From: Paul B. <P.B...@cs...> - 2004-11-04 15:04:08
|
Steve (and other invisible people), Any thoughts on using SmartFrog to install GT3 securely? And regarding using SmartFrog securely, do we have to use an internal CA, or can we (re)use an external CA (e.g. UK eScience one that we've used for setting up GT3 security)? Regards, Paul. -----Original Message----- From: Steve Loughran [mailto:ste...@hp...] Sent: 27 September 2004 11:26 To: Paul Brebner; smartfrog-developer Subject: Re: FW: SmartFrog System Availability Paul Brebner wrote: > Steve, > > Just a quick question about SmartFrog security... > > We're going to try and deploy is across the 4 OGSA test-bed nodes, but the > sys admins have asked about security ;-0 They do that, dont they. > > If we didn't use SmartFrog security, (how) could a random hacker exploit the > SmartFrog port/demon without knowing what it was? [Initially we thought of > just getting it to deploy grid services, so it would run as a user with > limited permissions] I think you should be using smartrog security. Otherwise you would have to hope that nobody on the network was going to send RMI messages to a port; you are relying on ignorance of the ports use as the sole security mechanism. To be honest, we tend to work that way during development, but it is naughty. I am debating doing a portscan on the site deploying something to power down the system just to see how many boxes are so exposed. > If we needed SmartFrog to install a complete secure installation of GT3, how > could we best set it up to run the root part of the GSI security > configuration? I hope someone else on the CC:'d mail list can handle that question. GT2.x certainly needs to run as root; I don't know about GT3. My overall recommendation is to use smartfrog security. A lot of effort has been put in there, and without that underpinning you are just crossing your fingers and hoping for the best. -Steve |