SSH transport

Havoc Pennington hp at redhat.com
Wed Feb 28 15:22:10 PST 2007


Daniel P. Berrange wrote:
> 
> Why SSH rather than SSL/TLS ? For an SSH based system, I'd rather expect
> that a regular TCP/Unix DBus channel would just be tunnelled over SSH, in 
> much the same way as X is tunnelled.  For a built-in encrypted transport
> simply leveraging the SSL/TLS protocol is the more common approach. One
> can use any of OpenSSL, Mozilla NSS or GNU TLS libraries for this, though
> the latter two are preferred for ABI stability & licensing terms. It's
> actually surprisingly easy to hook these into existing apps with very
> little changes to existing code required. 
> 

Good point. I agree for encryption, don't forget authentication, 
though... in a NIS/kerberos type environment with shared homedirs, then 
we already have a cookie-in-homedir auth that would work, so ssl would 
be fine. In a NIS/kerberos type environment without shared homedirs, it 
seems the missing piece is mostly kerberos or sasl auth (encryption may 
not really matter in many environments, but may in others). In an 
environment where people are doing remote X display without a shared 
homedir or NIS/kerberos, then ssh auth might make sense. If using ssh 
auth, does it make sense to also use ssh encryption?

Don't know. No idea how remote X setups are most commonly done...

Havoc


