Propagation and security
As you already know, a service (for example SSH, FTP, or a web server) is assigned to a destination in Perun by the facility manager. The destination is the target to which the service's configuration is propagated. There are several types of destination; with type e-mail, for example, the new configuration is sent to the given e-mail address. In your case we use type HOST, where the new configuration is sent directly to the machine. When the destination accepts the configuration, pre-installed scripts are run at the destination to make all necessary changes.
Perun does not send only the facility's configuration to the machine: the configuration also carries the attributes "destination" (the hostname of the machine receiving the configuration from Perun) and "facility" (the facility for which the configuration was built). These attributes are what the machine later uses to decide whether to accept the configuration or not.
A facility manager (for example the manager of facility carach.ics.muni.cz, which serves as a cloud frontend) can assign as destination the machine's name (for example carach1.ics.muni.cz), an alias (for example cloud-frontend.ics.muni.cz), or its IP address. The last two possibilities (alias, IP) can cause problems, because the manager can insert an alias or IP address outside the scope of his rights.
For example, an evil facility manager of skirit.ics.muni.cz can assign the alias cloud-frontend.ics.muni.cz as a destination for some service, even though he is not the manager of the machine carrying that alias. The machine itself is registered in Perun, but its alias is not.
Because the evil facility manager assigned a destination alias that is not in the system, the inner control mechanism cannot avert this fraudulent attempt. The inner control mechanism is described later in the text.
Once the evil facility manager has saved these settings, the machine carach.ics.muni.cz with alias cloud-frontend.ics.muni.cz will receive configuration from facility skirit.ics.muni.cz, which is under full control of the evil manager.
Perun has an inner control system that checks whether the facility manager has the right to assign a service to a destination. It covers situations where the assigned value is already stored in the Perun database.
The inner control mechanism consists of the following rules. The facility manager can add the name of a new destination (or host) to a service if and only if one of the following holds:
there is no host and no destination with that name in the system, or
there is a destination or host with that name connected to a facility of which the manager is the facility manager.
The inner control mechanism does not cover the situation where the facility manager assigns a destination value outside Perun's coverage (for example a new alias of a destination). To avoid potentially fraudulent behavior, the destination by default accepts only configurations whose "destination" attribute equals the output of the command `hostname -f`. To change the default, the destination (host) manager must fill the variables DNS_ALIAS_WHITELIST or FACILITY_WHITELIST with values (IP addresses, aliases, the destination's name, or facility names). These values are then compared with the attributes "destination" and "facility" delivered with the new configuration.
These variables are set in /opt/perun/bin/perun or in /etc/perunv3.conf:
```bash
# accept configuration only if it was sent to one of these hostnames;
# prevents someone from configuring Perun to send a malicious configuration via a DNS alias or IP address
DNS_ALIAS_WHITELIST=( `hostname -f` )
# from which facilities this host accepts configuration;
# insert the facility name exactly as it is in Perun
FACILITY_WHITELIST=()
```
DNS_ALIAS_WHITELIST accepts both IP addresses and aliases (a single value is enough for one machine); values are separated by spaces. For example: `DNS_ALIAS_WHITELIST=(86.49.81.84 cloud-frontend.ics.muni.cz)`
FACILITY_WHITELIST accepts facility names (as they are named in Perun); values are separated by spaces. For example: `FACILITY_WHITELIST=(carach.ics.muni.cz)`
When a configuration arrives, both whitelists are checked, and a match in either one is enough to accept the configuration.
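The two checks described above, as an added worked example in POSIX shell (this is not Perun's own /opt/perun/bin/perun script or any code from the project): `can_add_destination` models the inner control rules for adding a destination name, `accept_config` models the host-side comparison of the delivered "destination" and "facility" attributes against the two whitelists, and `scenario` replays the cloud-frontend case. The registry of known hosts, the FQDN carach1.ics.muni.cz standing in for `hostname -f`, and the whitelist contents are constructed assumptions. The walkthrough also goes one step beyond the text: because a match in either whitelist is enough, adding the shared alias to DNS_ALIAS_WHITELIST re-admits the configuration from skirit.ics.muni.cz, whereas pinning FACILITY_WHITELIST to carach.ics.muni.cz keeps it out.

```shell
#!/bin/sh
# Added example, not Perun's own code. Models the two layers described in
# the text: (1) Perun's inner control of which destination names a facility
# manager may add, and (2) the host-side whitelist check on the delivered
# "destination" and "facility" attributes. All names are constructed.

# --- Layer 1: inner control in Perun --------------------------------------
# Constructed registry of destinations/hosts known to Perun: "name facility".
REGISTRY="carach1.ics.muni.cz carach.ics.muni.cz
skirit1.ics.muni.cz skirit.ics.muni.cz"

# can_add_destination NAME MANAGER_FACILITY -> 0 if the rules allow it
#   rule 1: no host/destination with NAME exists in the system
#   rule 2: NAME exists and is connected to a facility this manager manages
can_add_destination() {
  name="$1"; manager_facility="$2"; found=0
  while read -r reg_name reg_facility; do
    [ -z "$reg_name" ] && continue
    if [ "$reg_name" = "$name" ]; then
      found=1
      [ "$reg_facility" = "$manager_facility" ] && return 0   # rule 2
    fi
  done <<EOF
$REGISTRY
EOF
  if [ "$found" -eq 0 ]; then return 0; fi                  # rule 1
  return 1
}

# --- Layer 2: whitelist check on the receiving host -----------------------
# in_list NEEDLE "WORD WORD ..." -> 0 when NEEDLE is one of the words
in_list() {
  for word in $2; do
    [ "$word" = "$1" ] && return 0
  done
  return 1
}

# accept_config DESTINATION FACILITY "DNS_ALIAS_WHITELIST" "FACILITY_WHITELIST"
# -> 0 (accept) when either list matches, 1 (reject) otherwise.
# Lists are space-separated words here; in /etc/perunv3.conf they are bash
# arrays, so from bash you would pass "${DNS_ALIAS_WHITELIST[*]}".
accept_config() {
  in_list "$1" "$3" && return 0
  in_list "$2" "$4" && return 0
  return 1
}

# --- Walk through the scenario from the text ------------------------------
MY_FQDN="carach1.ics.muni.cz"        # stands in for the output of `hostname -f`
ALIAS="cloud-frontend.ics.muni.cz"   # alias carried by this machine, unknown to Perun

scenario() {
  # skirit's manager adds the alias: it is not in the registry, so rule 1 lets it through
  if can_add_destination "$ALIAS" "skirit.ics.muni.cz"; then
    echo "inner control: alias accepted (name unknown to Perun)"
  fi
  # default host setting: only the FQDN is trusted, facility list empty -> rejected
  if accept_config "$ALIAS" "skirit.ics.muni.cz" "$MY_FQDN" ""; then
    echo "host (default): ACCEPTED"
  else
    echo "host (default): rejected, alias is not whitelisted"
  fi
  # alias added to DNS_ALIAS_WHITELIST: the skirit configuration now matches -> accepted
  if accept_config "$ALIAS" "skirit.ics.muni.cz" "$MY_FQDN $ALIAS" ""; then
    echo "host (alias in DNS_ALIAS_WHITELIST): ACCEPTED from skirit"
  fi
  # alias kept out, FACILITY_WHITELIST pinned instead: only carach's configurations get in
  if accept_config "$ALIAS" "skirit.ics.muni.cz" "$MY_FQDN" "carach.ics.muni.cz"; then
    echo "host (facility pinned): ACCEPTED from skirit"
  else
    echo "host (facility pinned): rejected from skirit"
  fi
  if accept_config "$ALIAS" "carach.ics.muni.cz" "$MY_FQDN" "carach.ics.muni.cz"; then
    echo "host (facility pinned): accepted from carach"
  fi
  return 0
}
scenario
```

Run it with `sh`; the walkthrough prints one line per step. The point to take from the last three checks is that the facility whitelist ties acceptance to who built the configuration, while the alias whitelist only checks where it claims to be addressed.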
Support: perun@cesnet.cz