Ostiary - Simple, Secure Remote Script Execution

Ostiary, n. One who keeps the door, especially the door of a church...

Table of Contents

  1. Introduction
  2. How It Works
    1. Hash Functions
    2. HMAC
    3. The Basic Algorithm
  3. Complications
    1. What If An Attacker Gets Your Passwords?
    2. Using Up CPU Without Knowing Passwords
  4. Getting Ostiary
    1. Server and Unix Client
    2. Palm Client
    3. Windows Client
  5. Installing Ostiary
    1. Compiling Ostiary
    2. Using Ostiary
    3. Notes On Command Scripts
  6. Alternatives to Ostiary
    1. Port Knocking
    2. Net::Pcap
    3. Xringd
    4. Procmail et al.
    5. VPNs
  7. FAQs

"There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies and the other is to make it so complicated that there are no obvious deficiencies." - C.A.R. Hoare

"Sure I'm paranoid, but am I paranoid ENOUGH?" - Unknown


Tools like ssh and lsh are great for allowing secure remote access to your system. They offer essentially full, flexible remote control of a machine, in an encrypted and authenticated manner. But they are complex pieces of software; there's no way to do what they do without being complex. And with complexity comes bugs. Tools like ssh and lsh, and VPNs like CIPE, PPTP, and more have all had serious flaws that would allow an attacker to get full control over your system.

If you leave such programs running all the time, you take the risk that someone is going to use an exploit on you before you have a chance to apply a patch. For some purposes, this is an acceptable - even necessary - tradeoff, but it would be nice to enable them only when actually needed, to minimize the risk. And for other purposes, ssh et al. are overkill. Perhaps you only really need to remotely initiate a limited set of operations. In this case, you don't need a shell prompt, just a way to securely kick off scripts from elsewhere.

Enter 'Ostiary'. It is designed to allow you to run a fixed set of commands remotely, without giving everyone else access to the same commands. It is designed to do exactly and only what is necessary for this, and no more. The only argument given to the command is the IP address of the client, and only if the authentication is successful. The following are the key design goals: