[Libguestfs] [PATCH nbdkit] tls: Implement Pre-Shared Keys (PSK) authentication.
Daniel P. Berrangé
berrange at redhat.com
Thu Jun 28 15:54:58 UTC 2018
On Thu, Jun 28, 2018 at 10:18:25AM -0500, Eric Blake wrote:
> On 06/25/2018 12:01 PM, Richard W.M. Jones wrote:
> > ---
> > docs/nbdkit.pod.in | 45 +++++++++--
> > src/crypto.c | 234 +++++++++++++++++++++++++++++++++++++----------------
> > src/internal.h | 1 +
> > src/main.c | 8 +-
> > 4 files changed, 210 insertions(+), 78 deletions(-)
> >
>
> > +Create a PSK file containing one or more C<username:key> pairs. It is
> > +easiest to use L<psktool(1)> for this:
> > +
> > + psktool -u rich -p /tmp/psk
> > +
> > +The PSK file contains the hex-encoded random keys in plaintext. Any
> > +client which can read this file will be able to connect to the server.
>
> If I'm understanding correctly, it's also possible for a server to create a
> file that supports multiple users:
>
> c1:1234
> c2:2345
>
> but then hand out a smaller file to client c1 that contains only the c2:1234
> line, and another small file to client c2, and then a single server can not
> only accept multiple clients but also distinguish which client connected. Is
> there any reason for nbdkit as a server to additionally limit which
> resources are served depending on which client connected?
>
> But that's probably overkill for now; as it's just as easy to point nbdkit
> to the smaller file in the first place, and since right now nbdkit serves up
> at most one file, provided the client can connect in the first place (it
> would matter more for something like nbd-server, which has an init file that
> specifies multiple resources served by a single server, and therefore might
> want per-user restrictions on those resources).
I could see a situation where a host has a single file of keys + users used
for all NBD servers, and then whitelists specific user names per instance.
Not a blocker, but conceptually relevant. When I add the authorization work
to QEMU I'd intend to use that to authorize the client username.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the Libguestfs
mailing list