From 8227b83b7337c57d9c8a5820792626ab5c196426 Mon Sep 17 00:00:00 2001 From: Niko Tyni Date: Tue, 18 Mar 2008 16:12:13 +0000 Subject: add some security notes to the master/slave documentation --niko --- doc/smokeping_master_slave.pod | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/smokeping_master_slave.pod b/doc/smokeping_master_slave.pod index 009a6c2..bd3b41f 100644 --- a/doc/smokeping_master_slave.pod +++ b/doc/smokeping_master_slave.pod @@ -33,9 +33,9 @@ of probing it connects to the master again to deliver the results. If the assignment for a slave changes, the master will tell the slave after the slave has delivered its results. -The master and the slaves sign their messages by supplying an md5 hash of the -message appended with a shared secret. Optionally the whole communication -can run over ssl. +The master and the slaves sign their messages by supplying an HMAC-MD5 +code (RFC 2104) of the message and a shared secret. Optionally the whole +communication can run over ssl. [slave 1] [slave 2] [slave 3] | | | @@ -119,6 +119,19 @@ F. --cache-dir=/var/smokeping/ \ --shared-secret=/var/smokeping/secret.txt +=head1 SECURITY CONSIDERATIONS + +The master effectively has full access to slave hosts as the user the +slave smokeping instance is run as. The configuration is transferred as +Perl code that is evaluated on the slave. While this is done inside a +restricted C compartment, there are various ways that a malicious +master could use to embed arbitrary commands in the configuration and +get them to run when the slave probes its targets. + +The strength of the shared secret is thus of paramount importance. Brute +forcing the secret would enable a man-in-the-middle to inject a malicious +new configuration and compromise the slave. + =head1 COPYRIGHT Copyright (c) 2007 by Tobias Oetiker, OETIKER+PARTNER AG. All right reserved. -- cgit v1.2.3-24-g4f1b
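Review bot: In the first hunk (@@ -33,9 +33,9 @@), "an HMAC-MD5 code (RFC 2104) of the message and a shared secret" still reads as if the secret were just another input next to the message. HMAC is keyed with the secret, so "an HMAC-MD5 code (RFC 2104) of the message, keyed with a shared secret" would be more accurate. The paragraph also leaves "Optionally the whole communication can run over ssl" unchanged. An HMAC only authenticates the messages and does not hide them, so it would help to say here that without SSL the configuration and results travel in clear text, and to point the reader at the new SECURITY CONSIDERATIONS section.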
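Review bot: In the second hunk (@@ -119,6 +119,19 @@), the new SECURITY CONSIDERATIONS section states that "the strength of the shared secret is thus of paramount importance" but gives the reader nothing to act on. Since the example just above it passes --shared-secret=/var/smokeping/secret.txt, I would add a sentence recommending a long, randomly generated secret and a secret file readable only by the smokeping user. The first paragraph says the master has full access "as the user the slave smokeping instance is run as", so it is also worth recommending a dedicated unprivileged account for the slave. Finally, "there are various ways that a malicious master could use to embed" reads awkwardly; "there are various ways a malicious master could embed" is simpler.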