Support one time key based initial authentication #1625
Description
I'm looking into deploying weave in multiple on-premise locations, where some of the machines could be eventually compromised/decommissioned.
When working in a potentially high-risk environment, it would be useful to be able to:
- Prevent an attacker from reusing a password token to join malicious instances into the weave network.
- Support forcibly detaching a node from the network.
This can be done without creating a 'master' node using an approach like:

first_node (only the password hash needs to be saved & propagated by weave):

```
$ weave launch --master-password abc
$ weave provision --master-password abc
One time key, valid for 5 minutes: xyz
```

second_node (there's a small time span where conflicts could arise if a very fast attacker attempts to join a second instance using key X before knowledge about the first instance using key X propagates throughout the network):

```
$ weave launch --key xyz initial_node
```

third_node:

```
$ weave launch --key xyz
Failed to join network, peer already exists
```

And on any node attached to the network, one could run:

```
$ weave eject --key xyz --master-password abc
```
This is somewhat related to issues #39 (since a selectively distributed password update could be used to eject a node) and #206.
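As an added illustration (not code from this issue or from weave itself), the provision/join half of the proposal modelled in Go: `Provision` checks the master password against its stored hash and mints a random key with a TTL, and `Join` consumes the key on first use so that a replayed, unknown or expired key is refused. `JoinRegistry` and its methods are hypothetical names, the registry is a single in-process map (the propagation race the issue mentions is not modelled), and SHA-256 stands in for the salted, slow KDF a real deployment would use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"time"
)

// JoinRegistry is a hypothetical model of the proposal; SHA-256 stands in for a salted, slow KDF.
type JoinRegistry struct {
	pwHash [32]byte             // only the master password hash is stored/propagated
	ttl    time.Duration        // lifetime of a one-time key (5 minutes in the proposal)
	keys   map[string]time.Time // unused keys -> expiry time
}

func NewJoinRegistry(masterPassword string, ttl time.Duration) *JoinRegistry {
	return &JoinRegistry{pwHash: sha256.Sum256([]byte(masterPassword)),
		ttl: ttl, keys: map[string]time.Time{}}
}

// Provision models `weave provision --master-password`: check the password, mint a key with a TTL.
func (r *JoinRegistry) Provision(masterPassword string) (string, error) {
	h := sha256.Sum256([]byte(masterPassword))
	if subtle.ConstantTimeCompare(h[:], r.pwHash[:]) != 1 {
		return "", errors.New("bad master password")
	}
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	key := hex.EncodeToString(b[:])
	r.keys[key] = time.Now().Add(r.ttl)
	return key, nil
}

// Join models `weave launch --key`: a key is consumed on first use, so a replayed key is refused.
func (r *JoinRegistry) Join(key string) error {
	exp, ok := r.keys[key]
	delete(r.keys, key) // consume unconditionally, even if the check below fails
	if !ok {
		return errors.New("failed to join network, peer already exists")
	}
	if time.Now().After(exp) {
		return errors.New("failed to join network, key expired")
	}
	return nil
}
```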