Chris Knadle wrote:
> On Tuesday 11 December 2007, Michael Quick wrote:
>
>> [EMAIL PROTECTED] wrote:
>>
>>> On Dec 11, 2007 12:30 AM, Porkchop <[EMAIL PROTECTED]> wrote:
>>>
>>>> Yes, I realize you assumed he was using a public internet site he has no
>>>> control over rather than an intranet server. But he didn't tell us that.
>>>>
>>> Again, HTTP is so easily spoofable that even people that ask for help
>>> about bash can do it. If he's on an intranet so large as to require
>>> automated installation solutions, then there's a fairly good chance, I
>>> think, that there are other people on the network besides him. The
>>> moment you add another person into the equation, the network should
>>> now be assumed compromised; I may be being a bit pessimistic here, but
>>> we're talking about "Administrator" privileges.
>>>
>> Probably the best response to the "security issue" would be to just use
>> HTTPS (i.e. curl https://host/file.sh). Users will have to trust scripts
>> anyway, there is little risk.
>>
>
> Just one obvious snag: you need a signed SSL certificate. That means
> either making your own self-signed cert (or your own CA) and deploying it to
> all of the boxes, or purchasing a certificate that's signed by a known CA.
> Either way it's kind of a pain in the neck.
>
> But assuming you can deal with that it's definitely a better solution; the
> traffic won't be totally in the clear, and there's some way of verifying the
> authenticity of source.
>
> -- Chris
>
Good point!
I think that there could be a couple of ways of handling it ..

Set up the website for user/password auth and do the following:

curl -u quickm https://host.com/location/to/file.sh
Enter host password for user 'quickm': *******

(which I tried and it 'seemed' to work, but is the password plain text?)
(can also do curl -u quickm:mypasswd https://... )

Send the user a cert or deploy it on the platform as a package update or something:

curl -E cert_file.pem https://host.com/location/to/file.sh

(didn't try this)

_______________________________________________
Mid-Hudson Valley Linux Users Group http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug
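
An added example, not part of the original message or written by anyone in the thread: a POSIX shell wrapper around curl covering the two approaches discussed, a locally deployed CA and user/password auth. It passes the CA with `--cacert` and reads credentials from a netrc file so the password never appears on the command line (with `-u user:pass` it is visible in the process list, although over HTTPS it travels inside the TLS session); the function name `fetch_script` and the paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example. Hypothetical names: fetch_script, /etc/pki/site-ca.pem,
# /root/.netrc-install.
#
# fetch_script URL DEST [CA_FILE] [NETRC_FILE]
#   CA_FILE    PEM file of the self-signed cert or private CA deployed to the box
#   NETRC_FILE file (mode 600) with a line such as:
#              machine host.com login quickm password <secret>
# Writes DEST only after a complete, successful HTTPS transfer.
fetch_script() {
    url=$1 dest=$2 ca=${3:-} netrc=${4:-}

    # Refuse anything that is not https:// before curl is even started.
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 2 ;;
    esac

    # Download to a temporary name so a partial file is never left at DEST.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1

    # Build curl's arguments in "$@" so values containing spaces survive.
    # --fail            treat HTTP errors (401, 404, ...) as failures
    # --proto/-redir    never fall back or redirect to plain HTTP
    set -- --fail --silent --show-error --connect-timeout 10 \
           --proto '=https' --proto-redir '=https' --location \
           --output "$tmp"
    [ -n "$ca" ] && set -- "$@" --cacert "$ca"
    [ -n "$netrc" ] && set -- "$@" --netrc-file "$netrc"

    if curl "$@" "$url"; then
        mv "$tmp" "$dest"
    else
        curl_rc=$?
        rm -f "$tmp"
        return "$curl_rc"
    fi
}

# Typical use: run the installer only if the fetch succeeded.
# fetch_script https://host.com/location/to/file.sh /tmp/file.sh \
#     /etc/pki/site-ca.pem /root/.netrc-install && sh /tmp/file.sh
```

Because the script is only moved into place after curl exits successfully, a certificate mismatch, a failed login or a dropped connection leaves nothing behind to execute.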
