I’m trying to build a client-server application and it seems that DRb is
a really nice way of doing this. The problem is that there doesn’t seem
to be any good way of actually locking down DRb if the service is
published on a publicly accessible port.
I have tried this:
Create a web service which accepts a username/password. A call hands
back a token (valid for 30 seconds) and adds the callers IP address to
the ACL for DRb. The caller must attach to DRb and present the token
within the 30 seconds or the ACL is reset and the token expires. I am
prepared to trust people with a valid login not to be running code which
will mangle the server.
The above seems to be a good way of securing the service, but soap4r has
two problems:
(a) It hangs the client for 30 seconds after use when I try to start a
GTk thread. Weird!
(b) It doesn’t work in Ruby 1.9,
So, should I look into a less buggy (and more compatible) web service or
is there a way of setting up DRb on its own in such a way that
malevolent users can be screened? Or, can someone suggest a better way
of managing this?
I’m trying to build a client-server application and it seems that DRb is
a really nice way of doing this. The problem is that there doesn’t seem
to be any good way of actually locking down DRb if the service is
published on a publicly accessible port.
There may even be a way to automatically set up a tunnel in the ssh
config, but this works too.
The -n and -N options to ssh are useful in this case on linux/unix, but
I haven’t tried them on windows.
If you have users set up key-based authentication, then you can even set
up the tunnel from your application code instead of a .bat, and the
users don’t have to type username/password.
The huge benefit is that your application code can then mostly ignore
authentication and security issues.
Another option (and I know nothing about DRb so I have no idea if it’s
feasible or not) might be to use SSL with client certificate
authentication.
-Mario.
–
I want to change the world but they won’t give me the source code.