[PYTHON-CRYPTO] Implementing XML-RPC public key auth with minimal dependencies

[Daniel Clark]

We are having a discussion on the bcfg2-devel mailing list [1] about
the best way to introduce public key authentication into the software.

A big consideration for us is minimizing client dependencies - ideally
all we want to have as dependencies are a Python 2.5 install with
OpenSSL compiled in statically, and the Bcfg2 distribution itself (on
some platforms, we may also try using cx-freeze to remove the Python
requirement).

Currently there is a scheme in use that uses Python's built-in httplib
module [2], which provides encryption, but no certificate
verification, and a shared secret password. We would like to move to a
public key based scheme, so it is not trivial for one client to spoof
another and get information not intended for it.

Does anyone have suggestions as to what the best approach would be?

I was thinking that it might be possible to continue to use httplib
HTTPS for encryption, but then as part of the session negotiate access
with a pure python RSA module (this suffers from the fact I have been
unable to find one of those that is recently maintained, but there was
at least one good candidate [3] the looked like it could be made to
work with recent Python versions with a little bit of work --
currently it goes into infinite recursion).

In general, do people who know much more about cryptology than I do
think that would be a secure solution?

Would it be more vulnerable than SSL or SSH to session hijacking?

[1] RFC: Bcfg2 Security Specification - Discussion Draft 1
http://thread.gmane.org/gmane.comp.sysutils.bcfg2.devel/1608

[2] 18.7 httplib -- HTTP protocol client
http://docs.python.org/lib/module-httplib.html

[3] RSA module for Python
http://www.stuvel.eu/rsa

Thanks for any comments,
-- 
Daniel Clark # http://dclark.us # http://opensysadmin.com