[jboss-as7-dev] How hard would it be to support key based auth by default to make life simpler and more secure ?

Bill Burke bburke at redhat.com
Mon Nov 14 08:42:33 EST 2011


You could just have the app-server automatically generate the keys for 
you the first time it ever boots (or even every boot cycle).  Just have 
the CLI look at a pre-defined directory for the generated key-pair.  The 
idea here is that CLI works perfectly out-of-the-box with no config on 
the same machine as the CLI runs on.  What is still protected is a 
remote machine accessing the app-server.  This is fine, IMO.

Usability problems still exist though as you would need to import the 
client-auth key into your browser.  But, maybe this is a good thing as 
it will require the user to think about how they want to secure the 
app-server.

On 11/14/11 6:40 AM, Max Rydahl Andersen wrote:
>>>>
>>>> These will make all examples that use maven deploy plugin, cli scripts, arquillian, jboss tools etc. to somehow
>>>> either tell users to type in their username and full password in clear text in pom.xml and other files.
>>>>
>>>> Which sounds worse to me than a default locked down to only localhost…but I'm not a security expert :)
>>>>
>>>> I was wondering how hard it would be to make the authentication support key based auth by default and we make
>>>> the tools use ${user.name} and ${user.home}/.jboss/default.pub and .priv (or some other name) for the public/private keys ?
>>>
>>> You would need a key-based SASL authentication mechanism.  There are no
>>> standard ones as of right now.  If you know of a key-based SASL
>>> mechanism that you think we should support, let me know and we'll
>>> evaluate it.
>>
>> We would have to do noauth + SSL + trust. I think it's an option worth considering. The big problem though is that we have to have a setup process to generate the certs, which is greater complexity than the user/pass option. We would have to generate a host key pair and a client key pair.
>
>
> I'm not an expert on these things at all but eclipse uses http://www.jcraft.com/jsch/ to manage and create ssh keys and uses the standard .ssh locations, etc.
>
> Is something additional needed ?
>
> /max
> http://about.me/maxandersen
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
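The "generate the key pair on first boot, let the CLI read it from a predefined directory" design from the message above, sketched as an added Go example (not JBoss AS 7 code; the key directory, the file names cli.priv/cli.pub and the Ed25519 challenge-response are assumptions made here for illustration):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"os"
	"path/filepath"
)

// EnsureKeyPair is the "generate on first boot" step: if no key pair exists
// under dir, create one. The private key is written 0600, so only the account
// the server runs as (and a CLI on the same box running as it) can read it.
func EnsureKeyPair(dir string) (ed25519.PublicKey, error) {
	privPath := filepath.Join(dir, "cli.priv")
	pubPath := filepath.Join(dir, "cli.pub")
	if pub, err := os.ReadFile(pubPath); err == nil {
		return ed25519.PublicKey(pub), nil // already generated on an earlier boot
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	if err := os.WriteFile(privPath, priv, 0o600); err != nil {
		return nil, err
	}
	if err := os.WriteFile(pubPath, pub, 0o644); err != nil {
		return nil, err
	}
	return pub, nil
}

// CLISign is the client side: read the private key from the predefined
// directory and sign the server's challenge. A remote machine has no key
// file, so it fails here before any request reaches the server.
func CLISign(dir string, challenge []byte) ([]byte, error) {
	priv, err := os.ReadFile(filepath.Join(dir, "cli.priv"))
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), challenge), nil
}

// ServerVerify checks the CLI's signature against the public key generated at
// boot; the challenge must be a fresh random nonce per login to stop replay.
func ServerVerify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}
```

The second call to EnsureKeyPair on the same directory returns the existing key rather than regenerating it, which is what keeps the CLI working across restarts without any configuration.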



