[collectd-changes] Authentication/Encryption for the network plugin.

Florian Forster octo at verplant.org
Sat Apr 11 02:10:02 CEST 2009


I've just finished writing a patch that adds authentication and
encryption to the network plugin. Each listen socket can be assigned a
“security level”. Currently, there are three of those:

 - Encrypt
   Encrypt outgoing data and only accept encrypted data when receiving.
 - Sign
   Outgoing data is signed; signed and encrypted data is accepted when
 - None
   Send without any cryptography and accept anything when receiving.
The security level and shared secret can be set per-socket, so that
forwarding instances can re-encrypt and similar goodies.
The libgcrypt library is used to calculate hashes, encrypt and decrypt,
see <http://www.gnu.org/software/libgcrypt/>. I tested compiling the
`network' plugin without libgcrypt afterwards, but haven't tested this
much yet. Feedback is welcome :)
Algorithms used are SHA-256 for signing and AES-256 in CBC mode /
SHA-224 when encrypting. Also, SHA-256 is used to get the 32 byte key
for AES-256 from the user-supplied secret.

I'm by no means an encryption expert, so any feedback on this would be
very welcome, too :)

As usual, the collectd.conf(5) manual page has more information on
configuration aspects.

A bit thank you goes out to Thorsten von Eicken of RightScale who
motivated me to work into this direction :) I'm sure I would have put
this off again otherwise ;)

Florian octo Forster
Hacker in training
GnuPG: 0x91523C3D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.verplant.org/pipermail/collectd-changes/attachments/20090411/28123770/attachment.pgp 

More information about the collectd-changes mailing list