diff options
Diffstat (limited to 'debian/openslp-dfsg/openslp-dfsg-1.2.1/doc/html/UsersGuide/Security.html')
| -rw-r--r-- | debian/openslp-dfsg/openslp-dfsg-1.2.1/doc/html/UsersGuide/Security.html | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/debian/openslp-dfsg/openslp-dfsg-1.2.1/doc/html/UsersGuide/Security.html b/debian/openslp-dfsg/openslp-dfsg-1.2.1/doc/html/UsersGuide/Security.html new file mode 100644 index 00000000..69e81fc3 --- /dev/null +++ b/debian/openslp-dfsg/openslp-dfsg-1.2.1/doc/html/UsersGuide/Security.html @@ -0,0 +1,73 @@ +<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> +<html> +<head> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> + <meta name="GENERATOR" content="Mozilla/4.76C-CCK-MCD Caldera Systems OpenLinux [en] (X11; U; Linux 2.4.2 i686) [Netscape]"> + <title>OpenSLP Users Guide - Security</title> +</head> +<body text="#000000" bgcolor="#FFFFFF" link="#0000EE" vlink="#551A8B" alink="#FF0000"> + +<h2> +Security</h2> + +<hr WIDTH="100%"> +<h3> +Protecting the daemon against attacks</h3> +The following measures have been taken to protect the OpenSLP daemon from +attacks: +<ul> +<li> +The OpenSLP daemon (slpd) must run as root initially in order to bind to +the well known SLP port. However, slpd will relinquish root privileges +and suid() to the daemon user (if it exists).</li> + +<li> +If slpd includes paranoid SLP message checking code . This slows +down the operation of slpd slightly but ensures that malformed or intentionally +malicious SLP messages will not cause segmentation faults in the daemon.</li> +</ul> + +<h3> +Protecting the integrity of service registrations</h3> +As of version 0.9.0, OpenSLP fully supports the SLPv2 message authentication +blocks to ensure that registrations can not be modified in transit and +that they are sent to and received from valid agents. When +properly installed and configured, OpenSLP will automatically provide this +level of security to all SLP enabled applications with out any need to +recompile or relink. Installation of secure OpenSLP is a little +involved... +<p>Currently, OpenSLP uses DSS signatures to ensure the authenticity and +integrity of certain SLP messages. In order to do this, administrators +need to: build a security enabled OpenSLP, provide (or generate) +a DSA public and private keys, and setup the /etc/slp.spi file. +The administrator also has to ensure that OpenSSL crypto libraries are +properly installed before secure OpenSLP will work. +<p>Step 1: Since we not sure how many installations will require +OpenSLP security so the security features are not currently built +in by default. To build a security into open slp OpenSLP you will +have to use --enable-security on the ./configure command line +<p>Step 2: Generate DSA public and private key files in PEM format +using the OpenSSL command line. I'll provide details on exactly +how this is done when I get more time in the mean time, you can figure +it out by reading the openssl man pages. +<p>Step 3: Copy the private DSA key PEM key file to very safe locations +on hosts that will be registering services. The public DSA key PEM +file goes on all hosts that will be registering services and on all hosts +that will be finding services. +<p>Step 4: Edit the /etc/slp.spi file to assign an SPI to the DSA keys. +Details on how to do this are documented in the comments of the slp.spi +file +<br> +<h3> +User Level Access Control</h3> +Plans have been made to provide a mechanism that will enforce user level +access control that will allow the administrator to specify the users or +groups that can register services with SLP. +<br> +<h3> +Help</h3> +If you find a security hole in OpenSLP, <i>please</i> bring it to +the attention of the <a href="mailto:matt@caldera.com">OpenSLP +maintainer</a>. Thanks. +</body> +</html> |