Ostiary

Ian Grigg iang at systemics.com
Tue Aug 2 10:40:49 EDT 2005


On Tuesday 02 August 2005 13:26, Udhay Shankar N wrote:
> Sounds interesting. Has anybody used this, and are there any comments?
> 
> Udhay
> 
> http://ingles.homeunix.org/software/ost/

> ... 
> Perhaps you only really need to remotely initiate a limited set of 
> operations. In this case, you don't need a shell prompt, just a way to 
> securely kick off scripts from elsewhere.
> 
> Enter 'Ostiary'. It is designed to allow you to run a fixed set of commands 
> remotely, without giving everyone else access to the same commands. It is 
> designed to do exactly and only what is necessary for this, and no more. 

I recently wrote this as a login program that was
hard coded to run the commands concerned.

The reason for doing this instead of the Ostiary
approach is that SSH had to be running anyway,
and SSH provides the key management regime.
Without that, I'd have to invent my own, which
in Ostiary's case was the Hashing mechanisms.
So on this point it would come down to whether
we cared enough to replace SSH's authentication
regime, which I'd think would be rarer (perhaps
in the embedded market where Unix doesn't need
maintaining??).

Also, efficiency of command sending was not
an issue - each send was about 10 seconds in
my tests.


>     * Keep things simple. I'm no crypto expert; I know I'm not capable of 
> coming up with an ssh replacement. So I need to keep things so utterly 
> simple that I can be sure I'm not missing anything important.

I think it is smart to keep things simple regardless
of one's expertise :)  Also, I wouldn't overdo the
"hackability" argument.  If flaws are found, you'll
find time to fix them, and for the cost of a few
hacked boxes, you'll have the benefit of a lot
more secured boxes.

iang
-- 
Advances in Financial Cryptography, Issue 2:
   https://www.financialcryptography.com/mt/archives/000498.html
Mark Stiegler, An Introduction to Petname Systems
Nick Szabo, Scarce Objects
Ian Grigg, Triple Entry Accounting

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
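
The pattern the reply describes (a program hard coded to a fixed command set, with SSH handling authentication and key management), as an added example that is not Ian Grigg's program or Ostiary's code. It assumes the script is installed as the account's login shell or as an OpenSSH forced command; the command names and script paths are hypothetical.

```shell
#!/bin/sh
# Added example: fixed-command dispatcher to sit behind sshd.
# Command names and script paths are hypothetical placeholders.

# Map a request to one fixed script. The whole request string must equal an
# allowed name, so "backup; id" or "backup /etc" never matches.
resolve_command() {
    case "$1" in
        backup) echo "/usr/local/libexec/remote/backup.sh" ;;
        rotate) echo "/usr/local/libexec/remote/rotate-logs.sh" ;;
        status) echo "/usr/local/libexec/remote/status.sh" ;;
        *)      return 1 ;;
    esac
}

# sshd passes the client's request in SSH_ORIGINAL_COMMAND when this script
# is a forced command, or as "-c <request>" when it is the login shell.
requested_name() {
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        printf '%s' "$SSH_ORIGINAL_COMMAND"
    elif [ "${1:-}" = "-c" ]; then
        printf '%s' "${2:-}"
    fi
}

# Run the mapped script with no client-supplied arguments, or refuse.
dispatch() {
    req=$(requested_name "$@")
    if target=$(resolve_command "$req"); then
        exec "$target"
    fi
    echo "request not in the fixed command set" >&2
    return 1
}

# Dispatch only when sshd handed over a request; otherwise just define the
# functions (an interactive login with no command gets nothing to run).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ] || [ "${1:-}" = "-c" ]; then
    dispatch "$@"
fi
```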


