https://groups.google.com/forum/#!topic/salt-users/nh8MqRiHV...
As far as I can tell, RAET is still optional/Beta?:
http://docs.saltstack.com/en/latest/topics/releases/2014.7.0...
I tried finding out if CVEs had been assigned to the AES/RSA issues, but as far as I can tell there weren't any CVEs assigned:
http://www.cvedetails.com/vulnerability-list/vendor_id-12943...
Mail suggesting CVE for RSA exponent: http://www.openwall.com/lists/oss-security/2013/07/01/1
But the CVE is only reserved, not assigned?: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2228
With the history of some very serious issues with the Salt crypto, I'm a little concerned that there doesn't seem to exist any good documentation on the past and current state of the protocol security from the Salt project?
As I said up-thread -- perhaps I'm not being fair, perhaps I'm just not aware of where to look -- but I've yet to see anything that puts me entirely at ease: have new members been added to the team? Has there been a successful audit? Did the attacks turn out to not be practical?
While I might not have the same confidence in Paramiko as I do in OpenSSH -- at least it works with a well-tested protocol -- and more importantly -- with a rather well-known protocol -- it's easier to evaluate. If someone can get root access via SSH that is bad. If the risk is limited to someone stealing a private key, then that is at least something to plan around (and make decisions around).