[Nut-upsdev] Client certificates

EmilienKia at Eaton.com EmilienKia at Eaton.com
Wed Jan 12 09:30:57 UTC 2011 

 

> -----Message d'origine-----
> De : 
> nut-upsdev-bounces+emilienkia=eaton.com at lists.alioth.debian.or
> g 
> [mailto:nut-upsdev-bounces+emilienkia=eaton.com at lists.alioth.d
> ebian.org] De la part de Arjen de Korte
> Envoyé : mercredi 12 janvier 2011 09:59
> À : nut-upsdev at lists.alioth.debian.org
> Objet : Re: [Nut-upsdev] Client certificates
> 
> Citeren EmilienKia at Eaton.com:
> 
> > I have added client certificate checking mainly to avoid 
> > man-in-the-middle attacks or identity usurpation.
> 
> A man-in-the-middle attack is impossible if you verify the 
> server certificate (CERTVERIFY 1). If someone manages to 
> stage a man-in-the-middle attack by providing a certificate 
> that is trusted by your clients CA store, you have bigger 
> worries than this.
> 
> > Indeed If you just have server authentication (like 99% the 
> web where 
> > just the sertver auth is required), you are just sure of 
> the server's 
> > identity, but not the client's one.
> 
> That's why we have users defined in 'upsd.users'. Generally 
> speaking, we want to grant/limit access to a role/person 
> (user/password) rather than a machine (client).
> 
> > If you do not want that a vilain execute vicious commands 
> (if it has 
> > the login/password), the server must be sure of the 
> client's identity.
> 
> I see no difference here. You're using the same file 
> (upsmon.conf) to store the existing user/password mechanism 
> and the information to use a client certificate. If someone 
> unauthorized is able to read this file, you're toast either 
> way, so the client certificate is not adding to the security here.
> 
> In general, you should have at least three different users defined in
> upsd.users:
> 
>      upsslave - only able to read status information from the server
>      upsmaster - same as the above, but can also initiate a FSD
>      admin - can issue instant commands and change settings
> 
> The admin account should *never* be used in 'upsmon.conf' and 
> only be used by operators for changing settings or initiating 
> instant commands. Practically they should use a secure shell 
> to connect to the upsd server and issue the commands there. 
> So most of the time, you'll want to limit access to this 
> account to the localhost interface only (maybe additionally 
> the webserver too, if you use that for remote administration).
> 

If you think that login/password is enought to authenticate clients, I can remove SSL client authentication parts. It is not a problem.

> > Moreover, note that the password is exchenaged uncrypted or 
> unhashed 
> > (do not take in account the SSL tunnel) so nothing can prevent a 
> > manè-in-the-middle attack because the server can not detect 
> it speaks 
> > to a vilain (or a client via a vilain) and not directly to the real 
> > client.
> 
> If you can't trust your network (which in the vast majority 
> of the cases is not the case, because it will be internal), 
> use SSL encryption. It is then the responsibility of the 
> client to not sent username/password if it can't verify the 
> server certificate (which is the case in upsmon already).
> 
> Generally speaking a client will be aware that it is talking 
> to the server over an untrusted network (for instance, an 
> operator monitoring a UPS in a remote location). In that 
> case, 'CERTVERIFY 1' will make sure the user/password 
> information remains secure.
> 
> Also note that the amount of mischief a upsmon client can do, 
> is limited to initiating a FSD if it is in master mode only. 
> Changing settings and initiating instant commands is limited 
> to the upsrw and upscmd tools respectively, which don't use 
> encryption at all. This means that these can only be run 
> securely on the remote system itself (for instance in a ssh).
> 
> I'm still not convinced that client certificates are 
> needed/useful for upsmon.


I have implemented SSL/NSS in the upscli part, not directly in upsmon.
Actually, just upsmon uses it but, ideally, all clients should use SSL to dialog with upsd.

BR
Emilien

--------------------------------------------------------------------------

More information about the Nut-upsdev mailing list