Journal of djberg96 (2603)

Thursday March 07, 2002
02:37 PM

I've got this idea, see

[ #3356 ]
I was thinking about the problem of security with regards to my reverse RPC server. In case you missed my earlier journal entries, I proposed an RPC server that let the clients send code refs or modules (either as a name or frozen text) to be executed by a remote server (instead of lumping all the methods in the server itself). The code/method would then be executed with the results sent back to the client.

The main problem with this is security. What if some miscreant sends "rm -rf *" to the server? How can a compromise be reached without resorting to massive regular expression checking? I mulled over this for a while. Today, I had an idea.

Why not use some sort of ssh style authentication built directly into our server? Basically, only authorized programmers would be given a key, and only the proper key would allow you to connect to the server.

You could even have different levels of access based on your key. Level 1 - you can call predefined methods (if any) built into the server; Level 2 - you can use modules installed on the remote machine to create objects and/or call functions; Level 3 - you can send your own frozen objects, or code refs, to the remote server to be executed.
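As an added illustration of the three-level scheme above (not code from the original entry), here is a default-deny authorization gate a server could run on each request. It assumes the transport has already authenticated the client's key and hands over a key id; the key ids, method and module names are constructed for the example.

```perl
use strict;
use warnings;
use 5.010;   # for the defined-or operator

# Constructed example: which key grants which level. Identity is assumed to
# come from the transport (e.g. SSH key auth), so requests arrive tagged with
# the key id that authenticated them.
my %level_for_key = (
    'key-alice' => 1,   # Level 1: predefined server methods only
    'key-bob'   => 2,   # Level 2: may build objects from installed modules
    'key-carol' => 3,   # Level 3: may ship own frozen objects or code refs
);
# Minimum level each kind of request needs.
my %required_level = ( call_method => 1, use_module => 2, run_code => 3 );
# Even within a level, only explicitly exported names are reachable.
my %exported_method  = map { $_ => 1 } qw(ping stats);
my %permitted_module = map { $_ => 1 } qw(List::Util Data::Dumper);

# Returns (1, '') to allow or (0, $reason) to deny; anything unknown denies.
sub authorize {
    my ($key, $req) = @_;
    my $have = $level_for_key{$key};
    return (0, 'unknown key') unless defined $have;
    my $kind = $req->{kind} // '';
    my $need = $required_level{$kind};
    return (0, "unknown request kind '$kind'") unless defined $need;
    return (0, "level $have below required level $need") if $have < $need;
    if ($kind eq 'call_method') {
        my $m = $req->{method} // '';
        return (0, "method '$m' not exported") unless $exported_method{$m};
    }
    if ($kind eq 'use_module') {
        my $mod = $req->{module} // '';
        return (0, "module '$mod' not permitted") unless $permitted_module{$mod};
    }
    return (1, '');
}

# Constructed sample requests, one per interesting path.
my @requests = (
    [ 'key-alice',   { kind => 'call_method', method => 'ping'       } ],
    [ 'key-alice',   { kind => 'run_code',    code   => 'sub { 42 }' } ],
    [ 'key-bob',     { kind => 'use_module',  module => 'File::Path' } ],
    [ 'key-carol',   { kind => 'run_code',    code   => 'sub { 42 }' } ],
    [ 'key-mallory', { kind => 'call_method', method => 'ping'       } ],
);
for my $r (@requests) {
    my ($ok, $why) = authorize(@$r);
    printf "%-12s %-12s %s\n", $r->[0], $r->[1]{kind}, $ok ? 'ALLOW' : "DENY: $why";
}
```

Only the first and fourth requests are allowed; the gate never executes anything itself, it just decides whether the dispatcher may.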

This would require a bit more administration, as someone would have to deal out the keys as appropriate, but I think it could work.

Then again, maybe this has already been done in XML land. I don't know. If it hasn't - ugh. That's a lot of work. Maybe I should ask for a grant from the Perl Foundation. If not, I think it would take a joint effort from a few people. Maybe a sourceforge project.

Anyone interested? Offhand, I'd say Ben Trott would be a good source for the authentication part, Matt Sergeant for the RPC portion and Paul Seamons for the generic server portion.

5 minutes later...

Am I just re-inventing Apache/mod_perl?

  • This sounds somewhat like Penguin. I actually wrote a prototype of a new version of Penguin that uses SSH for transport and authentication. I abstracted out the subsystem SSH stuff (that SFTP uses) so that it's very easy to build systems on top of SSH--this secures the entire transport layer, and lets the system just send messages between client and server.

    It worked. I didn't really handle authorization, though--it was just standard SSH authentication. You could hack in authorization on top of the SSH iden
    • Oh, hey. Didn't know you were hanging around use.perl :)

      Yes, a couple of others have mentioned Penguin as well and I've taken a look. I tried contacting the author, but haven't heard back. I didn't really expect anything - looks like it's been five years since it was last touched.

      I was actually looking at your Crypt::OpenPGP module the other day as a possible solution. I know nothing about PGP, so I was thinking of buying the ORA book on it just for that!

      Securing the transport layer wasn't somethi

      • Yes, a couple of others have mentioned Penguin as well and I've taken a look. I tried contacting the author, but haven't heard back. I didn't really expect anything - looks like it's been five years since it was last touched.

        I tried contacting him about Penguin over five years ago, and never heard back. :-)

      • Using Crypt::OpenPGP would be another option that would work quite well. That would give you more control over authentication etc, but with the same amount of security--you could encrypt each message to secure the transport, and sign it to perform authentication.

        I'll send you the code when I get access to it again, in a couple of days (at SXSW right now :).