Sharing environments - a proposal

roger peppe roger.peppe at canonical.com
Fri May 30 07:32:15 UTC 2014


On 30 May 2014 06:50, John Meinel <john at arbash-meinel.com> wrote:
> ...
>
>>
>> > PROBLEM: right now all connections to the api server are secured with
>> > TLS and the client-cert.
>>
>> As John says, this isn't actually true - connections are secured with
>> a server cert and a password.
>>
>> Unfortunately I believe it is impossible to lose either one of these
>> without rendering juju fundamentally insecure against man-in-the-middle
>> attacks.
>>
>> If we take the approach you suggest, that's what we'd end up with. Anyone
>> that can subvert the network between the "juju connect" command and the
>> API server could pretend to be the desired environment, forwarding and
>> changing requests as maliciously as it liked. There's no way that the
>> client can know that it's talking to the middle-man, and no way for the
>> server to know that it's not being addressed by the expected client.
>>
>> There is also the problem that the "endpoint" can change - with HA the
>> actual API addresses can and will change (and there are many
>> possible addresses too - we try to connect to all of them; that's
>> not very convenient for a small piece of information to copy
>> and paste)
>
>
> So we could certainly make it safe once you have securely connected 1 time.
> In that we can ask what the CA cert is for this environment, and then make
> sure all future connections are validated with that CA.

Yes. You have to work out how you're going to connect securely that
first time though. How do you propose to do that?

  cheers,
    rog.



More information about the Juju-dev mailing list