[Ovirt-devel] gssapi/kerberos support for qpidd
Ian Main
imain at redhat.com
Thu Jan 29 17:28:48 UTC 2009
On Thu, 29 Jan 2009 16:56:10 +0000
"Daniel P. Berrange" <berrange at redhat.com> wrote:
> On Thu, Jan 29, 2009 at 08:45:08AM -0800, Ian Main wrote:
> >
> > This set of patches adds support for gssapi/kerberos to qpidd. You'll
> > note that it's still not secure as we allow 'plain' auth with a
> > guest account for daemons that connect over localhost (taskomatic,
> > dbomatic etc.) and unfortunately there's no way to constrain that
> > to localhost connections at this time.
>
> Doesn't QPidd have UNIX domain socket support? We shouldn't really
> use TCP over 'localhost' for local connections, since it is just
> unnecessarily increasing latency & overheads.
>
> Unless you really do need/want to authenticate local connections with GSSAPI
> too, there'd be no particular need to run GSSAPI over the UNIX domain socket,
> just rely on the filesystem permissioning on the socket to restrict access.

Yeah, that would be nice, wouldn't it? :) Unfortunately it doesn't
support domain sockets. OTOH though I think we do want to support
having e.g. taskomatic on other machines so gssapi will be needed in the
end anyway. I do agree it is very heavy for localhost but I think we
can live with it.

Ian