security and OTP based apps.

[Bengt Kleberg]

> I'm thinking of using Erlang (and OTP libs) to build a 
> highly-concurrent distributed application. I'd like to have 
> supervisors starting processes on remote nodes, hot-code 
> swapping and so on. All this seems much easier and more practical 
> in Erlang than other languages.

good idea.


> My only real question before starting on a prototype is on security.
> The application would be accessible from the Internet. I have read a 
> bit about setting the cookies, but also that "the user must be allowed
> to rsh to the remote hosts without being prompted for a password" (using
> whatever mechanisms rsh uses for this).

according to the manual page (i am assuming you refer to the slave
module) you may specify an alternative to ''rsh'' on the command line.
if you change to ''ssh'', and either use a hardened system or openbsd,
you will not have security problems with the operating system.
use un-guessable/random cookies and you might be safe from somebody
using erlang, too. i have not looked into the latter part of the problem.


> Not being a security guy, I'm not sure how what the risks in practice
> are for this kind of thing. Are there any documents on securing Erlang
> based applications that are exposed to the Internet? I'd be grateful
> for any pointers on useful related information.

i was a security guy. i would love doing this and then write the
papers. beeing a family man it will have to wait until somebody is
willing to pay me to do it. hint, hint.


bengt