Hello,

There's a need in our department to use bconsole with user accounts existing on 
the director machines. Something that is similar to the functionality 
requested in this thread: 
https://groups.google.com/d/msg/bareos-devel/TtsY4cj3fhk/CuQaAHrL-KYJ However, 
the aforementioned thread requires TLS-PSK authentication between the file 
daemons and the director, while we want PSK authentication only between the 
console and the director. In any case, the pre-shared key should be transferred 
securely between the machines.

I've looked into the code of bareos and TLS is activated only after the mutual 
cram-md5 authentication.

I've changed the code and I have a working prototype with TLS-PSK 
authentication. The pre-shared key is authenticated by PAM on the server side. I 
would like to transfer this code into your master branch.

Before submitting a pull request, I would like to discuss with you the 
handshake protocol changes that I've made.

In your code, you have

C->S // client-to-server
Hello *UserAgent* calling\n

S->C // server-to-client
auth cram-md5c <%u:%u@host> ssl=0|1|2

C->S
base64-encoded challenge response

S->C
1000 OK auth\n

C->S
auth cram-md5 <%u:%u@host> ssl=0|1|2

S->C
base64-encoded challenge response

C->S
1000 OK auth\n

S->C
1000 OK: bareos-dir Version 16.3.1 (01 July 2016)\n

TLS set-up if required
TLS tear-down if tls.authenticate


I propose the following handshaking procedure:

C->S
Hello *UserAgent* calling protocol=%u ssl=0|1|2\n

S->C
1000 OK: bareos-dir protocol=%u ssl=0|1|2\n

TLS set-up if required

C->S
auth psk base64_encode(user:pass)\n

S->C // server authenticated client
1000 OK auth\n

C->S // client authenticates server by cram-md5
auth cram-md5 <%u:%u@host> ssl=0|1|2

S->C
base64-encoded challenge response

C->S
1000 OK auth\n

TLS tear-down if tls.authenticate

In the Hello message, the client specifies the version of the communication 
protocol that it supports. This allows for evolutions in the protocol.

If the server does not answer with the expected response then the client falls 
back to the current communication protocol, i.e. mutual authentication by 
cram-md5.

I would welcome your suggestions to change the handshaking protocol such that 
the modifications are at the end of the day accepted in the main branch of 
bareos.

Thank you,
Sorin
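The two handshakes laid out in the message above, simulated end to end as an added example (this is neither Bareos code nor Sorin's prototype). Both endpoints run in one process and exchange the message strings from the post; "TLS set-up" is modelled by a flag. Assumed details not stated in the post: the cram-md5 response is taken to be HMAC-MD5 of the challenge keyed with the shared console password, a plain dict stands in for the PAM lookup, `ssl=2` is read as "TLS required", and the error line `1999 Authorization failed.` is a constructed placeholder. The director only accepts `auth psk` once TLS is active, since `base64(user:pass)` is an encoding, not encryption, and a legacy `auth cram-md5c` reply makes the console fall back to the current mutual cram-md5 exchange.

```python
"""Simulation of the bconsole <-> director handshakes from the post (added
example, not Bareos code).  Assumed: HMAC-MD5 cram-md5 responses, a dict in
place of PAM, ssl=2 meaning "TLS required", constructed "1999" error text."""
import base64
import hashlib
import hmac
import re
import secrets

HELLO_RE = re.compile(r"^Hello \*UserAgent\* calling(?: protocol=(\d+) ssl=([012]))?$")
OK_AUTH, FAIL = "1000 OK auth\n", "1999 Authorization failed.\n"


def cram_response(secret: str, challenge: str) -> str:
    # Assumed response format: base64(HMAC-MD5(secret, challenge)).
    digest = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).digest()
    return base64.b64encode(digest).decode()


class Peer:
    """Shared state for both ends: console password, TLS flag, pending challenge."""

    def __init__(self, protocol: int, console_password: str, ssl: int = 2):
        self.protocol, self.password, self.ssl = protocol, console_password, ssl
        self.tls_active, self.pending = False, None

    def challenge(self, keyword: str) -> str:
        # Same <%u:%u@host> shape as in the post, filled with random values.
        self.pending = f"<{secrets.randbelow(2**31)}:{secrets.randbelow(2**31)}@host>"
        return f"auth {keyword} {self.pending} ssl={self.ssl}"

    def answer(self, line: str) -> str:          # respond to the other side's challenge
        return cram_response(self.password, line.split()[2])

    def verify(self, response: str) -> str:      # check the other side's response
        expected = cram_response(self.password, self.pending)
        return OK_AUTH if hmac.compare_digest(expected, response) else FAIL


class Director(Peer):
    def __init__(self, protocol, console_password, pam_users: dict, ssl=2):
        super().__init__(protocol, console_password, ssl)
        self.pam_users = pam_users              # stands in for the PAM check

    def reply_hello(self, line: str) -> str:
        m = HELLO_RE.match(line.rstrip("\n"))
        offered = int(m.group(1)) if m and m.group(1) else 1
        if offered >= 2 and self.protocol >= 2:  # both sides speak the new protocol
            return f"1000 OK: bareos-dir protocol={min(offered, self.protocol)} ssl={self.ssl}\n"
        return self.challenge("cram-md5c")      # legacy reply: console falls back

    def handle_auth_psk(self, line: str) -> str:
        if not self.tls_active:                  # user:pass is only base64, so TLS first
            return FAIL
        user, _, password = base64.b64decode(line.split()[2]).decode().partition(":")
        return OK_AUTH if self.pam_users.get(user) == password else FAIL


class Console(Peer):
    def __init__(self, protocol, console_password, user="", user_password="", ssl=2):
        super().__init__(protocol, console_password, ssl)
        self.user, self.user_password = user, user_password

    def hello(self) -> str:
        if self.protocol >= 2:
            return f"Hello *UserAgent* calling protocol={self.protocol} ssl={self.ssl}\n"
        return "Hello *UserAgent* calling\n"

    def auth_psk(self) -> str:
        token = base64.b64encode(f"{self.user}:{self.user_password}".encode()).decode()
        return f"auth psk {token}\n"


def run_handshake(console: Console, director: Director):
    """Drive both sides to completion; returns (mode, authenticated, transcript)."""
    log = []

    def send(direction, msg):
        log.append(f"{direction} {msg.rstrip()}")
        return msg

    def tls_setup():
        if director.ssl == 2:                    # ssl=2 read as "TLS required"
            console.tls_active = director.tls_active = True
            log.append("TLS set-up")

    reply = send("S->C", director.reply_hello(send("C->S", console.hello())))
    if reply.startswith("1000 OK: bareos-dir protocol="):
        mode = "psk"
        tls_setup()                              # TLS comes before credentials are sent
        if send("S->C", director.handle_auth_psk(send("C->S", console.auth_psk()))) != OK_AUTH:
            return mode, False, log
    elif reply.startswith("auth cram-md5c "):
        mode = "cram-md5"                        # fallback to the current protocol
        if send("S->C", director.verify(send("C->S", console.answer(reply)))) != OK_AUTH:
            return mode, False, log
    else:
        return "unknown", False, log
    # In both modes the console finishes by authenticating the director via cram-md5.
    response = send("S->C", director.answer(send("C->S", console.challenge("cram-md5"))))
    ok = send("C->S", console.verify(response)) == OK_AUTH
    if mode == "cram-md5" and ok:
        send("S->C", "1000 OK: bareos-dir Version 16.3.1 (01 July 2016)\n")
        tls_setup()                              # legacy order: TLS only after cram-md5
    return mode, ok, log
```

Running `run_handshake(Console(2, "dir-secret", "alice", "pw"), Director(2, "dir-secret", {"alice": "pw"}))` yields mode `psk` with TLS set up before the `auth psk` line; pairing a `protocol=1` console or director with a new one yields mode `cram-md5` with the legacy version banner and TLS only at the end; with `ssl=0` on both sides the director refuses the PSK login because TLS was never established.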
