Greetings!

Are there any plans of using Kerberos for authentication in addition to (or in place of) SSL certificates in Puppet?

Kerberos provides mutual, cryptographically strong authentication. A number of different services are Kerberos-enabled (SSH, NFSv4 and HTTP are common examples), and thus use the same authentication mechanism system-wide. At our site, almost all services and users are authenticated with Kerberos. We still need to maintain a separate authentication structure with SSL certificates for Puppet, which is a bit redundant.

Having Puppet use Kerberos for authentication would be splendid for a number of reasons, but for now I just wonder if it'd be feasible at all to implement.

Cheers,
-Berge

--
Berge Schwebs Bjørlo
Alegría!
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
Berge Schwebs Bjørlo <berge@trivini.no> writes:

> Kerberos provides mutual, cryptographically strong authentication. A
> number of different services are Kerberos-enabled (SSH, NFSv4 and HTTP
> are common examples), and thus use the same authentication mechanism
> system-wide. At our site, almost all services and users are
> authenticated with Kerberos. We still need to maintain a separate
> authentication structure with SSL certificates for Puppet, which is a
> bit redundant.

Note that all of the services that you list actually use GSSAPI, not Kerberos directly, and at least in theory could also use other GSSAPI mechanisms. (HTTP does something even more complicated and has some issues, but that's probably beside the point.)

We would also use this, if we had it available, although it's not a high enough priority for us to fund.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
I agree that having Kerberos would be nice, but don't you want to encrypt all of the communication between the puppet server and the clients anyway?

Having my config files fly around in the clear makes me a bit nervous.

And, if you're going to encrypt everything anyway, sticking with SSL might make more sense.

Just my .02.

Trevor

On Dec 19, 2007 6:42 PM, Berge Schwebs Bjørlo <berge@trivini.no> wrote:
> Greetings!
>
> Are there any plans of using Kerberos for authentication in addition to (or
> in place of) SSL certificates in Puppet?
>
> Kerberos provides mutual, cryptographically strong authentication. A number
> of different services are Kerberos-enabled (SSH, NFSv4 and HTTP are common
> examples), and thus use the same authentication mechanism system-wide. At our
> site, almost all services and users are authenticated with Kerberos. We still
> need to maintain a separate authentication structure with SSL certificates for
> Puppet, which is a bit redundant.
>
> Having Puppet use Kerberos for authentication would be splendid for a number
> of reasons, but for now I just wonder if it'd be feasible at all to
> implement.
>
> Cheers,
> -Berge
On Thu, Dec 20, 2007 at 07:18:53AM -0500, Trevor Vaughan wrote:
> I agree that having Kerberos would be nice, but don't you want to
> encrypt all of the communication between the puppet server and the
> clients anyway?
>
> Having my config files fly around in the clear makes me a bit nervous.
>
> And, if you're going to encrypt everything anyway, sticking with SSL
> might make more sense.

AFAIK (I've not used kerberos in anger) there are several ways in which this could be deployed:

1. HTTP + Kerberos/GSSAPI HTTP Auth
2. HTTP + Kerberos/GSSAPI HTTP Auth over SSL
3. HTTP over SSL with Kerberos authentication

I don't know support for 3, but I'd *imagine* 2 would probably be reasonably easy to implement, and would also fulfil your privacy requirements. Well, I'll admit here that I've not looked at the puppet code for a while, though.

Most importantly, it does mean that if you've already got a kerberos infrastructure, you won't need to set up a parallel public key infrastructure.

> Just my .02.
>
> Trevor

--
Ceri Storey <cez@necrofish.org.uk>
'What I really want is "apt-get smite"' --Rob Partington
http://unix.culti.st/
On Dec 20, 2007, at 9:05 AM, Ceri Storey wrote:
> I don't know support for 3, but I'd *imagine* 2 would probably be
> reasonably easy to implement, and would also fulfil your privacy
> requirements. Well, I'll admit here that I've not looked at the
> puppet code for a while, though.
>
> Most importantly, it does mean that if you've already got a kerberos
> infrastructure, you won't need to set up a parallel public key
> infrastructure.

Puppet's server-side authentication has already been abstracted, since we're able to offload it to Apache when we use Mongrel. I haven't looked at doing so for the client, but it shouldn't be any harder, I think, especially with the recent refactoring I've done to how http connections are handled.

If you can find someone using Ruby's Net::HTTP class to do Kerberized connections, you should be able to apply the same methods to Puppet.

As Russ intimated, though, I'm not going to do this on my own; I'd be glad to accept a functional patch or do the work if it were funded.

--
People are more violently opposed to fur than leather because it is safer to harass rich women than motorcycle gangs.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
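As an added illustration of Ceri's option 2 and Luke's Net::HTTP remark (example code, not Puppet's own and not from anyone in the thread): the client side of HTTP Negotiate (RFC 4559) is just an `Authorization: Negotiate <base64 GSSAPI token>` header on a request that is refused unless it travels over TLS. The token source is injected as a lambda so this runs without a KDC; in a real client it would be the gssapi gem's initiator token for the `HTTP@<host>` service principal (assumed, not shown here).

```ruby
require 'net/http'
require 'uri'
require 'base64'

# Build a Net::HTTP GET carrying an HTTP Negotiate (SPNEGO/Kerberos) token.
# token_source.call(service_name) returns the raw GSSAPI initiator token
# (bytes); it is injected so the example needs no Kerberos infrastructure.
def negotiate_request(uri_string, token_source)
  uri = URI.parse(uri_string)
  # Option 1 (plain HTTP) is refused: a service ticket sent in the clear is
  # replayable for its lifetime and the catalog itself would be exposed.
  unless uri.scheme == 'https'
    raise ArgumentError, "Negotiate token refused over non-TLS URL: #{uri}"
  end
  token = token_source.call("HTTP@#{uri.host}")
  req = Net::HTTP::Get.new(uri)
  req['Authorization'] = "Negotiate #{Base64.strict_encode64(token)}"
  req
end

# Extract the raw token from a "Negotiate <base64>" header value (the server
# sends one back in WWW-Authenticate to complete mutual authentication).
# Returns nil for any other scheme so callers can fail closed.
def negotiate_token(header_value)
  return nil unless header_value
  scheme, b64 = header_value.split(' ', 2)
  return nil unless scheme == 'Negotiate' && b64
  Base64.strict_decode64(b64)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample token; real tokens are DER-encoded GSS-API blobs.
  fake_source = ->(spn) { puts "would acquire ticket for #{spn}"; "\x60\x01\x02".b }
  req = negotiate_request('https://puppet.example.com:8140/production/catalog/n1', fake_source)
  puts req['Authorization']
end
```

A real client must also feed the server's final Negotiate token back into its GSSAPI context; without that step the "mutual" in mutual authentication is not actually checked.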
"Trevor Vaughan" <peiriannydd@gmail.com> writes:

> I agree that having Kerberos would be nice, but don't you want to
> encrypt all of the communication between the puppet server and the
> clients anyway?

GSSAPI provides integrity and confidentiality. With current versions of Kerberos, it does so with 256-bit symmetric AES keys, which is as good or better than TLS implementations.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
Hi

> I agree that having Kerberos would be nice, but don't you want to
> encrypt all of the communication between the puppet server and the
> clients anyway?
>
> Having my config files fly around in the clear makes me a bit nervous.

Isn't that already the fact?! Or why do you make this assumption?

greets pete
On Dec 20, 2007, at 1:27 PM, Peter Meier wrote:
> Hi
>
>> I agree that having Kerberos would be nice, but don't you want to
>> encrypt all of the communication between the puppet server and the
>> clients anyway?
>>
>> Having my config files fly around in the clear makes me a bit
>> nervous.
>
> Isn't that already the fact?! Or why do you make this assumption?

All puppet traffic is both authenticated and encrypted, running over https.

--
Some people are afraid of heights. I'm afraid of widths. -- Stephen Wright
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com