I have been looking at Puppet as a possible replacement for cfengine at our site. One difficulty I've had with cfengine that I'm wondering if Puppet can solve is that of dealing with laptop/mobile users. Since these laptops move around quite a bit, their IP/hostname is constantly changing. From playing with puppet a bit, I've found that it seems to generate the client certificate based on whatever "hostname" is set to at the time. Then, no matter what network you're on (or dynamic hostname you get from that network), if you set hostname to match the value when your client cert was generated, the authentication with the puppetmaster server works. In other words, the server doesn't seem to care what IP/hostname you really have; it only cares about the cert that the puppetd client gives it. However, I'm not sure forcing the hostname to some other value just to make puppet work is a good idea since I'm not sure what, if any, other apps it might break. Is there a good way to deal with mobile users and their ever-changing hostnames such that puppet will work from any location?

Thanks,
Jeremy
Jeremy Dreese wrote:
> I have been looking at Puppet as a possible replacement for cfengine at
> our site. One difficulty I've had with cfengine that I'm wondering if
> Puppet can solve is that of dealing with laptop/mobile users. Since
> these laptops move around quite a bit, their IP/hostname is constantly
> changing. From playing with puppet a bit, I've found that it seems to
> generate the client certificate based on whatever "hostname" is set to
> at the time. Then, no matter what network you're on (or dynamic
> hostname you get from that network), if you set hostname to match the
> value when your client cert was generated, the authentication with the
> puppetmaster server works. In other words, the server doesn't seem to
> care what IP/hostname you really have; it only cares about the cert that
> the puppetd client gives it. However, I'm not sure forcing the hostname
> to some other value just to make puppet work is a good idea since I'm
> not sure what, if any, other apps it might break. Is there a good way
> to deal with mobile users and their ever-changing hostnames such that
> puppet will work from any location?
>
> Thanks,
> Jeremy

Security in puppet is based on the x.509 certificate, which is signed by a trusted authority. The CN field of the client certificate doesn't have to contain a FQDN, so you might come up with your own naming scheme, like notebook1.lan, notebook2.lan, or whatever, where the .lan domain may not actually exist. The master server can be configured to use the FQDN fact, or the CN field of the certificate as the node name of the connecting client.

Hope this helps,

--
Jeff McCune
The Ohio State University
Department of Mathematics
Systems Manager

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
> The master server can be configured to use the FQDN fact, or the CN
> field of the certificate as the node name of the connecting client.
>

Okay, I figured out the problem (with some better understanding from Jeff's message). My master server was in fact using the cert CN (which is what I want); I verified that using "puppetmasterd --genconfig". The problem was that the puppetd command on the client tried to generate a new cert every time it was run based on my current hostname. But obviously I wanted it to use the cert I had already created using my preferred hostname. I found that if I set "certname = preferredhostname.lan" in my /etc/puppet/puppetd.conf file, puppetd then used my preferred hostname, rather than my current hostname.

Thanks for the help.

Jeremy

--
Jeremy Dreese
Engineering Computing Systems Integrator
College of Engineering
Bucknell University
voice: (570) 577-3714
fax: (570) 577-3579
email: jdreese@bucknell.edu
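The two settings discussed in Jeff's reply and Jeremy's follow-up, pulled together as an added configuration example (not taken from the thread or from the Puppet project's own documentation). The client side pins the certificate name so puppetd keeps presenting the already-signed cert regardless of the current DHCP hostname; the master side selects which identity is trusted as the node name. The `notebook1.lan` name is a constructed placeholder in the spirit of Jeff's naming scheme, and the `[puppetd]`/`[puppetmasterd]` section names assume the configuration-file layout of the Puppet release this thread refers to:

```ini
# /etc/puppet/puppetd.conf on the laptop (constructed example)
[puppetd]
# Identity used for the certificate request and for every later run.
# Pin it so a changing DHCP hostname never triggers a fresh CSR.
# The .lan domain need not exist in DNS; only the CA signature matters.
certname = notebook1.lan

# /etc/puppet/puppetmasterd.conf on the master (constructed example)
[puppetmasterd]
# Weak choice for mobile nodes: identity follows the client-reported
# fqdn fact, which any node can set to whatever it likes.
#node_name = facter

# Stronger choice: identity is the CN of the CA-signed certificate,
# which the client cannot change without a new signing by the CA.
node_name = cert
```

With `node_name = cert`, the node definition on the master is matched against `notebook1.lan` no matter what network the laptop is on; the value of the `hostname` command and the `fqdn` fact are left alone, so other applications on the laptop are unaffected. The check Jeremy used, `puppetmasterd --genconfig`, prints the effective master settings and is the quickest way to confirm which of the two `node_name` values is actually in force.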