Xymon Mailing List Archive

XyMon client binaries default security is bad

list Ryan Novosielski
Fri, 1 Mar 2013 16:53:49 -0500
Message-Id: <user-ba33d7ad0757@xymon.invalid>

On 03/01/2013 04:45 PM, Ralph Mitchell wrote:
> On Fri, Mar 1, 2013 at 3:40 PM, <user-87556346d4af@xymon.invalid
> <mailto:user-87556346d4af@xymon.invalid>> wrote:
>
> [snip]
>
>> Perhaps user/pass authentication could be added, but "real"
>> security at the report-submission level would be SSL-handshaking at
>> the port with any local keys controlled by standard unix/host
>> access controls, (or HTTPS and xymonmsgcgi.msg and appropriate
>> user/pass auth info after the SSL tunnel is set up). The bits and
>> pieces are in trunk, but I'm not sure what their current working
>> state is...
>
> I'm currently using xymoncgimsg.cgi to catch status messages sent
> over HTTPS via curl. For what I'm doing, the client-side xymon
> binary can be replaced by a script.
>
> I'm not using client-side certificates, though that ought to be
> fairly easy to add. The problem with any client-side
> userid/password/certificate is that you have to have a plain text
> password or key somewhere, so the whole security chain could
> unravel if not done right.

Another piece of software I use, Bacula, can use SSL and does
validation against the CN field. I would think that would be a
reasonable solution. It also needs to pass a signature test. I would
think it would be pretty hard to fake a CN and then get it signed by
your in-house certificate authority, let alone VeriSign.

-- 
Ryan Novosielski - Sr. Systems Programmer
user-ae4522577e16@xymon.invalid - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
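The CN check Ryan describes for Bacula only closes the spoofing hole on a Xymon status receiver if the certificate's CN is also tied to the host named in the status line; otherwise any client holding a valid in-house cert could report on behalf of every other host. The helper below is an added illustration, not Xymon's or Bacula's code: it takes the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns after a handshake with `CERT_REQUIRED` against the in-house CA (so the chain/signature test has already passed), and accepts a `status` line only when its hostname equals the client's CN. It assumes each client certificate's CN is that client's fully qualified hostname.

```python
import re
from typing import Optional

# First token of a Xymon status line: "status", optional "+LIFETIME",
# optional "/group:GROUP", then the HOSTNAME.TESTNAME token and the colour.
_STATUS_RE = re.compile(r"^status(?:\+[0-9]+[smhdw]?)?(?:/\S+)?\s+(\S+)\s+\S+")


def peer_common_name(peercert: dict) -> Optional[str]:
    """Return the CN from the dict returned by ssl.SSLSocket.getpeercert().

    'subject' is a tuple of RDNs; each RDN is a tuple of (type, value) pairs.
    """
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def status_hostname(line: str) -> Optional[str]:
    """Extract the reporting host from 'status[+life][/grp] HOST.TEST COLOR'.

    Xymon writes the dots of a hostname as commas, so 'www,example,com.cpu'
    is host 'www.example.com' and test 'cpu'.  Non-status lines yield None.
    """
    m = _STATUS_RE.match(line)
    if not m:
        return None
    host, sep, _test = m.group(1).rpartition(".")
    if not sep or not host:
        return None
    return host.replace(",", ".")


def status_allowed(peercert: dict, line: str) -> bool:
    """Accept a status line only if its host equals the client cert's CN.

    Assumption (hypothetical deployment policy): CN == client FQDN.
    """
    cn = peer_common_name(peercert)
    host = status_hostname(line)
    return cn is not None and host is not None and cn.lower() == host.lower()
```

A receiver that rejects a mismatch should log the CN and the claimed host together, since a repeated mismatch from a valid certificate is the signal that a client key has been copied or a host has been compromised.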