On 10/24/16 03:56 PM, sor...@gmail.com wrote: > Hello, > First of all this fully on my personal title. As I have done some work in the past on PAM integration I would like to give you some input.
> There's a need in our department to use bconsole with user accounts existing > on the director machines. Something that is similar with the functionality > requested in this thread: > https://groups.google.com/d/msg/bareos-devel/TtsY4cj3fhk/CuQaAHrL-KYJ > However, the aforementioned thread requires TLS-PSK authentication between > the file daemons and the director, while we want PSK authentication only > between the console and the director. In any case, the pre-shared key should > be transferred securely between the machines. > > I've looked into the code of bareos and TLS is activated only after the > mutual cram-md5 authentication. Correct that is something eventually a StartTLS approach should solve. > > I've changed the code and I have a working prototype with TLS-PSK > authentication. The preshared key is authenticated by PAM on the server side. > I would like to transfer this code into your master branch. > I guess this is the code you posted on github in your forked repo. One small question please rebase your branch when you do multiple commits fixing previous code. I now had to do that myself to see what you really did and to follow the new code. > Before submitting a pull request, I would like to discuss with you the > handshake protocol changes that I've made. > > In the Hello message, the client specifies the version of the communication > protocol that it supports. This allows for evolutions in the protocol. For StartTLS we were thinking about changing that already. > > If the server does not answer with the expected response then the client > falls back to the current communication protocol, i.e. mutual authentication > by cram-md5. > > I would welcome your suggestions to change the handshaking protocol such that > the modifications are at the end of the day accepted in the main branch of > bareos. I have some design concerns. First of all I think the server side should decide what kind of authentication it does for a certain console. First of all I think this should only be used for "named" consoles e.g. not the default console. I have extracted some code from an earlier attempt to implement a PAM glue layer in the director that I could share with you if you are interested in it. Its just some rough code that needs more work but implements some parts you also did but a bit more in BAREOS style. It implements in the console definition in the DIR a way to specify which users and hosts can authenticate to a certain console and hand those off to PAM. That way you can limit who can use a certain console. Further more I use the normal "shared secret" as wrap key for the password I send over to the DIR. That way even an NON SSL session is somewhat "secure" I do agree that StartTLS is a cleaner solution in the long run. I had a quick look at your code and it is not quite BAREOS style so I guess that has to be fixed eventually but it not really to important in the design phase. B.T.W. as I'm only somewhat lightly involved in BAREOS these days its more my personal interest in this particular area that motivates me to give you some input. So anything I say might not reflect anything the project will eventually accept as upstream patch. -- Marco van Wieringen marco.van.wierin...@bareos.com Bareos GmbH & Co. KG Phone: +49-221-63069389 http://www.bareos.com Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646 Komplementär: Bareos Verwaltungs-GmbH Geschäftsführer: Stephan Dühr, M. Außendorf, J. Steffens, P. Storz -- You received this message because you are subscribed to the Google Groups "bareos-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to bareos-devel+unsubscr...@googlegroups.com. To post to this group, send email to bareos-devel@googlegroups.com. For more options, visit https://groups.google.com/d/optout.