SSH transport
Havoc Pennington
hp at redhat.com
Wed Feb 28 15:22:10 PST 2007
Daniel P. Berrange wrote:
>
> Why SSH rather than SSL/TLS ? For an SSH based system, I'd rather expect
> that a regular TCP/Unix DBus channel would just be tunnelled over SSH, in
> much the same way as X is tunnelled. For a built-in encrypted transport
> simply leveraging the SSL/TLS protocol is the more common approach. One
> can use any of OpenSSL, Mozilla NSS or GNU TLS libraries for this, though
> the latter two are preferred for ABI stability & licensing terms. Its
> actually surprisingly easy to hook these into existing apps with very
> little changes to existing code required.
>
Good point. I agree for encryption, don't forget authentication,
though... in a NIS/kerberos type environment with shared homedirs, then
we already have a cookie-in-homedir auth that would work, so ssl would
be fine. In a NIS/kerberos type environment without shared homedirs, it
seems the missing piece is mostly kerberos or sasl auth (encryption may
not really matter in many environments, but may in others). In an
environment where people are doing remote X display without a shared
homedir or NIS/kerberos, then ssh auth might make sense. If using ssh
auth, does it make sense to also use ssh encryption?
Don't know. No idea how remote X setups are most commonly done...
Havoc
More information about the dbus
mailing list