[IPython-dev] pyzmq authentication
benjaminrk at gmail.com
Tue May 31 14:45:33 EDT 2011
On Tue, May 31, 2011 at 11:13, Jason Grout <jason-sage at creativetrax.com> wrote:
> On 5/31/11 12:57 PM, MinRK wrote:
>> We did briefly have an encrypted socket, but the zeromq community
>> rightly opposed that rather vehemently, largely because we aren't
>> security experts, and the illusion of security provided by a poor
>> implementation is really *less* secure than having no security at all.
>> Our answer with IPython is that SSH provides our security. Typically
>> the Controller listens on localhost, and the best way to connect to it
>> from another machine is with an SSH tunnel (IPython does help create
>> the tunnels) rather than listening on a public port. We do provide a
>> small level of additional security by including an authentication key
>> in all messages that is checked when receiving to determine if the
>> sender is authorized to make a request.
> If I understand things correctly, if I have several frontends running code
> on a single backend server (with multiple kernels---the sage notebook is my
> usecase), then untrusted code from any of the kernels could connect to and
> mess with the other sessions, right? Is it correct to say that any user
> could connect with any kernel running on the same server?
Oh, you are talking about the *non* parallel kernel. Yes, that code
has exactly zero security - anyone with access to the sockets can
execute arbitrary code. We really do need to replace
IPython.zmq.session with the one in the parallel code which does
include simple key checking, which should be per-kernel (or
per-cluster in the parallel code).
More information about the IPython-dev