[
https://issues.apache.org/jira/browse/KNOX-733?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15430728#comment-15430728
]
Larry McCay commented on KNOX-733:
----------------------------------
Hi [~snowch] - thanks for the questions.
Again, I think we need to make sure that we are talking about the correct CLI.
When I say CLI, I mean the interface available through knoxcli.sh not what you
develop using the client shell.
I am going to file a JIRA for adding the export command to KnoxCLI after I
answer these questions:
bq. If the CLI is generating the truststore, the output should include the
certificate signature and inform the user to manually verify that the
certificate signature is correct (i.e. it is not the injected certificate of an
attacker performing a man-in-the-middle attack)?
Since this is an explicitly run knoxcli.sh command that will need to be run by
the admin (knox or root users), there is no need for a signature. The delivery
of the truststore or PEM file will need to be done by the admin to the client
developer in a trusted manner.
bq. The developer may also want to build the truststore manually and provide a
truststore password? Is it possible to provide certificate passwords too in
truststores?
This is perfectly fine and we will need to provide the location (either by
config or convention) of the truststore location. Yes, you may provide
passwords for truststores though they often not required. When not providing
one the integrity check will not be done however. When exporting to JKS, I plan
to use "changeme" as the password. It can subsequently be changed with keytool
or some other keystore tooling.
bq. If the developer is using their own certificate authority or a less well
known public certificate authority, the truststore may not need the cluster
certificate and instead only need the CA certificate?
Absolutely correct. In this case, either add the CA to cacerts for the client
machine or create your own truststore as described above.
bq. In more secure environments, is it possible to configure knox server to
require client certificates to authenticate to the server? If so, the CLI
should also be able to access the client certificate in a keystore?
This is an excellent point. We do have the ability to configure the gateway
server to require client certs. This will require a separate JIRA as it isn't
pertinent to the trust issue being discussed here. Client cert is also an edge
case requirement from my experience. We should discuss that in the JIRA for
that work and prioritize accordingly.
> Knox shell client is susceptible to man-in-the-middle attack
> -------------------------------------------------------------
>
> Key: KNOX-733
> URL: https://issues.apache.org/jira/browse/KNOX-733
> Project: Apache Knox
> Issue Type: Bug
> Reporter: chris snow
> Assignee: chris snow
> Fix For: 0.10.0
>
>
> The Knox shell client does not verify the certificate of the server.
> One option would be to provide another method where developers can provide
> their own client, e.g.
> public static Hadoop login( String url, String username, String password,
> HttpClient client ) throws URISyntaxException { }
> https://github.com/apache/knox/blob/master/gateway-shell/src/main/java/org/apache/hadoop/gateway/shell/Hadoop.java#L60
> I can provide a patch if you are happy with this approach.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
