List:       fwknop-discuss
Subject:    [Fwknop-discuss] EC2 + fwknop: Experiences? Thoughts?
From:       "Mark V" <mvyver () gmail ! com>
Date:       2008-10-30 5:44:14
Message-ID: 389c43e40810292244s236e261y224f702e16a32eb1 () mail ! gmail ! com

Hi Group,
I've used fwknop previously with GPG encryption.
I was wondering if anyone had contemplated using fwknop within
Amazon's EC2 instances?
In particular without 'baking in' any security keys/settings - apart
from the fwknop configuration.

The advantage of this is tighter control over access as well as an
additional security layer.

AFAICT, one hurdle in using GPG is that the setup requires the private
key to reside on the fwknop server.
In the case of running an EC2 instance the trust relationship is reversed.
Specifically, an ssh key pair is used to launch the instance and the
public key is available within the running instance, via the EC2 API.

I can only think to use some of the meta-data on the EC2 AMI in the
following way.
The fwknop client would encrypt this data, and the fwknop server (on
the running AMI instance) would decrypt, then parse the data received,
compare it to the data queried from the API and grant access if
they matched.
In this setup the data the client sends would include the meta-data
attribute the fwknop server should look up, as well as the data that
should be matched with the instance's value.
Hopefully that is clear?

In case people are not familiar with the EC2 API, meta-data can be
queried via curl, or some Perl, Ruby, etc. library as described here:
http://docs.amazonwebservices.com/AWSEC2/latest/DeveloperGuide/index.html?AESDG-chapter-instancedata.html

Any comments, suggestions, thoughts?

Regards
Mark
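
The server-side comparison described in the message above, as an added example that is not part of the original post and not fwknop code. It assumes the payload has already been decrypted; the `attribute=value` payload format, the function names, the allow-list and the sample metadata are all hypothetical.

```python
import hmac

# Assumption: only these metadata paths may be named by a client.
ALLOWED_ATTRIBUTES = frozenset({"instance-id", "ami-id", "public-keys/0/openssh-key"})

# Constructed sample metadata standing in for the live metadata service.
SAMPLE_METADATA = {
    "instance-id": "i-0example1234",
    "public-keys/0/openssh-key": "ssh-rsa AAAAexample launch-key",
}


def parse_request(plaintext):
    """Split a decrypted payload of the hypothetical form 'attribute=value'."""
    attribute, sep, value = plaintext.partition("=")
    attribute, value = attribute.strip(), value.strip()
    if not sep or not attribute or not value:
        raise ValueError("malformed request")
    return attribute, value


def grant_access(plaintext, fetch_metadata):
    """Return True only if the client's value matches the instance's own value.

    fetch_metadata(attribute) returns the instance's value as str, or None.
    On EC2 it would GET http://169.254.169.254/latest/meta-data/<attribute>.
    """
    try:
        attribute, claimed = parse_request(plaintext)
    except ValueError:
        return False
    # Refuse attributes outside the allow-list so a client cannot steer the
    # lookup to arbitrary paths on the metadata service.
    if attribute not in ALLOWED_ATTRIBUTES:
        return False
    actual = fetch_metadata(attribute)
    if not actual:
        return False
    # Constant-time comparison avoids leaking how much of the value matched.
    return hmac.compare_digest(claimed.encode(), actual.strip().encode())


if __name__ == "__main__":
    lookup = SAMPLE_METADATA.get
    print(grant_access("instance-id=i-0example1234", lookup))
    print(grant_access("instance-id=i-0wrong", lookup))
    print(grant_access("../user-data=anything", lookup))
```
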
