[Fusioninventory-devel] Dropping the authentication token

Tomás Abad tabadgp at gmail.com
Fri Mar 1 09:46:01 UTC 2013


Hello Guillaume,

On Thu, Feb 28, 2013 at 5:05 PM, Guillaume Rousse
<guillomovitch at gmail.com> wrote:
> The master+nomoretoken branch I just committed today allows getting rid of the
> authentication token, simply by automatically trusting all target servers.
>
> Advantages:
> - one less variable to share with the http server thread
> - one less variable to ensure persistence on agent side
> - no more need to wait for initial dialog between agent and server to
> complete before the server can control the agent
> - less code
>
> Disadvantages:
> - anything on the server host can force agent execution, not just the server
> itself (to be balanced against: anything able to bruteforce or intercept
> the token can achieve it).

  How does the agent know whether it must answer a request? I suppose
that the agent would just answer (or will answer) requests whose
origin is a server machine included in the 'server' option of the
agent. I would like to confirm this.

   Thank you in advance.
