tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: SoC: Improve syslogd



On Mon, May 26, 2008 at 5:49 PM, Martin Schütte 
<lists%mschuette.name@localhost> wrote:

<snip>

>> The bigger question is how you intend to handle the authorization
>> issues that come along with -transport-tls. For example, how do you
>> specify the remote client names that a sender is permitted to listen
>> to. Or how to specify if you use name, fingerprint or anonymous
>> authentication. The current rsyslog approach works, but is ugly.
>
> I think for syslogd it is sufficient to use one global list of trusted
> certificates/fingerprints.
>
> So the configuration can use a single CA cert:
> "CACertFile=xyz.cert"
> or a directory with trust anchors (trusted CA and/or client certs)
> "CertDirectory=/some/path"

Yes, but how to configure the "permitted sender" ACLs (those systems
that a permitted to send to send messages to the syslogd)?

> To support fingerprints I imagine to either list them in syslog.conf
> "CertFingeprints=SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D
> SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9F"
> or to use the file system and have them inside the CertDirectory to be added
> with:
> "touch
> /some/path/SHA1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D"

I need to think a bit more about the rest of the choices ;)

Rainer


Home | Main Index | Thread Index | Old Index