solution.
> 
> A few days ago I wrote to Bryan Newbold about merging rules to make a 
> Debian package:
> 
> [Petter Reinholdtsen]
> > Hi.  I just made a branch with the changes needed to create a deb of 
> > exmachina, to make it easier to set up a freedombox using deb 
> > packages.  Please have a look at <URL: 
> > http://gitorious.org/exmachina/petterreinholdtsens-exmachina > and 
> > consider including it in the "official" version of exmachina.
> 
> I got this fairly surprising reply (checked with him if it was OK to 
> quote him here :):
> 
> [Bryan Newbold]
> > There is no "official" version of exmachina, it was only a thought 
> > experiment to solicit feedback. I have removed the repository from 
> > github to prevent future use of the example code; you are of course 
> > welcome to re-implement the concept, though I never received enough 
> > feedback to convince myself that it was a good idea.
> 
> So the "upstream" repository is gone, and the source now live in a 
> brach with Nick and me, I guess. :)
> 
> I suspect we are better of finding some alternative, preferably 
> something also used elsewhere. :)

Fully acknowledged.

Regarding use of remctl for this, that sounds heavyweight to me.  Why is 
password storage needed at all?  If this is about providing trusted 
access from a web interface to changing config files, then it seems to 
me with *any* trust-gaining method that the real issue is in limiting 
how big a door we leave open, and seems to me we don't need Kerberos at 
all.

What I am thinking is a CGI interface run as an isolated user (e.g. via 
uwsgi or apache2-suexec) talking to debconf.  I don't see how Kerberos 
kan strengthen security - only complicate the setup adding amount of 
potential attack vectors.

For a GeekBox I would find it a quite interesting approach to use remctl 
- but not for a FreedomBox (i.e. a box for non-geeks with no sysadmin).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20130903/3b7efb57/attachment.sig>

More information about the Freedombox-discuss mailing list