On Wednesday 12 December 2007, Michael Quick wrote:
> Chris Knadle wrote:
> > On Tuesday 11 December 2007, Michael Quick wrote:
> >> Probably the best response to the "security issue" would be to just use
> >> HTTPS (i.e. curl https://host/file.sh). Users will have to trust scripts
> >> anyway, there is little risk.
> >
> > Just one obvious snag: you need a signed SSL certificate. That means
> > either making your own self-signed cert (or your own CA) and deploying it
> > to all of the boxes, or purchasing a certificate that's signed by a known
> > CA. Either way it's kind of a pain in the neck.
> >
> > But assuming you can deal with that it's definitely a better solution;
> > the traffic won't be totally in the clear, and there's some way of
> > verifying the authenticity of source.
> >
> > -- Chris
>
> Good point!
>
> I think that there could be a couple of ways of handling it ..
>
> Set up the website for user/password auth and do the following:
> curl -u quickm https://host.com/location/to/file.sh
> Enter host password for user 'quickm': *******
> (which I tried and it 'seemed' to work, but is the password plain text?)
> (can also do curl -u quickm:mypasswd https://... )
>
> Send the user a cert or deploy it on the platform as a package update or
> something:
> curl -E cert_file.pem https://host.com/location/to/file.sh
> (didn't try this)

I'm not sure I understand the above, because that would be trying to use
HTTPS to download the cert to allow using HTTPS. :-/

As for whether the password is sent in the clear, I'm pretty sure you could
easily find that out with 'dsniff'.

  -- Chris

--
Chris Knadle
[EMAIL PROTECTED]
_______________________________________________
Mid-Hudson Valley Linux Users Group
http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug

Upcoming Meetings (6pm - 8pm) MHVLS Auditorium
  Dec 5 - Open Source Show and Tell
  Jan 2 - TBD
  Feb 6 - DBUS
  Mar 5 - Setting up a platform-independent home/small office network using Linux
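
On the `curl -u` question raised in the thread, an added example (not part of the original messages): HTTP Basic auth sends `user:password` base64-encoded in an `Authorization` header, so its confidentiality comes entirely from the TLS session around it. The function names, the host `host.example`, and the sample credentials are constructed for illustration.

```shell
#!/bin/sh
# Added example: what `curl -u USER:PASS` places in the request (HTTP Basic auth).
# Function names, host and credentials are hypothetical, constructed for illustration.

# Build the header that Basic auth produces for USER and PASS.
basic_auth_header() {
    printf 'Authorization: Basic %s' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Recover user:password from a captured header. No key is involved:
# base64 is an encoding, so the header is only as private as the transport.
decode_basic_auth() {
    printf '%s' "${1#Authorization: Basic }" | base64 -d
}

# True only when the URL is https://, i.e. the header travels inside TLS.
credentials_protected() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Fetch URL to OUT as USER, refusing to attach credentials to a non-HTTPS URL.
# Passing only the user name makes curl prompt for the password, which keeps
# it out of the command line and shell history.
fetch_with_auth() {
    user=$1 url=$2 out=$3
    credentials_protected "$url" || {
        echo "refusing Basic auth over non-HTTPS URL: $url" >&2
        return 2
    }
    curl --fail --silent --show-error --proto '=https' \
         -u "$user" -o "$out" "$url"
}
```
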
