[collectd-changes] Authentication/Encryption for the network plugin.
Florian Forster
octo at verplant.org
Sat Apr 11 02:10:02 CEST 2009
Hi,
I've just finished writing a patch that adds authentication and
encryption to the network plugin. Each listen socket can be assigned a
“security level”. Currently, there are three of those:
- Encrypt
Encrypt outgoing data and only accept encrypted data when receiving.
- Sign
Outgoing data is signed; signed and encrypted data is accepted when
receiving.
- None
Send without any cryptography and accept anything when receiving.
The security level and shared secret can be set per-socket, so that
forwarding instances can re-encrypt and similar goodies.
The libgcrypt library is used to calculate hashes, encrypt and decrypt,
see <http://www.gnu.org/software/libgcrypt/>. I tested compiling the
`network' plugin without libgcrypt afterwards, but haven't tested this
much yet. Feedback is welcome :)
Algorithms used are SHA-256 for signing and AES-256 in CBC mode /
SHA-224 when encrypting. Also, SHA-256 is used to get the 32 byte key
for AES-256 from the user-supplied secret.
I'm by no means an encryption expert, so any feedback on this would be
very welcome, too :)
As usual, the collectd.conf(5) manual page has more information on
configuration aspects.
A bit thank you goes out to Thorsten von Eicken of RightScale who
motivated me to work into this direction :) I'm sure I would have put
this off again otherwise ;)
Regards,
-octo
--
Florian octo Forster
Hacker in training
GnuPG: 0x91523C3D
http://verplant.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.verplant.org/pipermail/collectd-changes/attachments/20090411/28123770/attachment.pgp
More information about the collectd-changes
mailing list