[Mono-dev] RFC on remoting security stuff

[Robert Jordan]

Hi Atsushi,

AtsushiEno wrote:
> Hi,
> 
> As part of filling .NET 2.0 API, I am wondering how and what we need to do
> secure remoting support (introduced in 2.0), namely HttpChannel, TcpChannel
> and IpcChannel. (I'd like to put my disclaimer - am far from familiar
> with those
> remoting stuff, so don't hit me if I am misunderstanding the entire bits ;-)
> 
> It seems that secure remoting stuff sorta involves
> WindowsImpersonationContext
> which is based on authentication information which will be likely from
> System.Net.CredentialCache.DefaultCredentials (if written in managed land).
> 
> DefaultCredentials seems to require CAS (and some work, as it is
> commented as "Need EnvironmentPermission implementation first"). So I guess
> it is not likely possible to implement security support in the same
> manner as
> .NET does.
> 
> So I'd like to hear you guys' ideas. Would we just leave them unimplemented,
> or find some alternative security support, like using TLS to at least enable
> encryption (and optionally integrity by some certificate configuration) ?
> 
> (While we could implement NegotiateStream and hence secure connection itself
> would not be an issue, am having problems to solve NTLM issue on my machine
> and cannot implement it so far.)

It is possible to implement Mono's secure remoting based on
NegotiateStream, but we'd need something like SAMBA to handle
the mutual authentication.

For impersonation support, we'd need to "suid root" the application,
which is a no-no at present. IMO, this would require a complete audit
of all participating managed and unmanaged libs.

That said, I think we should implement secure remoting on top of
AuthenticatedStream (SslStream). This is the only way to make
secure remoting really useful on Mono's main platform Unix.

For MS.NET interoperability we could provide custom channels for
MS.NET based on our channels.

Robert