author | Niko Tyni <ntyni@iki.fi> | 2008-03-18 17:12:13 +0100 |
---|---|---|
committer | Niko Tyni <ntyni@iki.fi> | 2008-03-18 17:12:13 +0100 |
commit | 8227b83b7337c57d9c8a5820792626ab5c196426 (patch) | |
tree | 67b66e6ab3f0fe04793afb33f8daf5a18ad5675d | |
parent | ce9013c52ea8299c608d9cdf3f3697454057a5d4 (diff) | |
download | smokeping-8227b83b7337c57d9c8a5820792626ab5c196426.tar.gz smokeping-8227b83b7337c57d9c8a5820792626ab5c196426.tar.xz |
add some security notes to the master/slave documentation --niko
-rw-r--r-- | CHANGES | 2 | ||||
-rw-r--r-- | doc/smokeping_master_slave.pod | 19 | ||||
-rw-r--r-- | lib/Smokeping.pm | 5 |
3 files changed, 23 insertions, 3 deletions
@@ -1,3 +1,5 @@ +* add some security notes to the master/slave documentation --niko + * Switch message hash generation to Digest::HMAC_MD5 (bundled) since this prevents the extension attack. Note that this change requires that you upgrade client and server in sync (you should do that anyway, but diff --git a/doc/smokeping_master_slave.pod b/doc/smokeping_master_slave.pod index 009a6c2..bd3b41f 100644 --- a/doc/smokeping_master_slave.pod +++ b/doc/smokeping_master_slave.pod @@ -33,9 +33,9 @@ of probing it connects to the master again to deliver the results. If the assignment for a slave changes, the master will tell the slave after the slave has delivered its results. -The master and the slaves sign their messages by supplying an md5 hash of the -message appended with a shared secret. Optionally the whole communication -can run over ssl. +The master and the slaves sign their messages by supplying an HMAC-MD5 +code (RFC 2104) of the message and a shared secret. Optionally the whole +communication can run over ssl. [slave 1] [slave 2] [slave 3] | | | @@ -119,6 +119,19 @@ F</tmp/smokeping.$USER.cache>. --cache-dir=/var/smokeping/ \ --shared-secret=/var/smokeping/secret.txt +=head1 SECURITY CONSIDERATIONS + +The master effectively has full access to slave hosts as the user the +slave smokeping instance is run as. The configuration is transferred as +Perl code that is evaluated on the slave. While this is done inside a +restricted C<Safe> compartment, there are various ways that a malicious +master could use to embed arbitrary commands in the configuration and +get them to run when the slave probes its targets. + +The strength of the shared secret is thus of paramount importance. Brute +forcing the secret would enable a man-in-the-middle to inject a malicious +new configuration and compromise the slave. + =head1 COPYRIGHT Copyright (c) 2007 by Tobias Oetiker, OETIKER+PARTNER AG. All right reserved. 
diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm index 84775eb..13410af 100644 --- a/lib/Smokeping.pm +++ b/lib/Smokeping.pm @@ -3347,6 +3347,11 @@ and the secret: slave1:secret1 slave2:secret2 ... + +Note that these secrets combined with a man-in-the-middle attack +effectively give shell access to the corresponding slaves (see +L<smokeping_master_slave>), so the file should be appropriately protected +and the secrets should not be easily crackable. END_DOC }, |
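Review bot: In the doc/smokeping_master_slave.pod hunk at @@ -33,9 +33,9 @@, the rewritten sentence still says the master and the slaves "sign" their messages, but an HMAC keyed with a shared secret is a message authentication code, not a signature: either side holding the secret can produce a valid code. Suggest wording such as "authenticate their messages with an HMAC-MD5 code (RFC 2104) computed over the message with the shared secret as the key". The current phrase "of the message and a shared secret" also reads like the old hash-of-concatenation scheme that the CHANGES entry says was replaced.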
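Review bot: In the new SECURITY CONSIDERATIONS section (doc/smokeping_master_slave.pod, @@ -119,6 +119,19 @@), the text states the risk but gives the slave operator no concrete action. The first paragraph says the master has full access "as the user the slave smokeping instance is run as", so it should recommend running the slave under a dedicated unprivileged account. The second paragraph names a man-in-the-middle as the threat, so it should point back to the SSL option mentioned earlier in the same document. It would also help to say that the file passed to --shared-secret (/var/smokeping/secret.txt in the example just above) must be readable only by that account, since the lib/Smokeping.pm note covers only the master's secrets file.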
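Review bot: In the lib/Smokeping.pm hunk at @@ -3347,6 +3347,11 @@, "appropriately protected" and "not be easily crackable" are too vague for a file whose contents are described as effectively giving shell access to the slaves. Suggest stating the expectation directly, for example that the file should be readable only by the user the master runs as and that each secret should be a long random string. The cross-reference could also target the new section, L<smokeping_master_slave/"SECURITY CONSIDERATIONS">, rather than the whole page.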