[IPython-dev] "Unsigned Message" error in a forking kernel manager
Jason Grout
jason-sage at creativetrax.com
Tue May 29 19:36:38 EDT 2012
On 5/29/12 6:04 PM, Jason Grout wrote:
> On 5/29/12 3:36 PM, Fernando Perez wrote:
>> Hi Jason,
>>
>> On Tue, May 29, 2012 at 1:08 PM, Jason Grout
>> <jason-sage at creativetrax.com> wrote:
>>> Is there a key or something that I should be
>>> doing to "sign" my messages? If someone could give this a quick
>>> look-over and see if there are any obvious problems, that would be great.
>>
>> Yes, kernels sign their messages, to make it harder for other
>> processes in the same machine to send them arbitrary commands
>> (remember, our protocol is openly explained, so without this any
>> ipython process would basically be a user shell listening on a port
>> for the first clown to say 'rm -rf $HOME'). See the code in
>> zmq/session.py around line 423 for the signing, and the key is a
>> member of the Session class which you can change/reassign (which will
>> trigger a recomputation of the auth field used to sign the messages,
>> see line 298).
>
> Thanks. I remember being a part of the original authentication
> conversation last year (we implemented the same thing for the sage cell
> server). The question is: how do I get the key the kernel expects
> messages to be signed with? Should I be initializing the kernel with
> that? If so, how should I initialize a kernel to use a specific key for
> its sessions? It seems that the initializing code is in the KernelApp
> class in kernelapp.py. If I understand traits correctly, the various
> *_port traits can be initialized by passing in keyword arguments into
> the constructor, and that is how the ports are being correctly
> initialized in my gist. However, the key for the session seems to be
> only initialized if I read a connection file (in load_connection_file).
> So a more specific question is: can I initialize a session key using
> embed_kernel using just the arguments to embed_kernel? Or equivalently,
> using just initialization arguments to KernelApp, can I set the kernel's
> session key?
Just a follow-up: changing the first few lines of embed_kernel to:
if IPKernelApp.initialized():
app = IPKernelApp.instance()
else:
app = IPKernelApp.instance(**kwargs)
if key:
app.config.Session.key=key
app.initialize([])
and adding a `key` keyword argument to embed_kernel seems to work.
Should I submit a pull request, or is there a better way to do this?
Thanks,
Jason
More information about the IPython-dev
mailing list