[IPython-dev] pyzmq authentication

MinRK benjaminrk at gmail.com
Wed Jun 1 12:41:55 EDT 2011

On Wed, Jun 1, 2011 at 06:40, Jason Grout <jason-sage at creativetrax.com> wrote:
> On 5/31/11 1:45 PM, MinRK wrote:
>> On Tue, May 31, 2011 at 11:13, Jason Grout <jason-sage at creativetrax.com> wrote:
>>> On 5/31/11 12:57 PM, MinRK wrote:
>>>> We did briefly have an encrypted socket, but the zeromq community
>>>> rightly opposed that rather vehemently, largely because we aren't
>>>> security experts, and the illusion of security provided by a poor
>>>> implementation is really *less* secure than having no security at all.
>>>> Our answer with IPython is that SSH provides our security.  Typically
>>>> the Controller listens on localhost, and the best way to connect to it
>>>> from another machine is with an SSH tunnel (IPython does help create
>>>> the tunnels) rather than listening on a public port.  We do provide a
>>>> small level of additional security by including an authentication key
>>>> in all messages that is checked when receiving to determine if the
>>>> sender is authorized to make a request.
>>> If I understand things correctly, if I have several frontends running
>>> code on a single backend server (with multiple kernels---the sage
>>> notebook is my use case), then untrusted code from any of the kernels
>>> could connect to and mess with the other sessions, right?  Is it correct
>>> to say that any user could connect with any kernel running on the same
>>> server?
>> Oh, you are talking about the *non* parallel kernel.  Yes, that code
>> has exactly zero security - anyone with access to the sockets can
>> execute arbitrary code.  We really do need to replace
>> IPython.zmq.session with the one in the parallel code which does
>> include simple key checking, which should be per-kernel (or
>> per-cluster in the parallel code).
> I think simple key-checking is what I was talking about.  Do you mean
> something equivalent to the Authentication Keys section of the
> multiprocessing module docs [1]?  Basically, I pass in a shared secret as an
> argument when I start the kernel, and then the pyzmq connection is
> authenticated with this secret without transmitting the secret.

What we have currently is extremely primitive, and only meant to
protect against accidental execution rather than
malicious intrusion. The key is sent and checked with every message.
Handshaking is particularly complicated with zeromq since it's connectionless,
but I think applying it just to the execution socket is doable, though
it's actually impossible on the other sockets as they are.


> Thanks,
> Jason
> [1] http://docs.python.org/dev/library/multiprocessing#authentication-keys
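
An added example, not part of the original thread and not IPython's or pyzmq's code: it contrasts the scheme described in the reply (the key sent and checked with every message) with per-message HMAC signing, which authenticates a message without transmitting the secret and needs no handshake. The two-frame layout, the key value, the message-id replay guard and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample secret; a real one would be random and per-kernel.
KEY = b"constructed-shared-secret"


def pack_with_key(key, content):
    """Scheme described in the reply: the key itself travels as a frame."""
    return [key, json.dumps(content).encode()]


def check_with_key(key, frames):
    sent_key, body = frames
    # Constant-time compare, but the secret was still sent in the clear.
    return json.loads(body) if hmac.compare_digest(sent_key, key) else None


def pack_signed(key, content):
    """Alternative: send an HMAC of the body, never the key."""
    body = json.dumps({"id": secrets.token_hex(8), "content": content}).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return [sig, body]


class SignedReceiver:
    def __init__(self, key):
        self.key = key
        self.seen = set()  # message ids already accepted (replay guard)

    def unpack(self, frames):
        sig, body = frames
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            return None  # wrong key or modified body
        msg = json.loads(body)
        if msg["id"] in self.seen:
            return None  # exact copy of an earlier message
        self.seen.add(msg["id"])
        return msg["content"]


def key_visible_on_wire(key, frames):
    """True if anyone who can read the frames can read the key directly."""
    return any(key in frame for frame in frames)
```

Signing only proves that the sender holds the key and that the body is unmodified; the message content is still readable on the wire, so the SSH tunnel mentioned earlier in the thread remains the confidentiality layer.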
