Difference between revisions of "Application:SkyNet"
(3 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
SkyNet is an application which manages the secure linking of webOS (and other) devices together over the internet. | SkyNet is an application which manages the secure linking of webOS (and other) devices together over the internet. | ||
− | It uses secure exchange of ssh keys, and management of restricted | + | It uses secure exchange of ssh keys, and management of restricted command lines in the authorized_keys file, to allow secure, managed, authorized communication between devices. |
− | It can also be used to set up secure tunnels and VPN networks of devices using | + | It can also be used to set up secure tunnels and VPN networks of devices using openssh layer 3 tunnelling. |
All actions must be carefully controlled and authorised by the user, lest it become the SkyNet of the Terminator variety ... | All actions must be carefully controlled and authorised by the user, lest it become the SkyNet of the Terminator variety ... | ||
Discussion welcome on how we achieve this. Let's use this as a working page for architecture and design ideas. Just write them below. | Discussion welcome on how we achieve this. Let's use this as a working page for architecture and design ideas. Just write them below. | ||
− | |||
− | |||
− | |||
− | |||
== Service Methods == | == Service Methods == | ||
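Review bot: The reworded intro lines name "restricted command lines in the authorized_keys file" and "openssh layer 3 tunnelling" but do not say which restrictions an installed key receives. Suggest listing the intended per-key options (for example command="...", no-pty, no-port-forwarding, and tunnel="n" for the VPN case) so the design states what a linked device can and cannot do. Style point: write "OpenSSH", matching the "OpenSSH 4.3" wording used elsewhere in this revision.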
Line 17: | Line 13: | ||
First we need a means of creating an ssh key-pair, and sending the public key to another device for installation there. | First we need a means of creating an ssh key-pair, and sending the public key to another device for installation there. | ||
− | So an atomic service method to create a key-pair, install the private key | + | So an atomic service method to create a key-pair, and install the private key. The service method must not give access to the private key. |
− | + | Then a second service method to return the public key for transmission to the remote device. Transmission can be over email. | |
Security implications for the key-pair generation service method include denial of service by a rogue mojo app calling the service to create a new private key. This can be countered by a confirmation screen like in the old Java Package Manager Service. | Security implications for the key-pair generation service method include denial of service by a rogue mojo app calling the service to create a new private key. This can be countered by a confirmation screen like in the old Java Package Manager Service. | ||
No known security implications for the public key retrieval service method. One assumes that rogue mojo knowledge of a public key is not an issue (it's a public key by definition). | No known security implications for the public key retrieval service method. One assumes that rogue mojo knowledge of a public key is not an issue (it's a public key by definition). | ||
+ | |||
+ | == Encrypted Virtual Tunnels == | ||
+ | |||
+ | We can use the layer-3 tunnelling features of OpenSSH 4.3 or later to create an encrypted virtual tunnel between the two hosts. | ||
+ | |||
+ | See https://help.ubuntu.com/community/SSH_VPN and http://wouter.horre.be/doc/vpn-over-ssh for details. | ||
+ | |||
+ | Initially a point-to-point connection will allow communication between two participating hosts. | ||
+ | |||
+ | This may be able to be extended to all hosts participating in SkyNet. We could perhaps use the 10.x.y.z address range, and use the last three octets of the wifi MAC address to guarantee uniqueness across the last three octets of the 10.x.y.z addressing range. The subnet would be 255.0.0.0 to allow routing between all participating hosts. |
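Review bot: In the added Encrypted Virtual Tunnels text, the last three octets of a wifi MAC address are unique only within one vendor prefix (the first three octets), so two devices with different prefixes can map to the same 10.x.y.z address, and a MAC ending 00:00:00 or ff:ff:ff maps to the network or broadcast address of the 255.0.0.0 subnet. Suggest replacing "guarantee uniqueness" with a collision check when a host joins. Separately, the rewritten line "Transmission can be over email" should say how the receiving device confirms the key really is the sender's (for example, comparing the key fingerprint shown on both devices), since the "No known security implications" paragraph covers disclosure of the public key but not its substitution in transit.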
Latest revision as of 11:46, 23 May 2010
SkyNet is an application which manages the secure linking of webOS (and other) devices together over the internet.
It uses secure exchange of ssh keys, and management of restricted command lines in the authorized_keys file, to allow secure, managed, authorized communication between devices.
It can also be used to set up secure tunnels and VPN networks of devices using OpenSSH layer 3 tunnelling.
All actions must be carefully controlled and authorised by the user, lest it become the SkyNet of the Terminator variety ...
Discussion welcome on how we achieve this. Let's use this as a working page for architecture and design ideas. Just write them below.
== Service Methods ==
First we need a means of creating an ssh key-pair, and sending the public key to another device for installation there.
So we need an atomic service method that creates a key-pair and installs the private key. The service method must not give access to the private key.
Then a second service method returns the public key for transmission to the remote device. Transmission can be over email.
Security implications for the key-pair generation service method include denial of service by a rogue mojo app calling the service to create a new private key. This can be countered by a confirmation screen like in the old Java Package Manager Service.
No known security implications for the public key retrieval service method. One assumes that rogue mojo knowledge of a public key is not an issue (it's a public key by definition).
== Encrypted Virtual Tunnels ==
We can use the layer-3 tunnelling features of OpenSSH 4.3 or later to create an encrypted virtual tunnel between the two hosts.
See https://help.ubuntu.com/community/SSH_VPN and http://wouter.horre.be/doc/vpn-over-ssh for details.
Initially a point-to-point connection will allow communication between two participating hosts.
It may be possible to extend this to all hosts participating in SkyNet. We could perhaps use the 10.x.y.z address range, taking the last three octets of the wifi MAC address as the last three octets of the 10.x.y.z address to guarantee uniqueness. The subnet mask would be 255.0.0.0 to allow routing between all participating hosts.
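The following is an added example, not part of the original wiki page or of any SkyNet code: it implements the MAC-to-10.x.y.z mapping proposed above and checks the cases a join procedure would have to reject, namely two MACs from different vendor prefixes sharing the same last three octets, and MACs that map to the network or broadcast address of the 255.0.0.0 subnet. The function names and the sample MAC addresses are constructed for illustration.

```python
import ipaddress

# 10.0.0.0 with netmask 255.0.0.0, as proposed in the text.
SKYNET_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample MACs: the first two differ in vendor prefix only.
SAMPLE_MACS = [
    "00:1d:fe:0a:0b:0c",
    "00:26:bb:0A:0B:0C",
    "00:1d:fe:00:00:00",
    "00:1d:fe:12:34:56",
]


def mac_to_skynet_ip(mac):
    """Map the last three octets of a 48-bit MAC address onto 10.x.y.z."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    x, y, z = (int(o, 16) for o in octets[3:])
    return ipaddress.IPv4Address(f"10.{x}.{y}.{z}")


def allocate(macs):
    """Return (assigned, rejected).

    assigned maps MAC -> IPv4Address; rejected maps MAC -> reason string.
    The first host to claim an address keeps it.
    """
    assigned, rejected, owner = {}, {}, {}
    reserved = {SKYNET_NET.network_address, SKYNET_NET.broadcast_address}
    for mac in macs:
        key = mac.lower().replace("-", ":")
        ip = mac_to_skynet_ip(key)
        if ip in reserved:
            rejected[key] = f"{ip} is the network or broadcast address"
        elif ip in owner:
            rejected[key] = f"{ip} already held by {owner[ip]}"
        else:
            owner[ip] = key
            assigned[key] = ip
    return assigned, rejected


if __name__ == "__main__":
    ok, bad = allocate(SAMPLE_MACS)
    for mac, ip in ok.items():
        print(f"{mac} -> {ip}")
    for mac, reason in bad.items():
        print(f"{mac} rejected: {reason}")
```

A rejected host needs an address from some other source (for example, one chosen by the user at link time); the derivation alone cannot resolve the clash.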