WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] Re: [RFC][PATCH] Secure XML-RPC for Xend

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] Re: [RFC][PATCH] Secure XML-RPC for Xend
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Fri, 09 Jun 2006 09:57:24 -0500
Delivery-date: Fri, 09 Jun 2006 07:58:08 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <4488D93D.7070303@xxxxxxxxxx> <20060609083434.GA19035@xxxxxxxxxxxxxxx> <20060609084147.GH31509@xxxxxxxxxx> <20060609085443.GA28541@xxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Pan/0.14.2 (This is not a psychotic episode. It's a cleansing moment of clarity.)
On Fri, 09 Jun 2006 09:54:44 +0100, Anil Madhavapeddy wrote:

> On Fri, Jun 09, 2006 at 04:41:48AM -0400, Daniel Veillard wrote:
>> 
>>    SSH authentication is really expensive especially when you compare to
>> other cost in the XML-RPC. I would really like some persistency
>> of the connection if possible, especially for operations like monitoring,
>> it's okay to reopen from time to time, but without reuse it would just not
>> work.
> 
> Yes, but the right place to do it is not in Xend.  The auth caching
> can be set up outside of Xend much more robustly depending on your
> version of OpenSSH.  If done in Xend, then it definitely needs to
> use the wildcard support in ControlPath to avoid the authentication
> race condition, and an OpenSSH version check.

I think Daniel is suggesting that we use HTTP Keep-Alive which I also
think is a really good idea.  I think this will come in handy regardless
of whether we use SSH.

This makes my patch a lot nicer though.  I just would make sure the
client uses Keep-Alive and then you get the same 1-time auth without
any of the SSH trickery.

I'm investigating this right now.  I seem to recall the HTTP server in
python providing support for Keep-Alive...

> 
> As Ian says, stunnel/SSL is probably easier from the client's point
> of view (although I do like the easier SSH key management this patch
> allows).

There doesn't have to be one solution.  The only real code that's needed
here is xm serve which is not more than 100 lines.  The client code is
more of an example.  I see no reason why we couldn't support all of these
protocols (httpu, http, https, ssh).

Regards,

Anthony Liguori

> Anil



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel