[IPython-dev] pyzmq authentication

Jason Grout jason-sage at creativetrax.com
Wed Jun 1 09:40:31 EDT 2011


On 5/31/11 1:45 PM, MinRK wrote:
> On Tue, May 31, 2011 at 11:13, Jason Grout<jason-sage at creativetrax.com>  wrote:
>> On 5/31/11 12:57 PM, MinRK wrote:
>>>
>>> We did briefly have an encrypted socket, but the zeromq community
>>> rightly opposed that rather vehemently, largely because we aren't
>>> security experts, and the illusion of security provided by a poor
>>> implementation is really *less* secure than having no security at all.
>>>
>>> Our answer with IPython is that SSH provides our security.  Typically
>>> the Controller listens on localhost, and the best way to connect to it
>>> from another machine is with an SSH tunnel (IPython does help create
>>> the tunnels) rather than listening on a public port.  We do provide a
>>> small level of additional security by including an authentication key
>>> in all messages that is checked when receiving to determine if the
>>> sender is authorized to make a request.
>>
>> If I understand things correctly, if I have several frontends running code
>> on a single backend server (with multiple kernels---the sage notebook is my
>> usecase), then untrusted code from any of the kernels could connect to and
>> mess with the other sessions, right?  Is it correct to say that any user
>> could connect with any kernel running on the same server?
>
> Oh, you are talking about the *non* parallel kernel.  Yes, that code
> has exactly zero security - anyone with access to the sockets can
> execute arbitrary code.  We really do need to replace
> IPython.zmq.session with the one in the parallel code which does
> include simple key checking, which should be per-kernel (or
> per-cluster in the parallel code).


I think simple key-checking is what I was talking about.  Do you mean 
something equivalent to the Authentication Keys section of the 
multiprocessing module docs [1]?  Basically, I pass in a shared secret 
as an argument when I start the kernel, and then the pyzmq connection is 
authenticated with this secret without transmitting the secret.

Thanks,

Jason

[1] http://docs.python.org/dev/library/multiprocessing#authentication-keys



More information about the IPython-dev mailing list