Mohamed Lrhazi
2010-Oct-04 14:47 UTC
[Puppet Users] Can a hacker take over by impersonating puppetmaster?
I was wondering how easy/hard is it for a hacker to control my hosts by impersonating puppetmaster, say by poisoning DNS to point puppet.dom.ain to their own server?
Are there reasons why that would not work?

Thanks a lot.
Mohamed.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Benjamin Kite
2010-Oct-04 14:52 UTC
Re: [Puppet Users] Can a hacker take over by impersonating puppetmaster?
On Mon, Oct 4, 2010 at 4:47 PM, Mohamed Lrhazi <lrhazi@gmail.com> wrote:
> I was wondering how easy/hard is it for a hacker to control my hosts
> by impersonating puppetmaster, say by poisoning DNS to point
> puppet.dom.ain to their own server?
> Are there reasons why that would not work?

The SSL layer and its key exchange mechanism should handle that.

--
Benjamin C. Kite, System Administrator, Greenpeace USA
☎ (202) 319-2489 - ⬡ (202) 538-2845
Felix Frank
2010-Oct-04 14:57 UTC
Re: [Puppet Users] Can a hacker take over by impersonating puppetmaster?
On 10/04/2010 04:52 PM, Benjamin Kite wrote:
> On Mon, Oct 4, 2010 at 4:47 PM, Mohamed Lrhazi <lrhazi@gmail.com> wrote:
>> I was wondering how easy/hard is it for a hacker to control my hosts
>> by impersonating puppetmaster, say by poisoning DNS to point
>> puppet.dom.ain to their own server?
>> Are there reasons why that would not work?
>
> The SSL layer and its key exchange mechanism should handle that.

It most definitely does.

Your clients cache the master's certificate.

You could technically have a problem if you
1. make a certificate request from a new client and
2. don't see the request in your puppet master's puppetca.

Then an attacker could sign the hijacked request and impersonate a master for your new client.

Needless to say, if that happens, make sure to erase the certificate that the newly compromised node has saved.

Cheers,
Felix
R.I.Pienaar
2010-Oct-04 15:12 UTC
Re: [Puppet Users] Can a hacker take over by impersonating puppetmaster?
----- "Benjamin Kite" <benjamin.kite@greenpeace.org> wrote:
> On Mon, Oct 4, 2010 at 4:47 PM, Mohamed Lrhazi <lrhazi@gmail.com> wrote:
> > I was wondering how easy/hard is it for a hacker to control my hosts
> > by impersonating puppetmaster, say by poisoning DNS to point
> > puppet.dom.ain to their own server?
> > Are there reasons why that would not work?
>
> The SSL layer and its key exchange mechanism should handle that.

If your machines are just set up to talk to 'puppet' this generally is fine unless your machines are also mobile.

If your laptop shows up on a hostile network and you get DHCP from it your hostname might change, puppet will make a new certificate sign request and send it to 'puppet'. If the hostile network has an auto signing master you might run into troubles there.

On more traditional static hosts it should be fine as long as he can't convince your puppetd to make new cert requests - usually only through changing hostnames so be wary if you use some shared hosting provider and have DHCP not under your control.

--
R.I.Pienaar
Richard Crowley
2010-Oct-04 15:12 UTC
Re: [Puppet Users] Can a hacker take over by impersonating puppetmaster?
>> I was wondering how easy/hard is it for a hacker to control my hosts
>> by impersonating puppetmaster, say by poisoning DNS to point
>> puppet.dom.ain to their own server?
>> Are there reasons why that would not work?
>
> The SSL layer and its key exchange mechanism should handle that.

New agents would not know the difference, however, and trust the attacker's master.
Mohamed Lrhazi
2010-Oct-04 15:48 UTC
[Puppet Users] Re: Can a hacker take over by impersonating puppetmaster?
Thank you guys. Am still wondering, what happens if an old client finds itself connecting to a new master? I know the master verifies the client cert, but the client does not verify the server's, or am I missing something? Why would SSL fail if the master changes?

Thanks a lot.
Mohamed.

On Monday, October 4, 2010, Richard Crowley <r@rcrowley.org> wrote:
>>> I was wondering how easy/hard is it for a hacker to control my hosts
>>> by impersonating puppetmaster, say by poisoning DNS to point
>>> puppet.dom.ain to their own server?
>>> Are there reasons why that would not work?
>>
>> The SSL layer and its key exchange mechanism should handle that.
>
> New agents would not know the difference, however, and trust the
> attacker's master.

--
"Logic merely sanctions the conquests of the intuition." Jacques Hadamard
Mohamed Lrhazi
2010-Oct-04 15:58 UTC
Re: [Puppet Users] Can a hacker take over by impersonating puppetmaster?
On Mon, Oct 4, 2010 at 10:57 AM, Felix Frank <felix.frank@alumni.tu-berlin.de> wrote:
>
> Your clients cache the master's certificate.
>

I think that's the piece I was missing in my understanding... Thanks a lot.

So if the master's cert changes, does the client refuse the new master?

Mohamed.
Nan Liu
2010-Oct-04 23:17 UTC
Re: [Puppet Users] Can a hacker take over by impersonating puppetmaster?
On Mon, Oct 4, 2010 at 8:58 AM, Mohamed Lrhazi <lrhazi@gmail.com> wrote:
> On Mon, Oct 4, 2010 at 10:57 AM, Felix Frank
> <felix.frank@alumni.tu-berlin.de> wrote:
>
>> Your clients cache the master's certificate.

Correction. The puppet agent fetches the CA cert and it verifies the puppet master cert is signed by the CA cert. If not, the agent will not communicate with puppet master due to a cert mismatch.

If you are paranoid and concerned about security, do not use autosign on Puppet master, and distribute the ca.pem public key to the puppet agent manually as part of provisioning process. This will alleviate the problem of a rogue host connecting to puppet master, and prevent man in the middle attack.

> I think that's the piece I was missing in my understanding... Thanks a lot.
>
> So if the master's cert changes, does the client refuse the new master?

No, the puppet agent checks:
1. Is the certificate signed by the trusted CA and valid?
2. Does the server DNS match the CN or subject alt name?

So if you examine the certificate, here are the fields that are important:

# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/puppet.internal.clientsite.com.pem
Certificate:
        Issuer: CN=Puppet CA ca.clientsite.com
        Validity
            Not Before: Sep 26 21:10:12 2010 GMT
            Not After : Sep 25 21:10:12 2015 GMT
        Subject: CN=puppetmaster1.internal.clientsite.com
        ...
        X509v3 Subject Alternative Name:
            DNS:puppet, DNS:puppet.internal.clientsite.com
        ...

So in the first step, the puppet agent checks the certificate has not expired (Validity) and the issuer must ultimately be linked to the root CA in ca.pem. In this discussion the issuer is simply the built in CA. The second step, it ensures the CN or the subject altname matches the puppet master DNS.

Thanks,
Nan
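[Added example, not part of the original thread and not Puppet's own code: the two checks listed in the reply above (the certificate chains to the locally held CA and is within its validity period; the name the agent connects to matches the CN or subjectAltName), run by hand with openssl. The CAs, certificates and example.test names are constructed throwaway material, and the second CA deliberately reuses the first CA's subject name.]

```sh
#!/bin/sh
# Added example; every CA, key and hostname here is constructed for the demo.

# check_master_cert CA_FILE CERT_FILE HOSTNAME
# returns 0 if both checks pass, 1 if the chain/validity check fails,
# 2 if the hostname is not in the certificate.
check_master_cert() {
    # Step 1: signed by the CA the agent already holds, and not expired.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' || return 1
    # Step 2: the name the agent dials must match the CN or a subjectAltName.
    # -checkhost only prints its verdict, so match on the text.
    openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null |
        grep -q 'does match certificate' || return 2
}

# make_ca DIR FILE: throwaway self-signed CA; every CA gets the same subject
# name, so only the signature tells a second CA from the first.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Puppet CA demo" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_master DIR CA_FILE OUT: master certificate issued by that CA.
make_master() {
    printf 'subjectAltName=DNS:puppet,DNS:puppet.example.test\n' > "$1/san.cnf"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=puppetmaster1.example.test" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -extfile "$1/san.cnf" -out "$1/$3.pem" 2>/dev/null
}

# demo: prints three results, in order: real master, master signed by the
# other CA, real master reached under a name that is not in its certificate.
demo() {
    d=$(mktemp -d)
    make_ca "$d" site;  make_master "$d" site real
    make_ca "$d" rogue; make_master "$d" rogue fake
    # The agent holds site.pem (its provisioned ca.pem) in all three cases.
    check_master_cert "$d/site.pem" "$d/real.pem" puppet && r1=0 || r1=$?
    check_master_cert "$d/site.pem" "$d/fake.pem" puppet && r2=0 || r2=$?
    check_master_cert "$d/site.pem" "$d/real.pem" puppet.other.test && r3=0 || r3=$?
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo   # prints: 0 1 2
```

[The middle result is the case the thread turns on: a certificate carrying the right names is still rejected because the agent's ca.pem did not sign it, which only holds if that ca.pem came from the real CA in the first place.]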
Mohamed Lrhazi
2010-Oct-06 00:55 UTC
Re: [Puppet Users] Can a hacker take over by impersonating puppetmaster?
On Mon, Oct 4, 2010 at 7:17 PM, Nan Liu <nan@puppetlabs.com> wrote:
> Correction. The puppet agent fetches the CA cert and it verifies the
> puppet master cert is signed by the CA cert. If not, the agent will
> not communicate with puppet master due to a cert mismatch.

Thanks a lot Nan. I think I have just one more clarification to ask...
Where does the client fetch the CA cert from and how often?

I guess I'll feel all safe if the fetching happens during the initial setup phase of a new client, and it keeps it locally from that point on.

Thanks,
Mohamed.
Patrick
2010-Oct-06 01:02 UTC
Re: [Puppet Users] Can a hacker take over by impersonating puppetmaster?
On Oct 5, 2010, at 5:55 PM, Mohamed Lrhazi wrote:
> On Mon, Oct 4, 2010 at 7:17 PM, Nan Liu <nan@puppetlabs.com> wrote:
>> Correction. The puppet agent fetches the CA cert and it verifies the
>> puppet master cert is signed by the CA cert. If not, the agent will
>> not communicate with puppet master due to a cert mismatch.
>
> Thanks a lot Nan. I think I have just one more clarification to ask...
> Where does the client fetch the CA cert from and how often?
>
> I guess I'll feel all safe if the fetching happens during the initial
> setup phase of a new client, and it keeps it locally from that point
> on.

I believe the client will not actually save the ca's certificate until the client has a signed cert. After that point it keeps the cert. The distro I use keeps it in /var/lib/puppet/ssl/ca.pem. You can always just put that cert into whatever process you use to install puppet in the first place if you're worried.