[IPython-dev] Security

MinRK benjaminrk at gmail.com
Tue Apr 10 16:53:52 EDT 2012

On Tue, Apr 10, 2012 at 13:02, Jason Grout <jason-sage at creativetrax.com>wrote:

> Hi everyone,
> I just want to confirm that I'm analyzing things correctly with regards
> to security in the IPython (and zmq) infrastructure.  I've read
> http://ipython.org/ipython-doc/dev/parallel/parallel_security.html
> (which notes that is not thorough and pyzmq needs a security audit) and
> http://ipython.org/ipython-doc/dev/parallel/parallel_intro.html#security.
> My aim is to have a client on one computer and a hub and engine on
> another computer, with the messages flowing between them as securely as
> if I had the client ssh into the hub/engine computer, run python, and
> captured the stdout.  In particular, I want to prevent other users on
> either the client or the hub/engine machine from seeing messages or
> inserting their own messages, at least to the level of protection that
> ssh or filesystem permission controls provide (I trust those).  And I'm
> remembering the old adage that if I'm hand-implementing the security,
> I'm doing it wrong.
> As I understand it now (am I assessing the situation correctly?), I can
> use ssh to tunnel the messages from the client computer to the engine
> computer.  From there, the messages are transmitted over tcp via the
> loopback to the hub, and then again over tcp via the loopback to the
> engine.  Well, in reality, the message may not actually go through the
> entire tcp stack since the loopback interface can be optimized on the OS
> level.  IPython has implemented some controls for rejecting messages
> that are not signed with specific authentication credentials, so if I
> securely transmit and store the credentials (using ssh and filesystem
> permissions), things *should* be okay as long as the loopback interface
> is not compromised.  However, the loopback interface still allows
> connections from anyone on the local computer to any port, and the hub
> and engines still take up ports on the server.  So if an untrusted user
> exploited a bug in the signing mechanism, or wanted to do some sort of
> DNS attack, that would be possible.
> Is it possible to instead have the messages go over unix domain sockets
> (via the zmq ipc transport), which could then be protected using
> filesystem permissions?  In that scenario, the client could have an ssh
> tunnel to the hub/engine machine, then connect via IPC to the hub.  The
> unix domain socket address would be protected by necessary filesystem
> controls so that untrusted users on the hub/engine machine couldn't even
> connect to the hub.  In fact, if the client, hub, and engine were all
> running on the same computer as the same user, the socket could be set
> to have no permissions for other users, providing a secure message
> pathway.  Am I thinking of things correctly?  Using these sockets seems
> to take one potential worry out (any user being able to connect to the
> hub or engine).

I just tried IPC on my latptop, and it definitely does work, though the
config is a bit weird, due to some assumptions that TCP is what people
actually use:

$> ipcontroller --transport=ipc --ip=$HOME/ipcluster/socket

will result in a bunch of files called `$HOME/ipcluster/socket:12345`.
 This sets up IPC communication for the cluster.

The only thing I don't know about is forwarding UDS connections from the
client to the Hub, but if you know how to do that, you might be set (some
code would need to change in the ssh forwarding utils, but that shouldn't
be much).


> Thanks,
> Jason
> _______________________________________________
> IPython-dev mailing list
> IPython-dev at scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/ipython-dev/attachments/20120410/e49024ef/attachment.html>

More information about the IPython-dev mailing list