On Thu, 2012-08-09 at 22:35 +0400, Anton Pak wrote:
> I don't recall any security related discussion in OpenHPI.

I confirm that this was not discussed.  It is not really an HPI issue,
nor an OpenHPI issue.  It's really the issue for individual plugins, and
the transport layers they choose to use to talk to their hardware.

As far as suggested solutions, the plugin does not necessarily have to
get authentication information from the openhpi.conf file.  The plugin
can arrange to authenticate using other means depending on the
transport.

I do question the value of spending too much time on this.  As Anton
points out in a different reply, one with root access and access to
openhpi source can certainly extract the credentials of any scheme that
we may come up with.  This is because, in the end, the daemon must be
able to authenticate and the methods (source code) being used are
public.

When I've seen similar discussions in the past, the conclusion was
always that machines running openhpi (and other management software)
need to be locked down, not allowing access by unauthorized people.  I
suspect that this will be the conclusion of this discussion as well.

My $.02,
Bryan Sutula


_______________________________________________
Openhpi-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openhpi-devel
