[Nut-upsdev] Client certificates
Arjen de Korte
nut+devel at de-korte.org
Wed Jan 12 09:59:59 UTC 2011
Quoting EmilienKia at Eaton.com:
> If you think that login/password is enough to authenticate clients,
> I can remove SSL client authentication parts. It is not a problem.
Well, I don't think it adds something, other than another option that
we'll get loads of questions about.
[...]
>> I'm still not convinced that client certificates are
>> needed/useful for upsmon.
> I have implemented SSL/NSS in the upscli part, not directly in upsmon.
I know that. But you've added this to the upsd server as well.
> Actually, just upsmon uses it but, ideally, all clients should use
> SSL to dialog with upsd.
Not necessarily.
The reason for adding SSL to upsmon, is that upsmon is a program that
runs in the background. Although it would be possible to run it in an
SSL tunnel through an external means, it is much easier to configure
if you do this in the client itself.
It's different for the other clients (like upsrw and upscmd). Since
these are commandline tools, it is quite possible to run them in a
secure shell without having to worry that username/password can be
sniffed (if you're using an unprotected network). So unlike upsmon, it
is easy to secure the connection and quite possibly, the means are
also available already. Adding SSL to these clients would require
either using a configuration file to add the information needed, or
adding loads of commandline options. I don't think either of these is
worth the effort.
Best regards, Arjen
--
Please keep list traffic on the list (off-list replies will be rejected)