On Thu, 2012-08-09 at 15:53 -0600, Bryan Sutula wrote:
> On Thu, 2012-08-09 at 22:35 +0400, Anton Pak wrote:
> > I don't recall any security related discussion in OpenHPI.
>
> I confirm that this was not discussed. It is not really an HPI issue,
> nor an OpenHPI issue. It's really the issue for individual plugins, and
> the transport layers they choose to use to talk to their hardware.
>
> As far as suggested solutions, the plugin does not necessarily have to
> get authentication information from the openhpi.conf file. The plugin
> can arrange to authenticate using other means depending on the
> transport.
>
> I do question the value of spending too much time on this. As Anton
> points out in a different reply, one with root access and access to
> openhpi source can certainly extract the credentials of any scheme that
> we may come up with. This is because, in the end, the daemon must be
> able to authenticate and the methods (source code) being used are
> public.
>
> When I've seen similar discussions in the past, the conclusion was
> always that machines running openhpi (and other management software)
> need to be locked down, not allowing access by unauthorized people. I
> suspect that this will be the conclusion of this discussion as well.
>
I agree open source makes it easier to find out what the password is. It is almost impossible to protect the system if the user access is not secured. Still, we could deter the hacker by making the task much more difficult. Plain text passwords are getting bigger scrutiny and many of the open source packages have started addressing the problem. It does not hurt to look at what is changing and how to make openhpi a little more secure.

Mohan

> My $.02,
> Bryan Sutula
>
> _______________________________________________
> Openhpi-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openhpi-devel
