Hi Chris,
yep, a dynamic authenticator needs to authentiate itself too.
Am 26.12.2015 um 11:02 schrieb Chris Beckett:
> Is the only way to authenticate the connection by the component trying
> to register an authentication service by using static permissions? I am
If you mean, is this
1. static WAMP-CRA (or WAMP-Ticket) with secrets literally contained in
the node configuration file
the only way to authenticate a dynamic authenticator? Then, no, you can
also have:
2. implement the authenticator in Python, run the component embedded in
a Crossbar.io router worker and use a fixed authrole assignment
(possible, since the embedded code is trusted/known anyway)
-> there is no issue since there is no secret anyway
3. use Unix domain sockets for connecting the authenticator to the
router, use filesystem permissions for security, and a fixed WAMP
authrole again
-> there is no issue since there is no secret anyway
---
1. - 3. are possible today with Crossbar.io release, while the following
options are upcoming.
---
4. static WAMP-TLS (TLS with WebSocket or RawSocket) for connecting the
authenticator to the router and TLS client certificate authentication,
and have the authid set from the cert, and the authrole from static config
-> there is no issue since the secret (the private key part) is not
exposed to Crossbar.io at all
Support for WAMP-TLS is in trunk:
https://github.com/crossbario/crossbarexamples/tree/master/authenticate/tlsdynamic
But:
https://github.com/crossbario/crossbar/issues/569
5. static WAMP-CRA with secrets from env vars
I agree (to what I guess you hint at) that it would make sense to be
able to use static WAMP-CRA authentication with secrets coming from
environment variables, instead of literal values in the node configuration:
https://github.com/crossbario/crossbar/issues/568
(We have such option for listening TCP ports already ..)
-> the issue is moved elsewhere (the secret needs to be on the box where
Crossbar.io, but is set outside the node config).
6. static WAMP-cryptosign
Then I am working on WAMP-cryptosign, which is a new WAMP-level
authentication scheme based on Curve25519 crypto.
This will run over any WAMP transport, including non-TLS ones.
With WAMP-cryptosign, a node's static authentication configuration will
have entries for client public keys:
"principals": {
"backend-inst01": {
"pubkey": "rxVbS2hlekZOZVMlPjKwknj4LzHEiKxTpKQEjodJhAE=",
"role": "backend-component"
}
}
-> there is no issue since the secret (the private key part) is not
exposed to Crossbar.io at all
===
I think with 1. - 6. above, most scenarios should be adressed.
> really trying to avoid having to hard-code accounts and passwords in a
> configuration file since this seems insecure. For most hosting
If you want the box running some app component reboot without manual
intervention (and leaving hardware crypto modules and such out of scope
for now), then there will always be some file with a "secret" stored on
the box:
a. a shell profile file setting an env var MY_SECRET=..
b. a private key for a public-private key thing
c. a (optionally salted) key for a symmetric crypto thing
If you loose that file, or someone gets access to that file, you're screwed.
Now, the question is: is it a good idea to make the whole Crossbar.io
node configuration file a security sensitive file by having secrets (eg
static WAMP-CRA secrets) right in that file?
Or would it be better to have the secret be only referred to in the node
config (e.g. the name of an env var)?
I think the user should have the choice here.
https://github.com/crossbario/crossbar/issues/568
Cheers,
/Tobias
> environments you would probably make these environment variables so they
> can be configured through the management website as well.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Crossbar" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to
crossbario+...@googlegroups.com
> <mailto:
crossbario+...@googlegroups.com>.
> To post to this group, send email to
cross...@googlegroups.com
> <mailto:
cross...@googlegroups.com>.
> To view this discussion on the web visit
>
https://groups.google.com/d/msgid/crossbario/0b9eef7f-117b-4288-9014-89ebc295532c%40googlegroups.com
> <
https://groups.google.com/d/msgid/crossbario/0b9eef7f-117b-4288-9014-89ebc295532c%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit
https://groups.google.com/d/optout.