Bacula-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Bacula-users] PKI Signatures working?

2015-09-24 18:21:36
Subject: Re: [Bacula-users] PKI Signatures working?
From: Kern Sibbald <kern AT sibbald DOT com>
To: Ana Emília M. Arruda <emiliaarruda AT gmail DOT com>, Markus Falb <markus.falb AT fasel DOT at>
Date: Thu, 24 Sep 2015 18:16:45 -0400
Hello Ana,

I have not followed this thread in detail, but if the user wants more security in verifying the FD, it is possible to enable TLSAuthentication without enabling TLS on transmitted data, and in that case, in addition to the regular MD5 authentication Bacula will do TLSAuthentication but then not use TLS for the rest of the data transmission.

Best regards,
Kern

On 15-09-23 04:27 PM, Ana Emília M. Arruda wrote:
Complementing my previous post, MD5 and SHA1 do not make use of pki signatures from bacula crypto lib. They are hashes used for integrity verification and not for authenticity verification.

Best regards,
Ana

On Wed, Sep 23, 2015 at 3:45 PM, Ana Emília M. Arruda <emiliaarruda AT gmail DOT com> wrote:
Hello Markus,

I´m quite sure that it is not possible to have pki signature without pki encryption. You can have computation of MD5 and SHA1 signature of the file if configured in your FileSet. When dealing with pki signatures, this works only when you use pki encryption. I mean, the encrypted data at file daemon is signed before sent to storage daemon.

Best regards,
Ana

On Wed, Sep 23, 2015 at 5:30 AM, Markus Falb <markus.falb AT fasel DOT at> wrote:
Hello Bacula Users,

I am trying pki signatures without pki encryption off.
In my fd config I have

FileDaemon {
        Name = x-fd
        ...
        pki signatures = yes
        pki encryption = no
        pki keypair = /etc/pki/tls/private/x-fd.pem # with CN=x-fd
}

I have a second machine y-fd with equivalent config.

I make a Backup of x-fd.

I do a restore of this backup but I change the restore host to y-fd, and
it works, and that surprises me because y-fd should not be able to
verify the signature made with the private key from x-fd, it does not
know the public key of x-fd, right?

I wonder how this is supposed to work.
+
I don't even know if a signature was made in the first place and how to
verify that.

--
Kind Regards, Markus Falb


------------------------------------------------------------------------------
Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
Get real-time metrics from all of your servers, apps and tools
in one place.
SourceForge users - Click here to start your Free Trial of Datadog now!
http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users




------------------------------------------------------------------------------
Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
Get real-time metrics from all of your servers, apps and tools
in one place.
SourceForge users - Click here to start your Free Trial of Datadog now!
http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140


_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users


------------------------------------------------------------------------------

_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Bacula-users] is 7.2 ready for prime time?, Kern Sibbald
Next by Date:  Re: [Bacula-users] PKI Signatures working?, Ana Emília M. Arruda
Previous by Thread:  Re: [Bacula-users] PKI Signatures working?, Ana Emília M. Arruda
Next by Thread:  Re: [Bacula-users] PKI Signatures working?, Ana Emília M. Arruda
Indexes:  [Date] [Thread] [Top] [All Lists]