[ofa-general] OpenSM Console Ideas?

Hal Rosenstock hrosenstock at xsigo.com
Tue Feb 26 09:59:08 PST 2008 

Hi Tim,

On Tue, 2008-02-26 at 08:46 -0800, Timothy A. Meier wrote:
> Hi Hal,
>    I haven't had very much feedback yet.  Do you have any idea how many people
> use the console?

No idea.

-- Hal

> Hal Rosenstock wrote:
> > Hi Tim,
> > 
> > On Thu, 2008-02-21 at 16:27 -0800, Timothy A. Meier wrote:
> >> LLNL uses the remote console feature in OpenSM.  We have a need to secure
> >> this remote connection with authentication/authorization and encryption
> >> (specifically PAM and OpenSSL).  I have a working prototype, and would
> >> like to formalize it and share/include this with OpenSM.
> >>
> >> Before I go down this path too far, I would like to solicit ideas from
> >> others who use the console.
> >>
> >> Currently, the console can be used in local, loopback, or remote modes.
> >> If security is added, should it replace other modes, or be an additional mode?
> > 
> > IMO the old modes should be preserved and I would view
> > authentication/authorization and encryption as an orthogonal dimension
> > to be supported with any of those modes.
> > 
> This was my initial instinct as well.  Honestly, however, once we have
> a secure connection, we will probably use it exclusively.  I suppose the
> local console would also be necessary.  I can preserve all modes.
> 
> >> The intention is to use PAM for the AA framework, and OpenSSL for secure
> >> sockets.  Are there any serious objections to this implementation plan?
> > 
> > Is the license compatible with OpenFabrics ?
> >
> Well I am not a lawyer, but I believe that it is.  OpenSSL has a dual license,
> both are BSD-style open source licenses (one for the toolkit, one for openssl).
> An alternate to OpenSSL is GNU TLS.  GNU TLS is not as widely used, and has
> the GNU Lesser GPL which is supposed to be extremely lax.
> 
> The PAM libraries are included with most linux distros, (RH, Debian, etc.) and
> have BSD style and GNU GPL licenses.
> 
> >> The console feature has always been a configuration/command line option,
> >> but should the secure console be conditionally compiled/linked as well?
> >> (eliminate dependency on the PAM and OpenSSL libs, pam, pam_misc, cryto, ssl).
> > 
> > This might depend on the licensing. Also, on one hand, it would be nice
> > to minimize the build options, but for those where space is an issue,
> > the separate configurability of this would be useful. (Not knowing the
> > additional size of this but it sounds like it will be large enough to
> > not make this a mandatory requirement of the console).
> > 
> > -- Hal
> >
> Agreed.  Should it NOT include the security stuff into the build, by default?
> And the Console be disabled by default, and if enabled, default to "local"?
> 
> >> The secure console would require a relatively primitive client application,
> >> which I will probably package under opensm, just like osmtest.  Make sense?
> >>
> >> Do you have any other ideas or suggestions for the remote console?
> >>
> > 
> 
>

More information about the general mailing list