From: cinap_lenrek@felloff.net
To: 9front@9front.org
Subject: inquery: plans for phasing out cpu, rx and import
Date: Sat, 6 Aug 2016 21:39:42 +0200
Message-ID: <0ad979f36b9bdec6514c2d43af79e9c3@felloff.net>

now that we have rcpu taking over for cpu, import and rx...
i want to discuss how to phase out the old protocols.

rationale:

the cpu and import protocols are flawed in several ways:

- initial handshake is not authenticated nor encrypted,
  mitm attacker can change the commandline and import
  path without any credentials.
- import and rx default to unencrypted connection.
- when encrypting, defaults to rc4 with sha1... no
  automatic cipher negotiation.
- cpu and import are the only programs still needing
  devssl in the kernel.
- import's authentication negotiation requires some
  ugly code in exportfs snooping the first message
  of the 9p conversation to see if it's an import calling.

the following things could be done:

- disable listen scripts for exportfs, cpu and rx services.
  so 9front machines will not serve these anymore by
  default. client would still work as normal, code still
  there and continuing maintaining it.
- rename the old programs, say, move them to /bin/old/^(cpu exportfs import ...)
  scripts will break, but program still there under a different
  name in case one needs it. code still there and will be
  maintained.
- just delete the code. you need to keep old binaries around
  yourself to use it. and maintain your own kernel config to have
  devssl for it to work. code not maintained anymore.

suggestions?

--
cinap
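
The first rationale item above, as a small model: parameters sent in the clear before authentication can be rewritten in transit unless they are later bound to the authenticated session. This is an added example, not code from the original message or from 9front; the field layout, the function names and the HMAC binding are assumptions for illustration and are not the cpu, import or rcpu wire formats.

```python
import hashlib
import hmac
import os

def make_hello(cmdline: str, path: str) -> bytes:
    """Constructed cleartext handshake, sent before authentication runs."""
    return f"cmd={cmdline}\npath={path}\n".encode()

def parse_hello(hello: bytes) -> dict:
    """Split the 'key=value' lines of the constructed handshake."""
    return dict(line.split("=", 1) for line in hello.decode().splitlines())

def in_path_rewrite(hello: bytes) -> bytes:
    """Models a relay that edits the cleartext; it holds no credentials."""
    fields = parse_hello(hello)
    fields["cmd"] = "not-what-the-user-typed"
    return make_hello(fields["cmd"], fields["path"])

def transcript_tag(session_key: bytes, hello: bytes) -> bytes:
    """MAC over the handshake bytes, keyed by the secret that auth produced."""
    return hmac.new(session_key, b"handshake" + hello, hashlib.sha256).digest()

def run_session(bind_handshake: bool, tampered: bool):
    """Return the command the server would run, or None if it refuses."""
    sent = make_hello("date", "/usr/glenda")  # constructed sample values
    received = in_path_rewrite(sent) if tampered else sent
    # Authentication itself succeeds either way: the relay passes it through
    # untouched, so both ends share session_key and the relay does not.
    session_key = os.urandom(32)
    if bind_handshake:
        client_tag = transcript_tag(session_key, sent)      # over what was sent
        server_tag = transcript_tag(session_key, received)  # over what arrived
        if not hmac.compare_digest(client_tag, server_tag):
            return None  # handshake was altered in transit: refuse
    return parse_hello(received)["cmd"]

if __name__ == "__main__":
    for bind in (False, True):
        for tampered in (False, True):
            print(f"bind={bind} tampered={tampered} ->", run_session(bind, tampered))
```

Without the binding step the server runs whatever command arrived, even though authentication succeeded; with it, the altered handshake is refused.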