help-cfengine

does encrypt=true actually work?


From: Chris Ward
Subject: does encrypt=true actually work?
Date: Mon, 16 Jan 2006 15:00:00 -0800 (PST)


Has anyone verified that files sent over the wire via copy rules using the 'encrypt=true' arg are actually encrypted? I set up a simple test scenario where an attacking machine is able to sniff packets destined for a cfengine client and grab the [clear text] contents of a file which is supposed to be encrypted; the client and the attacking machine were plugged into a hub, while the server was on another network via a switch.

Here's the version of cfengine and the copy rule:

# /usr/local/sbin/cfagent --version
GNU cfengine 2.1.11


 copy:
  hostX::
    $(base)/cfengine/test-encryption dest=/var/tmp/junk/test-encryption type=sum o=root g=other encrypt=true server=$(cfmaster)


And here's the cfservd.conf rule admitting the file (I tried it separately using both admit rule lines):

admit:

    $(base)/cfengine *.domain.com encrypt=true
    $(base)/cfengine/test-encryption *.domain.com encrypt=true


The output from cfagent doesn't seem to be complaining about communication between the client and the server not being encrypted:

Checking copy from
cfengine.domain.com:/usr/local/cfengine/test-encryption to
/var/tmp/junk/test-encryption
Connect to cfengine.domain.com = 192.168.164.179, port h=5308
Found address (192.168.164.179) for host cfengine.domain.com
Updating last-seen time for cfengine.domain.com
Loaded /usr/local/var/cfengine/ppkeys/root-cfengine.domain.com.pub

...............................................................
cfengine:hostX: Strong authentication of server=cfengine.domain.com
connection confirmed


Finally, here's a portion of the tcpdump output (from the attacking machine) that was able to capture the contents of the 'test-encryption' file:

SYNCH 1137449613 STAT /usr/local/cfengine/test-encryption
t 70
OK: 0 420 0 0 0 48 1137449613 1137448262 1137448847 0 7191113 1 134405
UUUUUU
t 44
GET 2048 /usr/local/cfengine/test-encryption
test-encryption:This text should be encrypted.


Maybe I'm misunderstanding exactly how copy and encrypt=true are supposed to function, but this to me points towards cfengine not properly encrypting data before the server sends the file to the client. Has anyone else explored this issue before or been able to verify that copy encryption truly works?

-Chris
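
Added example (not part of the original post, and not cfengine code): a repeatable version of the check described above, which scans a saved capture for the known test-file contents in the traffic sent from the server port. It assumes a classic little-endian pcap file with Ethernet/IPv4 framing (for instance one written with `tcpdump -w`); the function names, the client port 40000 and the sample captures are constructed for illustration.

```python
import struct

CFENGINE_PORT = 5308                       # port shown in the cfagent output
CANARY = b"This text should be encrypted."  # contents of the test file

def tcp_payloads(pcap, port):
    """Yield (src_port, payload) for IPv4/TCP packets to or from `port`
    in a classic little-endian pcap file with Ethernet framing."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24                                # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                        # too short, or not IPv4/TCP
        tcp = 14 + (pkt[14] & 0x0F) * 4     # Ethernet + IP header length
        if len(pkt) < tcp + 20:
            continue
        sport, dport = struct.unpack_from("!HH", pkt, tcp)
        data = tcp + (pkt[tcp + 12] >> 4) * 4
        end = 14 + struct.unpack_from("!H", pkt, 16)[0]  # drop frame padding
        if port in (sport, dport) and pkt[data:end]:
            yield sport, pkt[data:end]

def canary_on_wire(pcap, canary=CANARY, port=CFENGINE_PORT):
    """True if the canary appears in the bytes sent from the server port.
    Segments are joined in capture order so a split canary still matches."""
    stream = b"".join(p for sport, p in tcp_payloads(pcap, port) if sport == port)
    return canary in stream

def sample_pcap(payloads, sport=CFENGINE_PORT, dport=40000):
    """Constructed capture: one TCP segment per payload (checksums left 0)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for data in payloads:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp + data
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    clear = sample_pcap([b"test-encryption:This text ", b"should be encrypted.\n"])
    opaque = sample_pcap([bytes((i * 37 + 11) % 256 for i in range(64))])
    print("cleartext capture leaks canary:", canary_on_wire(clear))
    print("opaque capture leaks canary:", canary_on_wire(opaque))
```

A negative result only shows that the known plaintext was not seen from that capture point; it does not by itself establish how the data was protected.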



