author Niko Tyni <ntyni@iki.fi> 2008-03-18 17:12:13 +0100
committer Niko Tyni <ntyni@iki.fi> 2008-03-18 17:12:13 +0100
commit 8227b83b7337c57d9c8a5820792626ab5c196426 (patch)
tree 67b66e6ab3f0fe04793afb33f8daf5a18ad5675d
parent ce9013c52ea8299c608d9cdf3f3697454057a5d4 (diff)
add some security notes to the master/slave documentation --niko
-rw-r--r-- CHANGES 2
-rw-r--r-- doc/smokeping_master_slave.pod 19
-rw-r--r-- lib/Smokeping.pm 5
3 files changed, 23 insertions, 3 deletions
diff --git a/CHANGES b/CHANGES
index 86dac26..ce9d054 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+* add some security notes to the master/slave documentation --niko
+
* Switch message hash generation to Digest::HMAC_MD5 (bundled) since this
prevents the extension attack. Note that this change requires that you
upgrade client and server in sync (you should do that anyway, but
diff --git a/doc/smokeping_master_slave.pod b/doc/smokeping_master_slave.pod
index 009a6c2..bd3b41f 100644
--- a/doc/smokeping_master_slave.pod
+++ b/doc/smokeping_master_slave.pod
@@ -33,9 +33,9 @@ of probing it connects to the master again to deliver the results.
If the assignment for a slave changes, the master will tell the slave after
the slave has delivered its results.
-The master and the slaves sign their messages by supplying an md5 hash of the
-message appended with a shared secret. Optionally the whole communication
-can run over ssl.
+The master and the slaves sign their messages by supplying an HMAC-MD5
+code (RFC 2104) of the message and a shared secret. Optionally the whole
+communication can run over ssl.
[slave 1] [slave 2] [slave 3]
| | |
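Review bot: The rewritten sentence "Optionally the whole communication can run over ssl" still treats transport encryption as a side remark, even though the SECURITY CONSIDERATIONS section added later in this same file names a man-in-the-middle as the threat. A pointer from this paragraph to that section would tie the two together. The phrase "HMAC-MD5 code (RFC 2104) of the message and a shared secret" would be more precise as an HMAC-MD5 code of the message keyed with the shared secret, and "ssl" should be capitalised as "SSL".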
@@ -119,6 +119,19 @@ F</tmp/smokeping.$USER.cache>.
--cache-dir=/var/smokeping/ \
--shared-secret=/var/smokeping/secret.txt
+=head1 SECURITY CONSIDERATIONS
+
+The master effectively has full access to slave hosts as the user the
+slave smokeping instance is run as. The configuration is transferred as
+Perl code that is evaluated on the slave. While this is done inside a
+restricted C<Safe> compartment, there are various ways that a malicious
+master could use to embed arbitrary commands in the configuration and
+get them to run when the slave probes its targets.
+
+The strength of the shared secret is thus of paramount importance. Brute
+forcing the secret would enable a man-in-the-middle to inject a malicious
+new configuration and compromise the slave.
+
=head1 COPYRIGHT
Copyright (c) 2007 by Tobias Oetiker, OETIKER+PARTNER AG. All right reserved.
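Review bot: The new SECURITY CONSIDERATIONS section states the risk but gives the operator nothing to act on. After "The strength of the shared secret is thus of paramount importance", say how the secret should be chosen (for example long and randomly generated). Since the first paragraph ties the master's access to "the user the slave smokeping instance is run as", recommend running the slave under a dedicated unprivileged account. Also refer back to the SSL option mentioned earlier in this document. The wording "various ways that a malicious master could use to embed" is awkward; "various ways a malicious master could embed" reads better.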
diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm
index 84775eb..13410af 100644
--- a/lib/Smokeping.pm
+++ b/lib/Smokeping.pm
@@ -3347,6 +3347,11 @@ and the secret:
slave1:secret1
slave2:secret2
...
+
+Note that these secrets combined with a man-in-the-middle attack
+effectively give shell access to the corresponding slaves (see
+L<smokeping_master_slave>), so the file should be appropriately protected
+and the secrets should not be easily crackable.
END_DOC
},
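Review bot: "appropriately protected" and "should not be easily crackable" in the added note are too vague for a file that, by this text's own account, is equivalent to shell access on the slaves. State the expected ownership and permissions (readable only by the account that needs it) and give a concrete expectation for how the secrets are generated. The example lines just above the note, "slave1:secret1" and "slave2:secret2", would also be better as placeholders that cannot be mistaken for an acceptable secret.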