I'm using mongrel and these lines in apache config concern me (from wiki/UsingMongrel):

SSLVerifyClient optional
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

So apache gives access to everyone. Does the puppetmaster additionally verify client's identity? It's not obvious from the source code.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On Sep 3, 2009, at 6:46 AM, Štefan Sakalík wrote:

> I'm using mongrel and these lines in apache config concern me (from
> wiki/UsingMongrel):
> SSLVerifyClient optional
> RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
> So apache gives access to everyone. Does the puppetmaster additionally
> verify client's identity? It's not obvious from the source code.

Hi,

This is so unsigned clients can connect and send their initial info. (allowing the puppetmaster to sign them)

I would add your IP space range of what servers should be allowed to connect with your puppetmaster if concerned about security. You can also disable the above option and only enable when adding new clients.

-L

--
Larry Ludwig
Reductive Labs

Larry Ludwig wrote:

> On Sep 3, 2009, at 6:46 AM, Štefan Sakalík wrote:
>
>> I'm using mongrel and these lines in apache config concern me (from
>> wiki/UsingMongrel):
>> SSLVerifyClient optional
>> RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>>
>> So apache gives access to everyone. Does the puppetmaster additionally
>> verify client's identity? It's not obvious from the source code.
>
> Hi,
>
> This is so unsigned clients can connect and send their initial info.
> (allowing the puppetmaster to sign them)

I see now. I wanted to make sure that client without signed certificate can't get access to fileserver. So I assume this is the case.

-Stefan

On Sep 4, 2009, at 9:56 AM, Štefan Sakalík wrote:

> Larry Ludwig wrote:
>> On Sep 3, 2009, at 6:46 AM, Štefan Sakalík wrote:
>>
>>> I'm using mongrel and these lines in apache config concern me (from
>>> wiki/UsingMongrel):
>>> SSLVerifyClient optional
>>> RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>>>
>>> So apache gives access to everyone. Does the puppetmaster additionally
>>> verify client's identity? It's not obvious from the source code.
>>
>> Hi,
>>
>> This is so unsigned clients can connect and send their initial info.
>> (allowing the puppetmaster to sign them)
>
> I see now. I wanted to make sure that client without signed certificate
> can't get access to fileserver. So I assume this is the case.

Correct.

-L

--
Larry Ludwig
Reductive Labs
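
Added example (not part of the thread and not Puppet's own code): a Ruby sketch of the backend-side check the exchange above implies, where any request without a verified client certificate is limited to the certificate-request step. The handler names and the CGI-style header key are assumptions; the status values are the ones mod_ssl documents for SSL_CLIENT_VERIFY.

```ruby
# Added illustration, not Puppet source. Handler names below are hypothetical.
# Apache sets X-Client-Verify from SSL_CLIENT_VERIFY; mod_ssl documents the
# values NONE, SUCCESS, GENEROUS and FAILED:reason.
VERIFY_KEY = "HTTP_X_CLIENT_VERIFY" # assumed CGI-style name the backend sees

# Requests an unverified client may make so it can submit its certificate
# request and later fetch the signed certificate (hypothetical handler name).
BOOTSTRAP_HANDLERS = %w[certificate_authority].freeze

# Fail closed: only an exact SUCCESS counts as a verified client certificate.
def client_verified?(env)
  env[VERIFY_KEY].to_s == "SUCCESS"
end

# Returns :allow, :allow_bootstrap or :deny for one request.
def authorize(env, handler)
  return :allow if client_verified?(env)
  return :allow_bootstrap if BOOTSTRAP_HANDLERS.include?(handler)
  :deny
end

# Constructed sample requests: [header value as set by the proxy, handler].
SAMPLES = [
  ["SUCCESS", "fileserver"],
  ["NONE", "fileserver"],
  ["NONE", "certificate_authority"],
  ["FAILED:certificate has expired", "fileserver"],
  ["GENEROUS", "fileserver"],
  [nil, "fileserver"],
  ["success ", "fileserver"]
].freeze

# Evaluates every sample and returns [header value, handler, decision] rows.
def decisions
  SAMPLES.map do |verify, handler|
    env = verify.nil? ? {} : { VERIFY_KEY => verify }
    [verify, handler, authorize(env, handler)]
  end
end

if __FILE__ == $PROGRAM_NAME
  decisions.each { |v, h, d| puts format("%-32s %-22s %s", v.inspect, h, d) }
end
```

A check like this is only meaningful when the backend is reachable solely through the proxy, because the header is otherwise client-controlled. `RequestHeader set` replaces any X-Client-Verify value the client sent with the one Apache computed.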