[libvirt] connect: ssh: Shall we remove the dependency of netcat ?

Peter Krempa pkrempa at redhat.com
Tue Mar 31 12:18:14 UTC 2015


On Tue, Mar 31, 2015 at 09:02:23 +0800, zhang bo wrote:
> On 2015/3/28 0:25, Peter Krempa wrote:
> 
> > On Fri, Mar 27, 2015 at 10:54:26 +0800, zhang bo wrote:
> 
> > 
> > Too powerful? That is a ridiculous statement that probably originates
> > from some kind of misunderstanding when creating a security policy or
> > stuff like that. If a policy bans nc as "powerful" then it's missing on
> > a lot of other options how to create listening or outgoing connections
> > on arbitrary sockets. The only insecure part is that it does not use
> > encryption, but that's a widely known fact about nc.
> > 
> 
> 
> Sorry for replying so late:)
> I tried to confirm the security fact the other days, but unfortunately got no clear answer.
> What I meant was that the *network monitoring tools*, such as 'nc' and 'tcpdump',
> are considered dangerous for network security. They are prohibited
> in our company and some other organizations. I'm not quite sure whether the result that
> they're prohibited is directly related to their capability of monitoring the network.
> But they actually got prohibited anyway.


That sounds like a security-by-obscurity policy. I don't think that
banning such tools might have any benefit for security.

Anyways I'm planning on adding the native client. In such case, companies
having such ridiculous security rules may opt to uninstall netcat and
rely solely on libvirt's internal client (once it's implemented). Such
policy will then basically mandate a minimal version of libvirt that
will support the new client as older clients will still want to use NC.

Peter