From WebOS Internals
Jump to navigation Jump to search

SkyNet is an application which manages the secure linking of webOS (and other) devices together over the internet.

It uses secure exchange of ssh keys, and management of restricted command lines in the authorized_keys file, to allow secure, managed, authorized communication between devices.

It can also be used to set up secure tunnels and VPN networks of devices using openssh layer 3 tunnelling.

All actions must be carefully controlled and authorised by the user, lest it become the SkyNet of the Terminator variety ...

Discussion welcome on how we achieve this. Let's use this as a working page for architecture and design ideas. Just write them below.

Service Methods

First we need a means of creating an ssh key-pair, and sending the public key to another device for installation there.

So an atomic service method to create a key-pair, and install the private key. The service method must not give access to the private key.

Then a second service method to return the public key for transmission to the remote device. Transmission can be over email.

Security implications for the key-pair generation service method include denial of service by a rogue mojo app calling the service to create a new private key. This can be countered by a confirmation screen like in the old Java Package Manager Service.

No known security implications for the public key retrieval service method. One assumes that rogue mojo knowledge of a public key is not an issue (it's a public key by definition).

Encrypted Virtual Tunnels

We can use the layer-3 tunnelling features of OpenSSH 4.3 or later to create an encrypted virtual tunnel between the two hosts.

See and for details.

Initially a point-to-point connection will allow communication between two participating hosts.

This may be able to be extended to all hosts participating in SkyNet. We could perhaps use the 10.x.y.z address range, and use the last three octets of the wifi MAC address to guarantee uniqueness across the last three octets of the 10.x.y.z addressing range. The subnet would be to allow routing between all participating hosts.