On Jan 11, 2014, at 2:03 PM, Charles Lepple wrote:

-- snip --

> Authentication does not affect the behavior: in NUT, status is pulled from
> upsd, not pushed.
Ahhh, thanks much for the clarification, Charles.

>> Are there other merits of authenticating clients?
>
> I honestly don't know. Having not written the original code, I see
> authentication for slave mode as something that is easier to leave in than
> take out, given that authentication is a little more relevant for the master
> connections.
>
> Also, as you point out below, it does limit the mischief a bit.
>
>> On the flip side, since commercial products like NAS drive implementations
>> use fixed, well-known user/pass credentials, all clients would need to be
>> configured with such well-known credentials if they were all to authenticate
>> with a common user.
>
> Why do they need well-known credentials?

If they were to authenticate, NAS equipment such as Synology has hard-coded NUT credentials.

-- snip --

>> The NUT /etc/ups/upsd.users file has only one entry:
>> --
>> [monuser]
>> password = superdupersecret
>> upsmon master
>> --
>> Is this a security issue if the password is well known? Searching the
>> mailing list I only found the comment: "All a upsmon slave can do, is delay
>> shutting down for a handful of seconds." ... seems like limited mischief.
>
> If you have "upsmon slave", I would agree with the "limited mischief"
> comment. The entry above says "upsmon master", which allows setting "fsd".
> This fools other clients into thinking that the UPS has been commanded to
> shut down, and if the clients are running upsmon, they too will shut down.

I understand, so for the common case where ups@localhost is the only valid "master", the master password could even be randomly generated as the "superdupersecret", and then the "monuser" password is less important since a slave basically can't do anything.
Such as:

-- upsd.users --
[master]
password = superdupersecret
upsmon master

[monuser]
password = notsosecret
upsmon slave
--

I guess this still begs the question of whether the "monuser" user is really necessary, other than providing the satisfying feeling of valid logins. :-)

> --
> Charles Lepple
> clepple@gmail

Thanks again,
Lonnie

_______________________________________________
Nut-upsuser mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/nut-upsuser
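The point of the exchange above is that the risk in upsd.users comes from the "upsmon master" privilege (it permits FSD) rather than from the slave login, so the dangerous combination is a master-privileged user with a well-known password. The script below is an added example, not code from this thread or from the NUT project: it audits a upsd.users file for exactly that combination and writes the split master/slave layout Lonnie proposes, with a randomly generated master password. It assumes the upsd.users syntax shown in the thread (a [section] header, a "password = ..." line and an "upsmon master|slave" line); the list of "well-known" passwords is constructed from the thread's own placeholder strings and is not any vendor's real default.

```shell
#!/bin/sh
# Added example (not from the NUT project or the thread above).
# Audits /etc/ups/upsd.users for master-privileged users whose password is
# on a list of well-known values, and writes the split master/slave layout.

# Constructed list of "well-known" passwords, taken from the thread's own
# placeholders. A real audit would list the vendor defaults you know about.
WELL_KNOWN="superdupersecret notsosecret"

# audit_upsd_users FILE
#   Prints "WEAK_MASTER <user>" for every [section] that has "upsmon master"
#   and a password on the WELL_KNOWN list. Slave-only users are not flagged,
#   matching the "limited mischief" reasoning in the thread.
#   Returns 1 if anything was flagged, 0 otherwise.
audit_upsd_users() {
    awk -v known="$WELL_KNOWN" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) bad[k[i]] = 1 }
    function flush() {
        if (user != "" && role == "master" && (pw in bad)) {
            print "WEAK_MASTER " user
            found = 1
        }
        user = ""; pw = ""; role = ""
    }
    # [name] starts a new user section; finish the previous one first
    /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {
        flush()
        user = $0
        gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", user)
        next
    }
    /^[[:space:]]*password[[:space:]]*=/ {
        sub(/^[^=]*=[[:space:]]*/, "")
        sub(/[[:space:]]+$/, "")
        pw = $0
        next
    }
    /^[[:space:]]*upsmon[[:space:]]+/ { role = $2; next }
    END { flush(); exit found ? 1 : 0 }
    ' "$1"
}

# gen_master_password
#   32 hex characters of randomness for the master-only login, so the
#   FSD-capable credential is never a guessable shared secret.
gen_master_password() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 16
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# write_upsd_users FILE MASTER_PW SLAVE_PW
#   Writes the two-user layout from the thread: a master-privileged user for
#   ups@localhost and a slave-only user that NAS clients may share.
#   The file is created mode 0600 since it holds the master secret.
write_upsd_users() {
    (
        umask 077
        cat > "$1" <<EOF
[master]
    password = $2
    upsmon master

[monuser]
    password = $3
    upsmon slave
EOF
    )
}

# Usage (hypothetical paths): audit the live file, then rewrite it if weak.
# audit_upsd_users /etc/ups/upsd.users || \
#     write_upsd_users /etc/ups/upsd.users "$(gen_master_password)" notsosecret
```

Run the audit against the single-entry file from the original question and it flags monuser, because that entry pairs "upsmon master" with the shared password; run it against the split layout and it is silent, since the only master-privileged user now has a random password and the shared one is slave-only.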

