I am looking into alternatives for the initial cert sign for new puppet clients. We will have non-sysadmins kickstarting new hosts, and I am trying to minimize the time they have to wait for a cert sign while maintaining at least a marginally sane level of security.

My question is this: does the puppetmaster check that a new cert request for host A (CSR with subject "cn=A.mydomain") is coming from the IP address of host A, or is initial host authentication completely left up to us? I understand that a simple reverse lookup isn't really sufficient, but I am curious if it is part of puppet's "protocol".

-- 
Chad M. Huneycutt

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Chad Huneycutt wrote:
> I am looking into alternatives for the initial cert sign for new
> puppet clients. We will have non-sysadmins kickstarting new hosts,
> and I am trying to minimize the time they have to wait for a cert sign
> while maintaining at least a marginally sane level of security.
>
> My question is this: does the puppetmaster check that a new cert
> request for host A (CSR with subject "cn=A.mydomain") is coming from
> the IP address of host A, or is initial host authentication
> completely left up to us? I understand that a simple reverse lookup
> isn't really sufficient, but I am curious if it is part of puppet's
> "protocol".

No, the certificate request does not use DNS, nor does the signing or validation/verification that comes later. So it is completely up to you, and spoofed requests could be tricky to detect given the current terseness of puppetca.

If you are leaning towards convenience and your network is well protected (firewalled), you could use autosign with little concern. It depends also on what you're protecting, what's in your manifests for a "default" host or otherwise.

OTOH you could use a cronjob on the puppetca server that ran `puppetca --list` and notified; any change from the previous result (say 2 minutes ago) could trigger a ticket or e-mail or SMS.

-- 
Mark Foster - Sr. Systems Engineer - BitPusher, LLC
We push your bits so you don't have to! http://www.bitpusher.com/
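The cron-driven watcher Mark sketches above, written out as an added example (this is not code from the thread or from the Puppet project). It snapshots the pending-request list on each run, diffs it against the previous snapshot, and hands every new CN to a notify command. Two things the thread does not spell out are worth handling: the CN is chosen by whoever submitted the CSR, so it is untrusted input and is sanitized before it reaches a mail subject or ticket title; and the snapshot is only rotated when the list command succeeds, so a transient failure does not mask a request on the next run. The state directory, the notify command, and the assumption that the list command prints one CN per line are all assumptions for this example.

```shell
#!/bin/sh
# Added example: watch the puppetca pending queue from cron and notify on
# new certificate requests. Not code from the thread or from Puppet.
# Assumptions (adjust per site): the list command prints one CN per line,
# state lives under $STATE_DIR, NOTIFY_CMD takes one message argument.

STATE_DIR="${STATE_DIR:-/var/lib/puppetca-watch}"   # assumed path
LIST_CMD="${LIST_CMD:-puppetca --list}"              # command from the thread
NOTIFY_CMD="${NOTIFY_CMD:-logger -t puppetca-watch}" # assumed notifier

# sanitize_cn CN: the CN came from an unauthenticated CSR, so treat it as
# untrusted. Keep only hostname characters and cap the length before the
# value is interpolated into a mail subject, ticket title or syslog line.
sanitize_cn() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._-' | cut -c1-253
}

# new_requests PREV CUR: print CNs present in CUR but absent from PREV,
# one per line. Both inputs are sorted into temp files first because
# comm(1) requires sorted input.
new_requests() {
    p=$(mktemp) || return 1
    c=$(mktemp) || { rm -f "$p"; return 1; }
    sort -u "$1" > "$p"
    sort -u "$2" > "$c"
    comm -13 "$p" "$c"
    rm -f "$p" "$c"
}

# check_once: the body of the cron job. Rotates the snapshot only after a
# successful listing so a failed run cannot hide a request from the next.
check_once() {
    mkdir -p "$STATE_DIR" || return 1
    prev="$STATE_DIR/pending.prev"
    cur="$STATE_DIR/pending.cur"
    [ -f "$prev" ] || : > "$prev"          # first run: empty baseline
    $LIST_CMD > "$cur" || return 1          # leave state untouched on error
    new_requests "$prev" "$cur" | while IFS= read -r cn; do
        $NOTIFY_CMD "new CSR pending: $(sanitize_cn "$cn")"
    done
    mv "$cur" "$prev"
}

# demo: stand-alone run on constructed snapshots, no puppetca needed.
# Expected to print only the host added in the second snapshot.
demo() {
    a=$(mktemp); b=$(mktemp)
    printf 'web1.mydomain\ndb1.mydomain\n' > "$a"                  # constructed
    printf 'db1.mydomain\nweb1.mydomain\nweb2.mydomain\n' > "$b"   # constructed
    new_requests "$a" "$b"
    rm -f "$a" "$b"
}

case "${1:-}" in
    --cron) check_once ;;   # e.g. */2 * * * * /usr/local/sbin/puppetca-watch --cron
    *)      demo ;;
esac
```

Run it with no arguments to see the diff logic on the constructed data; install it in cron with `--cron` at the two-minute cadence Mark mentions. The notify hook is deliberately a single argument so the CN can never be parsed as options or shell by the downstream mailer or ticketing CLI.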
On Mon, Jul 28, 2008 at 10:18 AM, Mark Foster <mfoster@bitpusher.com> wrote:
>
> Chad Huneycutt wrote:
>> I am looking into alternatives for the initial cert sign for new
>> puppet clients. We will have non-sysadmins kickstarting new hosts,
>> and I am trying to minimize the time they have to wait for a cert sign
>> while maintaining at least a marginally sane level of security.
>>
>> My question is this: does the puppetmaster check that a new cert
>> request for host A (CSR with subject "cn=A.mydomain") is coming from
>> the IP address of host A, or is initial host authentication
>> completely left up to us? I understand that a simple reverse lookup
>> isn't really sufficient, but I am curious if it is part of puppet's
>> "protocol".
>>
>
> No, the certificate request does not use DNS, nor does the signing or
> validation/verification that comes later.
> So it is completely up to you, and spoofed requests could be tricky to
> detect given the current terseness of puppetca.
>
> If you are leaning towards convenience and your network is well
> protected (firewalled), you could use autosign with little concern. It
> depends also on what you're protecting, what's in your manifests for a
> "default" host or otherwise.

Thanks, Mark. I am behind a firewall, but the network is pretty much open (university). It is a good point about the contents of my default manifest. I think I can pretty easily move any sensitive configuration data (or perhaps all of it) into host-specific manifests, and then enable autosign.

> OTOH you could use a cronjob on the puppetca server that ran `puppetca
> --list` and notified; any change from the previous result (say 2 minutes
> ago) could trigger a ticket or e-mail or SMS.

This was what I had in mind, and it would probably also work, as we would have a few people with sufficient privileges to authenticate and sign new host requests.

-- 
Chad M. Huneycutt