[jboss-as7-dev] How hard would it be to support key based auth by default to make life simpler and more secure ?

Jason T. Greene jason.greene at redhat.com
Mon Nov 14 10:34:37 EST 2011


Alternatively we could do cert generation in this same way (on first 
use), although we would have to modify the admin web server to do TLS 
lazily.

On 11/14/11 9:06 AM, Jason T. Greene wrote:
> Yeah this is why I like the username/password option the best. All of
> tools, including the CLI, can just notice there is no entry in the props
> file and just ask "Hey you didn't configure a user, would you like me to
> add one?"
>
> The passwords are stored in digest crypt form, and can be easily
> generated by any other external tools IDE etc. We also don't have a
> chicken-egg problem with somehow triggering the transport to relaunch,
> since the user auth is lazily discoverd (one the file is changed we notice).
>
> On 11/14/11 9:00 AM, Bill Burke wrote:
>> Geez guys, we're not trying to have CIA/NSA level security out of the
>> box.  We're just trying to prevent the case where a really stupid user
>> (aka The Server Side) deploys their application on the internet without
>> thinking one bit about security.
>>
>> On 11/14/11 9:56 AM, Andrig Miller wrote:
>>> It's also a problem with servers with SSD's. I ran into this myself.
>>>
>>> Andy
>>>
>>> ------------------------------------------------------------------------
>>>
>>>       *From: *"Jason T. Greene"<jason.greene at redhat.com>
>>>       *To: *"Darran Lofthouse"<darran.lofthouse at jboss.com>
>>>       *Cc: *jboss-as7-dev at lists.jboss.org
>>>       *Sent: *Monday, November 14, 2011 7:53:38 AM
>>>       *Subject: *Re: [jboss-as7-dev] How hard would it be to support key
>>>       based auth by default to make life simpler and more secure ?
>>>
>>>       It's something I thought about, we would have to make up a bunch of
>>>       stuff in the CERT (not a big deal I guess). Although the thing I worry
>>>       about is that cert generation requires gathering a major amount of
>>>       entropy from /dev/random. It would seriously affect boot time, and it
>>>       would potentially pause for a long period to gather more entropy. This
>>>       is a problem for headless devices for example, that don't have a
>>>       keyboard and mouse connected to them.
>>>
>>>       On 11/14/11 7:57 AM, Darran Lofthouse wrote:
>>>        >   It would need to be SSL not SSH as we need to support the
>>>       mechanism for
>>>        >   both the Native interface and the HTTP interface but I am starting to
>>>        >   like this as an out of the box scenario.
>>>        >
>>>        >   The advantage we have for the browser is we can always display a nice
>>>        >   HTML page when they connect with full instructions, it is the other
>>>        >   mechanisms where we have less opportunity to dynamically provide
>>>       guidance.
>>>        >
>>>        >   On 11/14/2011 01:42 PM, Bill Burke wrote:
>>>        >>   You could just have the app-server automatically generate the
>>>       keys for
>>>        >>   you the first time it ever boots (or even every boot cycle).
>>>       Just have
>>>        >>   the CLI look at a pre-defined directory for the generated
>>>       key-pair. THe
>>>        >>   idea here is that CLI works perfectly out-of-the-box with no
>>>       config on
>>>        >>   the same machine as the CLI runs on. What is still protected is a
>>>        >>   remote machine accessing the app-server. This is fine, IMO.
>>>        >>
>>>        >>   Usability problems still exist though as you would need to
>>>       import the
>>>        >>   client-auth key into your browser. But, maybe this is a good
>>>       thing as
>>>        >>   it will require the user to think about how they want to secure the
>>>        >>   app-server.
>>>        >>
>>>        >>   On 11/14/11 6:40 AM, Max Rydahl Andersen wrote:
>>>        >>>>>>
>>>        >>>>>>   These will make all examples that uses maven deploy plugin,
>>>       cli scripts, arquillian, jboss tools etc. to somehow
>>>        >>>>>>   either tell users to type in their username and full
>>>       password in clear text in pom.xml and other files.
>>>        >>>>>>
>>>        >>>>>>   Which sounds worse to me than a default locked down to only
>>>       localhost…but I'm not a security expert :)
>>>        >>>>>>
>>>        >>>>>>   I was wondering how hard it would be to make the
>>>       authentication support key based auth by default and we make
>>>        >>>>>>   the tools use ${user.name} and
>>>       ${user.home}/.jboss/default.pub and .priv (or some other name) for
>>>       the public/private keys ?
>>>        >>>>>
>>>        >>>>>   You would need a key-based SASL authentication mechanism.
>>>       There are no
>>>        >>>>>   standard ones as of right now. If you know of a key-based SASL
>>>        >>>>>   mechanism that you think we should support, let me know and we'll
>>>        >>>>>   evaluate it.
>>>        >>>>
>>>        >>>>   We would have to do noauth + SSL + trust. I think it's an
>>>       option worth considering. The big problem though is that we have to
>>>       have a setup process to generate the certs, which is greater
>>>       complexity than the user/pass option. We would have to generate a
>>>       host key pair and a client key pair.
>>>        >>>
>>>        >>>
>>>        >>>   I'm not an expert on these things at all but eclipse uses
>>>       http://www.jcraft.com/jsch/ to manage and create ssh keys and uses
>>>       the standard .ssh location's etc.
>>>        >>>
>>>        >>>   Is something additional needed ?
>>>        >>>
>>>        >>>   /max
>>>        >>>   http://about.me/maxandersen
>>>        >>>
>>>        >>>
>>>        >>>
>>>        >>>
>>>        >>>   _______________________________________________
>>>        >>>   jboss-as7-dev mailing list
>>>        >>>   jboss-as7-dev at lists.jboss.org
>>>        >>>   https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>        >>
>>>        >   _______________________________________________
>>>        >   jboss-as7-dev mailing list
>>>        >   jboss-as7-dev at lists.jboss.org
>>>        >   https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>
>>>
>>>       --
>>>       Jason T. Greene
>>>       JBoss AS Lead / EAP Platform Architect
>>>       JBoss, a division of Red Hat
>>>       _______________________________________________
>>>       jboss-as7-dev mailing list
>>>       jboss-as7-dev at lists.jboss.org
>>>       https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> jboss-as7-dev mailing list
>>> jboss-as7-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>
>
>


-- 
Jason T. Greene
JBoss AS Lead / EAP Platform Architect
JBoss, a division of Red Hat


More information about the jboss-as7-dev mailing list