On 10/04/2010 04:52 PM, Benjamin Kite wrote: > On Mon, Oct 4, 2010 at 4:47 PM, Mohamed Lrhazi <lrh...@gmail.com> wrote: >> I was wondering how easy/hard is it for a hacker to control my hosts >> by impersonating puppetmaster, say by poisoning DNS to point >> puppet.dom.ain to their own server? >> Are there reasosns why that would not work? > > The SSL layer and its key exchange mechanism should handle that. >
It most definitely does. Your clients cache the master's certificate. You could technically have a problem if you 1. make a certificate request from a new client and 2. don't see the request in your puppet master's puppetca. Then an attacker could sign the hijacked request and impersonate a master for your new client. Needless to say, if that happens, make sure to erase the certificate that the newly compromised node has saved. Cheers, Felix -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
