Ticket #521 (new enhancement)
authenticated slave-master connections
|Reported by:||ipv6guru||Owned by:|
Several potential buildslave admins have balked at the idea of their machines being vulnerable to DNS/MitM attacks, in which their buildslaves would be tricked into connecting to a false buildmaster (either by subverting their view of DNS so that they were directed to the wrong IP address, or by subverting their packets so that their connection was directed to the wrong machine).
To address this (admittedly unlikely) vulnerability requires that the buildslave be able to verify that it has connected to the right buildmaster. In the longer term, I expect to accomplish this with Foolscap/NewPB (a secure version of PB that I have been working on for a couple of years). In the shorter term, our options are to run the PB-based slave-master connection over SSL/TLS or over SSH. In either case, we must validate the target machine's certificate/host-key against some notion of the "right" one to get any benefit out of this at all.
We can do the lightweight thing and mimic ssh: the first time we connect, stash the cert/host-key in a local file. From there on out, refuse to connect to a machine that has a mismatched host key.
Or we can do the better form and use a secure introduction: when the buildmaster admin gives the master's hostname:port to the buildslave admin, include the fingerprint of the master's certificate/hostkey as well. This removes the vulnerability of the initial connection being made to the malicious buildmaster.
From the point of view of the code, I think the SSL path is easier to implement. Getting the certificate out of the connection is a bit trickier, but I think it's still reasonable. This will require a different cslaveport? (maybe cslaveportSSL??), because it's not as if we're going to use STARTTLS here. We also need some new options for 'buildbot create-slave', to let it know it should use PB-over-SSL instead of regular PB. It might also add some version dependencies on newer releases of Twisted, and will certainly require pyopenssl on the buildslave side.
Submitted: Brian Warner ( warner ) - 2006-10-09 07:10