Brocade FC SAN lookup service should allow customized hosts key and missing policy

Bug #1320050 reported by Jia Ming Zhang on 2014-05-16
This bug affects 1 person
Affects: Cinder
Importance: High
Assigned to: Jia Ming Zhang

Bug Description

In the BrcdFCSanLookupService, when initializing, the SSH client should be allowed to load a customized host key file instead of only loading from the OS host key file. Also, for the host key missing policy, the code should allow it to be customized by parsing the kwargs instead of hard-coding the "missing policy". The "Missing Policy" will not stop the man-in-the-middle attack if the known_hosts is not a match; it should allow a customized policy to be configured in different scenarios to fit the security need.

Jia Ming Zhang (jmzhang) on 2014-05-16
information type: Private Security → Public Security
Jia Ming Zhang (jmzhang) on 2014-05-16
Changed in cinder:
assignee: nobody → Jia Ming Zhang (jmzhang)

Fix proposed to branch: master
Review: https://review.openstack.org/93865

Changed in cinder:
status: New → In Progress
Jay Bryant (jsbryant) on 2014-05-19
Changed in cinder:
importance: Undecided → High
tags: added: icehouse-backport-potential

Fix proposed to branch: master
Review: https://review.openstack.org/94159

Reviewed: https://review.openstack.org/94159
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=1eda138be81b2405969b80c00f30ba237e250fcd
Submitter: Jenkins
Branch: master

commit 1eda138be81b2405969b80c00f30ba237e250fcd
Author: Lynxzh <email address hidden>
Date: Mon May 19 17:49:00 2014 +0800

    BrcdFCSanLookupService should allow customize host key and policy

    In BrcdFCSanLookupService, the initialization should allow the
    customization of the known_hosts_file and missing_key_policy so that the
    hosts key and missing policy can be customized according to the
    different scenario and customer aspect. This will not change the default
    behavior when no argument is given, but more flexible to allow the
    caller to give more options according to different requirements.

    Closes-Bug: #1320050
    Change-Id: If5767f63ccd2cde5fbea30a6154acf4d28f662b6

Changed in cinder:
status: In Progress → Fix Committed

Change abandoned by Jay Bryant (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/94258
Reason: Abandoning this change. It was decided that this is just a security weakness. Not backporting at this time and we are going to address this going forward in a new blueprint.

Thierry Carrez (ttx) on 2014-06-11
Changed in cinder:
milestone: none → juno-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-10-16
Changed in cinder:
milestone: juno-1 → 2014.2