Re: FreeBSD and monit status
From: Christian Hopp
Subject: Re: FreeBSD and monit status
Date: Thu, 12 Sep 2002 17:36:24 +0200 (CEST)

On 12 Sep 2002, Jan-Henrik Haukeland wrote:
> Christian Hopp <address@hidden> writes:
>
> > And now for something completely different... I asked before if we
> > should include a check for the permissions of the monitrc file. IMO
> > monit must not start if the permissions are not 0600, 0400, 0500.
> > Opinions?
>
> Agree. We can put the test in env.c since this code runs early.

I could do.

> > Maybe we should think about a different way of saving the password.
> > We could use the htpasswd program of apache or we directly store it in
> > monit as md5, et al, like this
> >
> > set httpd port 2812
> > allow admin:md5:6af286f0509e7c166abf710850f44fc4
> > allow foo:nis:monituser
> > allow foo:htpasswd:/opt/monit/htpasswd
>
> Nah, since monit does not utilize ssl or other encryption at the http
> level the user will have to provide a password in cleartext from
> within the browser (for Basic Auth), which could easily be sniffed. In
> other words this does not solve the fundamental problem. Besides md5
> will not work since monit implements Basic Authentication by comparing
> cleartext base64 encoded passwords.

Anyway, there was a thinking mistake of mine. If we do not provide the
cleartext passwd... how should the cli interface communicate with the server?

I don't see sniffing as so critical, because it is not wise to let monit run
on anything else but localhost. You can easily let programs like stunnel
do the external communication.

C.Hopp
--
Christian Hopp email: address@hidden
Institut für Elektrische Informationstechnik fon: +49-5323-72-2113
Technische Universität Clausthal fax: +49-5323-72-3197
pgpkey: https://www.iei.tu-clausthal.de/pgp-keys/chopp.key.asc (2001-11-22)
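
Added example, not part of the original message and not monit's own code: one way the control-file permission check proposed in the thread (refuse to start unless the mode is 0600, 0400 or 0500) could be written. The function names and the extra owner and regular-file checks are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Modes proposed in the thread: 0600, 0400, 0500 (no group/other access). */
static int mode_is_allowed(mode_t mode)
{
    mode_t perms = mode & 07777;  /* also rejects setuid/setgid/sticky bits */
    return perms == 0600 || perms == 0400 || perms == 0500;
}

/* Returns 0 if the control file may be used, -1 otherwise.
 * Hypothetical helper: name and return convention are assumptions. */
static int check_control_file(const char *path)
{
    struct stat st;
    int ok = -1;
    /* Open first and fstat the descriptor, so the object that is checked is
     * the one that would be parsed. O_NOFOLLOW refuses a symlink at path. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) { perror(path); return -1; }
    if (fstat(fd, &st) != 0)
        perror("fstat");
    else if (!S_ISREG(st.st_mode))
        fprintf(stderr, "%s: not a regular file\n", path);
    else if (st.st_uid != geteuid())
        fprintf(stderr, "%s: not owned by the running user\n", path);
    else if (!mode_is_allowed(st.st_mode))
        fprintf(stderr, "%s: mode %04o, want 0600, 0400 or 0500\n",
                path, (unsigned)(st.st_mode & 07777));
    else
        ok = 0;
    close(fd);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <control-file>\n", argv[0]); return 2; }
    return check_control_file(argv[1]) == 0 ? 0 : 1;
}
```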