Just for completion, autosign is enabled only once a kickstart/preseed etc. file has been requested by the predefined IP address (or MAC) in Foreman.

I agree that signing the clients without autosign is a good alternative, but I'm not sure if trusting your FQDN is any different to trusting your IP/MAC address. When choosing to reinstall a host, Foreman will clean the cert (again only once the kickstart file has been requested, so you could schedule reinstalls). And when deleting a host, the certificate will be revoked.

Ohad

On Mon, Jun 7, 2010 at 9:00 PM, Michael DeHaan <mich...@puppetlabs.com> wrote:

> On Fri, Jun 4, 2010 at 5:25 PM, Todd Zullinger <t...@pobox.com> wrote:
> > Oded wrote:
> >> Never tried it myself but I think you can create the certificate as
> >> a part of the provisioning process, and then somehow place it in the
> >> new server.
> >> http://serverfault.com/questions/19462/how-can-i-pre-sign-puppet-certificates
> >
> > Without reading the link to see if it's similar to what I do, I have a
> > script I run on the puppet master to pre-generate certificates and
> > package them as rpm's. These then go into a repository which the
> > install is set up to use and the certificate package is installed by
> > kickstart.
> >
> > The package, if you're curious, is at:
> > http://tmz.fedorapeople.org/packages/puppet-host-package-0.6.0-1.el5.src.rpm
> >
> > It's not polished in any way. It's one of those "works for me,
> > someday I should finish and improve it" things.
> >
> > But I prefer this to enabling autosign.
>
> Nice idea.... I like that.
>
> I had toyed with adding such an autosign-simulating feature to Cobbler
> that Ohad mentioned (but different*), but I don't see how that
> provides any greater security, as once you have automated provisioning
> via TFTP (it's an open protocol by design), it's really a moot point to
> claim you're layering extra security on top. Also Anaconda doesn't
> support access control around accessing kickstarts.
>
> * = rather than enabling autosign, the system would note what hosts
> just started kickstart, and let cobblerd sign that specific host once
> it shows up in 'puppetca', polling periodically, until the host
> indicates it reaches 'kickstart done' status, or after 30 minutes,
> whichever is sooner. That way there's no need to enable autosign, but
> it's effectively the same thing. The system could also remove
> certificates for hosts that were being reinstalled if kicked off from
> a secure interface (can't really trust PXE and HTTP requests).
>
> --Michael

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
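Michael's autosign-simulating poll (sign a host only while its kickstart is in progress, give up after 30 minutes) and the clean-on-reinstall-from-a-trusted-interface rule, written out as an added example that is not Foreman's, Cobbler's or Puppet's own code. The `puppetca --list/--sign/--clean` flags are Puppet's; the class, its method names and the hostnames and timestamps fed to it are assumptions.

```python
import re

WINDOW_SECONDS = 30 * 60   # Michael's "after 30 minutes, whichever is sooner"
HOSTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$")

class KickstartGatedSigner:
    """Sign only hosts that just started a kickstart (added model, not Foreman/Cobbler code)."""

    def __init__(self):
        self.pending = {}   # fqdn -> epoch seconds at which its kickstart was fetched

    def kickstart_requested(self, fqdn, now):
        """Provisioning server saw the predefined host fetch its kickstart."""
        self.pending[fqdn] = now

    def kickstart_done(self, fqdn):
        """Host reported completion: stop signing for it even inside the window."""
        self.pending.pop(fqdn, None)

    def should_sign(self, fqdn, now):
        started = self.pending.get(fqdn)
        if started is None:
            return False        # never requested a kickstart, or already finished
        if now - started > WINDOW_SECONDS:
            del self.pending[fqdn]   # window expired: back to manual signing
            return False
        return True

    def poll(self, puppetca_list_output, now):
        """One polling pass over `puppetca --list` output (one CN per line,
        possibly followed by a fingerprint). Returns the sign commands to run
        and the CNs left pending because no kickstart request gated them."""
        to_sign, ignored = [], []
        for line in puppetca_list_output.splitlines():
            fields = line.split()
            if not fields or not HOSTNAME_RE.match(fields[0]):
                continue
            if self.should_sign(fields[0], now):
                to_sign.append(["puppetca", "--sign", fields[0]])
            else:
                ignored.append(fields[0])
        return to_sign, ignored

    def reinstall(self, fqdn, via_trusted_interface):
        """Clean the old cert only when the reinstall came from a trusted
        interface, never from a PXE/HTTP request; the fresh install must
        still fetch its kickstart before it can be signed."""
        if not via_trusted_interface:
            return None
        return ["puppetca", "--clean", fqdn]
```

A CSR from a host that never fetched its kickstart (or fetched it more than 30 minutes ago) is left pending for a human, which is the whole point of not turning autosign on globally.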